[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: ldapsearch by access rights?

> If P. really wants to write a
> serious application  to test and view ACL's, I'd be really happy!

I think the idea of discovering access privileges over ldapsearch, besides
representing an extension of the protocol, is per se dangerous.  What I'm
thinking about is a slaptool that does it for you.  In this case, it
wouldn't be any more dangerous than having read access to slapd.conf,
which is required to run most of the tools (slappasswd is the only
exception, by now).  What I mean is a slapacl (or slapaccess) that parses
the slapd.conf and tells what access an authcID has on a specific
DN[+attr(s)] by applying ACLs exactly the same way slapd would do at
runtime.  This is different from knowing what access one has for all
attributes of all entries in a database, but can be of utmost help when
debugging ACLs, and does not require protocol modifications nor discovers
sensitive info.  The rest is skating on thin ice.
But it's only my opinion.


Pierangelo Masarati