
Re: slurpd access control problems



On Fri, Jan 19, 2007 at 09:47:10PM -0800, Howard Chu wrote:
> Alex Samad wrote:
> >On Fri, Jan 19, 2007 at 07:16:39PM -0500, Aaron Richton wrote:
> >>>I get problems with access control, however, that prevent it from 
> >>>working.
> >>Yes...given
> >>>access to * by dn="uid=slurp,ou=users,dc=xxxxxxxx,dc=xx" write
> >>>access to * by * none
> >
> >Think what you need here is
> >
> >access to *
> >	by dn="uid=slurp,ou=users,dc=xxxxxxxx,dc=xx" write
> >	by * break 
> >
> >access to attrs=userPassword
> >	by anonymous auth
> >	by self write
> >	by * none
> >
> >access to *
> >	by * none
> >
> Yes, but sloppy. Don't use rules you don't need, and write rules that work 
> with the natural order of processing:
> 
>  access to attrs=userPassword
> 	by dn="uid=slurp,ou=users,dc=xxxxxxxx,dc=xx" write
>  	by self write
> 	by anonymous auth
> 
>  access to *
>  	by dn="uid=slurp,ou=users,dc=xxxxxxxx,dc=xx" write
> 
> I.e., don't throw in gratuitous "break" statements when you don't need to.

Agreed for this simple solution, but when you have a whole bundle of different
attributes that you want uid=slurp to have root-style access to, why not place it
at the top?  Otherwise you have to place it in 5-10 or 20-30 different access
control blocks.


I suppose what would be nice is if you could define macros to be placed in
access control blocks.





> 
> -- 
>   -- Howard Chu
>   Chief Architect, Symas Corp.  http://www.symas.com
>   Director, Highland Sun        http://highlandsun.com/hyc
>   OpenLDAP Core Team            http://www.openldap.org/project/
> 

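Added example, not part of the original messages: a simplified Python model of how slapd selects the first matching "access to" rule and the first matching "by" clause, applied to the three rule sets quoted in this thread. The DNs, function names and tuple encoding of the rules are assumptions made for illustration, and only the who-forms used in the thread (dn="...", self, anonymous, *) are modelled.

```python
# Simplified model of slapd ACL evaluation (illustrative, not OpenLDAP code).
SLURP = "uid=slurp,ou=users,dc=example,dc=com"   # constructed DN
ALICE = "uid=alice,ou=users,dc=example,dc=com"   # constructed DN

# Each rule: (what, [(who, level, control), ...]); what is "*" or an attribute.
ORIGINAL = [("*", [(SLURP, "write", "stop")]),
            ("*", [("*", "none", "stop")])]
WITH_BREAK = [("*", [(SLURP, "write", "stop"), ("*", None, "break")]),
              ("userPassword", [("anonymous", "auth", "stop"),
                                ("self", "write", "stop"),
                                ("*", "none", "stop")]),
              ("*", [("*", "none", "stop")])]
NATURAL = [("userPassword", [(SLURP, "write", "stop"),
                             ("self", "write", "stop"),
                             ("anonymous", "auth", "stop")]),
           ("*", [(SLURP, "write", "stop")])]

def who_matches(who, requester, entry_dn):
    if who == "*":
        return True
    if who == "anonymous":
        return requester is None
    if who == "self":
        return requester is not None and requester == entry_dn
    return requester == who           # dn="..." exact match

def access(rules, requester, entry_dn, attr):
    """Return the access level granted to requester for attr of entry_dn."""
    for what, clauses in rules:
        if what not in ("*", attr):
            continue                  # <what> does not select this attribute
        for who, level, control in clauses:
            if who_matches(who, requester, entry_dn):
                if control == "break":
                    break             # continue with the next matching rule
                return level          # default control is "stop"
        else:
            return "none"             # implicit trailing "by * none" on every rule
    return "none"                     # nothing matched: implicit "access to * by * none"

if __name__ == "__main__":
    for name, rules in (("original", ORIGINAL), ("with break", WITH_BREAK),
                        ("natural order", NATURAL)):
        # Anonymous needs auth on userPassword before uid=slurp can bind.
        print(name, "->", access(rules, None, SLURP, "userPassword"))
```

In the original two-rule set the first "access to *" already selects userPassword, so an anonymous requester falls to the implicit "by * none" and never reaches a rule granting auth.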