Re: [LDAP-SOFTWARE] ACLand regex (matching self)
At 10:55 AM 2/23/2003, Ace Suares wrote:
>In 2.1.12 in doc/man5/slapd.access.5 is some information, the same as in the
>ldap admin guide 2.1 as far as I can see. It's not clear to me where the
>'system' entries are listed and that there are system entries at all and how
>to put ACL's on them.
The admin guide clarifies this:
As this is the first database, the controls also apply
to entries not held in any database (such as the Root DSE).
I've added a clarification to slapd.access(5) as well.
>Which one do you refer to as STAT ? (256 or 512 ?)
256. But 512 may be useful as well.
>In the openldap admin guide 2.1, the phrase 'root DSE' appears exactly once,
>and not in an explanatory context.
Explaining the X.500/LDAP directory models and their terms is beyond
the scope of the admin guide.
>The acronym 'DSE' appears 3 times. (including the above phrase).
>
>Until now I assumed that the root DSE the top entry is in the database, in my
>case: app=qwido. Is that right ?
No. The root DSE (DSA-specific entry) is the entry at the
root of the DSA Information Tree. DSA here means "directory
server agent". The empty DN refers to the root DSE.
>> >Feb 23 18:13:16 curacao slapd[1057]: => acl_get: [1] check attr
>> > objectClass
>{snip}
>> >But, what's that [1] doing there ?
>>
>> [1] means slapd is looking at the 1st access statement in the list,
>> checking if the target attribute matches.
>
>So, the 'thing being matched' is 'attr objectClass' and it is matched against
>the first ACL in the list ?
Yes, the "what" matches the target. And the "who" matches the subject.
>So, even if I say 'defaultaccess=write' but have at least 1 access rule (ACL)
>specified, then the defaultaccess will be ignored, even if nothing matches
>that rule !?
Yes.
>(I had a totally different idea of what defaultaccess meant !)
Likely you are retaining outdated knowledge from your OpenLDAP 1.x days...
>rule a:
>
>> >access to attr=userpassword
>> >        by self write
>> >        by group="group=managers,app=qwido" write
>> >        by anonymous auth
>> >
>{snip}
>> Rule a actually says: "allow self and managers to modify
>> userPassword; allow anonymous to authenticate"
>
>by 'modify' you mean 'add (if it's not there), delete (if it's there) or
>change (if it's there)' (assuming that the schema allows it) ??
Yes.
>This question comes around to my misconception about the 'write' privilege -
>in many cases 'write' means not only modify (change) but also add and delete.
In OpenLDAP, write permission is needed to update content.
>rule b:
>> >access to dn="app=qwido"
>> >        by dn="app=qwido" read
>
>{snip}
>>
>> Rule b actually says: "allow app=qwido to read app=qwido". It
>> is equivalent to saying:
>> access to dn.exact="app=qwido" by self read
>
>I assume it is equally equivalent to
> access to dn="app=qwido" by self read
>
>or... not ?
Yes. I was just avoiding the unnecessary regex(7) use.
Kurt
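The evaluation order discussed in this thread (slapd walks the access directives in order, stops at the first <what> that matches the target, then takes the first <who> that matches the subject, with an implicit "by * none" at the end; defaultaccess counts only when no access directive exists; entries held in no database, such as the Root DSE, fall under the first database's controls), written out as a small Python model. This is an added example, not code from the thread or from OpenLDAP. The rule set and the group membership are constructed to mirror rules a and b above; the access-level ordering is OpenLDAP's (none < auth < compare < search < read < write); DN handling is naive string comparison, and treating a request that matches no <what> at all as denied is a modelling assumption the thread does not settle.

```python
"""Constructed model of slapd ACL evaluation as described in the thread (not OpenLDAP code)."""
import re
from dataclasses import dataclass
from typing import Optional

# slapd access levels in increasing order; a granted level also grants every level before it.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]


@dataclass
class By:
    who: str     # "*", "anonymous", "users", "self", "dn=<regex>", "dn.exact=<dn>", "group=<dn>"
    level: str   # one of LEVELS


@dataclass
class Rule:
    what: str    # "*", "dn=<regex>", "dn.exact=<dn>", "attr=<name>"
    bys: list    # By clauses, evaluated in order


@dataclass
class Database:
    suffix: str  # naming context of the database
    rules: list  # access directives in slapd.conf order


@dataclass
class Request:
    subject_dn: str       # bound DN; "" means anonymous
    target_dn: str        # entry being accessed; "" is the Root DSE (empty DN)
    attr: Optional[str]   # attribute being accessed, None for the entry itself
    groups: dict          # constructed membership: group DN -> set of member DNs


def dn_under(dn, suffix):
    """Naive suffix test (no DN normalisation), standing in for slapd's backend selection."""
    dn, suffix = dn.lower(), suffix.lower()
    return dn == suffix or dn.endswith("," + suffix)


def rules_for(databases, target_dn):
    """Entries not held in any database (e.g. the Root DSE) use the first database's controls."""
    for db in databases:
        if dn_under(target_dn, db.suffix):
            return db.rules
    return databases[0].rules


def what_matches(what, req):
    if what == "*":
        return True
    kind, _, value = what.partition("=")
    if kind == "dn":            # bare dn= is a regex(7) pattern, as Kurt notes
        return re.fullmatch(value, req.target_dn, re.IGNORECASE) is not None
    if kind == "dn.exact":
        return value.lower() == req.target_dn.lower()
    if kind == "attr":
        return req.attr is not None and value.lower() == req.attr.lower()
    raise ValueError(f"unsupported <what>: {what}")


def who_matches(who, req):
    if who == "*":
        return True
    if who == "anonymous":
        return req.subject_dn == ""
    if who == "users":
        return req.subject_dn != ""
    if who == "self":
        return req.subject_dn != "" and req.subject_dn.lower() == req.target_dn.lower()
    kind, _, value = who.partition("=")
    if kind == "dn":
        return re.fullmatch(value, req.subject_dn, re.IGNORECASE) is not None
    if kind == "dn.exact":
        return value.lower() == req.subject_dn.lower()
    if kind == "group":
        members = req.groups.get(value, set())
        return req.subject_dn.lower() in {m.lower() for m in members}
    raise ValueError(f"unsupported <who>: {who}")


def granted_level(databases, req, defaultaccess="read"):
    """Level the subject gets on the target; the loop index is the [n] seen in acl_get log lines."""
    rules = rules_for(databases, req.target_dn)
    if not rules:
        return defaultaccess          # defaultaccess only matters with no access directives at all
    for n, rule in enumerate(rules, 1):
        if what_matches(rule.what, req):   # "[n] check ...": the <what> of rule n matched
            for by in rule.bys:
                if who_matches(by.who, req):
                    return by.level
            return "none"                  # implicit trailing "by * none"
    return "none"  # no <what> matched: modelling assumption, treated as denied


def allowed(databases, req, needed, defaultaccess="read"):
    return LEVELS.index(granted_level(databases, req, defaultaccess)) >= LEVELS.index(needed)


# Constructed configuration mirroring rules a and b from the thread.
QWIDO = Database("app=qwido", [
    Rule("attr=userpassword", [By("self", "write"),
                               By("group=group=managers,app=qwido", "write"),
                               By("anonymous", "auth")]),
    Rule("dn=app=qwido", [By("dn=app=qwido", "read")]),  # same as dn.exact=... by self read
])
GROUPS = {"group=managers,app=qwido": {"uid=boss,app=qwido"}}  # constructed membership


def check(subject_dn, target_dn, attr, needed):
    return allowed([QWIDO], Request(subject_dn, target_dn, attr, GROUPS), needed)
```

With this rule set, a user writes their own userPassword, a manager writes anyone's, anonymous gets auth but not read, and app=qwido reads itself; the Root DSE (empty DN) is checked against the first database's rules and, since neither rule matches it, ends up with no access unless a rule is added for it.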