[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: 2.4.6 ACLs and Extented Operations

To: Gavin Henry <ghenry@OpenLDAP.org>
Subject: Re: 2.4.6 ACLs and Extented Operations
From: Andreas Hasenack <ahasenack@terra.com.br>
Date: Thu, 01 Nov 2007 13:08:35 -0200
Cc: openldap-software@OpenLDAP.org
In-reply-to: <49171.212.159.59.85.1193928299.squirrel@webmail.suretecsystems.com>
References: <49171.212.159.59.85.1193928299.squirrel@webmail.suretecsystems.com>
User-agent: Thunderbird 2.0.0.6 (X11/20070914)

Gavin Henry escreveu:

Dear All,

It this a bad ACL?:

access to dn="ou=Users,dc=suretecsystems,dc=com"
        by self write
        by users read
        by anonymous auth

If a .subtree match is implied, this could be bad from a security point of view, perhaps. It allows an authenticated user to change any aspect of his/her own entry. Depending on what you have there, an user could make him/herself root for example.

Perhaps previously an unqualified "to dn" would be equal to "to dn.sub", while now it is equal to "to dn.exact"?

References:
- 2.4.6 ACLs and Extented Operations
  - From: "Gavin Henry" <ghenry@OpenLDAP.org>

Prev by Date: 2.4.6 ACLs and Extented Operations
Next by Date: Re: 2.4.6 ACLs and Extented Operations
Index(es):
- Chronological
- Thread