
Re: (ITS#4556) ACLs related to the content of *new* entries

ahasenack@terra.com.br wrote:
> Full_Name: Andreas Hasenack
> Version: 2.3.23
> OS: linux
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (
> I think this is an enhancement request and not a bug, because as far as I can
> see the behaviour I'm about to describe matches the documentation.
> I would like to be able to prevent the creation of certain *new* entries.
> Currently, ACLs only allow me to filter this via "attrs=children" and
> "attrs=entry" (and RDN), with no regard to content.
> Thus, in this sample scenario:
> access to dn.sub="ou=dns,@SUFFIX@"
>         attrs=children,entry,@dNSZone
>         by group.exact="cn=DNS Admins,ou=System Groups,@SUFFIX@" write
>         by * read
> members of the "DNS Admins" group are able to create any entry at all, with any
> objectClass, under ou=dns. But after the entry is created, they can only touch
> the attributes of the dNSZone object class as expected.
> I would like for these members to not be able to create entries under ou=dns
> other than those with the dNSZone OC and its attributes. This would minimize
> risks in setups where, for example, nss_ldap was wrongly configured to do
> subtree searches starting at @SUFFIX@. This would be a security issue, because
> the DNS Admins could create a posixAccount entry under ou=dns and give anyone
> they want root access (uidNumber 0).
> Having the ability to prevent the creation of specific entries would help
> prevent such scenarios.

The scenario you describe is mitigated though, because no users can read
any attributes besides those that are in the dNSZone objectClass.

  -- Howard Chu
  Chief Architect, Symas Corp.  http://www.symas.com
  Director, Highland Sun        http://highlandsun.com/hyc
  OpenLDAP Core Team            http://www.openldap.org/project/
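
To make the mitigation argument above checkable, here is an added example (not code from the ITS thread or from OpenLDAP) that models slapd's first-match ACL evaluation in Python and runs the quoted directive against a rogue posixAccount entry under ou=dns. Assumed, and not taken from the thread: the suffix dc=example,dc=com standing in for @SUFFIX@, the subset of dNSZone attributes used to expand @dNSZone, and that the ou=dns directive is the first access directive matching entries under ou=dns. Add is modelled as the report describes for 2.3.23: only write on the parent's children and on the new entry's entry pseudo-attribute is checked, not the attributes being added.

```python
# Added example (not from the ITS thread or from OpenLDAP): a small model of
# slapd's first-match ACL evaluation, used to check the ou=dns scenario.
# Assumptions not taken from the thread: the suffix below, the subset of
# dNSZone attributes used to expand "@dNSZone", and that the ou=dns directive
# is the first access directive matching entries under ou=dns.

SUFFIX = "dc=example,dc=com"                      # stands in for @SUFFIX@
DNS_ADMINS = f"cn=DNS Admins,ou=System Groups,{SUFFIX}"

# Assumed subset of the attributes permitted by the dNSZone objectClass;
# slapd expands "@dNSZone" to the class's full MUST/MAY set at runtime.
# The objectClass attribute itself is deliberately left out of this toy.
SCHEMA = {
    "dNSZone": {"zoneName", "relativeDomainName", "dNSTTL", "dNSClass",
                "aRecord", "nSRecord", "sOARecord"},
}

# Access levels in increasing order of privilege (OpenLDAP 2.3).
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write"]


def expand_attrs(attrs):
    """Expand "@objectClass" items in an attrs list, as slapd does."""
    out = set()
    for a in attrs:
        out |= (SCHEMA[a[1:]] if a.startswith("@") else {a})
    return out


def dn_sub(base, dn):
    """dn.sub="base" matches base itself and every entry below it."""
    return dn == base or dn.endswith("," + base)


def acl(base, attrs, by):
    """One 'access to dn.sub=<base> attrs=<attrs> by ...' directive."""
    return {"base": base, "attrs": expand_attrs(attrs), "by": by}


# The directive quoted in the report, with @SUFFIX@ filled in.
ACLS = [
    acl(f"ou=dns,{SUFFIX}", ["children", "entry", "@dNSZone"],
        [("group", DNS_ADMINS, "write"), ("*", None, "read")]),
]


def access(acls, subject, dn, attr, wanted):
    """First matching 'access to' directive wins; inside it the first
    matching 'by' clause decides. No match at all means deny, which is
    slapd's default once any access directive is configured."""
    for a in acls:
        if not (dn_sub(a["base"], dn) and attr in a["attrs"]):
            continue
        for kind, who, level in a["by"]:
            if kind == "*" or (kind == "group" and who in subject["groups"]):
                return LEVELS.index(level) >= LEVELS.index(wanted)
        return False      # directive matched but no 'by' clause did
    return False          # no directive covers this (dn, attr)


def can_add(acls, subject, new_dn):
    """Add as the report describes for 2.3.23: write on the parent's
    'children' and on the new entry's 'entry' pseudo-attribute; the
    attributes being added are not checked."""
    parent = new_dn.split(",", 1)[1]
    return (access(acls, subject, parent, "children", "write")
            and access(acls, subject, new_dn, "entry", "write"))


def readable(acls, subject, dn, attrs):
    """Attributes of dn the subject may read under these ACLs."""
    return {x for x in attrs if access(acls, subject, dn, x, "read")}


def writable(acls, subject, dn, attrs):
    """Attributes of dn the subject may modify under these ACLs."""
    return {x for x in attrs if access(acls, subject, dn, x, "write")}


# Constructed subjects and entries for the scenario.
ADMIN = {"groups": {DNS_ADMINS}}
ANON = {"groups": set()}
ZONE_DN = f"zoneName=example.com,ou=dns,{SUFFIX}"
ROGUE_DN = f"uid=rogue,ou=dns,{SUFFIX}"
ROGUE_ATTRS = {"cn", "uid", "uidNumber", "gidNumber", "homeDirectory"}

# Constructed counter-example: a broader directive placed *before* the ou=dns
# one wins by first match and re-exposes the posixAccount attributes.
BAD_ORDER = [acl(SUFFIX, ["uid", "uidNumber", "gidNumber"],
                 [("*", None, "read")])] + ACLS

if __name__ == "__main__":
    print("DNS Admins may add rogue entry:", can_add(ACLS, ADMIN, ROGUE_DN))
    print("anyone can read of it:",
          sorted(readable(ACLS, ANON, ROGUE_DN, ROGUE_ATTRS)))
    print("admins can later write:",
          sorted(writable(ACLS, ADMIN, ROGUE_DN, ROGUE_ATTRS)))
    print("with the broader rule first:",
          sorted(readable(BAD_ORDER, ANON, ROGUE_DN, ROGUE_ATTRS)))
```

The model reproduces both halves of the thread: the admins can create the posixAccount entry, but neither they nor anyone else can read or modify its uidNumber afterwards, because the only directive covering ou=dns lists just children, entry and the dNSZone attributes, and slapd denies whatever no directive covers. Since a search filter assertion needs search access to the attribute it tests, an nss_ldap lookup such as (&(objectClass=posixAccount)(uid=rogue)) would not even match the entry. The BAD_ORDER list is the caveat to check in a real slapd.conf: any earlier directive that grants read on uid, uidNumber or gidNumber across the suffix wins by first match and undoes the mitigation, so the order of access directives, not just their content, has to be reviewed.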