[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: ACIs problem when allowing "read" but restricting "updates" in specific entries

To: openldap-software@openldap.org
Subject: Re: ACIs problem when allowing "read" but restricting "updates" in specific entries
From: "Dieter Kluenter" <dieter@dkluenter.de>
Date: Sat, 15 Mar 2008 12:20:04 +0100
In-reply-to: <C2DCE841B201E7468E0DFAB1651A851C016965DD@eesmdmw020.eemea.ericsson.se> (Antonio Alonso's message of "Fri, 14 Mar 2008 23:00:55 +0100")
References: <C2DCE841B201E7468E0DFAB1651A851C01638B99@eesmdmw020.eemea.ericsson.se> <47DA725F.80602@stroeder.com> <B1B2BC58B9C9EEC8F1E026DC@[192.168.1.198]> <C2DCE841B201E7468E0DFAB1651A851C016965DD@eesmdmw020.eemea.ericsson.se>
User-agent: Gnus/5.1008 (Gnus v5.10.8) XEmacs/21.5-b28 (linux)

"Antonio Alonso" <antonio.alonso@ericsson.com> writes:

> Hi !
>
>    First of all, thanks for the answers ;-))
>
>    Yes, it is true, I had a mistake with the nomenclature. The fact is that the
> problem is NOT (as far as I tested it) in the regular expressions I am using
> (I also checked it tracing the slapd execution with the "-d 128" option ... an
> checked the matching is ok).
>
>   I find the problem with the "read" access privilege for "data1checker" user.
>
>> ##
>> ## Policy Rule [1]
>> ##      Access to "application=data1,,..." entries  
>> ##
>> access to dn.regex="appName=data1,.+$"
>>        by dn.exact="uid=data1owner,ou=users,dc=company,dc=com" write stop
>>        by dn.exact="uid=data1checker,ou=users,dc=company,dc=com" read stop
>>        by dn.exact="uid=admin,ou=users,dc=company,dc=com" manage stop
>  
>   
>    "uid=data1owner" is able to read an modify attributes values in entries matching
> this regular expression (it is ok) ... but it is exactely the same behaviour a 
> "uid=data1checker" in spite this last one has ONLY read privileges (???)
>
>    I interpreted (after reading manual pages and openldap-related FAQs) that "read"
> privilege only allows to read (but NOT modify) attribute values for entries
> matching the rule .. but it is NOT what I am getting ...
>
>  Am I understanding "read" privilege worngly ?

No, read access only includes auth and compare but not modify and add.
If you run slapd with -d 128 let uid=data1checker add ore modify
an entry and follow the access rules parsing, this will show you the
access rule that is applied to this write session.

-Dieter
-- 
Dieter Klünter | Systemberatung
http://www.dkluenter.de
GPG Key ID:8EF7B6C6

References:
- ACIs problem when allowing "read" but restricting "updates" in specific entries
  - From: "Antonio Alonso" <antonio.alonso@ericsson.com>
- Re: ACIs problem when allowing "read" but restricting "updates" in specific entries
  - From: Michael Ströder <michael@stroeder.com>
- Re: ACIs problem when allowing "read" but restricting "updates" in specific entries
  - From: Quanah Gibson-Mount <quanah@zimbra.com>
- RE: ACIs problem when allowing "read" but restricting "updates" in specific entries
  - From: "Antonio Alonso" <antonio.alonso@ericsson.com>

Prev by Date: Re: slurpd does not sync master and slave
Next by Date: Re: New error (ldap_get_values_len returns NULL)
Index(es):
- Chronological
- Thread