
Re: access control after upgrade



The semantics of ACLs significantly changed since 2.0; in detail, the
default for DNs and more is now "exact" rather than "regex".  I note
that since you never specified any style in your clauses, the behavior
between the two versions will be quite different.  I wonder if your
original setup was working by design or by some fortunate chance,
because your rules look quite "naive".  Let me analyze them shortly:

> access to dn="ou=corporate,ou=accounts,dc=local,dc=net"
^^^ this, in 2.0, was matching anything with
"ou=corporate,ou=accounts,dc=local,dc=net" in between, on both sides;
now it only matches that entry exactly.

>          by dn="cn=corpuser,dc=local,dc=net" write
^^^ this, in 2.0, was matching anything with
"cn=corpuser,dc=local,dc=net" in between, on both sides; now it only
matches that entry exactly.

>          by anonymous read
^^^ this is quite odd, because you give write privileges to a special
"corpuser" user, read privileges to anonymous, and no privileges to
regular users.  Is this the intended behavior?

> access to dn="ou=subscriber,ou=accounts,dc=local,dc=net"
>          by dn="cn=subuser,dc=local,dc=net" write
>          by anonymous read
^^^ same as above.

> access to *
>          by dn="cn=Manager,dc=local,dc=net" write
^^^ if "cn=Manager,dc=local,dc=net" is the "rootdn", as it seems to be,
this rule is useless and actually it's a waste of time, because the
rootdn, as specified everywhere in the documentation and in the sample
slapd.conf files, bypasses access checking, while regular users have to
undergo an extra "by" checking.

>          by self write
>          by anonymous read
^^^ same as above: "self" can write, "anonymous" can read, other users don't.

I would rework them this way, assuming this is what you need:

access to dn.subtree="ou=corporate,ou=accounts,dc=local,dc=net"
        by dn.exact="cn=corpuser,dc=local,dc=net" write
        by * read
access to dn.subtree="ou=subscriber,ou=accounts,dc=local,dc=net"
        by dn.exact="cn=subuser,dc=local,dc=net" write
        by * read
access to *
        by self write
        by * read

assuming that my guesses are consistent with your data model.

p.

On Thu, 2005-11-10 at 15:17 -0600, Aaron Thoreson wrote: 
> ( DB MOCKUP )
> dc=local,dc=net
>   |
> ou=accounts
>   |	|
>   |	|
>   |	ou=corporate
>   |
> ou=subscriber
> ( /DB MOCKUP )
> 
> -----------------------
> These controls worked perfectly in 2.0.22:
> 
> access to dn="ou=corporate,ou=accounts,dc=local,dc=net"
>          by dn="cn=corpuser,dc=local,dc=net" write
>          by anonymous read
> access to dn="ou=subscriber,ou=accounts,dc=local,dc=net"
>          by dn="cn=subuser,dc=local,dc=net" write
>          by anonymous read
> access to *
>          by dn="cn=Manager,dc=local,dc=net" write
>          by self write
>          by anonymous read
> 
> In this way, I could have an admin that could manage the corporate
> entries, and a separate admin to manage the subscriber entries.
> 
> In 2.3.11, 'cn=corpuser,dc=local,dc=net' can only read itself and can't
> update anything under "ou=corporate,ou=accounts,dc=local,dc=net".  I've
> tried varying degrees of dn.subtree and dn.exact etc.
> 
> The only difference between the old config and the new one is this:
> 
> access to dn="ou=corporate,ou=accounts,dc=local,dc=net"
>          by dn="cn=corpuser,dc=local,dc=net" write
>          by anonymous read
> access to dn="ou=subscriber,ou=accounts,dc=local,dc=net"
>          by dn="cn=subuser,dc=local,dc=net" write
>          by anonymous read
> access to *
>          by dn="cn=Syncuser,dc=local,dc=net" read
> 
> The Manager line in the old config was admittedly unnecessary, but I put
> Syncuser in its place for syncrepl replication ( which is working great!
> ).  Is this Syncuser overrunning the permissions of the two subtree
> managers?
> 
> I've read slapd.access a fair bit and it seems everything's geared toward
> reading attributes of a one OU directory.
> 
Ing. Pierangelo Masarati
Responsabile Open Solution

SysNet s.n.c.
Via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
------------------------------------------
Office:   +39.02.23998309          
Mobile:   +39.333.4963172
Email:    pierangelo.masarati@sys-net.it
------------------------------------------
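The exact-versus-subtree point made in the reply above, as an added example that is not part of this thread and not OpenLDAP's code: a toy Python evaluator for slapd-style "access to ... by ..." lines that runs the corporate rules from the thread under three readings, a bare dn= treated as an unanchored regex (the 2.0 default as the reply describes it), a bare dn= treated as exact (2.1 and later), and the reworked dn.subtree/dn.exact rules. Everything beyond the rule text is assumed: DNs are compared as lower-cased, comma-split RDN lists with no escaping or attribute normalisation, the first matching "access to" and the first matching "by" win, a matched "access to" with no matching "by" denies, rootdn bypasses the rules entirely, and the child entry `uid=jdoe,...` is constructed for the demonstration.

```python
# Toy evaluator for slapd-style "access to <what> by <who> <level>" lines.
# Not OpenLDAP code. Assumptions: DNs compare as lower-cased, comma-split RDN
# lists; "regex" is an unanchored re.search over the DN string (2.0 default);
# first matching "access to" and first matching "by" win; rootdn bypasses ACLs.
import re

PRIVS = ["none", "auth", "compare", "search", "read", "write"]
ACCESS_RE = re.compile(r'^access\s+to\s+(\*|dn(?:\.(\w+))?="([^"]*)")$')
BY_RE = re.compile(r'^by\s+(\*|self|anonymous|dn(?:\.(\w+))?="([^"]*)")\s+(\w+)$')

def _rdns(dn):
    return [p.strip().lower() for p in dn.split(",")]

def dn_matches(style, pattern, dn):
    """True if dn satisfies a dn.<style>="<pattern>" clause."""
    if style == "exact":
        return _rdns(dn) == _rdns(pattern)
    if style == "subtree":  # entry is the base itself or lies below it
        t, b = _rdns(dn), _rdns(pattern)
        return len(t) >= len(b) and t[-len(b):] == b
    if style == "regex":
        return re.search(pattern, dn) is not None
    raise ValueError("unsupported dn style: " + style)

def parse_acl(text, default_style):
    """default_style is what a bare dn= means: "regex" in 2.0, "exact" later."""
    rules = []
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        m = ACCESS_RE.match(line)
        if m:
            what = ("any", None, None) if m.group(1) == "*" else (
                "dn", m.group(2) or default_style, m.group(3))
            rules.append((what, []))
            continue
        m = BY_RE.match(line)
        if not m or not rules:
            raise ValueError("unparsed line: " + line)
        who = m.group(1)
        who = ("dn", m.group(2) or default_style, m.group(3)) \
            if who.startswith("dn") else (who, None, None)
        rules[-1][1].append((who, m.group(4)))
    return rules

def _who_matches(who, bind_dn, entry_dn):
    kind, style, pattern = who
    if kind == "*":
        return True
    if kind == "anonymous":
        return bind_dn is None
    if bind_dn is None:  # "self" and dn clauses need a bound identity
        return False
    if kind == "self":
        return _rdns(bind_dn) == _rdns(entry_dn)
    return dn_matches(style, pattern, bind_dn)

def granted(rules, bind_dn, entry_dn, rootdn=None):
    """Privilege level bind_dn (None = anonymous) ends up with on entry_dn."""
    if rootdn and bind_dn and _rdns(bind_dn) == _rdns(rootdn):
        return "write"  # rootdn is never subject to ACLs, so no rule is needed
    for (kind, style, pattern), clauses in rules:
        if kind == "dn" and not dn_matches(style, pattern, entry_dn):
            continue
        for who, level in clauses:
            if _who_matches(who, bind_dn, entry_dn):
                return level
        return "none"  # target matched but no "by" clause did
    return "none"

def allowed(rules, bind_dn, entry_dn, wanted, rootdn=None):
    return PRIVS.index(granted(rules, bind_dn, entry_dn, rootdn)) >= PRIVS.index(wanted)

# Corporate rules from the thread (the subscriber block is omitted, it is identical).
OLD = """access to dn="ou=corporate,ou=accounts,dc=local,dc=net"
         by dn="cn=corpuser,dc=local,dc=net" write
         by anonymous read
access to *
         by dn="cn=Manager,dc=local,dc=net" write
         by self write
         by anonymous read"""
REWORKED = """access to dn.subtree="ou=corporate,ou=accounts,dc=local,dc=net"
        by dn.exact="cn=corpuser,dc=local,dc=net" write
        by * read
access to *
        by self write
        by * read"""
CORPUSER = "cn=corpuser,dc=local,dc=net"
SUBUSER = "cn=subuser,dc=local,dc=net"
ENTRY = "uid=jdoe,ou=corporate,ou=accounts,dc=local,dc=net"  # constructed child entry

def demo():
    return {
        "2.0, bare dn= is regex, corpuser": allowed(parse_acl(OLD, "regex"), CORPUSER, ENTRY, "write"),
        "2.3, bare dn= is exact, corpuser": allowed(parse_acl(OLD, "exact"), CORPUSER, ENTRY, "write"),
        "2.3, reworked rules, corpuser": allowed(parse_acl(REWORKED, "exact"), CORPUSER, ENTRY, "write"),
        "2.3, reworked rules, subuser": allowed(parse_acl(REWORKED, "exact"), SUBUSER, ENTRY, "write"),
    }

if __name__ == "__main__":
    for label, ok in demo().items():
        print("%-36s write below ou=corporate: %s" % (label, ok))
```

Under the regex reading the old rule matches every entry whose DN contains the ou=corporate string, so corpuser can write to the child entry; under the exact reading the same rule matches only the ou=corporate entry itself, the child falls through to `access to *`, and corpuser gets nothing, which is the behaviour reported after the upgrade. The reworked rules restore the intent with dn.subtree, keep subuser to read-only on the corporate tree, and the `rootdn` argument to `granted` models why a `by dn="cn=Manager,..."` clause is redundant when that DN is the rootdn.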