
Re: ACL Problem, Insufficient access (50)



On Fri, 2005-12-23 at 11:17 +0000, Alain Williams wrote:

> Please take this as *constructive* criticism, it is not a flame.

OK, it was not you, but I hope I made the point.

Moreover, to make my reply a bit less cryptic:

> here are my ACL files: (manager is my rootdn)
> *************************************************************************************************************************
> access to dn.regex="uid=(.*),ou=People,dc=test,dc=domain,dc=mydomain,dc=org"
> attrs=userPassword
>     by dn="cn=Manager,dc=test,dc=domain,dc=mydomain,dc=org" write
>     by self write
>     by * auth
> access to dn.regex="uid=(.*),ou=People,dc=test,dc=domain,dc=mydomain,dc=org"
>     by * read
> access to dn.regex="uid=(.*),ou=People,dc=test,dc=domain,dc=mydomain,dc=org"
>     by self write
>     by * read
> *************************************************************************************************************************

- everywhere in the Admin Guide, in the example slapd.conf and in
slapd.access(5) it's clearly written that it's pointless to give write
access to the rootdn: it has write access to everything by definition,
since it actually skips ACL evaluation.  This __is__ documented.

- I'm not sure it's explicitly written anywhere, but it should be
straightforward: the second and the third rules have the __same__ <what>
part, so the one that comes first is used and the remaining ones are ignored.

- regexes as written in the initial message are unsafe, as indicated in
the CAVEATS section of slapd.access(5) and somewhere in the FAQ, because
they would match any string with the pattern inside; they're required if
one absolutely needs to enforce that "uid=" is in there, but using
"uid=(.*)" does not prevent any further level of subordination in between;
"uid=([^,]+)" should be used instead.
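As an added illustration, not part of this thread and not slapd's own code, the following Python model of the three points above shows the effect of each one on the quoted rules: the rootdn bypasses the rules entirely, the third rule is never selected because the second has the same <what>, and the posted dn.regex accepts DNs with extra RDNs in between. Assumptions: Python's unanchored `re.search` stands in for slapd's dn.regex matching, a case-insensitive comparison stands in for DN normalisation, the rule and DN structures are constructed here, and the ANCHORED pattern (with `^`/`$`) goes one step beyond the reply's `uid=([^,]+)` suggestion by also rejecting DNs that merely contain the pattern somewhere inside.

```python
import re

# Constructed model of the three ACL rules quoted in the thread (not slapd's
# own code): each rule has a dn.regex <what>, an optional attribute
# restriction and an ordered list of (who, access) clauses.
ROOTDN = "cn=Manager,dc=test,dc=domain,dc=mydomain,dc=org"

# Pattern exactly as posted: unanchored, and "(.*)" may span several RDNs.
LOOSE = r"uid=(.*),ou=People,dc=test,dc=domain,dc=mydomain,dc=org"
# Pattern the reply recommends: "[^,]+" cannot cross an RDN boundary.
SAFER = r"uid=([^,]+),ou=People,dc=test,dc=domain,dc=mydomain,dc=org"
# Added here, beyond the reply: anchoring also rejects DNs that merely
# contain the pattern inside (e.g. an entry subordinate to a user entry).
ANCHORED = r"^uid=([^,]+),ou=People,dc=test,dc=domain,dc=mydomain,dc=org$"

RULES = [
    {"what": LOOSE, "attrs": {"userpassword"},
     "by": [("dn=" + ROOTDN, "write"), ("self", "write"), ("*", "auth")]},
    {"what": LOOSE, "attrs": None, "by": [("*", "read")]},
    {"what": LOOSE, "attrs": None, "by": [("self", "write"), ("*", "read")]},
]


def matches(pattern, dn):
    """Unanchored regex match, as dn.regex behaves unless ^/$ are given.
    Case-insensitive comparison is a simplification of DN normalisation."""
    return re.search(pattern, dn, re.IGNORECASE) is not None


def first_matching_rule(rules, target_dn, attr):
    """Index of the first rule whose <what> matches the target DN (and, if
    the rule restricts attrs, the attribute). Evaluation stops at the first
    match, so a later rule with the same <what> can never be selected."""
    for i, rule in enumerate(rules):
        if not matches(rule["what"], target_dn):
            continue
        if rule["attrs"] is not None and attr.lower() not in rule["attrs"]:
            continue
        return i
    return None


def dead_rules(rules, sample_dns, sample_attrs):
    """Rules never selected for any (dn, attr) pair in the samples."""
    reached = {first_matching_rule(rules, dn, a)
               for dn in sample_dns for a in sample_attrs}
    return [i for i in range(len(rules)) if i not in reached]


def who_matches(who, bind_dn, target_dn):
    """Constructed subset of <who> forms: '*', 'self' and 'dn=<exact dn>'."""
    if who == "*":
        return True
    if who == "self":
        return bind_dn.lower() == target_dn.lower()
    if who.startswith("dn="):
        return who[3:].lower() == bind_dn.lower()
    return False


def evaluate(rules, rootdn, bind_dn, target_dn, attr):
    """Access level granted to bind_dn on (target_dn, attr). The rootdn never
    reaches the rules, which is why granting it write in a rule is pointless."""
    if bind_dn.lower() == rootdn.lower():
        return "write"
    i = first_matching_rule(rules, target_dn, attr)
    if i is None:
        return "none"            # no <what> matched; the server default applies
    for who, level in rules[i]["by"]:
        if who_matches(who, bind_dn, target_dn):
            return level         # first matching <who> clause wins
    return "none"                # implicit "by * none" at the end of a rule


if __name__ == "__main__":
    alice = "uid=alice,ou=People,dc=test,dc=domain,dc=mydomain,dc=org"
    bob = "uid=bob,ou=People,dc=test,dc=domain,dc=mydomain,dc=org"
    # Constructed DNs that the loose pattern wrongly accepts:
    nested = "uid=carol,ou=Contractors,ou=People,dc=test,dc=domain,dc=mydomain,dc=org"
    sub = "cn=token,uid=alice,ou=People,dc=test,dc=domain,dc=mydomain,dc=org"
    for dn in (alice, nested, sub):
        print(dn, matches(LOOSE, dn), matches(SAFER, dn), matches(ANCHORED, dn))
    print("dead rules:", dead_rules(RULES, [alice, nested], ["userPassword", "mail"]))
    print("alice on own mail:", evaluate(RULES, ROOTDN, alice, alice, "mail"))
    print("bob on alice's userPassword:",
          evaluate(RULES, ROOTDN, bob, alice, "userPassword"))
```

Running it shows that alice gets only `read` on her own `mail` attribute: the third rule's `by self write` is dead because the second rule, with the identical <what>, is selected first. The `nested` DN matches LOOSE but not SAFER, and the `sub` DN matches both LOOSE and SAFER but not ANCHORED.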

p.




Ing. Pierangelo Masarati
Responsabile Open Solution
OpenLDAP Core Team

SysNet s.n.c.
Via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
------------------------------------------
Office:   +39.02.23998309          
Mobile:   +39.333.4963172
Email:    pierangelo.masarati@sys-net.it
------------------------------------------