
Re: [LDAP-SOFTWARE] ACL and regex (matching self)

--On Tuesday, March 04, 2003 6:36 PM +0400 Ace Suares <ace@suares.nl> wrote:

> thanks for your answers.
>
> I'll have to study the mentioned RFC now (which I hoped would not be
> necessary for admins/users).
>
> I'll get back on this after I've studied it.
>
> The 'access to attr=entry' that Quanah mentioned is likely a different
> way of specifying access to "", don't you agree?
>
> In any case, I don't want read access to attr=entry for my entire tree,
> so I hope Quanah is just as confused as I am and there is a more secure
> and elegant solution to this.
>
> BTW you mention namingContext, is this also a dn of its own?
> (You don't have to answer if it's in the RFC, I'll find it then ;-)


No, it is not the same thing. It looks like you are using 2.0 and I'm using 2.1, so I don't think it applies in your case. Anyhow, as I noted, "entry" doesn't exist in anything, therefore giving read to entry by * does nothing security-wise. However, if I wanted to, say, give access to uid, and someone didn't have access to read entry, they couldn't read the contents of uid, even if I said access to uid by * read. I also have the dn."" read entry in my slapd.conf. I still required the access to entry by * read bit as well.

Quanah Gibson-Mount
Senior Systems Administrator
ITSS/TSS/Computing Systems
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
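Added example, not from this thread or from either poster: a slapd.conf ACL fragment in the OpenLDAP 2.1-style syntax mentioned above that grants the "entry" pseudo-attribute only where, and to whom, the real attributes are readable, instead of "access to attr=entry by * read" over the whole tree. The suffix dc=example,dc=com, the ou=people subtree, and the attribute list are assumptions; the root DSE rule mirrors the dn."" entry grant described in the reply.

```conf
# Added example (not from this thread). Assumed suffix dc=example,dc=com and
# subtree ou=people; OpenLDAP 2.1-style ACL syntax as discussed above.
# Clauses are evaluated in order: the first "access to" whose target
# (dn + attrs) matches decides, so specific rules come before broad ones,
# and within a clause the first matching "by" wins.

# Root DSE (dn ""): clients read it to discover namingContexts.
# Only "entry" and namingContexts on the root DSE are exposed here,
# not "entry" across the whole tree.
access to dn.base="" attrs=entry,namingContexts
    by * read

# The "entry" pseudo-attribute gates access to every real attribute of an
# object. Grant it only in the subtree and to the subjects that may read
# those attributes; anonymous cannot even confirm that an entry exists.
access to dn.subtree="ou=people,dc=example,dc=com" attrs=entry
    by self read
    by users read
    by * none

# userPassword: the owner may change it, anyone may only bind with it.
access to dn.subtree="ou=people,dc=example,dc=com" attrs=userPassword
    by self write
    by anonymous auth
    by * none

# Ordinary attributes, same scope and subjects as the "entry" grant above.
access to dn.subtree="ou=people,dc=example,dc=com" attrs=uid,cn,mail
    by self write
    by users read
    by * none

# Everything else in the directory: no access unless an earlier rule said so.
access to *
    by * none
```

With this ordering, an anonymous search of ou=people returns no entries at all, rather than a list of DNs with empty attribute sets, because the "entry" grant and the attribute grants share the same subjects and scope; an authenticated user sees uid, cn and mail of every entry in the subtree and can modify only their own. Compare an anonymous ldapsearch against a bound one to confirm the difference before relying on it.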