
R: Re: R: Re: R: Enforcing attribute ACL on add operations



----- Howard Chu <hyc@symas.com> ha scritto:
> Emmanuel Dreyfus wrote:
> > Howard Chu<hyc@symas.com>  wrote:
> >
> >> I think Emmanuel's patch looks correct, and the corresponding patch needs to
> >> be made for a lot of other backends.
> >
> > Cool, I can do that.
> > Two other questions:
> >
> > 1) do we want an option to enable this behavior? The change could affect
> > existing setups that rely on this "feature"
> 
> I'm inclined not to have a particular option for this. It's simply plugging a 
> long-standing hole.

As I said, I agree about the hole; however, I remember raising this issue myself earlier and receiving a satisfactory response about the fact that the current software complies with specs.  I need to dig this out.

> > 2) should modrdn be fixed the same way? Other operations?
> 
> I'm not yet convinced. What's the scenario you see here?

Unless one uses authzTo/authzFrom as a naming attribute, I don't see any issue.  I haven't checked, but I believe modrdn already needs to comply with ACLs in a manner that allows fine-grained enough control.  In fact, modrdn needs to pass access control both for the old and the new (r)dn, and the use of filters, sets and so on allows one to condition access on the entry's content.

p.


Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
-----------------------------------
Office:  +39 02 23998309
Mobile:  +39 333 4963172
Fax:     +39 0382 476497
Email:   ando@sys-net.it
-----------------------------------
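As an added illustration of the case Pierangelo raises (this fragment is not part of the thread and is not OpenLDAP project code), here is a slapd.conf ACL set in which an attribute rule protects authzTo/authzFrom while a separate group is allowed to create entries. The suffix, the admin DN and the provisioners group are assumed names. The point of the example is the interaction the subject line is about: if an add operation only checks the privilege on the parent's children pseudo-attribute and not the per-attribute rules, a provisioner could create an entry that already carries authzTo despite rule 1; once attribute ACLs are enforced on add, that add is rejected unless the binder also has add access to authzTo.

```conf
# Added example, not from the thread. All DNs and group names are assumed.
# Rules are evaluated in order; the first "access to" clause that matches
# the target (DN and attribute) decides, so the attribute rule comes first.

# 1. Proxy-authorization attributes: only the directory admin may write them.
#    This is the rule that creation of a new entry must also honour; with
#    attribute ACLs skipped on add, a provisioner could still populate
#    authzTo in an entry they create.
access to dn.subtree="ou=people,dc=example,dc=com" attrs=authzTo,authzFrom
        by dn.exact="cn=admin,dc=example,dc=com" write
        by * none

# 2. Creating entries beneath ou=people is an "add" privilege on the
#    parent's children pseudo-attribute; only the provisioners group has it.
access to dn.exact="ou=people,dc=example,dc=com" attrs=children
        by group.exact="cn=provisioners,ou=groups,dc=example,dc=com" add
        by * none

# 3. Everything else under ou=people (including the entry pseudo-attribute):
#    provisioners get write (which covers the add privilege on each attribute
#    of a new entry), users may write their own entry, everyone else may read.
access to dn.subtree="ou=people,dc=example,dc=com"
        by group.exact="cn=provisioners,ou=groups,dc=example,dc=com" write
        by self write
        by * read
```

With these rules, a provisioner binding and adding `uid=alice,ou=people,dc=example,dc=com` with an `authzTo` value should succeed only while rule 1 is not consulted on add; with attribute ACLs enforced on add, the same request fails with insufficient access while an add without `authzTo` still succeeds. For modrdn, the old and new RDN checks Pierangelo refers to mean rule 1 would also deny a rename that tried to move `authzTo` into the RDN, which is the only modrdn scenario he sees as relevant.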