Re: ACM permission
> I think you will need at least a Filter Matching permission for attributes
> as well. A classical way to break security in a directory is to search for
> entries with userPassword=*joan* (or whatever...).
>
> Should there be a permission for Compare operations as well? Denying
> compare on operational information could be used to keep curious users from
> poking at the ACIs themselves.
You could cover all this with the attribute level read. I know this is
not as fine grained as the permissions in the current draft, but it is
a lot less complex to admin. So in the cases you have mentioned:
deny:r#OID.userPassword,OID.subtreeACI,OID.entryACI#authnLevel:none:public:
Mark
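
Added example, not part of the message above or of the draft: a toy evaluator showing how one attribute-level read denial can gate both filter matching and Compare, so a `userPassword=*joan*` search and a Compare against the ACI attributes disclose nothing. The field layout of the ACI string, the default-allow rule, the level name "simple" and the sample entries are assumptions made for illustration.

```python
from fnmatch import fnmatchcase

# ACI string exactly as posted above ("OID." is the message's own placeholder).
ACI = "deny:r#OID.userPassword,OID.subtreeACI,OID.entryACI#authnLevel:none:public:"

def parse_aci(aci):
    """Split into (action, perms, attrs, authn_level); field layout is assumed."""
    head, attrs, subject = aci.split("#")
    action, perms = head.split(":")
    names = {a.split(".", 1)[1].lower() for a in attrs.split(",")}
    return action, set(perms), names, subject.split(":")[1]

def can_read(attr, authn_level, aci=ACI):
    """Assumed semantics: readable unless a deny-read ACI names attr at this level."""
    action, perms, names, level = parse_aci(aci)
    return not (action == "deny" and "r" in perms
                and attr.lower() in names and authn_level == level)

def search(entries, attr, pattern, authn_level):
    """Substring filter gated on read: a denied attribute never matches."""
    if not can_read(attr, authn_level):
        return []  # filter is Undefined for every entry, so nothing is returned
    return [e["dn"] for e in entries
            if any(fnmatchcase(v, pattern) for v in e.get(attr.lower(), []))]

def compare(entry, attr, value, authn_level):
    """Compare gated on read: None means 'refused', not True or False."""
    if not can_read(attr, authn_level):
        return None
    return value in entry.get(attr.lower(), [])

# Constructed sample directory (attribute names stored lowercase).
DIRECTORY = [
    {"dn": "cn=Joan,o=example", "cn": ["Joan"], "userpassword": ["xxjoan99"],
     "entryaci": [ACI]},
    {"dn": "cn=Bob,o=example", "cn": ["Bob"], "userpassword": ["hunter2"]},
]

if __name__ == "__main__":
    for level in ("none", "simple"):
        print(level, search(DIRECTORY, "userPassword", "*joan*", level),
              compare(DIRECTORY[0], "entryACI", ACI, level))
```

Returning an empty result for the denied filter, rather than an error, keeps the response identical to a search that simply matched nothing.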