
Re: ACIs problem when allowing "read" but restricting "updates" in specific entries



Hi,

"Antonio Alonso" <antonio.alonso@ericsson.com> writes:

> Hi !
>
>    I need some help with a pair of ACIs I have prepared (using openldap 2.4.7
> in a SuSE9 server)
>  
>    I have created a DIT where several subscribers were provisioned. Under each
> subscriber entry
> there are two different entries ("application=data1" and "application=data2"):
>
>         application=data1,subscriberId=<xxx>,ou=subscribers,dc=company,dc=com
>         application=data2,subscriberId=<xxx>,ou=subscribers,dc=company,dc=com
>
>    And I have defined four different users (to bind to the system .. apart
> from the "rootdn", of course)
>
>         - uid=data1owner,ou=users,dc=company,dc=com
>                 Can read and modify attribute values in "application=data1,
> ..." entries
>
>         - uid=data2owner,ou=users,dc=company,dc=com
>                 Can read and modify attribute values in "application=data2,
> ..." entries
>
>         - uid=data1checker,ou=users,dc=company,dc=com
>                 Can read attribute values in "application=data1, ..." entries
> but can NOT modify them
>
>         - uid=admin,ou=users,dc=company,dc=com
>                 Can read and modify attribute values in "application=data1,
> ..." and "application=data2, ..." entries
>
>   I have included the following ACIs in "slapd.conf" file (to get the
> behaviour explained above)
>
> ##
> ## Policy Rule [1]
> ##      Access to "application=data1,..." entries
> ##
> access to dn.regex="appName=data1,.+$"
>        by dn.exact="uid=data1owner,ou=users,dc=company,dc=com" write stop
>        by dn.exact="uid=data1checker,ou=users,dc=company,dc=com" read stop
>        by dn.exact="uid=admin,ou=users,dc=company,dc=com" manage stop
>
> ##
> ## Policy Rule [2]
> ##      Access to "application=data2,..." entries
> ##
> access to dn.regex="application=data2,.+$"
>        by dn.exact="uid=data2owner,ou=users,dc=company,dc=com" write stop
>        by dn.exact="uid=admin,ou=users,dc=company,dc=com" manage stop
>
>   I am getting the desired behaviour except for the "uid=data1checker" user.
> He only sees "application=data1" entries ("application=data2" are not visible
> for him) but he can ALSO modify attribute values in "application=data1"
> entries (i.e. it is exactly the same behaviour as "uid=data1owner", in spite
> of the first one having ONLY "read" access privileges and the second one
> "write" access privileges for the "application=data1, ..." entries (????)
>
>    Please, could any of you help me with this issue?

run slapacl(8) and set debug level to 128

-Dieter

-- 
Dieter Klünter | Systemberatung
http://www.dkluenter.de
GPG Key ID:8EF7B6C6
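Added example, not from the thread: a POSIX shell script that applies Dieter's suggestion by driving slapacl(8) over the access matrix Antonio describes and, on a mismatch, rerunning the failing check at debug level 128. The slapd.conf path, the subscriberId value and the attribute name are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: drive slapacl(8) over the access matrix
# Antonio describes so each bind DN's result is compared with the expectation.
# Assumptions: the config path, the subscriberId value "1234" (constructed) and
# the attribute "description"; the entry must exist in the database.
SLAPD_CONF="${SLAPD_CONF:-/etc/openldap/slapd.conf}"
ENTRY="application=data1,subscriberId=1234,ou=subscribers,dc=company,dc=com"
ATTR="description"
USERS="ou=users,dc=company,dc=com"

# acl_result BIND_DN ENTRY_DN ATTR ACCESS -> prints ALLOWED or DENIED
acl_result() {
    slapacl -f "$SLAPD_CONF" -D "$1" -b "$2" "$3/$4" 2>/dev/null \
        | awk '/ALLOWED/ {print "ALLOWED"; exit} /DENIED/ {print "DENIED"; exit}'
}

# check_one BIND_DN ACCESS EXPECTED -> 0 when slapacl agrees with EXPECTED
check_one() {
    got=$(acl_result "$1" "$ENTRY" "$ATTR" "$2")
    printf '%-55s %-5s expected %-7s got %s\n' "$1" "$2" "$3" "${got:-?}"
    [ "$got" = "$3" ]
}

# run_matrix: the four users against a data1 entry; returns the mismatch count
run_matrix() {
    fails=0
    check_one "uid=data1owner,$USERS"   read  ALLOWED || fails=$((fails + 1))
    check_one "uid=data1owner,$USERS"   write ALLOWED || fails=$((fails + 1))
    check_one "uid=data1checker,$USERS" read  ALLOWED || fails=$((fails + 1))
    check_one "uid=data1checker,$USERS" write DENIED  || fails=$((fails + 1))
    check_one "uid=data2owner,$USERS"   read  DENIED  || fails=$((fails + 1))
    check_one "uid=admin,$USERS"        write ALLOWED || fails=$((fails + 1))
    return "$fails"
}

# trace_one BIND_DN ACCESS: rerun one check at the ACL debug level Dieter
# mentions (-d 128) so slapd logs which "access to" / "by" clause matched
trace_one() {
    slapacl -f "$SLAPD_CONF" -d 128 -v -D "$1" -b "$ENTRY" "$ATTR/$2"
}

if [ "${1:-}" = "--run" ]; then
    run_matrix || trace_one "uid=data1checker,$USERS" write
fi
```

Run it with `--run` on the server holding slapd.conf; the debug trace goes to stderr, so redirect it to a file when the output is long.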