
overpowered rights for suffix when one suffix name contains another one's (ITS#2520)



Full_Name: Thomas Eskenazi
Version: 2.0.33
OS: debian woody 6.3
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (81.80.101.104)


Hi,

I created the suffixes "dc=toto" and "dc=toto2".

The corresponding bind DNs are "cn=admin,dc=toto" and "cn=admin,dc=toto2" and
have different credentials.

When I make an ldapadd or ldapdelete with the bind DN "cn=admin,dc=toto2" on the
"dc=toto" suffix, it works (which, I think, is not good)!

On the other hand, when I make an ldapadd or ldapdelete with the bind DN
"cn=admin,dc=toto" on the "dc=toto2" suffix, it doesn't.

I then created a "dc=toto23" with "cn=admin,dc=toto23" as bind DN.

As I thought, when I make an ldapadd or ldapdelete with the bind DN
"cn=admin,dc=toto23" on the "dc=toto" suffix or the "dc=toto2" suffix, it works.

I have come to the conclusion that if a suffix name contains another existing
suffix on your directory, or if a bind DN name contains another existing bind DN
name, then the first one has sufficient access to both suffixes.

I didn't see anything about this in the documentation; please inform me if I'm
wrong.

Regards,
Thomas
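The report above describes the symptom ("dc=toto2" being treated as if it belonged to "dc=toto") but not the server-side cause. As an added example, not part of this ITS report or of OpenLDAP's code, the following small model shows the check a directory server needs to make correctly: deciding which configured suffix an entry belongs to, and whether the bound DN is exactly that suffix's administrative DN, must compare DNs component by component, never by plain string containment. The `BACKENDS` mapping, the function names, and the simplified lower-casing normalization are assumptions made for the example; the DNs mirror the ones in the report.

```python
# Added example, not from ITS#2520 or OpenLDAP: a model of suffix selection
# and administrative-DN checking done on RDN components rather than on raw
# strings. Plain substring containment confuses "dc=toto" with "dc=toto2" and
# "dc=toto23"; component-wise comparison keeps them distinct.

def split_rdns(dn):
    """Split a DN string into its RDNs on unescaped commas (RFC 4514 '\\,')."""
    rdns, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):      # keep an escape pair intact
            buf.append(ch + dn[i + 1])
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
        i += 1
    rdns.append("".join(buf).strip())
    return rdns


def normalize_dn(dn):
    """Simplified normalization (assumption): lower-case type and value of
    every RDN. Real servers apply per-attribute matching rules; this is enough
    for the dc/cn attributes used here."""
    out = []
    for rdn in split_rdns(dn):
        attr_type, _, value = rdn.partition("=")
        out.append(attr_type.strip().lower() + "=" + value.strip().lower())
    return out


def naive_contains(dn, suffix):
    """A check of the kind that would produce the reported symptom:
    substring containment of the suffix string in the DN string."""
    return suffix.lower() in dn.lower()


def dn_equal(a, b):
    """DN equality on normalized components, not on raw strings."""
    return normalize_dn(a) == normalize_dn(b)


def is_under(dn, suffix):
    """True if dn is the suffix entry itself or a subordinate of it."""
    d, s = normalize_dn(dn), normalize_dn(suffix)
    return len(d) >= len(s) and d[len(d) - len(s):] == s


def select_backend(target_dn, backends):
    """Pick the most specific configured suffix the target lies under."""
    matches = [sfx for sfx in backends if is_under(target_dn, sfx)]
    if not matches:
        return None
    return max(matches, key=lambda sfx: len(normalize_dn(sfx)))


def has_admin_access(bind_dn, target_dn, backends):
    """The bound DN gets administrative access only if it is exactly the
    admin DN configured for the backend that owns target_dn."""
    sfx = select_backend(target_dn, backends)
    return sfx is not None and dn_equal(bind_dn, backends[sfx])


# Constructed configuration mirroring the report: suffix -> administrative DN.
BACKENDS = {
    "dc=toto": "cn=admin,dc=toto",
    "dc=toto2": "cn=admin,dc=toto2",
    "dc=toto23": "cn=admin,dc=toto23",
}

if __name__ == "__main__":
    # Substring containment wrongly places dc=toto2's admin under dc=toto.
    print(naive_contains("cn=admin,dc=toto2", "dc=toto"))   # True (wrong)
    print(is_under("cn=admin,dc=toto2", "dc=toto"))         # False (right)
    print(has_admin_access("cn=admin,dc=toto2", "ou=people,dc=toto", BACKENDS))  # False
    print(has_admin_access("cn=admin,dc=toto", "ou=people,dc=toto", BACKENDS))   # True
```

The two decisions that matter for the report are `select_backend` (an operation on "ou=people,dc=toto" must be routed to the "dc=toto" backend and no other) and `has_admin_access` (only "cn=admin,dc=toto" is that backend's administrator). With both done on normalized RDN lists, "cn=admin,dc=toto2" and "cn=admin,dc=toto23" get no privileged access to "dc=toto", which is the behaviour the reporter expected.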