
Re: (ITS#4556) ACLs related to the content of *new* entries

On Thu, 2006-05-18 at 19:29 +0000, ahasenack@terra.com.br wrote:

> I think this is an enhancement request and not a bug, because as far as I can
> see the behaviour I'm about to describe matches the documentation.
> I would like to be able to prevent the creation of certain *new* entries.
> Currently, ACLs only allow me to filter this via "attrs=children" and
> "attrs=entry" (and RDN), with no regard to content.
> Thus, in this sample scenario:
> access to dn.sub="ou=dns,@SUFFIX@"
>         attrs=children,entry,@dNSZone
>         by group.exact="cn=DNS Admins,ou=System Groups,@SUFFIX@" write
>         by * read
> members of the "DNS Admins" group are able to create any entry at all, with any
> objectClass, under ou=dns. But after the entry is created, they can only touch
> the attributes of the dNSZone object class as expected.
> I would like for these members to not be able to create entries under ou=dns
> other than those with the dNSZone OC and its attributes. This would minimize
> risks in setups where, for example, nss_ldap was wrongly configured to do
> subtree searches starting at @SUFFIX@. This would be a security issue, because
> the DNS Admins could create a posixAccount entry under ou=dns and give anyone
> they want root access (uidNumber 0).
> Having the ability to prevent the creation of specific entries would help
> prevent such scenarios.

I think the reason ACLs don't muck with the contents of an entry being
added is that ACLs apply to entries in a naming context, while an entry
being added does not belong to a naming context until it's added (catch-22?).
What you need is something like DIT structure rules (see
draft-ietf-ldapbis-models for details), which AFAIK is not implemented in
OpenLDAP yet.


Ing. Pierangelo Masarati
Responsabile Open Solution
OpenLDAP Core Team

SysNet s.n.c.
Via Dossi, 8 - 27100 Pavia - ITALIA
Office:   +39.02.23998309
Mobile:   +39.333.4963172
Email:    pierangelo.masarati@sys-net.it
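Added example, not part of this thread and not OpenLDAP code: a small Python model of the structure rule the reporter is asking for, together with the subtree search that makes the hole matter. The suffix dc=example,dc=com, the zone name, the record values, the allowed-attribute list (taken from the usual dnszone.schema attribute names) and the function names are all assumptions made for the example. check_add() is what a pre-add gate in front of ldapadd, or a DIT structure/content rule in the server, would have to decide; find_root_accounts() is the (&(objectClass=posixAccount)(uidNumber=0)) subtree search a misconfigured nss_ldap rooted at the suffix would issue.

```python
# Added example (not from the thread or from OpenLDAP): a pre-add check that
# models the DIT structure rule the poster asks for, plus the nss_ldap-style
# search that shows why it matters.  Suffix, DNs and record values below are
# constructed sample data.
from typing import Dict, List

SUFFIX = "dc=example,dc=com"          # stands in for @SUFFIX@ in the thread
DNS_SUBTREE = "ou=dns," + SUFFIX

# Hypothetical policy: under ou=dns only top/dNSZone entries may be added,
# and only with attributes from the dNSZone schema.  The attribute names are
# the ones from the common dnszone.schema; adjust to the schema slapd loads.
ALLOWED_CLASSES = {"top", "dnszone"}
ALLOWED_ATTRS = {"objectclass", "zonename", "relativedomainname", "dnsclass",
                 "dnsttl", "arecord", "nsrecord", "soarecord", "mxrecord",
                 "cnamerecord", "ptrrecord", "txtrecord"}


def norm_dn(dn: str) -> str:
    """Lower-case a DN and drop whitespace around the RDN separators."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def parse_ldif_entry(text: str) -> Dict[str, List[str]]:
    """Parse one LDIF entry into {attribute (lower-cased): [values]}.

    Only the plain 'attr: value' form is handled; base64 ('::') values and
    folded continuation lines are not, which is enough for these samples.
    """
    entry: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        entry.setdefault(name.strip().lower(), []).append(value.strip())
    return entry


def in_subtree(dn: str, base: str) -> bool:
    """True when dn lies strictly below base (the children of a dn.sub= scope)."""
    return norm_dn(dn).endswith("," + norm_dn(base))


def check_add(entry: Dict[str, List[str]]) -> List[str]:
    """Return the policy violations for adding entry; [] means allowed.

    Entries outside ou=dns are not this rule's concern and pass through.
    """
    dn = entry.get("dn", [""])[0]
    if not in_subtree(dn, DNS_SUBTREE):
        return []
    problems: List[str] = []
    for oc in entry.get("objectclass", []):
        if oc.lower() not in ALLOWED_CLASSES:
            problems.append(f"objectClass {oc} not permitted under {DNS_SUBTREE}")
    for attr in entry:
        if attr != "dn" and attr not in ALLOWED_ATTRS:
            problems.append(f"attribute {attr} not permitted under {DNS_SUBTREE}")
    return problems


def find_root_accounts(directory: List[Dict[str, List[str]]], base: str) -> List[str]:
    """Model a subtree search for (&(objectClass=posixAccount)(uidNumber=0))
    from base, as nss_ldap rooted at the suffix would issue; return matching DNs."""
    hits: List[str] = []
    for entry in directory:
        dn = entry.get("dn", [""])[0]
        classes = {c.lower() for c in entry.get("objectclass", [])}
        if (in_subtree(dn, base) and "posixaccount" in classes
                and "0" in entry.get("uidnumber", [])):
            hits.append(dn)
    return hits


# Constructed sample entries: a legitimate zone, and the rogue account the
# ACL in the thread would let a DNS admin add under ou=dns.
GOOD_ENTRY = """
dn: zoneName=example.com,ou=dns,dc=example,dc=com
objectClass: top
objectClass: dNSZone
zoneName: example.com
relativeDomainName: @
dNSTTL: 3600
sOARecord: ns1.example.com. hostmaster.example.com. 1 3600 900 604800 86400
"""

ROGUE_ENTRY = """
dn: uid=backdoor,ou=dns,dc=example,dc=com
objectClass: top
objectClass: account
objectClass: posixAccount
uid: backdoor
cn: backdoor
uidNumber: 0
gidNumber: 0
homeDirectory: /root
"""

if __name__ == "__main__":
    good, rogue = parse_ldif_entry(GOOD_ENTRY), parse_ldif_entry(ROGUE_ENTRY)
    print("zone entry violations:", check_add(good))
    print("rogue entry violations:", check_add(rogue))
    # Without the rule both entries land in the DIT, and a suffix-wide
    # nss_ldap lookup resolves uidNumber 0 to the rogue entry.
    print("uid 0 under suffix:", find_root_accounts([good, rogue], SUFFIX))
```

The check deliberately says nothing about entries outside ou=dns: it is a model of one structure rule, not of the whole ACL set, so it composes with the existing access directives rather than replacing them. A real deployment would either enforce this in the server (the DIT structure rules the reply points to) or in whatever tooling DNS admins use to add entries, since a client-side gate is only as strong as the admins' inability to bypass it.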