
Re: ACL for only creating entry



>
> Pierangelo,
>
> do you consider yourself an ACL expert? (For all I know, you might have
> invented ACLs! I am just a beginner (still, after one year fighting
> with it)).
>
> Because, I tested once again the following ACLs and it allowed me to
> create an entry, but not read it.
>
> If you are such an expert and know for sure that 'attrs=entry' is
> meaningless in this case, please be so kind and explain to me WHY. It
> seems to work. Maybe my test setup is wrong - that happened to me
> before.

Access to "entry" is usually checked any time before checking
access to specific attributes.  If you give "entry" access,
but don't give access to specific attributes, then there's
no chance your operation will succeed.  Consider it a shortcut
to deny access to an entire entry without incurring the
overhead of having every single value of every attribute tested
for permission.

1) to add an entry you need "entry" write privileges to it
   and "children" write privileges to its parent
2) to delete an entry you need "entry" write privileges to it
   and "children" write privileges to its parent
3) to modrdn an entry you need "entry" write privileges to it
   and "children" write privileges to its old and new parent
4) to modify an entry you need write privileges to each attribute
5) to return an entry you need "entry" read privileges on it;
   then each attribute is checked for specific read privileges

I was concerned about the administrative identity being
able to modify the entry as well.  Of course, if you want it
to be able to just create (and delete) it, you must use the
"entry" attribute and deny access to the specific attributes.

p.

>
> I haven't tested your suggestion yet (setting =xcsw) but previous tests
> that I did turned out to always include r if you set w.
>
> _Ace
>
> # Allow read access of root DSE to ALL
> access to dn=""
> 	by * read
> # Allow read access of 'cn=Subschema' to ALL
> access to dn="cn=Subschema"
> 	by * read
>
> # "entry" write for the application identity on the manager entries themselves
> # (the target dn.regex and attrs=entry belong to one "access to" directive;
> # the continuation line starts with whitespace)
> access to
> 	dn.regex="^qwidoManager=.+,qwidoRole=qwidoManager,qwidoApp=qwido$"
> 	attrs=entry
> 	by dn.exact="qwidoApp=qwido" write
> 	by * none
>
> # all other attributes of the manager entries: nobody
> access to dn.regex=".*,qwidoRole=qwidoManager,qwidoApp=qwido$"
> 	by * none
>
> # "children" write on the parent, needed to add/delete manager entries
> access to dn.base="qwidoRole=qwidoManager,qwidoApp=qwido" attrs=children
> 	by dn.exact="qwidoApp=qwido" write
> 	by * none
>
> access to dn.base="qwidoRole=qwidoManager,qwidoApp=qwido"
> 	by dn.exact="qwidoApp=qwido" write
> 	by * none
>
> access to dn.regex=".*,qwidoApp=qwido$"
> 	by * none
>
> access to dn.base="qwidoApp=qwido" attrs=userpassword
> 	by self read
> 	by anonymous auth
> 	by * none
>
> access to dn.base="qwidoApp=qwido" attrs=children
> 	by dn.exact="qwidoApp=qwido" write
> 	by * none
>
> access to dn.base="qwidoApp=qwido"
> 	by self read
> 	by * none
>
> access to *
> 	by * none
>
>
>
> Greetings,
> ace
>
> website: http://www.suares.nl * http://www.qwikzite.nl


-- 
Pierangelo Masarati
mailto:pierangelo.masarati@sys-net.it
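Below is an added example, not from this thread, that applies the five rules in Pierangelo's reply to a "create and delete only" identity: it gets "children" write on the parent and "entry" write on the child entries, and nothing on the regular attributes, so it can add and remove entries but can neither read nor modify them. All DNs (dc=example,dc=com, ou=accounts, cn=provisioner) are placeholders, and whether a given slapd release additionally checks write access to the new entry's attributes on add is version-dependent and should be checked in slapd.access(5) for the release in use.

```conf
# Added example (placeholder DNs), written against the rules quoted above:
#   add/delete  -> "entry" write on the target + "children" write on the parent
#   modify      -> write on each attribute (deliberately not granted here)
#   return/read -> "entry" read, then per-attribute read (not granted either)
# slapd uses the FIRST "access to" directive whose target matches, so the
# pseudo-attribute directives must precede the catch-all ones for the same DNs.

# Root DSE and schema stay readable so clients can bind and discover the server.
access to dn.base=""
	by * read
access to dn.base="cn=Subschema"
	by * read

# The provisioner must be able to bind: let anonymous authenticate against
# its own userPassword, but expose the value to nobody.
access to dn.base="cn=provisioner,dc=example,dc=com" attrs=userPassword
	by anonymous auth
	by * none

# Rules 1 and 2: "children" write on the parent permits adding and deleting
# entries directly beneath ou=accounts.
access to dn.base="ou=accounts,dc=example,dc=com" attrs=children
	by dn.exact="cn=provisioner,dc=example,dc=com" write
	by * none

# Rules 1 and 2: "entry" write on the child entries themselves. Because the
# provisioner only ever gets write (never read) here, rule 5 never lets a
# search return these entries to it.
access to dn.onelevel="ou=accounts,dc=example,dc=com" attrs=entry
	by dn.exact="cn=provisioner,dc=example,dc=com" write
	by * none

# Regular attributes of the child entries: explicitly nothing, so there is
# no rule-4 modify and no rule-5 per-attribute read for the provisioner.
access to dn.onelevel="ou=accounts,dc=example,dc=com"
	by dn.exact="cn=provisioner,dc=example,dc=com" none
	by * none

# The parent entry itself needs no grant for the provisioner; "children"
# write above is what the add/delete checks look at.
access to dn.base="ou=accounts,dc=example,dc=com"
	by * none

# Everything else is denied.
access to *
	by * none
```

Verify the intent with the identity's own credentials: an ldapadd and ldapdelete of a child of ou=accounts should succeed, while an ldapsearch for the same entry as that identity should return nothing.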