Re: [LDAP-SOFTWARE] ACLand regex (matching self)

[Quanah Gibson-Mount <quanah@stanford.edu>]

--On Tuesday, March 04, 2003 6:36 PM +0400 Ace Suares <ace@suares.nl> wrote:

> Peter,
>
> thanks for your answers.
>
> I'll have to study mentioned RFC now (which I hoped would not be
> necessary for  admins/users).
>
> I'll get back on this after I've studied it.
>
> The 'access to attr=entry' that Quanah mentioned, is likely a different
> way of  specifiying access to "', don't you agree ?
>
> In any case, I don't want read access to attr=entry for my entire tree,
> so I  hope Quanah is just as confused as I am and there is a more secure
> and  elegant solution to this.
>
> BTW you mention namingContext, is this also a dn of it's own ?
> (You don't have to answer if it's in the RFC, I'll find it then ;-)

Ace,

No it is not the same thing.  It looks like you are using 2.0 and I'm using 
2.1, so I don't think it applies in your case.  Anyhow, as I noted, "entry" 
doesn't exist in anything, therefore giving read to entry by * does nothing 
security wise.  However, if I wanted to say, give access to uid, and 
someone didn't have access to read entry, they couldn't read the contents 
of uid, even if I said access to uid by * read.  I also have the dn."" read 
entry in my slapd.conf.  I still required the access to entry by * read bit 
as well.

--Quanah



--
Quanah Gibson-Mount
Senior Systems Administrator
ITSS/TSS/Computing Systems
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html