Re: (ITS#4556) ACLs related to the content of *new* entries
> Full_Name: Andreas Hasenack
> Version: 2.3.23
> OS: linux
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (220.127.116.11)
> I think this is an enhancement request and not a bug, because as far as I can
> see the behaviour I'm about to describe matches the documentation.
> I would like to be able to prevent the creation of certain *new* entries.
> Currently, acls only allow me to filter this via "attrs=children" and
> "attrs=entry" (and RDN), with no regard to content.
> Thus, in this sample scenario:
> access to dn.sub="ou=dns,@SUFFIX@"
> by group.exact="cn=DNS Admins,ou=System Groups,@SUFFIX@" write
> by * read
> members of the "DNS Admins" group are able to create any entry at all, with any
> objectClass, under ou=dns. But after the entry is created, they can only touch
> the attributes of the dNSZone object class as expected.
> I would like for these members to not be able to create entries under ou=dns
> other than those with the dNSZone OC and its attributes. This would minimize
> risks in setups where, for example, nss_ldap was wrongly configured to do
> subtree searches starting at @SUFFIX@. This would be a security issue, because
> the DNS Admins could create a posixAccount entry under ou=dns and give anyone
> they want root access (uidNumber 0).
> Having the ability to prevent the creation of specific entries would help
> prevent such scenarios.
The scenario you describe is mitigated though, because no users can read
any attributes besides those that are in the dnsZone objectclass.
-- Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc
OpenLDAP Core Team http://www.openldap.org/project/
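The report above worries about non-dNSZone entries (in particular a posixAccount with uidNumber 0) appearing under ou=dns, where a misconfigured nss_ldap subtree search would pick them up. The following is an added audit script, not part of this ITS thread and not OpenLDAP code: it parses an LDIF export of the ou=dns subtree (a constructed sample with an assumed suffix of dc=example,dc=com is embedded inline) and reports every entry below the base whose objectClass values are anything other than top and dNSZone, flagging posixAccount entries that carry uidNumber 0.

```python
"""Audit an LDIF export of an ou=dns subtree for entries that are not dNSZone objects.

Added example for this thread; the LDIF below is constructed sample data with an
assumed suffix (dc=example,dc=com), not a real directory export.
"""
import base64
from typing import Dict, List

# Constructed sample: the base entry, one legitimate zone, and one rogue
# posixAccount with uidNumber 0 that a DNS admin could have created.
SAMPLE_LDIF = """\
dn: ou=dns,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
ou: dns

dn: zoneName=example.com,ou=dns,dc=example,dc=com
objectClass: top
objectClass: dNSZone
zoneName: example.com
relativeDomainName: @

dn: uid=rogue,ou=dns,dc=example,dc=com
objectClass: top
objectClass: posixAccount
objectClass: account
uid: rogue
uidNumber: 0
gidNumber: 0
homeDirectory: /root
"""


def _unfold(text: str) -> List[str]:
    """Join LDIF continuation lines (lines starting with a single space)."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Parse LDIF into a list of entries; attribute names are lowercased,
    values kept as lists. Handles folded lines and base64 (::) values."""
    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    for line in _unfold(text):
        if line.startswith("#"):
            continue
        if not line.strip():            # blank line terminates an entry
            if current:
                entries.append(current)
            current = {}
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed LDIF line: {line!r}")
        if value.startswith(":"):       # base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(attr.strip().lower(), []).append(value)
    if current:
        entries.append(current)
    return entries


def audit_subtree(entries, base_dn: str, allowed_classes=("top", "dNSZone")):
    """Return findings for entries below base_dn whose objectClass set contains
    anything outside allowed_classes. Comparisons are case-insensitive, as LDAP
    attribute names and objectClass values are."""
    allowed = {c.lower() for c in allowed_classes}
    base = base_dn.lower()
    findings = []
    for entry in entries:
        dn = entry.get("dn", [""])[0]
        if dn.lower() == base or not dn.lower().endswith("," + base):
            continue                    # skip the base itself and unrelated entries
        classes = {c.lower() for c in entry.get("objectclass", [])}
        unexpected = sorted(classes - allowed)
        if not unexpected:
            continue
        findings.append({
            "dn": dn,
            "unexpected_classes": unexpected,
            # The specific risk from the report: a root-equivalent POSIX account.
            "root_posix": "posixaccount" in classes and "0" in entry.get("uidnumber", []),
        })
    return findings


if __name__ == "__main__":
    for f in audit_subtree(parse_ldif(SAMPLE_LDIF), "ou=dns,dc=example,dc=com"):
        tag = " [uidNumber 0 posixAccount]" if f["root_posix"] else ""
        print(f"{f['dn']}: unexpected objectClass {f['unexpected_classes']}{tag}")
```

To run it against a live directory, replace SAMPLE_LDIF with the output of an ldapsearch over the ou=dns subtree (base, scope sub, attributes objectClass and uidNumber) and review any line the script prints; a clean subtree prints nothing.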