
Re: LDAP Access Control



Tony Earnshaw wrote:

>> I would be surprised if
> 
>> > cn=App1,cn=Torgeir,ou=people,ou=groups,dc=billy,dc=demon,dc=nl
>> > 
>> > access to
>> > dn=".*,cn=(.*),ou=people,ou=groups,dc=billy,dc=demon,dc=nl"
>> >         attrs=entry,children
>> >         by anonymous auth
>> >         by dn="cn=Admin,dc=billy,dc=demon,dc=nl" write
>> >         by dn="cn=$1,ou=people,ou=groups,dc=billy,dc=demon,dc=nl"
>> >         write
>  
>> would allow cn=(.*),ou=people,ou=groups,dc=billy,dc=demon,dc=nl
>> to be managed with this rule !
> 
> Life is full of surprises, Ace! But that is, in fact, exactly what
> happens. Try it for yourself.

I don't think so either. Taking the example, the above rule will just 
give access to
dn=".*,cn=Torgeir,ou=people,ou=groups,dc=billy,dc=demon,dc=nl"
which does _not_ include
dn="cn=Torgeir,ou=people,ou=groups,dc=billy,dc=demon,dc=nl"

Correctly, the ACL could be written as

access to
   dn=".*cn=([^,]+),ou=people,ou=groups,dc=billy,dc=demon,dc=nl"
   by dn="cn=$1,ou=people,ou=groups,dc=billy,dc=demon,dc=nl" write

I think. (untested)
Or, but this is just a thought, may not work, and is untested too:

access to
   dn="cn=([^,]+),ou=people,ou=groups,dc=billy,dc=demon,dc=nl"
   attrs=entry,children
   by self write

> I *do* have a user
> cn=Billy,ou=people,ou=groups,dc=billy,dc=demon,dc=nl, and he can't
> touch what Torgeir has in his tree. Neither can I. But Torgeir can.

But can Torgeir change his/her/its own data?


Don't get me wrong, I believe that you are experiencing the effect you 
describe, but I think it's due to another ACL line in your slapd.conf, 
or something like that.


curious,
daniel
-- 
... when men were men
and wrote their own device drivers ...
                -- Linus Benedict Torvalds
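The regex behaviour the thread argues about, as an added example that is not part of the original message or of OpenLDAP: a small Python model of how slapd applies an `access to dn=<regex>` pattern to a target DN and expands `$1` in a `by dn=` clause. It is an approximation, not slapd's code: patterns are applied with `re.search` (case-insensitive, no implicit anchors, as regexec(3) would do them; check slapd.access(5) for the version in use), the `attrs=` part of the rules is ignored, and a non-matching `access to` clause returns `None` to mark that slapd would fall through to the next rule. The DNs are the ones quoted in the thread; the rule names and the `evaluate` helper are constructed for this example.

```python
import re

# DNs quoted in the thread (constructed rule names below are ours).
BASE = "ou=people,ou=groups,dc=billy,dc=demon,dc=nl"
TORGEIR = f"cn=Torgeir,{BASE}"
APP1 = f"cn=App1,{TORGEIR}"
BILLY = f"cn=Billy,{BASE}"
ADMIN = "cn=Admin,dc=billy,dc=demon,dc=nl"

# The rule from the original posting: ".*," demands a comma before "cn=",
# so the pattern can only match entries *below* cn=<user>, never the user
# entry itself.
ORIGINAL_RULE = {
    "to": r".*,cn=(.*),ou=people,ou=groups,dc=billy,dc=demon,dc=nl",
    "by": [("anonymous", "auth"),
           (ADMIN, "write"),
           (f"cn=$1,{BASE}", "write")],
}

# Daniel's rewrite: ".*" may be empty, and [^,]+ stops the capture at the
# first comma, so both the user entry and its subtree match.
REWRITTEN_RULE = {
    "to": r".*cn=([^,]+),ou=people,ou=groups,dc=billy,dc=demon,dc=nl",
    "by": [(f"cn=$1,{BASE}", "write")],
}

# Daniel's second thought: "by self" only fires when the bound DN *is* the
# target entry, so it never covers children such as cn=App1,cn=Torgeir,...
SELF_RULE = {
    "to": r"cn=([^,]+),ou=people,ou=groups,dc=billy,dc=demon,dc=nl",
    "by": [("self", "write")],
}


def dn_regex_matches(pattern, target_dn):
    """Apply an 'access to dn=<regex>' pattern like regexec(3): extended
    regex, case-insensitive, no implicit anchors (assumption, see lead-in)."""
    return re.search(pattern, target_dn, re.IGNORECASE)


def expand_backrefs(template, match):
    """Substitute $1..$9 in a 'by dn=' clause with the groups captured by
    the 'access to' pattern, which is what slapd does for regex by-clauses."""
    return re.sub(r"\$(\d)", lambda m: match.group(int(m.group(1))), template)


def evaluate(acl, target_dn, bound_dn):
    """Return the access level this single rule grants bound_dn on target_dn.

    None  -> the 'access to' clause did not match; slapd tries the next rule.
    "none" -> the clause matched but no 'by' clause did; slapd denies here.
    bound_dn is None for an anonymous session.
    """
    m = dn_regex_matches(acl["to"], target_dn)
    if m is None:
        return None
    for who, level in acl["by"]:
        if who == "self":
            if bound_dn is not None and bound_dn.lower() == target_dn.lower():
                return level
        elif who == "anonymous":
            if bound_dn is None:
                return level
        elif bound_dn is not None:
            if expand_backrefs(who, m).lower() == bound_dn.lower():
                return level
    return "none"  # implicit trailing 'by * none'


def run_cases():
    """The situations discussed in the thread, keyed as rule/binder/target."""
    return {
        "orig/torgeir/own_entry": evaluate(ORIGINAL_RULE, TORGEIR, TORGEIR),
        "orig/torgeir/app1": evaluate(ORIGINAL_RULE, APP1, TORGEIR),
        "orig/billy/app1": evaluate(ORIGINAL_RULE, APP1, BILLY),
        "orig/anon/app1": evaluate(ORIGINAL_RULE, APP1, None),
        "rewritten/torgeir/own_entry": evaluate(REWRITTEN_RULE, TORGEIR, TORGEIR),
        "rewritten/torgeir/app1": evaluate(REWRITTEN_RULE, APP1, TORGEIR),
        "rewritten/billy/app1": evaluate(REWRITTEN_RULE, APP1, BILLY),
        "self/torgeir/own_entry": evaluate(SELF_RULE, TORGEIR, TORGEIR),
        "self/torgeir/app1": evaluate(SELF_RULE, APP1, TORGEIR),
    }


if __name__ == "__main__":
    for case, result in run_cases().items():
        print(f"{case:30s} -> {result}")
```

Running it shows the point of the reply: with the original rule Torgeir gets `write` on `cn=App1,cn=Torgeir,...` but his own entry does not match the rule at all (so whatever he can do there comes from some other line in slapd.conf), while the rewritten pattern grants him `write` on both and still gives Billy nothing. The `by self` variant covers only the user's own entry, not the children below it.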