
Re: ldapsearch by access rights?



> On Mon, 19 Apr 2004, Pierangelo Masarati wrote:
>
>>
>> > Hello,
>> > Using openldap 2.1.29/i386/bdb 4.52 (debian).
>> >
>> > Is it possible to do ldapsearch returning only entries I have write
>> access to, not all readable?
>>
>> info about anyone's access.  I guess what you intend to do
>> is discover if your ACLs are doing fine.  If this is the
> Actually I'm trying to create a web interface for editing ldap entries.
> But the users who are going to use this interface are dummy-users - they
> don't know anything, as usual. So I need to create a website on which
> a user will log in (php_ldap), and then edit the entries which "belong" to
> them, I mean which they can "administer". The simplest would be just to
> search for entries they can write, and set up ACLs properly; however it
> looks like I'd have to find some other kind of search to retrieve only
> these entries which "belong" to them - adding some attribute or similar.
> I'll probably try setting ACI (aci) per entry, and after removing
> directoryUsage from the schema, searching for entries which have the
> username in the OpenLDAPAci attribute.. I'll see :)
> Regards Piotr.
> Regards Piotr.

directoryUsage doesn't imply they cannot be searched.  They cannot be
practically searched because they don't have any usable matching rule;
they only support OpenLDAPaciMatch (basically memcmp()) for exact match,
which is of no use.

I suggest you add an "owner" attribute to entries which contains the DN of
those who can modify the entry; you can then use it to perform access
control, e.g.

access to <what>
    by dnattr="owner" write
    by * read

Of course you need some trick to allow users to create new entries with
the appropriate "owner", to solve the obvious chicken-and-egg problem;
you also need a means to allow the "owner" attribute in your entries.
There might be some issue about letting malicious users set the "owner" of
other entries to themselves, thus gaining undesirable privileges, but I
need to consider this a bit more.

p.

-- 
Pierangelo Masarati
mailto:pierangelo.masarati@sys-net.it
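Added example, not part of the original post: a slapd.conf ACL fragment (OpenLDAP 2.1 syntax) that spells out the "owner" approach from the reply above, together with one way to handle the two loose ends the reply raises (who gets to create entries, and who gets to set "owner"). It assumes the standard `owner` attribute from core.schema (DN syntax, which `dnattr` requires), a constructed data subtree `ou=people,dc=example,dc=com` and a constructed administrative DN `cn=admin,dc=example,dc=com`; neither name comes from the thread.

```conf
# Added example (not from the original post); OpenLDAP 2.1 slapd.conf syntax.
# Assumed names: cn=admin,dc=example,dc=com is the administrative DN used by
# whoever provisions entries; ou=people,dc=example,dc=com holds the entries
# the web interface edits.  "owner" is the standard core.schema attribute.

# 1. Who may set or change "owner": only the administrator.
#    slapd uses the first "access to" clause whose <what> matches the
#    (entry, attribute) being checked, so listing this rule before the
#    subtree rule below means an entry's owner can edit everything else in
#    the entry but cannot add themselves as owner of a foreign entry or hand
#    their own entry to someone else.  Everyone may still read "owner", which
#    the web interface needs in order to search for (owner=<bound DN>).
access to attrs=owner
    by dn.exact="cn=admin,dc=example,dc=com" write
    by * read

# 2. Creating (and deleting) entries under the subtree needs write access to
#    the parent's "children" pseudo-attribute.  Reserving that for the
#    administrator takes entry creation out of the users' hands: the
#    administrator adds the entry with its initial "owner" value, which
#    avoids the chicken-and-egg problem of users creating entries that name
#    themselves as owner.
access to dn.subtree="ou=people,dc=example,dc=com" attrs=children
    by dn.exact="cn=admin,dc=example,dc=com" write
    by * none

# 3. Everything else in the subtree: any DN listed in the entry's "owner"
#    attribute may write (dnattr compares the bind DN against each value, so
#    several owners per entry are fine); other authenticated users may read.
access to dn.subtree="ou=people,dc=example,dc=com"
    by dn.exact="cn=admin,dc=example,dc=com" write
    by dnattr=owner write
    by users read
```

With these rules in place the web interface does not need to probe access rights at all: after binding as the user it searches the subtree with the filter `(owner=<bind DN>)` and every entry returned is one the user may modify, because the ACL and the search key are the same attribute. Keep the usual caution when building that filter in PHP from the bound DN, since DNs may contain characters such as `\`, `(` and `)` that RFC 4515 requires to be escaped in filter values; `ldap_escape()` or an equivalent helper takes care of that.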