RE: [LDAP-SOFTWARE] ACLand regex (matching self)
> -----Original Message-----
> From: owner-openldap-software@OpenLDAP.org
> [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Ace Suares
> The simplest ACL I can devise is this:
>
> # protect all userPasswords.
> # qwido: managers have access to all passwords
> access to attr=userpassword
> by self write
> by group="group=managers,app=qwido" write
> by anonymous auth
>
> access to dn="app=qwido"
> by dn="app=qwido" read
>
>
> I expect it to do the following:
>
> a. let every entry authenticate itself against its password. If an
> 'anonymous' bind is done, it should authenticate. If an existing DN is
> binding, it should authenticate because of 'by self write'.
> Forget about that group, for now, but it should be able to
> authenticate too.
>
> b. Let the one that binds to the database as 'app=qwido' (yes, that entry
> has its own userpassword) read the entry app=qwido and anything under it.
No. 'access to dn="foo=bar"' gives access to exactly one entry "foo=bar" and
nothing else. If you want to give access to everything under it, use
access to dn.sub="foo=bar"
instead.
-- Howard Chu
Chief Architect, Symas Corp. Director, Highland Sun
http://www.symas.com http://highlandsun.com/hyc
Symas: Premier OpenSource Development and Support
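To make the difference between the DN styles in Howard's answer concrete, here is an added example (not code from the thread or from OpenLDAP) that simulates which entries an `access to dn[.style]="app=qwido"` clause covers. It assumes a simplified DN model: RDNs split on unescaped commas, attribute types and values compared case-insensitively, no multi-valued RDNs; the sample entries are constructed for illustration.

```python
"""Simulate OpenLDAP ACL DN scope styles (exact/base, one, children, sub).

Added example, not from the mailing-list thread or the slapd source.
Assumption: a simplified DN parser (no multi-valued RDNs, case-insensitive
comparison of types and values) is good enough to show the scoping rules.
"""
import re

# Constructed sample tree for the thread's 'app=qwido' naming context.
ENTRIES = [
    "app=qwido",
    "group=managers,app=qwido",
    "ou=people,app=qwido",
    "uid=ace,ou=people,app=qwido",
    "app=other",
]


def parse_dn(dn):
    """Split a DN into normalized (type, value) RDN tuples, leaf first."""
    rdns = re.split(r"(?<!\\),", dn)          # commas not escaped with '\'
    out = []
    for rdn in rdns:
        rdn = rdn.strip()
        if not rdn:
            continue
        attr, _, value = rdn.partition("=")
        out.append((attr.strip().lower(), value.strip().lower()))
    return out


def dn_matches(style, pattern, target):
    """True if 'target' falls inside 'dn.<style>="<pattern>"'."""
    p, t = parse_dn(pattern), parse_dn(target)
    if style in ("exact", "base"):           # plain dn= behaves as exact
        return t == p
    # All other styles require the pattern to be a suffix of the target.
    if len(t) < len(p) or t[len(t) - len(p):] != p:
        return False
    depth = len(t) - len(p)                  # 0 = the entry itself
    if style in ("sub", "subtree"):
        return True                          # entry plus every descendant
    if style == "one":
        return depth == 1                    # immediate children only
    if style == "children":
        return depth >= 1                    # descendants, not the entry
    raise ValueError(f"unknown dn style: {style}")


def covered(style, pattern="app=qwido", entries=ENTRIES):
    """Return the sample entries an ACL with this style would apply to."""
    return [e for e in entries if dn_matches(style, pattern, e)]
```

Running `covered("exact")` returns only `app=qwido`, while `covered("sub")` also returns everything beneath it, which is the behaviour the original poster wanted.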