
Re: R: Re: R: Enforcing attribute ACL on add operations



Pierangelo Masarati wrote:
----- Emmanuel Dreyfus <manu@netbsd.org> wrote:
Pierangelo Masarati <ando@sys-net.it> wrote:

See ITS#4556 for discussion.
So this is not considered a security hole. But as far as I understand,
anyone that is allowed to add an entry anywhere can add a user with
random privileges. Did I miss something here? Can that be avoided?

I'm not necessarily saying that. For the problem you highlight, setting

authz-policy from

would cure it (one could only add an entry and authorize as that entry, but not add an entry and use it to authorize as some other existing one).

What I'm saying is that apparently the "right" manner to handle the problem
you pose consists in implementing DIT content rules.

I disagree.
http://www.openldap.org/lists/openldap-devel/200709/msg00079.html

ditContentRules and ditStructureRules don't give you the fine-grained control that's required here.

I think Emmanuel's patch looks correct, and the corresponding patch needs to be made for a lot of other backends.

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
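The authz-policy setting Pierangelo refers to, shown as an added slapd.conf fragment for readers of the archive; it is not from the thread or from OpenLDAP itself, and every DN in it is constructed. The directive and the authzFrom/authzTo attributes are the ones slapd actually uses; the ACL at the end is an assumed hardening step for modify operations (per-attribute ACL enforcement on add is exactly what Emmanuel's patch addresses).

```conf
# slapd.conf fragment (added example, not from the thread). DNs are constructed.

# Weak for the scenario discussed: with "to", the *authenticated* entry's own
# authzTo attribute decides whom it may proxy-authorize as. Anyone permitted
# to add an entry can add one carrying
#     authzTo: dn.exact:cn=admin,dc=example,dc=com
# and then authorize as cn=admin through it.
#authz-policy to

# What the thread recommends: with "from", only the *target* entry's
# authzFrom attribute is consulted, e.g. on cn=admin,dc=example,dc=com:
#     authzFrom: dn.exact:uid=manu,ou=people,dc=example,dc=com
# A freshly added entry can therefore grant proxy authorization only to
# itself, never to an existing identity whose entry it does not control.
authz-policy from

# Assumed hardening: keep the policy attributes writable by the directory
# administrator only, so an existing entry cannot be modified to widen it.
access to attrs=authzFrom,authzTo
    by dn.exact="cn=admin,dc=example,dc=com" write
    by * read
```

Flip the commented directive to compare the two behaviours on a test server; with `from` active, the entry added by an ordinary user is never consulted when another identity is the authorization target.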