Re: @OC notation in ACLs: does it include the OC itself?
On Wed, 2006-05-24 at 16:59 -0300, Andreas Hasenack wrote:
> (openldap-2.3.23)
>
> If I have an ACL like this:
>
> access to dn.subtree="dc=example,dc=com"
> attrs=@shadowAccount
> by group.exact="cn=LDAP Admins,ou=System Groups,dc=example,dc=com"
> by * none
>
> Would it be equivalent to, instead of using @shadowAccount, just listing all
> attributes of that class?
Yes.
> Or does the above ACL also require that the entry has
> the shadowAccount object class?
No.
> I ask because attributes are shared among different object classes. For
> example, both posixAccount and shadowAccount use userPassword.
>
> So, would the above ACL let a member of LDAP Admins update the userPassword
> attribute in this sample entry?
>
> dn: uid=foo,ou=People,dc=example,dc=com
> uid: foo
> objectClass: inetOrgPerson
> objectClass: posixAccount
> cn: foo
> sn: foo
> userPassword: secret <-----
> (...)
As soon as shadowAccount contains "userPassword" as either a required or
an allowed attribute, yes. What the access checking code does when
encountering a "@objectClassName" attribute is check whether the attribute is
listed as either a required or an allowed attribute for that
objectClass. Consider "@objectClassName" as a shortcut for a complete
listing of that objectClass's attributes.
p.
Ing. Pierangelo Masarati
Responsabile Open Solution
OpenLDAP Core Team
SysNet s.n.c.
Via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
------------------------------------------
Office: +39.02.23998309
Mobile: +39.333.4963172
Email: pierangelo.masarati@sys-net.it
------------------------------------------
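The expansion rule described in the reply above, shown as an added example (not code from the thread or from OpenLDAP itself): the `@objectClassName` form of `attrs=` is replaced by the required (MUST) and allowed (MAY) attributes of that objectClass, and the entry's own `objectClass` values are never consulted. The objectClass definitions are constructed here in RFC 4512 style after the shapes of `shadowAccount` and `posixAccount` in OpenLDAP's nis.schema; the sample entry mirrors the one in the question. The parser is deliberately minimal (no `SUP` inheritance, no OID lookup) and is not slapd's implementation.

```python
import re

# Constructed, abridged objectClass definitions in RFC 4512 syntax
# (sample data modelled on nis.schema, not loaded from a live server).
SCHEMA = {
    "shadowAccount": "( 1.3.6.1.1.1.2.1 NAME 'shadowAccount' SUP top AUXILIARY "
                     "MUST uid MAY ( userPassword $ shadowLastChange $ shadowMin $ "
                     "shadowMax $ shadowWarning $ shadowInactive $ shadowExpire $ "
                     "shadowFlag $ description ) )",
    "posixAccount": "( 1.3.6.1.1.1.2.0 NAME 'posixAccount' SUP top AUXILIARY "
                    "MUST ( cn $ uid $ uidNumber $ gidNumber $ homeDirectory ) "
                    "MAY ( userPassword $ loginShell $ gecos $ description ) )",
}

# Constructed entry, same shape as the one in the question: no shadowAccount.
SAMPLE_ENTRY = {
    "dn": "uid=foo,ou=People,dc=example,dc=com",
    "objectClass": ["inetOrgPerson", "posixAccount"],
    "uid": ["foo"], "cn": ["foo"], "sn": ["foo"], "userPassword": ["secret"],
}


def _attr_list(defn, keyword):
    """Return the attribute names following MUST or MAY in a definition.

    Handles both the bare single-name form ('MUST uid') and the
    parenthesised '$'-separated form ('MAY ( a $ b )').
    """
    m = re.search(r"\b%s\s+(\(([^)]*)\)|(\S+))" % keyword, defn)
    if not m:
        return set()
    body = m.group(2) if m.group(2) is not None else m.group(3)
    return {a.strip() for a in body.split("$") if a.strip()}


def class_attributes(oc_name):
    """Required plus allowed attributes of one objectClass (no SUP walk)."""
    defn = SCHEMA[oc_name]
    return _attr_list(defn, "MUST") | _attr_list(defn, "MAY")


def expand_attrs(attrs_spec):
    """Expand an ACL attrs= list: '@oc' becomes the MUST+MAY attributes of oc,
    plain attribute names are kept. Names are lowercased because LDAP
    attribute types are matched case-insensitively."""
    result = set()
    for item in attrs_spec.split(","):
        item = item.strip()
        if item.startswith("@"):
            result |= {a.lower() for a in class_attributes(item[1:])}
        elif item:
            result.add(item.lower())
    return result


def attr_covered(attrs_spec, attr_name):
    """The check the reply describes: membership in the expanded list only.
    Note that no entry is passed in; its objectClass values play no part."""
    return attr_name.lower() in expand_attrs(attrs_spec)


def entry_has_objectclass(entry, oc):
    return oc.lower() in {v.lower() for v in entry.get("objectClass", [])}


def demo():
    """Evaluate the question's scenario: attrs=@shadowAccount against an
    entry that is posixAccount but not shadowAccount."""
    spec = "@shadowAccount"
    return {
        "entry_has_shadowAccount": entry_has_objectclass(SAMPLE_ENTRY, "shadowAccount"),
        "userPassword_covered": attr_covered(spec, "userPassword"),
        "loginShell_covered": attr_covered(spec, "loginShell"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-25s %s" % (key, value))
```

Running it shows `userPassword` is covered by `attrs=@shadowAccount` even though the entry carries no `shadowAccount` objectClass, while `loginShell` (posixAccount-only) is not: exactly the "shortcut for a complete listing" behaviour. The practical consequence for an ACL author is that `@shadowAccount` grants the same reach over shared attributes such as `userPassword` on every entry in the scope, so a rule meant to apply only to shadow entries needs a separate entry-selecting clause (for example a `filter=` on objectClass) rather than relying on the attribute set.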