OpenLDAP
Viewing Documentation/7795
From: quanah@openldap.org
Subject: "manage" access right needs better description
Date: Fri, 31 Jan 2014 16:49:26 +0000
From: quanah@openldap.org
To: openldap-its@OpenLDAP.org
Subject: "manage" access right needs better description
Full_Name: Quanah Gibson-Mount
Version: 2.4.39
OS: Linux 2.6
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (75.111.58.125)


The documentation in the Admin guide and the man pages for the "manage" ACL
setting has virtually no documentation.  The only definitive statement is a very
vague:

" thus manage grants all access including administrative access"

What does administrative access mean?

Followup 1

Date: Fri, 31 Jan 2014 18:08:51 +0100
From: Pierangelo Masarati <pierangelo.masarati@polimi.it>
To: <quanah@OpenLDAP.org>
CC: <openldap-its@OpenLDAP.org>
Subject: Re: (ITS#7795) "manage" access right needs better description
On 01/31/2014 05:49 PM, quanah@OpenLDAP.org wrote:
> Full_Name: Quanah Gibson-Mount
> Version: 2.4.39
> OS: Linux 2.6
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (75.111.58.125)
>
>
> The documentation in the Admin guide and the man pages for the "manage" ACL
> setting has virtually no documentation.  The only definitive statement is a
> very vague:
>
> " thus manage grants all access including administrative access"
>
> What does administrative access mean?

It allows write when write is granted and the "relax" control is 
present.  In practice, those who have "manage" access can perform those 
normally "prohibited" operations described in draft-zeilenga-ldap-relax.

p.

-- 
Pierangelo Masarati
Associate Professor
Dipartimento di Scienze e Tecnologie Aerospaziali
Politecnico di Milano



Followup 2

Date: Fri, 31 Jan 2014 18:11:11 +0100
From: Michael Ströder <michael@stroeder.com>
To: openldap-its@openldap.org
Subject: Re: (ITS#7795) "manage" access right needs better description
quanah@OpenLDAP.org wrote:
> What does administrative access mean?

I can't describe the full meaning, only a specific use case:

In some deployments I grant certain admins the right to remove the 'pwdHistory'
attribute from an entry. Since this is an operational attribute one also has to
grant the manage privilege to let the client remove the attribute in case it
sends the Relax Rules control along with the modify request.

(yes, web2ldap implements this particular use case ;-)

Example:

access to
  attrs=pwdHistory
    by group="cn=all-mighty admins,dc=example,dc=com" =zm
    by * none

AFAIK this also applies to altering other operational attributes by using
Relax Rules control.

Maybe you can take this as a start for a more general text.

Ciao, Michael.



Followup 3

Date: Fri, 31 Jan 2014 09:19:31 -0800
From: Quanah Gibson-Mount <quanah@zimbra.com>
To: Pierangelo Masarati <pierangelo.masarati@polimi.it>
cc: openldap-its@OpenLDAP.org
Subject: Re: (ITS#7795) "manage" access right needs better description
--On Friday, January 31, 2014 6:08 PM +0100 Pierangelo Masarati 
<pierangelo.masarati@polimi.it> wrote:

> On 01/31/2014 05:49 PM, quanah@OpenLDAP.org wrote:
>> Full_Name: Quanah Gibson-Mount
>> Version: 2.4.39
>> OS: Linux 2.6
>> URL: ftp://ftp.openldap.org/incoming/
>> Submission from: (NULL) (75.111.58.125)
>>
>>
>> The documentation in the Admin guide and the man pages for the "manage"
>> ACL setting has virtually no documentation.  The only definitive
>> statement is a very vague:
>>
>> " thus manage grants all access including administrative access"
>>
>> What does administrative access mean?
>
> It allows write when write is granted and the "relax" control is present.
> In practice, those who have "manage" access can perform those normally
> "prohibited" operations described in draft-zeilenga-ldap-relax.

Excellent, thank you very much. ;)

--Quanah

--

Quanah Gibson-Mount
Architect - Server
Zimbra, Inc.
--------------------
Zimbra ::  the leader in open source messaging and collaboration



Followup 4

Date: Fri, 31 Jan 2014 09:36:24 -0800
From: Quanah Gibson-Mount <quanah@zimbra.com>
To: michael@stroeder.com, openldap-its@openldap.org
Subject: Re: (ITS#7795) "manage" access right needs better description
--On Friday, January 31, 2014 5:11 PM +0000 michael@stroeder.com wrote:

> quanah@OpenLDAP.org wrote:
>> What does administrative access mean?
>
> I can't describe the full meaning, only a specific use case:
>
> In some deployments I grant certain admins the right to remove the
> 'pwdHistory' attribute from an entry. Since this is an operational
> attribute one also has to grant the manage privilege to let the client
> remove the attribute in case it sends the Relax Rules control along with
> the modify request.
>
> (yes, web2ldap implements this particular use case ;-)
>
> Example:
>
> access to
>   attrs=pwdHistory
>     by group="cn=all-mighty admins,dc=example,dc=com" =zm
>     by * none
>
> AFAIK this also applies to altering other operational attributes by using
> Relax Rules control.
>
> Maybe you can take this as a start for a more general text.

Great example, thanks!

--Quanah


--

Quanah Gibson-Mount
Architect - Server
Zimbra, Inc.
--------------------
Zimbra ::  the leader in open source messaging and collaboration



Followup 5

Date: Fri, 31 Jan 2014 18:43:45 +0100
From: Michael Ströder <michael@stroeder.com>
To: pierangelo.masarati@polimi.it, openldap-its@openldap.org
Subject: Re: (ITS#7795) "manage" access right needs better description
pierangelo.masarati@polimi.it wrote:
> On 01/31/2014 05:49 PM, quanah@OpenLDAP.org wrote:
>> What does administrative access mean?
> 
> It allows write when write is granted and the "relax" control is 
> present.  In practice, those who have "manage" access can perform those 
> normally "prohibited" operations described in draft-zeilenga-ldap-relax.

I wish this explanation would catch all cases.

I vaguely remember that before the birth of draft-zeilenga-ldap-relax some
(overlays?) misused the Manage DSA IT control for that purpose.

Ciao, Michael.



Followup 6

Date: Fri, 31 Jan 2014 09:54:23 -0800
From: Quanah Gibson-Mount <quanah@zimbra.com>
To: openldap-its@openldap.org
Subject: Re: (ITS#7795) "manage" access right needs better description
--On Friday, January 31, 2014 5:36 PM +0000 quanah@zimbra.com wrote:

Additional notes:

[09:07] <hyc> manage access gives you permission to use the Relax control on a modify request
[09:07] <hyc> to write to an attribute that is otherwise not user-writable
[09:07] <hyc> only a small set of operational attributes are manageable
[09:08] <hyc> createtimestamp, modifytimestamp, creatorsname, modifiersname, entryUUID, entryTTL
[09:09] <hyc> otherwise, the relax control is useless
[09:09] <hyc> hm, the ppolicy opattrs are also manageable


--

Quanah Gibson-Mount
Architect - Server
Zimbra, Inc.
--------------------
Zimbra ::  the leader in open source messaging and collaboration
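
The following is an added illustration, not OpenLDAP code, of the decision Michael's "=zm" ACL example (followup 2) and hyc's notes above describe: a Modify on an operational attribute such as pwdHistory is refused without the Relax Rules control, and with the control the matching ACL must grant manage in addition to the add/delete privilege actually used. The rule set and the attribute list are assumptions distilled from this thread, not a transcription of slapd's acl.c.

```python
# Added illustration, not OpenLDAP code: simplified model of the decision this
# thread describes for a Modify on an operational (NO-USER-MODIFICATION)
# attribute. Rules are an assumption distilled from the followups, not acl.c.

# slapd.access(5) privilege letters after "=", "+" or "-":
# m=manage, w=write (= add + delete), a=add, z=delete, r=read,
# s=search, c=compare, x=auth, d=disclose, 0=none
PRIV_LETTERS = {
    "m": {"manage"}, "w": {"add", "delete"}, "a": {"add"}, "z": {"delete"},
    "r": {"read"}, "s": {"search"}, "c": {"compare"}, "x": {"auth"},
    "d": {"disclose"}, "0": set(),
}
# Named levels are cumulative: each includes everything below it.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]
LEVEL_ADDS = {"none": set(), "disclose": {"disclose"}, "auth": {"auth"},
              "compare": {"compare"}, "search": {"search"}, "read": {"read"},
              "write": {"add", "delete"}, "manage": {"manage"}}
# Operational attributes hyc lists as manageable through the Relax control,
# plus pwdHistory from ppolicy (Michael's use case). Anything not listed is
# treated as an ordinary user attribute in this model.
MANAGEABLE = {"createTimestamp", "modifyTimestamp", "creatorsName",
              "modifiersName", "entryUUID", "entryTTL", "pwdHistory"}


def parse_privs(spec):
    """Expand an ACL <access> such as 'write' or '=zm' into a privilege set."""
    if spec.startswith("="):
        return set().union(*(PRIV_LETTERS[c] for c in spec[1:]))
    return set().union(*(LEVEL_ADDS[l] for l in LEVELS[:LEVELS.index(spec) + 1]))


def check_modify(spec, op, attr, relax):
    """Return (allowed, reason) for a Modify doing `op` ('add' or 'delete')
    on `attr`, given the ACL clause that matched and whether the client
    sent the Relax Rules control."""
    privs = parse_privs(spec)
    if attr in MANAGEABLE and not relax:
        return False, "constraintViolation: no user modification allowed"
    if attr in MANAGEABLE and "manage" not in privs:
        return False, "insufficientAccess: Relax on %s needs manage" % attr
    if op not in privs:
        return False, "insufficientAccess: ACL grants no %s on %s" % (op, attr)
    return True, "ok"


if __name__ == "__main__":
    # Michael's clause "=zm": delete pwdHistory with and without Relax
    for relax in (False, True):
        print("relax=%s" % relax, check_modify("=zm", "delete", "pwdHistory", relax))
```

Note that plain "write" still fails with Relax because it carries no manage bit, while "=zm" allows the delete but not an add, which is exactly the least-privilege shape of Michael's clause.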



Followup 7

Date: Fri, 31 Jan 2014 19:10:27 +0100
From: Pierangelo Masarati <pierangelo.masarati@polimi.it>
To: <michael@stroeder.com>
CC: <openldap-its@openldap.org>
Subject: Re: (ITS#7795) "manage" access right needs better description
On 01/31/2014 06:44 PM, michael@stroeder.com wrote:
> pierangelo.masarati@polimi.it wrote:
>> On 01/31/2014 05:49 PM, quanah@OpenLDAP.org wrote:
>>> What does administrative access mean?
>>
>> It allows write when write is granted and the "relax" control is
>> present.  In practice, those who have "manage" access can perform those
>> normally "prohibited" operations described in draft-zeilenga-ldap-relax.
>
> I wish this explanation would catch all cases.
>
> I vaguely remember that before the birth of draft-zeilenga-ldap-relax some
> (overlays?) misused the Manage DSA IT control for that purpose.

"manageDIT" was renamed to "relax" because it was too similar to 
"manageDSAit".  Besides, although its use is intrinsically related to 
performing administrative operations, it is specifically meant to work 
around rules that make sense from a data model point of view but may 
need to be circumvented *during* "special" operations.

A clear example is the one in the draft, about turning a "person" 
objectClass into an "account" objectClass.  Changing the 
structuralObjectClass of an object is not allowed by the data model; 
however, an administrator (i.e. someone with "manage" privileges) can do 
it using the "relax" control, thus making the entry inconsistent during 
the operation but perfectly consistent before *and* after.

p.

-- 
Pierangelo Masarati
Associate Professor
Dipartimento di Scienze e Tecnologie Aerospaziali
Politecnico di Milano



Followup 8

Date: Fri, 31 Jan 2014 19:22:21 +0100
From: Michael Ströder <michael@stroeder.com>
To: pierangelo.masarati@polimi.it, openldap-its@openldap.org
Subject: Re: (ITS#7795) "manage" access right needs better description
pierangelo.masarati@polimi.it wrote:
> On 01/31/2014 06:44 PM, michael@stroeder.com wrote:
>> pierangelo.masarati@polimi.it wrote:
>>> On 01/31/2014 05:49 PM, quanah@OpenLDAP.org wrote:
>>>> What does administrative access mean?
>>>
>>> It allows write when write is granted and the "relax" control is
>>> present.  In practice, those who have "manage" access can perform those
>>> normally "prohibited" operations described in draft-zeilenga-ldap-relax.
>>
>> I wish this explanation would catch all cases.
>>
>> I vaguely remember that before the birth of draft-zeilenga-ldap-relax some
>> (overlays?) misused the Manage DSA IT control for that purpose.
> 
> "manageDIT" was renamed to "relax" because it was too similar to 
> "manageDSAit".

Yes, I know. I meant it literally mentioning "Manage DSA IT control".

Ciao, Michael.


The OpenLDAP Issue Tracking System uses a hacked version of JitterBug

© Copyright 2013, OpenLDAP Foundation, info@OpenLDAP.org