[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: read ACL working but write ACL not-[write access denied by read(=rscx)]

To: JOYDEEP <j.bakshi@unlimitedmail.org>
Subject: Re: read ACL working but write ACL not-[write access denied by read(=rscx)]
From: Philip Guenther <guenther+ldapsoft@sendmail.com>
Date: Mon, 9 Jul 2007 12:56:16 -0600
Cc: ghenry@suretecsystems.com, dieter@dkluenter.de, openldap-software@openldap.org
In-reply-to: <46921C6B.202@unlimitedmail.org>
References: <46921C6B.202@unlimitedmail.org>

On Mon, 9 Jul 2007, JOYDEEP wrote:

I have mentioned in my last mail that I had ACL like

################ personal ACL #######################
###################### read #######################
access to
dn.regex="cn=([^,]+),ou=personal,ou=contacts,ou=contacts,virtualDomain=([^,]+),dc=suse,dc=ldap$"
 by dn.exact,expand="uid=$1,ou=users,virtualDomain=$2,dc=suse,dc=ldap"
read
 by * none

Since that has no control field, it defaults to 'stop', so that checks that match the <what> clauses (just a dn.regex clause, in this case) will stop after processing that access directive. Later directives that might also match will not be processed.

######################## write ############################
access to
dn.regex="cn=([^,]+),ou=personal,ou=contacts,ou=contacts,virtualDomain=([^,]+),dc=suse,dc=ldap"

attr=children,entry,@inetOrgPerson,@posixAccount,@mozillaAbPersonAlpha,@evolutionPerson
  by
dn.exact,expand="uid=$1,ou=users,virtualDomain=$2,dc=suse,dc=ldap"  write
  by users none

(That should be "attrs=children,etc..", as "attr=" is undocumented, though tolerated by slapd)

the problem if writing was it reports

Jul  9 11:59:33 lvps87-230-8-228 slapd[5147]: => access_allowed: write
access denied by read(=rscx)

So I disabled the read ACL and the problem disappeared.

Right, because the first access directive wasn't letting the processing reach the second access directive.

However, that second directive only gives access to some of the attributes, unlike your first access directive which gives access to all of them. To permit read access to all attributes and write access to only some then you'll need to access directive, at least one of which has a control field of 'break'. Whether they both require that depends on whether later access directives should also be applied to that same DN.

I have a question here that why we need the read ACL at all more over thing is not so easy for Group ACL.


I cannot parse that sentence at all.

If I follow the same technique for group ACL then though the group has no delete option it can delete the entries easily.

"delete option"? There isn't a 'delete' access level. To quote the slapd.access(5) manpage: The delete operation requires write (=w) privileges on the pseudo-attribute entry of the entry being deleted, and write (=w) privileges on the children pseudo-attribute of the entry's parent.

Note that those are the exact same privileges as are needed to add an entry. It appears that you can't give someone permission to add an entry but not delete it.


Philip Guenther

References:
- Re: read ACL working but write ACL not-[write access denied by read(=rscx)]
  - From: JOYDEEP <j.bakshi@unlimitedmail.org>

Prev by Date: Re: using openldap as a translation layer.
Next by Date: using a proxy/rewrite to obviate the need for a legacy suffix?
Index(es):
- Chronological
- Thread