[Date Prev][Date Next] [Chronological] [Thread] [Top]

ACIs problem when allowing "read" but restricting "updates" in specific entries

To: <openldap-software@openldap.org>
Subject: ACIs problem when allowing "read" but restricting "updates" in specific entries
From: "Antonio Alonso" <antonio.alonso@ericsson.com>
Date: Thu, 13 Mar 2008 08:03:59 +0100
Content-class: urn:content-classes:message
Thread-index: AciE2Gk9sOZ8XePCSleLtMB92AN/ww==
Thread-topic: ACIs problem when allowing "read" but restricting "updates" in specific entries

Title: ACIs problem when allowing "read" but restricting "updates" in specific entries

Hi !

I need some help with a pair of ACIs I have prepared (using openldap 2.4.7 in a SuSE9 server)

I have created a DIT where several subscribers were provisioned. Under each subscriber entry
there are two different entries ("application=data1" and "application=data2"):

application=data1,subscriberId=<xxx>,ou=subscribers,dc=company,dc=com
application=data2,subscriberId=<xxx>,ou=subscribers,dc=company,dc=com

And I have defined four different users (to bind to the system .. apart from the "rootdn", of course)

- uid=data1owner,ou=users,dc=company,dc=com
Can read and modify attribute values in "application=data1, ..." entries

- uid=data2owner,ou=users,dc=company,dc=com
Can read and modify attribute values in "application=data2, ..." entries

- uid=data1checker,ou=users,dc=company,dc=com
Can read attribute values in "application=data1, ..." entries but can NOT modify them

- uid=admin,ou=users,dc=company,dc=com
Can read and modify attribute values in "application=data1, ..." and "application=data2, ..." entries

I have included the following ACIs in "slapd.conf" file (to get the behaviour explained above)

##
## Policy Rule [1]
##      Access to "application=data1,,..." entries
##
access to dn.regex="appName=data1,.+$"
       by dn.exact="uid=data1owner,ou=users,dc=company,dc=com" write stop
       by dn.exact="uid=data1checker,ou=users,dc=company,dc=com" read stop
       by dn.exact="uid=admin,ou=users,dc=company,dc=com" manage stop

##
## Policy Rule [2]
##      Access to "application=data2,..." entries
##
access to dn.regex="application=data2,.+$"
       by dn.exact="uid=data2owner,ou=users,dc=company,dc=com" write stop
       by dn.exact="uid=admin,ou=users,dc=company,dc=com" manage stop

I am getting the desired behaviour except for the "uid=data1checker" user. He only see "application=data1"
entries ("application=data2" are not visible for him) but he can ALSO modify attribute values in
"application=data1" entries (i.e. it is exactely the same behaviour as "uid=data1owner" in spite of the
first one having ONLY "read" access privileges and the second one "write" access privileges
for the "application=data1, ..." entries (????)

Please, could you any of you help me with this issue.

Thanks in advance

BR / Antonio

Antonio Alonso Alarcón
CUDB System Engineer/Technical Product Manager

Ericsson España, S.A.           Phone: +34 91339 3085
Via de los Poblados 13         Mobile: +34 609640579 (66215)
28033 Madrid, Spain                           Fax: +34 91339 1636
E-mail: Antonio.Alonso@ericsson.com

Follow-Ups:
- Re: ACIs problem when allowing "read" but restricting "updates" in specific entries
  - From: "Dieter Kluenter" <dieter@dkluenter.de>
- Re: ACIs problem when allowing "read" but restricting "updates" in specific entries
  - From: Michael Ströder <michael@stroeder.com>

Prev by Date: Re: null_callbacks after initial sync
Next by Date: syncrepl not syncing [ CSN older or equal to ctx ]
Index(es):
- Chronological
- Thread