[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: 2.4.6 ACLs and Extented Operations

Gavin Henry escreveu:
Dear All,

It this a bad ACL?:

access to dn="ou=Users,dc=suretecsystems,dc=com"
        by self write
        by users read
        by anonymous auth

If a .subtree match is implied, this could be bad from a security point of view, perhaps. It allows an authenticated user to change any aspect of his/her own entry. Depending on what you have there, an user could make him/herself root for example.

Perhaps previously an unqualified "to dn" would be equal to "to dn.sub", while now it is equal to "to dn.exact"?