
Re: ldapACI permissions



> < djb > I agree with your analysis that having both delete and add
> permission on the object essentially means that one could delete the
> object, and re-add it, filling in attributes, and access control as it
> liked. If the concern is that users would circumvent the access control
> checks by doing this sort of thing, I might suggest that an auditing
> facility is needed for that directory.

> Is the suggestion here that  when creating an entry, a user can only set
> the values on those attributes to which he also has 'write' permission?
> Does this also mean the user needs 'write/delete' permission on all
> attributes which have values when he is deleting the entry?

I think both 'add' on entry and 'write' on attributes SHOULD be checked
when creating an entry.  Otherwise there is no way to prevent a user with
'add' permission only from filling in ldapACI or other security-sensitive
attribute values.
Auditing can help detect the problem (after the fact), but shouldn't be
a substitute for access checking.
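The two checks contrasted in this reply, written out as an added example that is not part of the thread or of any ldapACI implementation. The permission model (entry-level rights plus per-attribute rights) and the function names are constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed, simplified rights model for one subject on one entry;
# not the ldapACI attribute syntax from the draft itself.
@dataclass
class SubjectRights:
    entry: set                                  # e.g. {"add", "delete"}
    attrs: dict = field(default_factory=dict)   # attribute -> set of rights

def may_add_lenient(rights, new_attrs):
    """Weak check discussed in the thread: only 'add' on the entry is required,
    so the subject can populate any attribute, ldapACI included."""
    return "add" in rights.entry

def denied_attributes(rights, new_attrs):
    """Attributes in the proposed entry the subject may not 'write'."""
    return sorted(a for a in new_attrs
                  if "write" not in rights.attrs.get(a, set()))

def may_add_strict(rights, new_attrs):
    """Check argued for in the reply: 'add' on the entry AND 'write' on every
    attribute the new entry would carry a value for."""
    return "add" in rights.entry and not denied_attributes(rights, new_attrs)

# Constructed sample: a subject with 'add' on the entry and 'write' on the
# ordinary naming attributes, but no right to write ldapACI.
USER = SubjectRights(entry={"add"},
                     attrs={"cn": {"write"}, "sn": {"write"}, "ldapACI": {"read"}})
ADD_WITH_ACI = {"cn": "jdoe", "sn": "Doe", "ldapACI": "grant all to jdoe"}
ADD_PLAIN = {"cn": "jdoe", "sn": "Doe"}

if __name__ == "__main__":
    print("lenient allows ldapACI add:", may_add_lenient(USER, ADD_WITH_ACI))  # True
    print("strict allows ldapACI add: ", may_add_strict(USER, ADD_WITH_ACI))   # False
    print("strict denies attributes:  ", denied_attributes(USER, ADD_WITH_ACI))
    print("strict allows plain add:   ", may_add_strict(USER, ADD_PLAIN))      # True
```

The strict variant is the one that actually enforces the per-attribute policy at add time; auditing the lenient variant only records the ldapACI value after it has already taken effect.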