Re: userPassword not SINGLE-VALUE ?
Hi,
> > This is something that bothers me - if a user wants to change a password,
> > he/she needs write access and automagically has read access. Why is there
> > no such thing as a 'change' access level?
>
> Do not use the access levels, use privileges. Access levels increase the
> rights with each step while privileges explicitly allow/forbid each right.
> With the privilege system you can give a user write rights without giving it
> read rights: by self =w
> At least if I understand the slapd.access man page correctly ;-)
I've been looking over that part several times and I didn't have a good
understanding of it. Now that you point me to this again, I did a little test:
when using ACL:
    access to *
      by dn.exact="qapp=qwido" =w stop
      by * none break
the command:
    ldapsearch -LLL -xv -D "qApp=qwido" -w abcd -b "qApp=qwido" "(objectclass=*)"
returns:
    nothing. (as expected)

when using ACL:
    access to *
      by dn.exact="qapp=qwido" =r stop
      by * none break
the command:
    ldapsearch -LLL -xv -D "qApp=qwido" -w abcd -b "qApp=qwido" "(objectclass=*)"
returns:
    nothing. (as NOT expected according to your theory)

when using ACL:
    access to *
      by dn.exact="qapp=qwido" =scr stop
      by * none break
the command:
    ldapsearch -LLL -xv -D "qApp=qwido" -w abcd -b "qApp=qwido" "(objectclass=*)"
returns:
    all entries with all attributes. (as expected in any theory)
Anyone with a final word on how 'privileges' differ from 'levels'?
My conclusion thus far is that you need all underlying privileges, so if you
want w, you need scr too.
_Ace
>
> I think with the access levels/privileges to entries you are right:
> Operations on entries that are not pure attribute modifications are Create,
> Rename and Delete. It looks like they cannot be allowed/forbidden
> separately.
>
> Let me suggest the letters that start these operations (in uppercase) as
> an extension to the privilege system: C=create, R=rename, D=delete ;-)))
website: http://www.suares.nl * http://www.qwikzite.nl
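Added illustration, not part of the message above and not OpenLDAP's own code: a small Python model of the difference between slapd.access(5) access levels (cumulative: each level implies all lower ones) and explicit `=` privileges (exactly the listed letters, nothing more), run against the three ACLs from the test above plus a level-based `write` clause for comparison. The search rule it applies is the one from the man page: an entry is returned only when the bound identity has search (`s`) access to the attributes in the filter and read (`r`) access to the attributes returned, which is why `=w` and `=r` alone both come back empty while `=scr` does not. The ACL parser handles only the subset of syntax used in the post, and the DN normalisation (lower-casing components) is a constructed simplification of LDAP's case-insensitive attribute types; the access-control names and letters themselves are the real slapd ones.

```python
"""Model of slapd.access(5) levels vs. explicit privileges (added example, simplified)."""

# Cumulative access levels: each level grants every level to its left.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]
LEVEL_TO_PRIV = {"disclose": "d", "auth": "x", "compare": "c",
                 "search": "s", "read": "r", "write": "w", "manage": "m"}
ALL_PRIVS = set("mwazrscxd")


def _expand(privs):
    """'w' is shorthand for adding (a) and deleting (z) attribute values."""
    return privs | {"a", "z"} if "w" in privs else privs


def level_privs(level):
    """Expand an access level into the privilege letters it grants."""
    upto = LEVELS.index(level)  # ValueError on an unknown level name
    return _expand({LEVEL_TO_PRIV[name] for name in LEVELS[1:upto + 1]})


def parse_access(token):
    """Parse the <access> part of a 'by' clause: a level name, or '=' + letters.
    '=' sets exactly the listed privileges; nothing below them is implied."""
    if token.startswith("="):
        privs = set(token[1:])
        unknown = privs - ALL_PRIVS
        if unknown:
            raise ValueError(f"unknown privilege letters: {sorted(unknown)}")
        return _expand(privs)
    return level_privs(token)


def normalize_dn(dn):
    """Constructed simplification: attribute types in a DN are case-insensitive,
    so 'qApp=qwido' (bind DN) and 'qapp=qwido' (ACL) name the same entry."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def parse_by_clauses(acl_text):
    """Return (who, privileges, control) for each 'by' line of one directive."""
    clauses = []
    for line in acl_text.strip().splitlines():
        parts = line.split()
        if not parts or parts[0] != "by":
            continue  # the 'access to ...' line names the target, not a subject
        who, access = parts[1], parts[2]
        control = parts[3] if len(parts) > 3 else "stop"
        clauses.append((who, parse_access(access), control))
    return clauses


def effective_privs(acl_text, bind_dn):
    """Privileges the bound identity gets on the directive's target.
    The first matching 'by' clause decides; 'break' would continue with the
    next access directive, but this model evaluates a single directive."""
    for who, privs, _control in parse_by_clauses(acl_text):
        if who == "*":
            return privs
        if who.startswith("dn.exact="):
            wanted = who[len("dn.exact="):].strip('"')
            if normalize_dn(wanted) == normalize_dn(bind_dn):
                return privs
    return set()


def search_returns_entries(privs):
    """slapd.access(5): search needs 's' on the filter's attributes and 'r'
    on the attributes to be returned. One without the other yields nothing."""
    return "s" in privs and "r" in privs


def can_write(privs):
    """Whether the identity may modify attribute values (e.g. userPassword)."""
    return "w" in privs


# The three ACLs from the test above, plus a cumulative-level 'write' for contrast.
ACL_W = 'access to *\n by dn.exact="qapp=qwido" =w stop\n by * none break'
ACL_R = 'access to *\n by dn.exact="qapp=qwido" =r stop\n by * none break'
ACL_SCR = 'access to *\n by dn.exact="qapp=qwido" =scr stop\n by * none break'
ACL_WRITE_LEVEL = 'access to *\n by dn.exact="qapp=qwido" write stop\n by * none break'

if __name__ == "__main__":
    for name, acl in [("=w", ACL_W), ("=r", ACL_R), ("=scr", ACL_SCR),
                      ("write", ACL_WRITE_LEVEL)]:
        p = effective_privs(acl, "qApp=qwido")
        print(f"{name:>6}: privs={''.join(sorted(p)) or '-':9} "
              f"search returns entries={search_returns_entries(p)!s:5} "
              f"can write={can_write(p)}")
```

The last line of the output is the one that answers the original question: the cumulative level `write` carries `r` and `s` along with `w`, so a user allowed to change userPassword that way can also read the whole entry, whereas `=w` grants the modification right alone. Note also that the `=r` result in the test is not a failure of the privilege model but a consequence of the search rule: the filter `(objectclass=*)` needs `s`, which `=r` does not include.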