Weird access list entries

OpenLDAP 2.2.17 under test, 2.0.25 in production.

I've been cleaning up some messes made by a predecessor, when I noticed 
these odd ACLs; let's see if my understanding is correct:

access to attrs=userPassword
	by self write
	by dn.regex="^uid=.*,ou=CIAdmin,dc=..,dc=company,dc=com$" write
	by anonymous auth
	by * search

This allows anyone to write their own password, and allows a CIAdmin to 
set (and read!) someone else's.  What would be the point of the "search"?  
To look for weak passwords or something, which means *anyone* can?

access to attrs=entry
	by self write
	by dn.regex="^uid=.*,ou=CIAdmin,dc=..,dc=company,dc=com$" write
	by * read

This allows any entry to modify itself, and allows a CIAdmin to do it for 
them.  All information (except userPassword) is public.

access to dn.regex="^uid=.*,ou=CIAdmin,dc=..,dc=company,dc=com$"
	by self write
	by * read

A CIAdmin can modify his/her own entry, but not that of any other.

access to dn.regex="^uid=.*,dc=.*,dc=company,dc=com$"
	by self write
	by dn.regex="^uid=.*,ou=CIAdmin,dc=..,dc=company,dc=com$" write
	by * read

Any user can update their own entry (isn't this implied by the previous 
attrs=entry?), a CIAdmin can do it for them (redundant again?), and all 
information (except userPassword) is public (ditto?).  In short, the 
entire ACL is redundant?

access to dn.regex="^ciHost=[a-z][a-z]*,dc=company,dc=com$"
	by self write
	by anonymous auth
	by * none

A computer can update itself (redundant?), can bind, and the "* none" is 
implied anyway.

access to *
	by dn.regex="^uid=.*,ou=CIAdmin,dc=..,dc=company,dc=com$" write
	by * read

Looks like another redundant ACL...

-- 
Dave Horsfall  DTM  VK2KFU  daveh@ci.com.au  Ph: +61 2 8425-5508 (d) -5500 (sw)
Corinthian Engineering, Level 1, 401 Pacific Hwy, Artarmon, NSW 2064, Australia
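The evaluation rules behind the questions above (the first matching `access to` clause is chosen, then the first matching `by` clause within it, and each privilege level implies the lower ones), as an added Python model that is not part of the original message or of OpenLDAP: it parses the first ACL quoted in the post and reports what `by * search` hands an ordinary authenticated user on someone else's userPassword. The bind DNs in the test (`uid=bob,ou=People,...` and similar) are constructed assumptions, and the matcher only understands `*`, `anonymous`, `self` and `dn.regex`.

```python
import re

# OpenLDAP privilege levels are cumulative: 'search' implies 'compare' and 'auth'.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]

# Constructed sample: the userPassword ACL quoted in the post.
SAMPLE_ACLS = """
access to attrs=userPassword
    by self write
    by dn.regex="^uid=.*,ou=CIAdmin,dc=..,dc=company,dc=com$" write
    by anonymous auth
    by * search
"""

def parse_acls(text):
    """Return [(what, [(who, level), ...]), ...] in file order."""
    acls = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("access to "):
            acls.append((line[len("access to "):], []))
        elif line.startswith("by ") and acls:
            who, level = line[3:].rsplit(None, 1)
            acls[-1][1].append((who, level))
    return acls

def who_matches(who, subject, target_dn):
    """Simplified matcher: subject is 'anonymous' or the requester's bind DN."""
    if who in ("*", "anonymous", "self"):
        return {"*": True, "anonymous": subject == "anonymous",
                "self": subject == target_dn}[who]
    m = re.match(r'dn\.regex="(.*)"$', who)
    return bool(m) and subject != "anonymous" and re.match(m.group(1), subject) is not None

def effective_level(acls, attr, subject, target_dn):
    """Privilege `subject` holds on `attr` of `target_dn` under slapd's rules."""
    for what, clauses in acls:
        if what in ("*", "attrs=" + attr):          # first matching 'access to' wins
            for who, level in clauses:
                if who_matches(who, subject, target_dn):
                    return level                     # first matching 'by' wins
            return "none"                            # clause matched, no 'by' did
    return "none"                                    # implicit final 'by * none'

def password_exposure(acls, subject, target_dn):
    """Level above 'auth' that `subject` gets on another entry's userPassword, else None."""
    level = effective_level(acls, "userPassword", subject, target_dn)
    return level if LEVELS.index(level) > LEVELS.index("auth") else None
```

Because `by anonymous auth` precedes `by * search`, an anonymous bind gets only `auth`, but any authenticated user falls through to `search`, which is what the post's "anyone can" question is really about.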