(ITS#4556) ACLs related to the content of *new* entries
Full_Name: Andreas Hasenack
Submission from: (NULL) (220.127.116.11)
I think this is an enhancement request and not a bug, because as far as I can
see the behaviour I'm about to describe matches the documentation.
I would like to be able to prevent the creation of certain *new* entries.
Currently, ACLs only allow me to filter this via "attrs=children" and
"attrs=entry" (and RDN), with no regard to content.
Thus, in this sample scenario:
access to dn.sub="ou=dns,@SUFFIX@"
        by group.exact="cn=DNS Admins,ou=System Groups,@SUFFIX@" write
        by * read
members of the "DNS Admins" group are able to create any entry at all, with any
objectClass, under ou=dns. But after the entry is created, they can only touch
the attributes of the dNSZone object class as expected.
I would like for these members to not be able to create entries under ou=dns
other than those with the dNSZone OC and its attributes. This would minimize
risks in setups where, for example, nss_ldap was wrongly configured to do
subtree searches starting at @SUFFIX@. This would be a security issue, because
the DNS Admins could create a posixAccount entry under ou=dns and give anyone
they want root access (uidNumber 0).
Having the ability to prevent the creation of specific entries would help
prevent such scenarios.
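As an added example that is not part of this report or of OpenLDAP: a small audit over a constructed LDIF dump that flags exactly the entries the ACL above cannot block (objectClasses other than dNSZone under ou=dns, and posixAccount entries with uidNumber 0 that a subtree-searching nss_ldap would honour). The suffix, the ou=people base and all sample entries are assumptions.

```python
SUFFIX = "dc=example,dc=com"           # assumed stand-in for @SUFFIX@
DNS_BASE = f"ou=dns,{SUFFIX}"
PEOPLE_BASE = f"ou=people,{SUFFIX}"    # assumed home of real posixAccounts
ALLOWED_DNS_CLASSES = {"top", "dnszone"}  # compared case-insensitively

# Constructed LDIF: one legitimate zone, one rogue uid 0 account under
# ou=dns (the case the report describes), one normal user elsewhere.
SAMPLE_LDIF = """\
dn: dc=example.com,ou=dns,dc=example,dc=com
objectClass: top
objectClass: dNSZone
zoneName: example.com

dn: uid=backdoor,ou=dns,dc=example,dc=com
objectClass: top
objectClass: posixAccount
uid: backdoor
uidNumber: 0
gidNumber: 0
homeDirectory: /root

dn: uid=alice,ou=people,dc=example,dc=com
objectClass: posixAccount
uid: alice
uidNumber: 1000
gidNumber: 1000
homeDirectory: /home/alice
"""

def parse_ldif(text):
    """Parse simple LDIF (no folding, no base64) into (dn, attrs) pairs."""
    entries = []
    for block in text.strip().split("\n\n"):
        dn, attrs = None, {}
        for line in block.splitlines():
            key, _, value = line.partition(": ")
            if key.lower() == "dn":
                dn = value
            else:
                attrs.setdefault(key.lower(), []).append(value)
        entries.append((dn, attrs))
    return entries

def under(dn, base):
    """True if dn lies strictly below base (DN suffix match, case-folded)."""
    return dn.lower().endswith("," + base.lower())

def audit(entries):
    """Return (dn, reason) findings for entries the ACL cannot prevent."""
    findings = []
    for dn, attrs in entries:
        classes = {c.lower() for c in attrs.get("objectclass", [])}
        if under(dn, DNS_BASE) and not classes <= ALLOWED_DNS_CLASSES:
            findings.append((dn, "unexpected objectClass under ou=dns"))
        if "posixaccount" in classes and not under(dn, PEOPLE_BASE):
            findings.append((dn, "posixAccount outside " + PEOPLE_BASE))
        if attrs.get("uidnumber") == ["0"]:
            findings.append((dn, "uidNumber 0"))
    return findings
```

Run `audit(parse_ldif(SAMPLE_LDIF))` against a real `slapcat` dump to get the same three findings for any rogue entry; every finding is something the ACL in the report grants write access to create.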