Re: Unclear attribute: entry
On 05/08/2010 10:59, Klaus Ethgen wrote:
Hi,
Dieter Kluenter<dieter@dkluenter.de> schrieb:
So my question is what is the rights that are needed for which entry
attribute (in tree) to allow read, write, search or other access to
other attributes?
entry and children are so-called pseudo attributes. They are mainly
used to allow access to children of an entry. As example you have an
entry ou=users,dc=example,dc=com and want to allow access to children
of this entry but no read or write access to the entry itself, a rule
set could be
access to dn.onelevel=ou=users,dc=example,dc=com
        by users write
        by anonymous auth
access to dn.base=ou=users,dc=example,dc=com attrs=entry,children
        by users write
        by anonymous auth
Thanks for your answer. But it does not make that clear for me. I did
find some examples with entry and children but the description about
it is not clear for me.
The children attribute might be somewhat clear. But the real mystery is
the entry attribute and, as the logic seems to be somewhat identical, also
the real meaning of children.
For example:
[1] access to attrs=sn
by * read
[2] access to attrs=entry,sn
by * read
[1] will not allow reading the attribute sn. Only with [2] will that
work. However, _I_ would expect that all attributes of that particular
entry would be readable with [2] but only the sn attribute with [1]. And
exactly there is my problem with the understanding.
Indeed. Reading any object requires access to the entry pseudo attribute.
All the requirements regarding these two pseudo attributes are
documented in the man page, slapd.access(5), under "OPERATION REQUIREMENTS".
For example, for searching and reading attributes:
The search operation, requires search (=s) privileges on the entry pseudo-attribute of the searchBase
(NOTE: this was introduced with OpenLDAP 2.4). Then, for each entry, it requires search (=s) privileges on
the attributes that are defined in the filter. The resulting entries are finally tested for read (=r)
privileges on the pseudo-attribute entry (for read access to the entry itself) and for read (=r) access on
each value of each attribute that is requested.
Jonathan
--
==========================================
Jonathan CLARKE
------------------------------------------
Normation
44 rue Cauchy, 94110 Arcueil, France
------------------------------------------
Telephone: +33 (0)1 83 62 26 96
------------------------------------------
Web: http://www.normation.com/
==========================================
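The following is an added illustration, not code from the thread or from OpenLDAP: a small Python model of the four checks the slapd.access(5) "OPERATION REQUIREMENTS" text lists for a search, applied to the two rule sets [1] and [2] from the question and to the "by users write / by anonymous auth" clauses from the first reply. It models only "access to *" and "access to attrs=..." targets, first-match semantics, and the subject classes "*", "users", "anonymous" and a literal bind DN; dn.* targets, "self", sets and the rest of slapd's grammar are deliberately left out, and the directory entry used as input is constructed for the example.

```python
"""Toy model of slapd access evaluation for a search operation, following the
"OPERATION REQUIREMENTS" wording of slapd.access(5). Added example, not OpenLDAP
code: only 'access to *' and 'access to attrs=...' targets are modelled, with
first-match semantics and a handful of subject classes (an assumption)."""

# slapd privilege levels, weakest to strongest; a higher level implies the lower ones.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]


def level_ge(granted, needed):
    """True when the granted level is at least the needed one (read implies search)."""
    return LEVELS.index(granted) >= LEVELS.index(needed)


def parse_acl(text):
    """Parse 'access to <target>' / 'by <who> <level>' lines into (attrs, clauses) rules."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("access to "):
            target = line[len("access to "):].strip()
            if target == "*":
                attrs = None                        # matches every attribute
            elif target.startswith("attrs="):
                attrs = set(target[len("attrs="):].split(","))
            else:
                raise ValueError("target not modelled here: " + target)
            rules.append((attrs, []))
        elif line.startswith("by "):
            who, level = line[3:].split()
            if level not in LEVELS:
                raise ValueError("unknown level " + level)
            rules[-1][1].append((who, level))
        else:
            raise ValueError("cannot parse: " + line)
    return rules


def who_matches(who, subject):
    """subject is the string 'anonymous' or a bind DN (assumption of this model)."""
    if who == "*":
        return True
    if who == "anonymous":
        return subject == "anonymous"
    if who == "users":
        return subject != "anonymous"
    return who == subject                           # literal DN


def access_level(rules, subject, attr):
    """The first rule whose target matches attr decides; within it the first 'by'
    clause matching the subject decides; no matching clause, or no rule, means none."""
    for attrs, clauses in rules:
        if attrs is None or attr in attrs:
            for who, level in clauses:
                if who_matches(who, subject):
                    return level
            return "none"
    return "none"


def search(rules, subject, entries, filter_attrs, requested_attrs):
    """Apply the four checks from slapd.access(5) to every entry under the base.
    entries: {dn: {attr: [values]}}. Returns None when the base is not searchable."""
    # 1. search (=s) on the 'entry' pseudo-attribute of the search base
    if not level_ge(access_level(rules, subject, "entry"), "search"):
        return None
    results = {}
    for dn, entry in entries.items():
        # 2. search (=s) on every attribute used in the filter
        if not all(level_ge(access_level(rules, subject, a), "search") for a in filter_attrs):
            continue
        # 3. read (=r) on the 'entry' pseudo-attribute of the candidate entry
        if not level_ge(access_level(rules, subject, "entry"), "read"):
            continue
        # 4. read (=r) on each requested attribute value
        results[dn] = {a: vals for a, vals in entry.items()
                       if a in requested_attrs
                       and level_ge(access_level(rules, subject, a), "read")}
    return results


# Constructed sample entry and the two rule sets from the question.
DIT = {"uid=klaus,ou=users,dc=example,dc=com":
       {"objectClass": ["person"], "cn": ["Klaus"], "sn": ["Ethgen"]}}
ACL_1 = "access to attrs=sn\n by * read\n"
ACL_2 = "access to attrs=entry,sn\n by * read\n"

if __name__ == "__main__":
    print(search(parse_acl(ACL_1), "anonymous", DIT, ["sn"], ["sn", "cn"]))   # None
    print(search(parse_acl(ACL_2), "anonymous", DIT, ["sn"], ["sn", "cn"]))   # sn only
```

Under [1] the entry pseudo-attribute matches no rule, so the very first check fails and nothing is returned; under [2] the entry is readable and sn comes back, but cn does not, which is the behaviour the question observed and the man-page text explains.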