[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: ACL for DIT structure rules



On Tue, Dec 02, 2008 at 03:30:27PM +0000, Andrew Findlay wrote:

> The basic idea is to restrict what can be created in each part of the
> DIT. Suppose you have a node called cn=people,dc=example,dc=org and
> you want to make sure that all nodes under it describe people. You might
> write rules like this:
> 
> access to dn.exact="cn=people,dc=example,dc=org"
>         attrs=children
>         by dn.exact="cn=admin,cn=people,dc=example,dc=org" write
>         by * read
> 
> access to dn.onelevel="cn=people,dc=example,dc=org"
>         filter="(objectClass=inetOrgPerson)"
>         by dn.exact="cn=admin,cn=people,dc=example,dc=org" write
>         by * read

> I have used rules of this sort in the past, but ITS#4556 suggests
> that there are cases where they do not work. See recent discussion:
> http://www.openldap.org/lists/openldap-devel/200811/msg00014.html

I have now done some more testing on this. Every version of OpenLDAP
that I tested (2.3.27 2.4.11 and some recent versions of HEAD) will
work with the rules above.

The problem mentioned in ITS#4556 comes up if you grant write access to
the 'entry' pseudo-attribute separately. All versions up to 2.4.12
will allow *any* entry to be created by a user that has write
permission on the 'entry' pseudo-attribute of the entry being created
and also the 'children' pseudo-attribute of the parent entry.

>From 2.4.13 onwards there is a per-database flag to enable full ACL
checking on added entries:
	add_content_acl yes

I would suggest always enabling that option. Here is an example that
does not work as expected without it:

# 1:
access to dn.exact="dc=people,dc=example,dc=org" attrs="children"
        by dn.exact="uid=admin,dc=people,dc=example,dc=org" write
        by * break
# 2:
access to dn.onelevel="dc=people,dc=example,dc=org" attrs="entry"
        by dn.exact="uid=admin,dc=people,dc=example,dc=org" write
        by * break
# 3:
access to dn.onelevel="dc=people,dc=example,dc=org"
	filter="(objectClass=inetOrgPerson)"
        by dn.exact="uid=admin,dc=people,dc=example,dc=org" write
        by * break

The only difference is that write access to attrs="entry" is granted
separately before the rule that applies to real attributes. Without
"add_content_acl yes" this masks the effect of rule 3 on add
operations.

Summary:

Using ACLs for structure control is possible, but for all versions
before 2.4.13 it is necessary to apply all the control via the "entry"
pseudo-attribute.

>From 2.4.13 onwards you should enable "add_content_acl yes".
I hope this will become the default in a future version.

Andrew
-- 
-----------------------------------------------------------------------
|                 From Andrew Findlay, Skills 1st Ltd                 |
| Consultant in large-scale systems, networks, and directory services |
|     http://www.skills-1st.co.uk/                +44 1628 782565     |
-----------------------------------------------------------------------