Weird access list entries
OpenLDAP 2.2.17 under test, 2.0.25 in production.
I've been cleaning up some messes made by a predecessor, when I noticed
these odd ACLs; let's see if my understanding is correct:
access to attrs=userPassword
    by self write
    by dn.regex="^uid=.*,ou=CIAdmin,dc=..,dc=company,dc=com$" write
    by anonymous auth
    by * search
This allows anyone to write their own password, and allows a CIAdmin to
set (and read!) someone else's. What would be the point of the "search"?
To look for weak passwords or something, which means *anyone* can?
access to attrs=entry
    by self write
    by dn.regex="^uid=.*,ou=CIAdmin,dc=..,dc=company,dc=com$" write
    by * read
This allows any entry to modify itself, and allows a CIAdmin to do it for
them. All information (except userPassword) is public.
access to dn.regex="^uid=.*,ou=CIAdmin,dc=..,dc=company,dc=com$"
    by self write
    by * read
A CIAdmin can modify his/her own entry, but not that of any other.
access to dn.regex="^uid=.*,dc=.*,dc=company,dc=com$"
    by self write
    by dn.regex="^uid=.*,ou=CIAdmin,dc=..,dc=company,dc=com$" write
    by * read
Any user can update their own entry (isn't this implied by the previous
attrs=entry?), a CIAdmin can do it for them (redundant again?), and all
information (except userPassword) is public (ditto?). In short, the
entire ACL is redundant?
access to dn.regex="^ciHost=[a-z][a-z]*,dc=company,dc=com$"
    by self write
    by anonymous auth
    by * none
A computer can update itself (redundant?), can bind, and the "* none" is
implied anyway.
access to *
    by dn.regex="^uid=.*,ou=CIAdmin,dc=..,dc=company,dc=com$" write
    by * read
Looks like another redundant ACL...
--
Dave Horsfall DTM VK2KFU daveh@ci.com.au Ph: +61 2 8425-5508 (d) -5500 (sw)
Corinthian Engineering, Level 1, 401 Pacific Hwy, Artarmon, NSW 2064, Australia
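Added example, not part of the post above: a small Python model of how slapd evaluates these six ACLs (the first `access to` clause whose target matches is selected, then its first matching `by` clause decides, and an unmatched `by` list means `none`). It assumes the OpenLDAP 2.2 access-level ordering, constructed sample DNs under dc=au, and ignores `continue`/`break` control and the `users` keyword. Run over the post's rules it shows that `by * search` on userPassword reaches every authenticated non-admin user (anonymous hits the `auth` clause first), and that CIAdmins can set each other's passwords because the userPassword rule precedes the CIAdmin-entry rule.

```python
import re

# Access levels in OpenLDAP 2.2 order (no "disclose" yet); a higher level implies the lower ones.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]

ADMIN_RE = r"^uid=.*,ou=CIAdmin,dc=..,dc=company,dc=com$"

# The six ACLs from the post, in slapd.conf order: (dn regex or None, attrs or None, by clauses).
ACLS = [
    (None, {"userPassword"}, [("self", "write"), (ADMIN_RE, "write"), ("anonymous", "auth"), ("*", "search")]),
    (None, {"entry"}, [("self", "write"), (ADMIN_RE, "write"), ("*", "read")]),
    (ADMIN_RE, None, [("self", "write"), ("*", "read")]),
    (r"^uid=.*,dc=.*,dc=company,dc=com$", None, [("self", "write"), (ADMIN_RE, "write"), ("*", "read")]),
    (r"^ciHost=[a-z][a-z]*,dc=company,dc=com$", None, [("self", "write"), ("anonymous", "auth"), ("*", "none")]),
    (None, None, [(ADMIN_RE, "write"), ("*", "read")]),
]

def who_matches(who, requester, target_dn):
    """requester is the bind DN, or None for an anonymous connection."""
    if who == "*":
        return True
    if who == "anonymous":
        return requester is None
    if who == "self":
        return requester is not None and requester == target_dn
    return requester is not None and re.match(who, requester) is not None

def granted(target_dn, attr, requester, acls=ACLS):
    """Level slapd grants requester on attr of target_dn: first matching 'access to'
    clause wins, then its first matching 'by' clause; nothing matching means none."""
    for dn_re, attrs, by_clauses in acls:
        if dn_re is not None and not re.match(dn_re, target_dn):
            continue
        if attrs is not None and attr not in attrs:
            continue
        for who, level in by_clauses:
            if who_matches(who, requester, target_dn):
                return level
        return "none"  # 'access to' matched but no 'by' applied: implicit 'by * none'
    return "none"

def allowed(target_dn, attr, requester, level, acls=ACLS):
    """True when the granted level is at least the requested one."""
    return LEVELS.index(granted(target_dn, attr, requester, acls)) >= LEVELS.index(level)

# Constructed sample DNs (dc=au satisfies the two-character dc=.. in the post's regexes).
ALICE = "uid=alice,ou=People,dc=au,dc=company,dc=com"
BOB = "uid=bob,ou=People,dc=au,dc=company,dc=com"
ADM1 = "uid=adm1,ou=CIAdmin,dc=au,dc=company,dc=com"
ADM2 = "uid=adm2,ou=CIAdmin,dc=au,dc=company,dc=com"
```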