
Re: overpowered rights for suffix when one suffix name contains another one's (ITS#2520)



This issue will be closed as not indicative of a bug in
OpenLDAP Software.  Please direct questions about the
use of OpenLDAP Software to the openldap-software mailing
list <http://www.openldap.org/lists/>.

Kurt

At 08:34 AM 5/15/2003, teskenazi@omnikles.com wrote:
>Full_Name: Thomas Eskenazi
>Version: 2.0.33
>OS: debian woody 6.3
>URL: ftp://ftp.openldap.org/incoming/
>Submission from: (NULL) (81.80.101.104)
>
>
>Hi,
>
>I created the suffixes "dc=toto" and "dc=toto2".
>
>The corresponding bind DNs are "cn=admin,dc=toto" and "cn=admin,dc=toto2" and
>have different credentials.
>
>When I make an ldapadd or ldapdelete with the bind DN "cn=admin,dc=toto2" on the
>"dc=toto" suffix, it works (which, I think, is not good)!
>
>On the other hand, when I make an ldapadd or ldapdelete with the bind DN
>"cn=admin,dc=toto" on the "dc=toto2" suffix, it doesn't.
>
>I then created a "dc=toto23" with "cn=admin,dc=toto23" as bind DN.
>
>As I thought, when I make an ldapadd or ldapdelete with the bind DN
>"cn=admin,dc=toto23" on the "dc=toto" suffix or the "dc=toto2", it works.
>
>I have come to the conclusion that if a suffix name contains another existing
>suffix on your directory or if a bind DN name contains another existing bind DN
>name, then the first one has sufficient access to both suffixes.
>
>I didn't see anything about this in the documentation, please inform me if I'm
>wrong.
>
>Regards,
>Thomas