Re: ACL the 3rd try...
> Hi!
>
> OpenLDAP: 2.2.14
> Evolution: 1.4.5
>
> I would like to be able to modify my own entry (as self write).
> My own dn is: cn=Arbeiter 1,ou=produktion,o=adressbuch,dc=abmas,dc=biz
>
> Here is my ACL
>
> ## let users read userPassword in order to Auth
> access to dn="ou=produktion,o=adressbuch,dc=abmas,dc=biz"
>         attr=userPassword
>         by self write
>         by anonymous auth
>
> ## Allow Manager to write everything under production.
> ## Allow self to write
> ## rest read access
> access to dn.subtree="ou=produktion,o=adressbuch,dc=abmas,dc=biz"
>         by dn="cn=Manager,ou=produktion,o=adressbuch,dc=abmas,dc=biz" write
>         by self write
>         by * read
the first rule says that the password of the entry
"ou=produktion,o=adressbuch,dc=abmas,dc=biz" must be
accessible "auth" by anonymous and writable by self;
the second rule states that everything below that entry,
including the entry itself, must be readable by everybody
and writable by self; I guess
"cn=Manager,ou=produktion,o=adressbuch,dc=abmas,dc=biz"
is the rootdn of your database, so you can strip that
"by" clause since it's implicit (and well documented
since UMich's ldap-3.3, as far as I remember).
As a consequence, assuming your entry is somewhere below
"ou=produktion,o=adressbuch,dc=abmas,dc=biz" and you're using
simple bind with credentials in userPassword, then I don't
see any problems in modifying your own entry; moreover,
everybody should be able to read your password since
you allow read access to any attribute of any entry below
"ou=produktion,o=adressbuch,dc=abmas,dc=biz".
You should check:
- what does your identity look like (hint: try with
ldapwhoami)
- are you sure you're binding correctly? (hint: look at
the logs; -d 256 should suffice)
- otherwise, have a look at the logs with -d 128, to see
what ACL processing looks like.
More sane ACLs would look like:
## let users read userPassword in order to Auth
access to dn.subtree="ou=produktion,o=adressbuch,dc=abmas,dc=biz"
        attr=userPassword
        by self =xw
        by anonymous auth
## Allow Manager to write everything under production.
## Allow self to write
## rest read access
access to dn.subtree="ou=produktion,o=adressbuch,dc=abmas,dc=biz"
        by self write
        by * read
p.
--
Pierangelo Masarati
mailto:pierangelo.masarati@sys-net.it
SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497
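The following is an added example, not part of the thread and not OpenLDAP code: a small Python model of the slapd ACL evaluation rules the reply relies on (first `access to` clause whose target matches the entry and attribute wins, first matching `by` inside it wins, implicit `by * none` at the end of a clause, rootdn bypass, plain `dn=` meaning exact match). It parses the two ACL sets quoted above and shows who ends up with `read` on the poster's userPassword under each. The DN `cn=Arbeiter 2,...` is a constructed second user, and `cn=Manager,...` is assumed to be the rootdn as the reply guesses.

```python
"""Toy model of slapd ACL evaluation (added example, not OpenLDAP code).

Enough of slapd.access(5) to show why the quoted ACL lets everybody read
userPassword and the rewrite does not: the first 'access to' clause whose
<what> matches entry and attribute is the only one consulted, in it the
first matching 'by' wins, a clause matching nobody ends with an implicit
'by * none', and the rootdn bypasses ACLs.  DNs are compared as strings.
"""
import shlex

BASE = "ou=produktion,o=adressbuch,dc=abmas,dc=biz"
ROOTDN = f"cn=Manager,{BASE}"        # assumed to be the database rootdn
ARBEITER1 = f"cn=Arbeiter 1,{BASE}"  # the poster's own DN
ARBEITER2 = f"cn=Arbeiter 2,{BASE}"  # constructed: another user in the OU

LEVELS = ["auth", "compare", "search", "read", "write"]  # weakest first
PRIV_CHARS = {"x": "auth", "c": "compare", "s": "search", "r": "read", "w": "write"}

def expand(spec):
    """'read' -> {auth, compare, search, read}; '=xw' -> exactly {auth, write}."""
    if spec.startswith("="):
        return {PRIV_CHARS[c] for c in spec[1:]}
    return set() if spec == "none" else set(LEVELS[: LEVELS.index(spec) + 1])

def parse_acls(conf):
    """Parse 'access to <what> [attr=<list>] by <who> <access> ...' directives."""
    tokens, acls, i = shlex.split(conf, comments=True), [], 0
    while i < len(tokens):
        assert tokens[i:i + 2] == ["access", "to"], tokens[i]
        i, dn, attrs = i + 2, ("any", ""), None
        while tokens[i] != "by":
            key, _, val = tokens[i].partition("=")
            if key.startswith("dn"):      # plain "dn" is exact match, "dn.subtree" is subtree
                dn = (key[3:] or "exact", val)
            elif key in ("attr", "attrs"):
                attrs = set(val.split(","))
            i += 1
        by = []
        while i < len(tokens) and tokens[i] == "by":
            by.append((tokens[i + 1], tokens[i + 2]))
            i += 3
        acls.append((dn, attrs, by))
    return acls

def dn_matches(style, base, entry_dn):
    if style == "any":
        return True
    if style in ("exact", "base"):
        return entry_dn == base
    if style == "subtree":
        return entry_dn == base or entry_dn.endswith("," + base)
    raise ValueError(f"unsupported dn style {style!r}")

def who_matches(who, bind_dn, entry_dn):
    if who.startswith("dn="):
        return bind_dn == who[3:]
    return {"*": True, "anonymous": bind_dn is None,
            "self": bind_dn is not None and bind_dn == entry_dn}[who]

def granted(acls, bind_dn, entry_dn, attr, rootdn=ROOTDN):
    """Privileges bind_dn (None = anonymous) has on attr of entry_dn."""
    if bind_dn == rootdn:
        return set(LEVELS)              # rootdn is never subject to ACLs
    for (style, base), attrs, by in acls:
        if not dn_matches(style, base, entry_dn) or (attrs is not None and attr not in attrs):
            continue
        for who, spec in by:
            if who_matches(who, bind_dn, entry_dn):
                return expand(spec)
        return set()                    # implicit 'by * none' ends the clause
    return set()                        # no clause matched: denied

def password_readers(acls, entry_dn, identities):
    """Identities (None = anonymous) that get 'read' on entry_dn's userPassword."""
    return [i for i in identities if "read" in granted(acls, i, entry_dn, "userPassword")]

# The ACL from the question: dn= without a style matches only the ou entry itself.
ORIGINAL = f'''access to dn="{BASE}" attr=userPassword
    by self write
    by anonymous auth
access to dn.subtree="{BASE}"
    by dn="{ROOTDN}" write
    by self write
    by * read
'''

# The rewrite from the answer: password rule scoped to the subtree, =xw instead of write.
SANER = f'''access to dn.subtree="{BASE}" attr=userPassword
    by self =xw
    by anonymous auth
access to dn.subtree="{BASE}"
    by self write
    by * read
'''

if __name__ == "__main__":
    for name, conf in (("original", ORIGINAL), ("saner", SANER)):
        acls = parse_acls(conf)
        print(name, "self on userPassword:", sorted(granted(acls, ARBEITER1, ARBEITER1, "userPassword")))
        print(name, "can read Arbeiter 1's password:", password_readers(acls, ARBEITER1, [None, ARBEITER1, ARBEITER2, ROOTDN]))
```

Under the original rules the first clause never fires for `cn=Arbeiter 1,...` (its `dn=` target is the ou entry only), so the second clause's `by * read` hands the password hash to anonymous and to every other user, exactly as the reply points out; the self write the poster was missing is granted in both versions, so the failure must be in how the client binds, not in the ACL. With the rewrite, the owner gets only `=xw` on userPassword (enough to bind and to change it, not to read the hash back), anonymous gets `auth`, and everyone else falls off the end of the clause into the implicit `by * none`.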