
RE: ACIs problem when allowing "read" but restricting "updates" in specific entries



Hi !

   First of all, thanks for the answers ;-))

   Yes, it is true, I had a mistake with the nomenclature. The fact is that the
problem is NOT (as far as I tested it) in the regular expressions I am using
(I also checked it by tracing the slapd execution with the "-d 128" option ... and
checked that the matching is ok).

  I find the problem with the "read" access privilege for "data1checker" user.

> ##
> ## Policy Rule [1]
> ##      Access to "application=data1,,..." entries  
> ##
> access to dn.regex="appName=data1,.+$"
>        by dn.exact="uid=data1owner,ou=users,dc=company,dc=com" write stop
>        by dn.exact="uid=data1checker,ou=users,dc=company,dc=com" read stop
>        by dn.exact="uid=admin,ou=users,dc=company,dc=com" manage stop
 
  
   "uid=data1owner" is able to read and modify attribute values in entries matching
this regular expression (it is ok) ... but it is exactly the same behaviour as
"uid=data1checker", even though this last one has ONLY read privileges (???)

   I interpreted (after reading manual pages and openldap-related FAQs) that the "read"
privilege only allows reading (but NOT modifying) attribute values for entries
matching the rule .. but it is NOT what I am getting ...

 Am I understanding the "read" privilege wrongly ?

Thanks in advance

BR / Antonio

P.S: I also tested with openLDAP3.2.8, but it is the same behaviour ... and I am almost
sure the error is NOT in the regexp being used (I was testing it in depth to be sure
about that).
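As an added illustration (not part of this thread or of slapd's own code), a small Python model of how slapd evaluates `access` directives like the one quoted above: the first `to` clause whose regex matches selects the directive, the first matching `by` clause inside it decides, and privilege levels are cumulative, so `read` never covers a modify. The bind DNs mirror the quoted ACL; the target entry DN is constructed, and only the `stop` control is modelled.

```python
import re

# slapd access levels from lowest to highest; each level implies all lower
# ones, so "read" covers search/compare/auth/disclose but never write.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

# Constructed ACL list modelled on the directive quoted in the thread:
# (what_dn_regex, [(who_dn_exact, level, control), ...]). Only the "stop"
# control is modelled; "break" and "continue" are out of scope here.
ACLS = [
    (r"appName=data1,.+$", [
        ("uid=data1owner,ou=users,dc=company,dc=com", "write", "stop"),
        ("uid=data1checker,ou=users,dc=company,dc=com", "read", "stop"),
        ("uid=admin,ou=users,dc=company,dc=com", "manage", "stop"),
    ]),
]


def granted_level(acls, target_dn, bind_dn):
    """Level slapd grants bind_dn on target_dn: the first `access to` whose
    regex matches the target selects the directive, then the first matching
    `by` clause inside it decides (its "stop" ends evaluation)."""
    for what_regex, by_clauses in acls:
        if not re.search(what_regex, target_dn):
            continue  # dn.regex is unanchored unless the pattern uses ^
        for who, level, _control in by_clauses:
            if who == bind_dn:
                # "stop" (the default) makes the first matching `by` final
                return level
        return "none"  # implicit "by * none" closes every directive
    return "none"  # no directive matched: implicit "access to * by * none"


def allows(acls, target_dn, bind_dn, needed):
    """True when the granted level is at least `needed` (levels are cumulative)."""
    have = LEVELS.index(granted_level(acls, target_dn, bind_dn))
    return have >= LEVELS.index(needed)


if __name__ == "__main__":
    entry = "cn=cfg,appName=data1,ou=apps,dc=company,dc=com"  # constructed DN
    for user in ("data1owner", "data1checker", "admin", "nobody"):
        who = "uid=%s,ou=users,dc=company,dc=com" % user
        print(user, granted_level(ACLS, entry, who),
              "read" if allows(ACLS, entry, who, "read") else "-",
              "write" if allows(ACLS, entry, who, "write") else "-")
```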


-----Original Message-----
From: Quanah Gibson-Mount [mailto:quanah@zimbra.com] 
Sent: Friday, 14 March 2008 21:46
To: Michael Ströder; Antonio Alonso
Cc: openldap-software@openldap.org
Subject: Re: ACIs problem when allowing "read" but restricting "updates" in specific entries

--On Friday, March 14, 2008 1:41 PM +0100 Michael Ströder <michael@stroeder.com> wrote:

> Antonio Alonso wrote:
>>
>>    I need some help with a pair of ACIs I have prepared (using 
>> openldap
>> 2.4.7 in a SuSE9 server)
>
> Note that ACI support does not get this much attention by the 
> developers like ACLs in slapd.conf. So I'd rather recommend to do what 
> you want with ACLs. This definitely is possible. See examples for 
> regex-based ACLs in the FAQ-O-MATIC:

He was using ACLs.  He just called them ACI's.  You may want to read his entire email.

--Quanah

--

Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra ::  the leader in open source messaging and collaboration