[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: [LDAP-SOFTWARE] ACLand regex (matching self)

To: Ace Suares <ace@suares.nl>
Subject: Re: [LDAP-SOFTWARE] ACLand regex (matching self)
From: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>
Date: Mon, 24 Feb 2003 11:21:49 -0800
Cc: OpenLDAP-software@OpenLDAP.org
In-reply-to: <200302232255.25078.ace@suares.nl>
References: <5.2.0.9.0.20030223171917.02851a78@127.0.0.1> <5.2.0.9.0.20030223105006.02778b50@127.0.0.1> <5.2.0.9.0.20030223171917.02851a78@127.0.0.1>

At 10:55 AM 2/23/2003, Ace Suares wrote:
>In 2.1.12 in doc/man5/slapd.access.5 is some information, the same as in the 
>ldap admin guide 2.1 as far as I can see. It's not clear to me where the 
>'system' entries are listed and that there are system entires at all and how 
>to put ACL's on them.

The admin guide clarifies this:
        As this is the first database, the controls also apply
        to entries not held in any database (such as the Root DSE).

I've added a clarification to slapd.access(5) as well.

>Which one do you refer to as STAT ? (256 or 512 ?)

256.  But 512 may be useful as well.

>In the openldap admin guide 2.1, the phrase 'root DSE' appears exactly once, 
>and not in an explanatory context.

Explaining the X.500/LDAP directory models and its terms is beyond
the scope of the admin guide.

>The acronym 'DSE' appears 3 times.  (including the above phrase). 
>
>Until now I assumed that the root DSE the top entry is in the database, in my 
>case: app=qwido. Is that right ?

No.  The root DSE (DSA-specific entry) is the entry at the
root of the DSA Information Tree.  DSA here means "directory
server agent".  The empty DN refers to the root DSE.

>> >Feb 23 18:13:16 curacao slapd[1057]: => acl_get: [1] check attr
>> > objectClass
>{snip}
>> >But, what's that [1] doing there ?
>>
>> [1] means slapd is looking at the 1st access statement in the list,
>> checking if the target attribute matches.
>
>So, the 'thing being matched' is 'attr objectClass' and it is matched against 
>the first ACL in the list ?

Yes, the "what" matches the target.  And the "who" matches the subject.

>So, even if I say 'defaultaccess=write' but have at least 1 access rule (ACL) 
>specified, then the defaultaccess will be ignored, even if nothing matches 
>that rule !?

Yes.

>(I had a totally different idea of what defautlaccess meant !)

likely you are retaining outdated knowledge from your OpenLDAP 1.x days...

>rule a:
>
>> >access to attr=userpassword
>> >        by self write
>> >        by group="group=managers,app=qwido" write
>> >        by anonymous auth
>> >
>{snip}
>> Rule a actually says: "allow self and managers to modify
>> userPassword; allow anonymous to authentication"
>
>by 'modify' you mean 'add (if it's not there), delete (if it's there) or 
>change (if it's there)' (assuming that the schema allows it) ??

Yes.

>This question comes around to my misconception about the 'write' privilige - 
>in many cases 'write' means not only modify (change) but also add and delete.

In OpenLDAP, write permission is needed to update content.

>rule b:
>> >access to dn="app=qwido"
>> >        by dn="app=qwido" read
>
>{snip}
>>
>> Rule b actually says: "allow app=qwido to read app=qwido".  It
>> is equivalent to saying:
>>         access to dn.exact="app=qwido" by self read
>
>I assume it is equally equivalent to
>         access to dn="app=qwido" by self read
>
>or... not ?

Yes.  I was just avoiding the unnecessary regex(7) use.

Kurt

References:
- Re: [LDAP-SOFTWARE] ACLand regex (matching self)
  - From: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>
- Re: [LDAP-SOFTWARE] ACLand regex (matching self)
  - From: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>
- Re: [LDAP-SOFTWARE] ACLand regex (matching self)
  - From: Ace Suares <ace@suares.nl>

Prev by Date: Re: Problem storing and retrieving data from DB
Next by Date: Re: autoconf under openldap-2.1.8
Index(es):
- Chronological
- Thread