
Re: ACL for only creating entry



> To Ace Suares:
>
> I tried your last suggestion of:
>
> # Make the user entry writable for WebRegister
> # make the user entry readable for users
> access to dn.regex="uid=(.+),ou=users,dc=theoretic,dc=com" attrs=entry
>   by dn.regex="uid=$1,ou=users,dc=theoretic,dc=com" read
>   by dn.base="uid=webregister,ou=services,dc=theoretic,dc=com" write
>   by * none
>
> # Forbid access to the other attributes of individual user entries by
> # WebRegister
> access to dn.regex="uid=(.+),ou=users,dc=theoretic,dc=com"
>   by dn.regex="uid=$1,ou=users,dc=theoretic,dc=com" read
>   by * none
>
> # Grant access to WebRegister to create new users,
> #  even if it can't see them (above ACL)
> access to dn.base="ou=users,dc=example,dc=com" attrs=children
>   by dn.base="uid=webregister,ou=services,dc=theoretic,dc=com" write
>   by * none
>
> But it only works as intended if I add the following 4th rule at the
> end, giving webregister write access to the grandparent node of the
> individual users (the parent of the node where users are created).
>
> ## Default to read access.
> access to dn=".*,dc=theoretic,dc=com"
>  by dn="uid=webregister,ou=services,dc=theoretic,dc=com" write
>  by self write

This rule is totally unnecessary.  It has nothing to do with
access to users, i.e. entries below "ou=users,dc=theoretic,dc=com".

With the first rule on top you gave webregister write access
only to the "entry" meta-attribute, which is totally meaningless.
How can you expect the entry data to be written if only access
to this meta-attribute is given?  You need to give full write
access to the entry attributes.  This is why you currently need
this last rule.  Try

access to dn.regex="uid=(.+),ou=users,dc=theoretic,dc=com"
   by dn.exact,expand="uid=$1,ou=users,dc=theoretic,dc=com" read
   by dn.exact="uid=webregister,ou=services,dc=theoretic,dc=com" write
   by * none

access to dn.base="ou=users,dc=example,dc=com" attrs=children
   by dn.base="uid=webregister,ou=services,dc=theoretic,dc=com" write
   by * none

Then webregister will have write access only below the
"ou=users,dc=example,dc=com" subtree.

p.

> I unfortunately can't afford to give webregister this access because
> then some crafty cracker could access info outside of the users (such as
> in my ou=services for non-human login accounts or ou=hosts for domains
> that my box controls). And I only get the intended results by giving
> webregister write access, so it seems there is something it needs to
> write to not covered by the previous ACLs. I can't seem to figure out
> why, though, after messing with it for a few hours.


-- 
Pierangelo Masarati
mailto:pierangelo.masarati@sys-net.it
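As an added example (not from the thread and not OpenLDAP code), here is a small Python model of how slapd walks the two rules suggested in the reply, contrasted with the quoted rule that gave webregister write access to the "entry" pseudo-attribute only. It assumes dc=theoretic,dc=com as the suffix for both rules and a simplified evaluation order: the first "access to" clause whose target matches is consulted, and within it the first matching "by" clause decides.

```python
import re

# Constructed model of slapd ACL evaluation (not OpenLDAP code). Assumptions:
# levels are ordered none < read < write; the first "access to" clause whose
# target matches is the only one consulted and its first matching "by" clause
# decides; a clause without attrs= covers every attribute plus the entry and
# children pseudo-attributes; dc=theoretic,dc=com is the suffix throughout.
LEVELS = {"none": 0, "read": 1, "write": 2}
WEBREG = "uid=webregister,ou=services,dc=theoretic,dc=com"
USER_RE = re.compile(r"^uid=(.+),ou=users,dc=theoretic,dc=com$")
SELF = ("expand", "uid=$1,ou=users,dc=theoretic,dc=com", "read")
# access to dn.base="ou=users,dc=theoretic,dc=com" attrs=children
CHILDREN = {"target": re.compile(r"^ou=users,dc=theoretic,dc=com$"),
            "attrs": {"children"},
            "by": [("exact", WEBREG, "write"), ("anyone", None, "none")]}
# The reply's corrected rule: webregister may write all attributes of a user.
FIXED = [{"target": USER_RE, "attrs": None,
          "by": [SELF, ("exact", WEBREG, "write"), ("anyone", None, "none")]},
         CHILDREN]
# The quoted rules: webregister may write only the "entry" pseudo-attribute,
# and a second clause hides every other attribute from it.
ENTRY_ONLY = [dict(FIXED[0], attrs={"entry"}),
              {"target": USER_RE, "attrs": None,
               "by": [SELF, ("anyone", None, "none")]},
              CHILDREN]


def granted(acls, bind_dn, target_dn, attr, wanted):
    """True if bind_dn gets at least `wanted` access to attr of target_dn."""
    for acl in acls:
        m = acl["target"].match(target_dn)
        if not m or (acl["attrs"] is not None and attr not in acl["attrs"]):
            continue
        for kind, who, level in acl["by"]:
            if kind == "expand":
                who = who.replace("$1", m.group(1))  # dn.exact,expand="...$1..."
            if kind == "anyone" or bind_dn == who:
                return LEVELS[level] >= LEVELS[wanted]
        return False  # target matched but no "by" clause did: denied
    return False      # no clause matched: slapd's default is none


def can_add(acls, bind_dn, new_dn):
    """An ldapadd needs write on the parent's children pseudo-attribute AND
    write on the new entry's own attributes, which the entry-only rule lacks."""
    parent = new_dn.split(",", 1)[1]  # naive DN parsing, fine for these DNs
    return (granted(acls, bind_dn, parent, "children", "write")
            and granted(acls, bind_dn, new_dn, "userPassword", "write"))
```

The model reproduces the reply's point: with FIXED, webregister can add under ou=users and nowhere else, users read but cannot write their own entry, and with ENTRY_ONLY the add is refused because the new entry's attributes are not writable.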