[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: R: Re: R: Re: R: Enforcing attribute ACL on add operations

To: ando@sys-net.it (Pierangelo Masarati), hyc@symas.com (Howard Chu)
Subject: Re: R: Re: R: Re: R: Enforcing attribute ACL on add operations
From: manu@netbsd.org (Emmanuel Dreyfus)
Date: Sun, 28 Sep 2008 10:58:10 +0200
Cc: openldap-devel@openldap.org
In-reply-to: <31123591.48731222587095519.JavaMail.root@mail2.sys-net.it>
User-agent: MacSOUP/2.7 (unregistered for 617 days)

Pierangelo Masarati <ando@sys-net.it> wrote:

> Unless one uses authzTo/authzFrom as a naming attribute, I don't see any
> issue.  I haven't checked, but I believe modrdn already needs to comply
> with ACLs in a manner that allows finge-grain enough control.  In fact,
> modrdn needs to pass access control both for the old and the new (r)dn,
> and the use of filters, sets and so allows to condition access on the
> entry's content.

Looking at the code for back-bdb, it requires you have:
- write access to old parent
- write access to new superior parent
- write access to old entry 
- and there is a call to bdb_modify_internal() that will check for
attribute ACL, and it this seems to be for the old location in the tree,
not the new one.

So if you have an attribute ACL that applies only to the new location,
it can be circunvented by a modrdn. I am not sure this is really a bug,
though, perhaps just an unspecfied area. 

-- 
Emmanuel Dreyfus
http://hcpnet.free.fr/pubz
manu@netbsd.org

References:
- R: Re: R: Re: R: Enforcing attribute ACL on add operations
  - From: Pierangelo Masarati <ando@sys-net.it>

Prev by Date: R: Re: R: Re: R: Enforcing attribute ACL on add operations
Next by Date: Re: R: Re: R: Enforcing attribute ACL on add operations
Index(es):
- Chronological
- Thread