[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Problem with ACL and regex

To: Openldap list <openldap-software@OpenLDAP.org>
Subject: Re: Problem with ACL and regex
From: Tony Earnshaw <tonye@billy.demon.nl>
Date: Wed, 10 Mar 2004 22:18:41 +0100
In-reply-to: <63643.81.72.89.40.1078949249.squirrel@webmail.sys-net.it>
Organization: Billy
References: <32969.193.22.120.35.1078840826.squirrel@193.22.120.35> <Pine.GSO.4.58.0403090937590.20536@math209.math.gatech.edu> <40668.193.22.120.35.1078845856.squirrel@193.22.120.35> <Pine.GSO.4.58.0403091204210.20536@math209.math.gatech.edu> <10089.193.22.120.35.1078905172.squirrel@193.22.120.35> <Pine.GSO.4.58.0403100725400.17297@oak.math.gatech.edu> <39963.193.22.120.35.1078925998.squirrel@193.22.120.35> <63156.81.72.89.40.1078928602.squirrel@webmail.sys-net.it> <63169.81.72.89.40.1078930084.squirrel@webmail.sys-net.it> <Pine.GSO.4.58.0403100953180.17401@oak.math.gatech.edu> <1078941903.5395.107.camel@localhost> <63643.81.72.89.40.1078949249.squirrel@webmail.sys-net.it>

ons, 10.03.2004 kl. 21.07 skrev Pierangelo Masarati:

> > In fact, the 2.2.x implementation is far more logical and thus easy to
> > implement. But nowhere is this documented.
> 
> ... except in the most logical place: slapd.access(5), which, since
> its creation, is maintained as much as possible aligned with the code.

I should have mentioned slapd.access, sorry. That's where I go to
*confirm* what I've already found out for myself, not how to do things.
For example, a certain doctor of mathematics at a certain Romanian
Institute pointed out to me (in another connection) that granting
across-the-board ACL write access to the saslAuthzTo attribute ("what on
earth is that?") constituted a large security risk. He was right. It's
described in slapd.access. I hadn't seen it, and it isn't certain
reading the Admin Guide what saslAuthzTo actually does (yes, it mentions
saslAuthzTo, but not with any example).

> > You have to find out that
> > your old ACLs simply don't work any longer and work out for yourself
> > why. If you're lucky, you were half way there in 2.1.x already, so you
> > can guess the rest and try. If you go solely by the Admin guide, you're
> > sold.
> 
> The admin guide has always been one step behind the code, because
> it takes a larger effort to update it.  trust the man pages, they're
> actively maintained.

I *trust* the man pages :)

--Tonni

-- 

mail: billy - at - billy.demon.nl
http://www.billy.demon.nl

References:
- Problem with ACL and regex
  - From: "Michael Hamann" <mail@mhamann.net>
- Re: Problem with ACL and regex
  - From: "Michael Hamann" <mail@mhamann.net>
- Re: Problem with ACL and regex
  - From: Diego Julian Remolina <dijuremo@math.gatech.edu>
- Re: Problem with ACL and regex
  - From: "Michael Hamann" <mail@mhamann.net>
- Re: Problem with ACL and regex
  - From: "Pierangelo Masarati" <ando@sys-net.it>
- Re: Problem with ACL and regex
  - From: "Pierangelo Masarati" <ando@sys-net.it>
- Re: Problem with ACL and regex
  - From: Diego Julian Remolina <dijuremo@math.gatech.edu>
- Re: Problem with ACL and regex
  - From: Tony Earnshaw <tonye@billy.demon.nl>
- Re: Problem with ACL and regex
  - From: "Pierangelo Masarati" <ando@sys-net.it>

Prev by Date: Re: migrating passwd from NIS to LDAP
Next by Date: Re: migrating passwd from NIS to LDAP
Index(es):
- Chronological
- Thread