
(ITS#4556) ACLs related to the content of *new* entries

Full_Name: Andreas Hasenack
Version: 2.3.23
OS: linux
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (

I think this is an enhancement request and not a bug, because as far as I can
see the behaviour I'm about to describe matches the documentation.

I would like to be able to prevent the creation of certain *new* entries.
Currently, ACLs only allow me to filter this via "attrs=children" and
"attrs=entry" (and RDN), with no regard to content.

Thus, in this sample scenario:
access to dn.sub="ou=dns,@SUFFIX@"
        by group.exact="cn=DNS Admins,ou=System Groups,@SUFFIX@" write
        by * read

members of the "DNS Admins" group are able to create any entry at all, with any
objectClass, under ou=dns. But after the entry is created, they can only touch
the attributes of the dNSZone object class as expected.

I would like for these members to not be able to create entries under ou=dns
other than those with the dNSZone OC and its attributes. This would minimize
risks in setups where, for example, nss_ldap was wrongly configured to do
subtree searches starting at @SUFFIX@. This would be a security issue, because
the DNS Admins could create a posixAccount entry under ou=dns and give anyone
they want root access (uidNumber 0).

Having the ability to prevent the creation of specific entries would help
prevent such scenarios.
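Since the ACL above cannot restrict which object classes the DNS Admins add under ou=dns, one compensating control is to audit a slapcat/LDIF export for entries in that subtree that are not dNSZone objects, flagging in particular a posixAccount with uidNumber 0. The script below is an added example, not part of this ITS report or of OpenLDAP; it assumes @SUFFIX@ expands to dc=example,dc=com, and the LDIF it scans is constructed sample data.

```python
"""Audit an LDIF export for non-dNSZone entries under ou=dns. Added example, not
part of the ITS report; assumes @SUFFIX@ = dc=example,dc=com, sample data constructed."""
ALLOWED_CLASSES = {"top", "dnszone"}  # compared case-insensitively

def parse_ldif(text):
    """Minimal LDIF reader: joins folded lines; a blank line ends an entry."""
    entries, cur, lines = [], {}, []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:   # continuation of previous line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    for line in lines + [""]:
        if not line:
            if cur:
                entries.append(cur)
            cur = {}
        elif not line.startswith("#"):
            attr, _, value = line.partition(":")
            cur.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries

def audit(ldif_text, base="ou=dns,dc=example,dc=com"):
    """Return (dn, reason) pairs for entries under base that break the policy."""
    findings = []
    for e in parse_ldif(ldif_text):
        dn = e.get("dn", [""])[0]
        if not dn.lower().endswith("," + base.lower()):
            continue
        extra = {c.lower() for c in e.get("objectclass", [])} - ALLOWED_CLASSES
        if extra:
            findings.append((dn, "unexpected objectClass " + ",".join(sorted(extra))))
        if "0" in e.get("uidnumber", []):   # a root account hiding in the DNS tree
            findings.append((dn, "uidNumber 0 under DNS subtree"))
    return findings

SAMPLE_LDIF = """\
dn: zoneName=example.com,ou=dns,dc=example,dc=com
objectClass: top
objectClass: dNSZone
zoneName: example.com
relativeDomainName: @

dn: uid=rogue,ou=dns,dc=example,dc=com
objectClass: top
objectClass: posixAccount
cn: rogue
uid: rogue
uidNumber: 0
"""
```

Run `audit()` over the output of `slapcat` for the real directory; any finding means an entry the intended ACL would have refused.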