Re: [LDAP-SOFTWARE] ACL and regex (matching self)
--On Tuesday, March 04, 2003 6:36 PM +0400 Ace Suares <email@example.com> wrote:
> thanks for your answers.
> I'll have to study mentioned RFC now (which I hoped would not be
> necessary for admins/users).
> I'll get back on this after I've studied it.
> The 'access to attr=entry' that Quanah mentioned, is likely a different
> way of specifying access to "', don't you agree?
> In any case, I don't want read access to attr=entry for my entire tree,
> so I hope Quanah is just as confused as I am and there is a more secure
> and elegant solution to this.
> BTW you mention namingContext, is this also a dn of its own?
> (You don't have to answer if it's in the RFC, I'll find it then ;-)

No it is not the same thing. It looks like you are using 2.0 and I'm using
2.1, so I don't think it applies in your case. Anyhow, as I noted, "entry"
doesn't exist in anything, therefore giving read to entry by * does nothing
security-wise. However, if I wanted to, say, give access to uid, and
someone didn't have access to read entry, they couldn't read the contents
of uid, even if I said access to uid by * read. I also have the dn."" read
entry in my slapd.conf. I still required the access to entry by * read bit
Senior Systems Administrator
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
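
The interaction described in the reply above (read on "entry" is needed before any attribute value can be read, and read on "entry" alone exposes no values), as an added example that is not part of the original message and is not OpenLDAP code. It is a simplified model that assumes first-match rule evaluation and an implicit deny when no rule matches; the function names, the sample entry and the rulesets are constructed for illustration.

```python
# Simplified model of slapd access control (a sketch under stated assumptions,
# not OpenLDAP code): rules are checked in order, the first rule whose
# attribute list covers the requested attribute decides, and a ruleset that
# matches nothing grants no access.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]

def granted(rules, attr, who="*"):
    """Return the access level the first matching rule gives `who` on `attr`."""
    for attrs, clauses in rules:
        if attrs == "*" or attr in attrs:
            for subject, level in clauses:
                if subject in ("*", who):
                    return level
            return "none"   # rule matched but no `by` clause did
    return "none"           # no rule matched: implicit deny

def at_least(level, wanted):
    return LEVELS.index(level) >= LEVELS.index(wanted)

def can_read_value(rules, attr, who="*"):
    """Reading a value needs read on the `entry` pseudo-attribute AND on attr."""
    return (at_least(granted(rules, "entry", who), "read")
            and at_least(granted(rules, attr, who), "read"))

def visible_attrs(rules, entry, who="*"):
    """Attribute names whose values `who` could read from `entry`."""
    return sorted(a for a in entry if can_read_value(rules, a, who))

# Constructed sample entry (placeholder values).
ENTRY = {"uid": "jdoe", "mail": "jdoe@example.com", "userPassword": "{SSHA}xxxx"}

# Models: access to attr=uid by * read       (no rule covering `entry`)
UID_ONLY = [({"uid"}, [("*", "read")])]
# Models: access to attr=entry by * read     (nothing else)
ENTRY_ONLY = [({"entry"}, [("*", "read")])]
# Both rules together
BOTH = ENTRY_ONLY + UID_ONLY

if __name__ == "__main__":
    for name, rules in (("uid only", UID_ONLY), ("entry only", ENTRY_ONLY),
                        ("entry + uid", BOTH)):
        print(f"{name:12} -> readable values: {visible_attrs(rules, ENTRY)}")
```

The model covers attribute values only; it does not model search filters or DN visibility.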