overpowered rights for suffix when one suffix name contains another one's (ITS#2520)
Full_Name: Thomas Eskenazi
OS: debian woody 6.3
Submission from: (NULL) (220.127.116.11)
I created the suffixes "dc=toto" and "dc=toto2".
The corresponding bind DNs are "cn=admin,dc=toto" and "cn=admin,dc=toto2" and
have different credentials.
When I make a ldapadd or ldapdelete with the bind DN "cn=admin,dc=toto2" on the
"dc=toto" suffix, it works (which, I think, is not good)!
On the other hand, when I make a ldapadd or ldapdelete with the bind DN
"cn=admin,dc=toto" on the "dc=toto2" suffix, it doesn't.
I then created a "dc=toto23" with "cn=admin,dc=toto23" as bind DN.
As I thought, when I make a ldapadd or ldapdelete with the bind DN
"cn=admin,dc=toto23" on the "dc=toto" suffix or the "dc=toto2", it works.
I have come to the conclusion that if a suffix name contains another existing
suffix in your directory or if a bind DN name contains another existing bind DN
name, then the first one has sufficient access to both suffixes.
I didn't see anything about this in the documentation, please inform me if I'm