
Re: SLAPD: Should access checks take place before filter matching?



At 10:18 AM 6/22/2001, Simon Spero wrote:
>On Thursday, June 21, 2001, at 07:25 PM, Kurt D. Zeilenga wrote: 
>
>>At 08:58 AM 6/21/2001, Simon Spero wrote: 
>>>During the course of testing some other stuff I noticed that several functions in filter_entry check acl info before they test to see if the filter matches. 
>
>>In our ACM, one must have search permission to evaluate a filter 
>>and read permission to return the entry.  Search is dependent 
>>on the filter and checked during filter evaluation.  Read 
>>permissions apply only to matching entries. 
>
>The set of results returned by an implementation that checks access before checking the filter, and the set returned by one that checks the filter before evaluating the access control are precisely identical.

Not necessarily... just because (X=foo) is allowed to be
evaluated does not mean that attribute X will be returned.
Permission to search (=x) is orthogonal to permission to
read (=r) and semantically quite different.

Kurt
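
Added example, not part of the original thread and not OpenLDAP code: a simplified Python model of the rule discussed above, where search permission is checked on the filter attribute during evaluation and read permission applies only to matching entries. The ACL, the entries, the function names and the `filter_priv="r"` variant are constructed for illustration.

```python
# Simplified model (assumption), not slapd's ACL engine.
# Constructed ACL for one requester: "s" = search, "r" = read.
ACL = {
    "entry": {"r"},     # the entry itself may be returned
    "cn": {"s", "r"},
    "x": {"s"},         # may be tested in a filter, never returned
    "mail": {"r"},      # may be returned, never tested in a filter
}

# Constructed sample entries.
ENTRIES = [
    {"dn": "cn=a,dc=example,dc=com", "cn": "a", "x": "foo", "mail": "a@example.com"},
    {"dn": "cn=b,dc=example,dc=com", "cn": "b", "x": "bar", "mail": "b@example.com"},
]


def allowed(attr, priv):
    return priv in ACL.get(attr, set())


def visible_attrs(entry):
    """Read permission decides which attributes of a matching entry go back."""
    return {k: v for k, v in entry.items() if k != "dn" and allowed(k, "r")}


def search(attr, value, filter_priv="s"):
    """Evaluate the equality filter (attr=value), then apply read permission.

    filter_priv="s" follows the model in the message: search permission is
    checked while the filter is evaluated. filter_priv="r" is a hypothetical
    variant that gates the filter on read permission instead.
    """
    results = []
    for entry in ENTRIES:
        # No permission on the filter attribute: treated here as "no match".
        if not allowed(attr, filter_priv) or entry.get(attr) != value:
            continue
        if allowed("entry", "r"):
            results.append((entry["dn"], visible_attrs(entry)))
    return results


if __name__ == "__main__":
    for flt in [("x", "foo"), ("mail", "a@example.com")]:
        print(flt, "search-gated:", search(*flt))
        print(flt, "read-gated:  ", search(*flt, filter_priv="r"))
```

With this ACL, (x=foo) matches under the search-gated model but `x` is absent from the returned entry, while (mail=a@example.com) matches nothing even though `mail` is readable; the read-gated variant gives the opposite result set for both filters.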