[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: userPassword not SINGLE-VALUE ?

To: OpenLDAP Software List <openldap-software@OpenLDAP.org>
Subject: Re: userPassword not SINGLE-VALUE ?
From: Ace Suares <ace@suares.nl>
Date: Sat, 8 Nov 2003 14:38:37 -0400
Content-description: clearsigned data
Content-disposition: inline
In-reply-to: <200311081832.13116.peter@adpm.de>
Organization: Ace Suares' Internet Consultancy
References: <003601c3a5d1$64313440$1801a8c0@CELLO> <200311080947.28323.ace@suares.nl> <200311081832.13116.peter@adpm.de>
User-agent: KMail/1.5.1

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Hi,

> > This is something that bothers me - if a user wants to change a password,
> > he/she need write access and automagically has read access. Why is there
> > not such thing as 'change' access level ?
>
> Do not use the access levels, use privileges. Access levels  increase the
> rights with each step while privieges explicitely allow/forbid each right.
> Wth the privilege system you can give a user write rights with giving it
> read rights:  by self  =w
> At least if I unserstand the slapd.access man page correctly ;-)

I've been looking over that part several times and I didn't have a good 
understanding of it. Now you point me to this again, i did a little test:

when using ACL:
access to * 
	by dn.exact="qapp=qwido" =w stop
	by * none break

the command:
ldapsearch -LLL -xv  -D "qApp=qwido" -w abcd -b "qApp=qwido" "(objectclass=*)"

returns:
nothing. (as expected)

when using ACL:
access to * 
	by dn.exact="qapp=qwido" =r stop
	by * none break

the command:
ldapsearch -LLL -xv  -D "qApp=qwido" -w abcd -b "qApp=qwido" "(objectclass=*)"

returns:
nothing. (as NOT expected according to your theory)

when using ACL:
access to * 
	by dn.exact="qapp=qwido" =scr stop
	by * none break

the command:
ldapsearch -LLL -xv  -D "qApp=qwido" -w abcd -b "qApp=qwido" "(objectclass=*)"

returns:
all entries with all attributes. (as expected in any theory).

Anyone with a final word on how 'priviliges' differ from 'levels' ?

My conclusion thus far is that you need all underlying privileges, so if you 
want w, you need scr too. 

_Ace

>
> I think with the access levels/privileges to entries you are right:
> Operations on entries that are not pure attribute modifications are Create,
> Rename and Delete. It looks like they cannot be allowed/forbidded
> separately.
>
> Let me suggest the letters that start these operations (in uppercase)  as
> an extension to the privilege system: C=create, R=rename, D=delete  ;-)))

website: http://www.suares.nl * http://www.qwikzite.nl
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2-rc1-SuSE (GNU/Linux)

iD8DBQE/rTgty7boE8xtIjURAlO0AJ4hdPTXVyMURjEkLXuNkDvD8TVnkwCdHk2J
CfOu7xRc1FEfivIbLGFxI5Q=
=xylD
-----END PGP SIGNATURE-----

References:
- RE: userPassword not SINGLE-VALUE ?
  - From: "Howard Chu" <hyc@symas.com>
- Re: userPassword not SINGLE-VALUE ?
  - From: Ace Suares <ace@suares.nl>
- Re: userPassword not SINGLE-VALUE ?
  - From: Peter Marschall <peter@adpm.de>

Prev by Date: Probable newb problem
Next by Date: Re: Question on ldap_add: No such object error
Index(es):
- Chronological
- Thread