[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: More granular privileges in ACLs (now ITS#3631)

Kurt D. Zeilenga wrote:

In your patch, it appears that modify/replace only requires
add. However, as modify/replace deletes existing values,
it should require delete as well.

I'm missing the point where this happens. As far as I can see, access for ldap_modify is checked in acl_check_modlist(). In fact I see a problem, but different from the one you mention: in case of replace (case LDAP_MOD_REPLACE), first ACL_WRITE (which implies both ADD and DELETE) is checked; then the control falls thru LDAP_MOD_ADD which checks again for ACL_WADD. It would be more appropriate to check for ACL_WDEL the first time. One thing I forgot, which I've placed in a follow-on to that patch, is acess control to modifications occurring because of a modrdn. I've applied the above patch to all backends and to all occurrences of ACL_WRITE.

Also, I think the syntax is cumbersome, because to have an access corresponding to the "read" level plus "a" or "z" capability requires extra configurtion and run-time overhead. So I added a configuration directive, and a level-like form of "add" and "delete" which in terms of level corresponds to "write" (i.e. all levels below are implied) but only adds respectively the "add" and the "delete" capability at write level. I'll post the patch ASAP.


SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497