
Re: Enforcing attribute ACL on add operations



Pierangelo Masarati <ando@sys-net.it> wrote:

> I mean: test006 is broken now, we can no longer make test.  You should
> check why the test is broken and try to fix it :)  Probably, according
> to the old access rule, a user with "add" permission for entries is 
> adding an entry without having "add" permission on all the attributes.

The culprit is the ACL on attrs=objectclass at the top of the file:
access         to attrs=objectclass
                    by * =rsc stop

If I change it that way, test006 passes:
access         to attrs=objectclass
               by dn.exact="cn=Bjorn Jensen,ou=Information Technology Division,ou=People,dc=example,dc=com" add
               by * =rsc stop

Not sure it is a correct fix, though.

-- 
Emmanuel Dreyfus
http://hcpnet.free.fr/pubz
manu@netbsd.org
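
Added example, not part of the original message and not OpenLDAP code: a simplified Python model of per-attribute access checking on an add operation, showing why the `by * =rsc stop` rule on `attrs=objectclass` rejects the add and why the extra `by dn.exact=... add` clause lets it through. The catch-all rule, the sample entry and all function names are constructed assumptions; DN matching is reduced to exact string comparison.

```python
# Simplified model: first matching "access to" rule wins, then the first
# matching "by" clause wins (default control is "stop").
BJORN = ("cn=Bjorn Jensen,ou=Information Technology Division,"
         "ou=People,dc=example,dc=com")

# Privilege letters implied by the access levels used here (a = add).
LEVELS = {"none": "", "read": "rscxd", "add": "arscxd"}

def privs(spec):
    """'=rsc' sets exactly those privileges; a level name expands via LEVELS."""
    return set(spec[1:]) if spec.startswith("=") else set(LEVELS[spec])

def granted(acl, who, attr):
    """Return the privilege set `who` gets on `attr` under `acl`."""
    for target, by_clauses in acl:
        if target in ("*", attr.lower()):
            for subject, spec in by_clauses:
                if subject in ("*", who):
                    return privs(spec)
            return set()          # implicit trailing "by * none"
    return set()                  # no rule matched: no access

def denied_attrs_on_add(acl, who, entry_attrs):
    """Attributes of the new entry on which `who` lacks the add privilege."""
    return [a for a in entry_attrs if "a" not in granted(acl, who, a)]

# Constructed catch-all standing in for the rest of the test ACL file.
CATCH_ALL = ("*", [(BJORN, "add"), ("*", "read")])

# Rule as quoted at the top of the file in the message.
ORIGINAL = [("objectclass", [("*", "=rsc")]), CATCH_ALL]
# Rule with the extra "by dn.exact=... add" clause from the message.
PATCHED = [("objectclass", [(BJORN, "add"), ("*", "=rsc")]), CATCH_ALL]

ENTRY = ["objectClass", "cn", "sn"]   # constructed sample entry

if __name__ == "__main__":
    print("original:", denied_attrs_on_add(ORIGINAL, BJORN, ENTRY))
    print("patched: ", denied_attrs_on_add(PATCHED, BJORN, ENTRY))
```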