
About ACL checking for modify method of shell backends
Hello,

  I already posted some messages about the fact that for shell backends
the ACLs are checked by the slapd daemon only for the search method and
not for the modify method.

  I still think that this is not a very good thing for the following reasons:

  a) Some methods of the shell backend have to check the ACLs (e.g. modify)
     while some others do not have to bother about them (e.g. search)
  b) ACL checking is very complex; duplicating this code between slapd and
     the shell backend may not be a good thing
  c) Altering the slapd interface to the shell backend to make it check ACLs
     for the modify method seems to be quite easy

  You will find attached to this mail a diff patch for the directory
servers/slapd/back-shell which does the work. The method used to check ACLs
for the modify method is to call the search method of the shell backend to
get the full entry to be modified with its attributes and then check
the ACLs for modification.

  Is there a fundamental reason why this patch cannot be applied to the
official sources?

  The patch also includes an example backend which provides bind and modify
methods.  This example is based on the original search example. Take a look at
a sample of the config file:

==============================================================
# Database definition
database        shell
suffix          "dc=example,dc=org"
search          ./search.sh
bind            ./bind.sh
modify          ./modify.sh
 
# The password can be changed by its owner, others should
# not be able to see it, except the admin
access to attrs=userPassword
  by dn="cn=root,dc=example,dc=org" write
  by dnattr=member write
  by * compare
==============================================================

And take a look at a session with this shell backend example:

$ ldapsearch -x -b "dc=example,dc=org" "(uid=hinvisib)"
version: 2
 
#
# filter: (uid=hinvisib)
# requesting: ALL
#
 
# hinvisib,dc=example,dc=org
dn: cn=hinvisib,dc=example,dc=org
objectClass: top
objectClass: person
cn: hinvisib
cn: Homme Invisible
sn: hinvisib
uid: hinvisib
member: cn=hinvisib,dc=example,dc=org
 
# search result
search: 2
result: 0 Success
 
# numResponses: 2
# numEntries: 1

$ ldapsearch -x -b "dc=example,dc=org" -D "cn=hinvisib,dc=example,dc=org" -W
  "(uid=hinvisib)"
Enter LDAP Password:
version: 2
 
#
# filter: (uid=hinvisib)
# requesting: ALL
#
 
# hinvisib,dc=example,dc=org
dn: cn=hinvisib,dc=example,dc=org
objectClass: top
objectClass: person
cn: hinvisib
cn: Homme Invisible
sn: hinvisib
uid: hinvisib
member: cn=hinvisib,dc=example,dc=org
userPassword:: eVFSMm1PUlhYZjRFYw==
 
# search result
search: 2
result: 0 Success
 
# numResponses: 2
# numEntries: 1

$ ldapmodify -x -D "cn=rex,dc=example,dc=org" -W < modify.data
Enter LDAP Password:
modifying entry "cn=hinvisib,dc=example,dc=org"
ldap_modify: Insufficient access
        additional info: modify ACL check: permission denied
 
ldif_record() = 50

$ ldapmodify -x -D "cn=hinvisib,dc=example,dc=org" -W < modify.data
Enter LDAP Password:
modifying entry "cn=hinvisib,dc=example,dc=org"

Regards,

Xavier

Attachment: back-shell.patch.gz
Description: Patch to servers/slapd/back-shell
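The following is an added example, not the attached patch and not slapd code: a small Python model of how slapd evaluates the sample "access to attrs=userPassword" directive once the shell backend's search method has returned the full entry, which is the check the mail proposes for modify. It reproduces the four outcomes in the session above (anonymous search hides userPassword, the bound owner sees it, cn=rex gets result 50, cn=hinvisib succeeds). Assumptions: the entry is constructed from the ldapsearch output with a placeholder password value, modify.data is taken to touch userPassword, and attributes no directive covers are treated as readable by everyone (the default the anonymous search on the page exhibits). Access to the entry itself and other slapd ACL features are out of scope.

```python
# Added example: model of slapd ACL evaluation for the sample back-shell config.
# Not the attached patch and not slapd code; entry values are constructed
# from the session in the mail, and the password value is a placeholder.

from dataclasses import dataclass

# OpenLDAP privilege levels in increasing order; granting a level implies
# every lower level (write implies read, read implies compare, ...).
LEVELS = ["none", "auth", "compare", "search", "read", "write"]


def level_ge(granted, needed):
    """True if the granted privilege is at least the one requested."""
    return LEVELS.index(granted) >= LEVELS.index(needed)


@dataclass
class ByClause:
    who: str    # "*", "dn=<dn>" or "dnattr=<attribute>"
    level: str  # privilege granted when <who> matches


@dataclass
class AccessRule:
    attrs: set  # attributes named in "access to attrs=..."
    by: list    # ByClause list, evaluated in order


def who_matches(clause, bind_dn, entry):
    """Does a <by> clause apply to the requester bound as bind_dn?"""
    if clause.who == "*":
        return True
    kind, _, value = clause.who.partition("=")
    if kind == "dn":
        return bind_dn.lower() == value.lower()
    if kind == "dnattr":
        # dnattr: the requester's DN must be a value of the named attribute
        # of the target entry, which is why the entry has to be fetched
        # (via the backend's search method) before the check can run.
        members = [v.lower() for v in entry.get(value, [])]
        return bind_dn != "" and bind_dn.lower() in members
    raise ValueError("unsupported <who> clause: " + clause.who)


def access_allowed(rules, entry, attr, bind_dn, needed):
    """slapd-style evaluation: first rule covering the attribute, first
    matching <by> clause wins."""
    for rule in rules:
        if attr not in rule.attrs:
            continue
        for clause in rule.by:
            if who_matches(clause, bind_dn, entry):
                return level_ge(clause.level, needed)
        return False  # attribute covered, but no <by> clause matched
    # Attributes no directive covers are treated as readable by everyone,
    # which is what the anonymous search in the mail shows (assumed default).
    return level_ge("read", needed)


# Constructed from the ldapsearch output above; the password is a placeholder.
ENTRY = {
    "objectClass": ["top", "person"],
    "cn": ["hinvisib", "Homme Invisible"],
    "sn": ["hinvisib"],
    "uid": ["hinvisib"],
    "member": ["cn=hinvisib,dc=example,dc=org"],
    "userPassword": ["PLACEHOLDER-NOT-A-REAL-VALUE"],
}

# The access directive from the sample config file.
RULES = [
    AccessRule({"userPassword"}, [
        ByClause("dn=cn=root,dc=example,dc=org", "write"),
        ByClause("dnattr=member", "write"),
        ByClause("*", "compare"),
    ]),
]

LDAP_SUCCESS = 0
LDAP_INSUFFICIENT_ACCESS = 50  # the "ldif_record() = 50" seen in the session


def visible_attrs(bind_dn):
    """Attributes a search result would contain for this requester (needs read)."""
    return sorted(a for a in ENTRY if access_allowed(RULES, ENTRY, a, bind_dn, "read"))


def modify_result(bind_dn, attr):
    """The check the mail describes: after fetching the entry, require write
    on the attribute being modified. Returns the LDAP result code."""
    if access_allowed(RULES, ENTRY, attr, bind_dn, "write"):
        return LDAP_SUCCESS
    return LDAP_INSUFFICIENT_ACCESS


if __name__ == "__main__":
    print("anonymous search sees:", visible_attrs(""))
    print("hinvisib search sees:", visible_attrs("cn=hinvisib,dc=example,dc=org"))
    print("rex modify userPassword ->", modify_result("cn=rex,dc=example,dc=org", "userPassword"))
    print("hinvisib modify userPassword ->", modify_result("cn=hinvisib,dc=example,dc=org", "userPassword"))
```

The point the model makes explicit is that the dnattr=member clause cannot be evaluated from the modify request alone: the requester's DN has to be compared against attribute values of the entry being modified, so whichever component performs the check must first obtain the entry, exactly as the mail proposes for the shell backend.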