
Re: @OC notation in ACLs: does it include the OC itself?

On Wed, 2006-05-24 at 16:59 -0300, Andreas Hasenack wrote:
> (openldap-2.3.23)
> If I have an ACL like this:
> access to dn.subtree="dc=example,dc=com"
> 	attrs=@shadowAccount
> 	by group.exact="cn=LDAP Admins,ou=System Groups,dc=example,dc=com"
> 	by * none
> Would it be equivalent to, instead of using @shadowAccount, just listing all
> attributes of that class?


>  Or does the above ACL also require that the entry has
> the shadowAccount object class?


> I ask because attributes are shared among different object classes. For
> example, both posixAccount and shadowAccount use userPassword.
> So, would the above ACL let a member of LDAP Admins update the userPassword
> attribute in this sample entry?
> dn: uid=foo,ou=People,dc=example,dc=com
> uid: foo
> objectClass: inetOrgPerson
> objectClass: posixAccount
> cn: foo
> sn: foo
> userPassword: secret <-----
> (...)

As soon as shadowAccount contains "userPassword" as either a required or
an allowed attribute, yes.  What access checking code does when
encountering a "@objectClassName" attribute is check if the attribute is
listed as either a required or an allowed attribute for that
objectClass.  Consider "@objectClassName" as a shortcut for a complete
listing of that objectClass' attributes.


Ing. Pierangelo Masarati
Responsabile Open Solution
OpenLDAP Core Team

SysNet s.n.c.
Via Dossi, 8 - 27100 Pavia - ITALIA
Office:   +39.02.23998309
Mobile:   +39.333.4963172
Email:    pierangelo.masarati@sys-net.it
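To make the answer above concrete, here is an added Python model of how an attrs= clause with "@objectClassName" is expanded; it is not code from this thread or from slapd. The schema dictionary is a constructed, hand-copied subset of the shadowAccount and posixAccount definitions from OpenLDAP's nis.schema, and the sample entry is the one from the question, trimmed to the attributes that matter.

```python
# Constructed subset of the shadowAccount and posixAccount definitions from
# OpenLDAP's nis.schema: object class -> (MUST set, MAY set), lowercased.
SCHEMA = {
    "shadowaccount": (
        {"uid"},
        {"userpassword", "shadowlastchange", "shadowmin", "shadowmax",
         "shadowwarning", "shadowinactive", "shadowexpire", "shadowflag",
         "description"},
    ),
    "posixaccount": (
        {"cn", "uid", "uidnumber", "gidnumber", "homedirectory"},
        {"userpassword", "loginshell", "gecos", "description"},
    ),
}

# The sample entry from the question (constructed, trimmed), lowercase name -> values.
SAMPLE_ENTRY = {
    "uid": ["foo"],
    "objectclass": ["inetOrgPerson", "posixAccount"],
    "userpassword": ["secret"],
}


def expand_attrs(attrs_spec):
    """Expand an ACL attrs= list into the set of attribute names it covers.
    '@oc' stands for every attribute oc requires (MUST) or allows (MAY);
    plain names are kept. LDAP names are case-insensitive, so lowercase."""
    covered = set()
    for item in attrs_spec.split(","):
        item = item.strip().lower()
        if item.startswith("@"):
            must, may = SCHEMA[item[1:]]
            covered |= must | may
        else:
            covered.add(item)
    return covered


def attrs_clause_matches(attrs_spec, attr):
    """True if the attrs= clause covers attr. The entry itself is never
    consulted: '@shadowAccount' covers userPassword even on an entry that
    carries no shadowAccount objectClass value."""
    return attr.lower() in expand_attrs(attrs_spec)


def entry_has_class(entry, oc):
    """Whether the entry actually lists oc among its objectClass values."""
    return oc.lower() in {v.lower() for v in entry.get("objectclass", [])}
```

Comparing expand_attrs("@shadowAccount") with the same attributes spelled out shows the two clauses are equivalent, while entry_has_class shows that the sample entry carries no shadowAccount value and is matched anyway.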