
Re: userPassword not SINGLE-VALUE ?




Hi,

> > This is something that bothers me - if a user wants to change a password,
> > he/she needs write access and automagically has read access. Why is there
> > no such thing as a 'change' access level?
>
> Do not use the access levels, use privileges. Access levels increase the
> rights with each step while privileges explicitly allow/forbid each right.
> With the privilege system you can give a user write rights without giving it
> read rights:  by self  =w
> At least if I understand the slapd.access man page correctly ;-)

I've been looking over that part several times and I didn't have a good
understanding of it. Now that you point me to this again, I did a little test:

when using ACL:
access to * 
	by dn.exact="qapp=qwido" =w stop
	by * none break

the command:
ldapsearch -LLL -xv  -D "qApp=qwido" -w abcd -b "qApp=qwido" "(objectclass=*)"

returns:
nothing. (as expected)

when using ACL:
access to * 
	by dn.exact="qapp=qwido" =r stop
	by * none break

the command:
ldapsearch -LLL -xv  -D "qApp=qwido" -w abcd -b "qApp=qwido" "(objectclass=*)"

returns:
nothing. (as NOT expected according to your theory)

when using ACL:
access to * 
	by dn.exact="qapp=qwido" =scr stop
	by * none break

the command:
ldapsearch -LLL -xv  -D "qApp=qwido" -w abcd -b "qApp=qwido" "(objectclass=*)"

returns:
all entries with all attributes. (as expected in any theory).

Anyone with a final word on how 'privileges' differ from 'levels'?

My conclusion thus far is that you need all underlying privileges, so if you 
want w, you need scr too. 

_Ace

>
> I think with the access levels/privileges to entries you are right:
> Operations on entries that are not pure attribute modifications are Create,
> Rename and Delete. It looks like they cannot be allowed/forbidden
> separately.
>
> Let me suggest the letters that start these operations (in uppercase)  as
> an extension to the privilege system: C=create, R=rename, D=delete  ;-)))

website: http://www.suares.nl * http://www.qwikzite.nl
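The ACL below is an added illustration for the thread's original question (write access to a password without read access); it is not from either poster. It is written for slapd.conf in OpenLDAP's privilege syntax, where "=" followed by letters grants exactly those rights (w write, r read, s search, c compare, x authenticate) instead of a cumulative level. The "by self" clause and the userPassword attribute name are standard; the assumption that users bind with their own entry DN is mine.

```conf
# slapd.conf ACL fragment (added example, not from the original thread).
# Assumes users bind as their own entry DN, so "self" matches them.

# userPassword: a bound user may overwrite, but never read, their own
# password.  "=w" is the privilege form and grants only write; the cumulative
# level "write" would also imply read, search and compare.
# Anonymous needs "auth" (level, equivalent to "=x") so that a simple bind can
# compare the stored password hash.
access to attrs=userPassword
        by self =w
        by anonymous auth
        by * none

# All other attributes: the user may search, compare and read their own entry.
# An ldapsearch needs "s" on the attributes in its filter (objectClass for
# "(objectclass=*)") and "r" on the returned entry, which is why a bare "=r"
# or "=w" on "*" returns nothing in the tests above.  Nothing else is granted.
access to *
        by self =rsc
        by * none
```

Because ACLs are evaluated in order and the first matching "access to" wins, the userPassword rule must come before the catch-all "access to *"; reversing them would silently give self read access to the password hash via the second rule.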