Re: ACLs - allowing a user to add a new attribute
On Tue, Apr 13, 2010 at 09:37:39PM +0200, Dieter Kluenter wrote:
> > From an ACL perspective there is really no difference between adding
> > an attribute and modifying its value.
>
> No! You have to distinguish between level access model and privilege
> model, slapd.access(5)
>
> <level> ::= none|disclose|auth|compare|search|read|{write|add|delete}|manage
> <priv> ::= {=|+|-}{0|d|x|c|s|r|{w|a|z}|m}+
The privilege model is more flexible, but in the case that Matt describes
I do not see any relevant difference: he wants admins to add certain
attributes and also to modify them. Either action requires at least 'add'
privilege on the attribute, and changing existing values also requires
'delete' - thus 'write' is a reasonable level to choose.
> > One comment I would make about your ACLs is that in several places you
> > are granting read access to userPassword. This is not usually
> > necessary nor is it a good idea. You need 'by * auth' access to permit
> > authentication, but only need to give '=w' access to those who need to
> > change passwords. Remember that the 'write' keyword includes read access
>
> '=w' just grants write privilege but no read privilege.
Exactly. Protecting password attributes is a case that the privilege
model handles much better than the level model.
Andrew
--
-----------------------------------------------------------------------
| From Andrew Findlay, Skills 1st Ltd |
| Consultant in large-scale systems, networks, and directory services |
| http://www.skills-1st.co.uk/ +44 1628 782565 |
-----------------------------------------------------------------------
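The two points made in the thread, 'write' as the level for attributes admins must add and change, and '=w' plus 'auth' (rather than read) for userPassword, written out as slapd.conf ACLs. This is an added example, not configuration from the thread; the base DN, the admin group and the password-admin DN are assumptions.

```conf
# Weak: 'read' on userPassword lets every authenticated user retrieve
# password hashes. Under the level model 'write' also implies read,
# so 'by self write' exposes the user's own hash as well.
access to attrs=userPassword
        by self write
        by users read
        by * auth

# Corrected: the privilege model grants exactly what is needed.
# '=w' is write without read; '=x' is auth only, i.e. the bind can
# compare the supplied password but nobody can read the stored hash.
# 'by * =x' is equivalent to 'by * auth'.
access to attrs=userPassword
        by self =w
        by dn.exact="cn=pwadmin,ou=admins,dc=example,dc=com" =w
        by * =x

# For ordinary attributes the level model is sufficient: 'write'
# includes both add and delete, so the admin group can add a value
# that does not yet exist and replace one that does.
access to attrs=mail,telephoneNumber
        by group.exact="cn=admins,ou=groups,dc=example,dc=com" write
        by self read
        by * read
```

After loading the ACLs, an `ldapsearch -x -D <user> -W -b dc=example,dc=com userPassword` should return entries with no userPassword value, while a simple bind with that user's password still succeeds.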