[Date Prev][Date Next] [Chronological] [Thread] [Top]

R: Re: R: Enforcing attribute ACL on add operations

To: Emmanuel Dreyfus <manu@netbsd.org>
Subject: R: Re: R: Enforcing attribute ACL on add operations
From: Pierangelo Masarati <ando@sys-net.it>
Date: Sat, 27 Sep 2008 21:55:11 +0200 (CEST)
Cc: openldap-devel@openldap.org
In-reply-to: <1inxxqj.11b6m7w7l7lbcM%manu@netbsd.org>

----- Emmanuel Dreyfus <manu@netbsd.org> ha scritto:
> Pierangelo Masarati <ando@sys-net.it> wrote:
> 
> > See ITS#4556 for discussion.
> 
> So this is not considered a security hole. But as far as I understand,
> anyone that is allowed to add an entry anywhere can add a user with
> random privileges. Did I miss something here? Can that be avoided?

I'm not necessarily saying that.  For the problem you highlight, setting

authz-policy from

would cure it (one could only add an entry and authorize as that entry, but not add an entry and use it to authorize as some other existing one).

What I'm saying that apparently the "right" manner to handle the problem you pose consists in implementing DIT content rules.

p.

Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
-----------------------------------
Office:  +39 02 23998309
Mobile:  +39 333 4963172
Fax:     +39 0382 476497
Email:   ando@sys-net.it
-----------------------------------

Follow-Ups:
- Re: R: Re: R: Enforcing attribute ACL on add operations
  - From: Howard Chu <hyc@symas.com>
- Re: R: Re: R: Enforcing attribute ACL on add operations
  - From: manu@netbsd.org (Emmanuel Dreyfus)

References:
- Re: R: Enforcing attribute ACL on add operations
  - From: manu@netbsd.org (Emmanuel Dreyfus)

Prev by Date: Re: R: Enforcing attribute ACL on add operations
Next by Date: Re: R: Re: R: Enforcing attribute ACL on add operations
Index(es):
- Chronological
- Thread