
Re: ldapsearch by access rights?

> If P. really wants to write a
> serious application to test and view ACLs, I'd be really happy!

I think the idea of discovering access privileges over ldapsearch, besides
representing an extension of the protocol, is per se dangerous.  What I'm
thinking about is a slaptool that does it for you.  In this case, it
wouldn't be any more dangerous than having read access to slapd.conf,
which is required to run most of the tools (slappasswd is the only
exception, by now).  What I mean is a slapacl (or slapaccess) that parses
the slapd.conf and tells what access an authcID has on a specific
DN[+attr(s)] by applying ACLs exactly the same way slapd would do at
runtime.  This is different from knowing what access one has for all
attributes of all entries in a database, but can be of utmost help when
debugging ACLs, and it does not require protocol modifications, nor does it
disclose sensitive info.  The rest is skating on thin ice.
But it's only my opinion.

p.

-- 
Pierangelo Masarati
mailto:pierangelo.masarati@sys-net.it
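A toy model of the slapacl idea proposed in the message above, added here as an example (not the author's or OpenLDAP's code): it applies the first-match semantics of slapd's `access to ... by ...` clauses to a constructed slapd.conf fragment, supporting only the `dn.exact`, `dn.subtree`, `attrs`, `self`, `users`, `anonymous` and `*` selectors; the real slapd ACL engine handles many more (regex, sets, groups, peername, etc.).

```python
import re
# Constructed slapd.conf ACL fragment (assumed for this example, not from the post).
SLAPD_CONF = """
access to attrs=userPassword
    by self write
    by anonymous auth
access to dn.subtree="ou=people,dc=example,dc=com"
    by dn.exact="cn=admin,dc=example,dc=com" write
    by self write
    by users read
access to *
    by * read
"""

def parse_acls(conf):
    """Return [(what, [(who, level), ...]), ...] in file order (order is significant)."""
    acls = []
    for block in filter(str.strip, re.split(r"(?m)^access to ", conf)):
        what, *rest = block.strip().split("\n")
        bys = [m.groups() for m in map(re.compile(r"\s*by\s+(\S+)\s+(\w+)").match, rest) if m]
        acls.append((what.strip(), bys))
    return acls

def _dn_matches(spec, dn):
    style, _, val = spec.partition("=")
    val, dn = val.strip('"').lower(), dn.lower()
    return dn == val or (style == "dn.subtree" and dn.endswith("," + val))

def _what_matches(what, target_dn, attr):
    for part in what.split():  # "*" has no selectors and matches every entry/attribute
        if part.startswith("attrs=") and (attr or "").lower() not in part[6:].lower().split(","):
            return False
        if part.startswith("dn.") and not _dn_matches(part, target_dn):
            return False
    return True

def _who_matches(who, authc_dn, target_dn):
    if who == "*":
        return True
    if who in ("anonymous", "users"):
        return (authc_dn is None) == (who == "anonymous")
    if authc_dn is None:
        return False
    return authc_dn.lower() == target_dn.lower() if who == "self" else _dn_matches(who, authc_dn)

def slapacl(conf, authc_dn, target_dn, attr=None):
    """Access level authc_dn (None = anonymous) gets on target_dn[/attr]: the first matching
    'access to' clause is selected, then its first matching 'by' clause decides."""
    for what, bys in parse_acls(conf):
        if _what_matches(what, target_dn, attr):
            return next((lvl for who, lvl in bys if _who_matches(who, authc_dn, target_dn)), "none")
    return "none"  # nothing matched: slapd denies (implicit 'by * none')
```

Note that a matching `access to` clause whose `by` clauses all fail yields `none` rather than falling through to later clauses, which is the slapd behaviour that most often surprises people when debugging ACLs.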