
Re: More granular privileges in ACLs (Was: (ITS#3625) [enhancement] per-operation ACLs)



At 01:47 PM 4/4/2005, Hallvard B Furuseth wrote:
>Kurt D. Zeilenga writes:
>> In your patch, it appears that modify/replace only requires
>> add.  However, as modify/replace deletes existing values,
>> it should require delete as well.
>
>What if there is no attribute to delete?

The check is not done with knowledge of the entry,
so one has to assume the attribute exists and with
values different than those presented.

Now, if no values are presented, then just delete
can be required.


>What you say is consistent with current behaviour, but current
>behaviour does not look right to me:
>
>  access to attrs=foo val=bar by *    read
>  access to *                 by self write
>                              by *    read
>
>does not prevent replace:foo if the entry contains foo:bar.

Value level ACLs are, today, (I think) incomplete.

>It's documented, though.  But if it is the intended behaviour,
>I think slapd startup should at least try to warn about it.
>I'll file an ITS when I know what the error is:-)
>
>-- 
>Hallvard