[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Enforcing attribute ACL on add operations

Emmanuel Dreyfus wrote:
Pierangelo Masarati <ando@sys-net.it> wrote:

I mean: test006 is broken now, we can no longer make test. You should
check why the test is broken and try to fix it :) Probably, according
to the old access rule, a user with "add" permission for entries is adding an entry without having "add" permission on all the attributes.

The culprit is the ACL on attrs=objectclass at the top of the file: access to attrs=objectclass by * =rsc stop

If I change it that way, test006 passes:
access         to attrs=objectclass
               by dn.exact="cn=Bjorn Jensen,ou=Information Technology
Division,ou=People,dc=example,dc=com" add
                by * =rsc stop

Not sure it is a correct fix, through.

Sounds correct. I mean: since no objectClass modification was performed in the test, given the expected behavior of access control for add operations, there was no need to give anyone add permission on objectClass. What you suggest seems to be the minimal add permission to let the test pass, and I think it's fine to re-enable that test right now. Should the test change (more add operations) acls will be tweaked further.

Go ahead and commit :)


Ing. Pierangelo Masarati OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
Office:  +39 02 23998309
Mobile:  +39 333 4963172
Fax:     +39 0382 476497
Email:   ando@sys-net.it