Re: ACIs problem when allowing "read" but restricting "updates" in specific entries
"Antonio Alonso" <firstname.lastname@example.org> writes:
> Hi !
> First of all, thanks for the answers ;-))
> Yes, it is true, I had a mistake with the nomenclature. The fact is that the
> problem is NOT (as far as I tested it) in the regular expressions I am using
> (I also checked it tracing the slapd execution with the "-d 128" option ... and
> checked the matching is ok).
> I find the problem with the "read" access privilege for "data1checker" user.
>> ## Policy Rule 
>> ## Access to "application=data1,,..." entries
>> access to dn.regex="appName=data1,.+$"
>>     by dn.exact="uid=data1owner,ou=users,dc=company,dc=com" write stop
>>     by dn.exact="uid=data1checker,ou=users,dc=company,dc=com" read stop
>>     by dn.exact="uid=admin,ou=users,dc=company,dc=com" manage stop
> "uid=data1owner" is able to read and modify attributes values in entries matching
> this regular expression (it is ok) ... but it is exactly the same behaviour as
> "uid=data1checker" in spite this last one has ONLY read privileges (???)
> I interpreted (after reading manual pages and openldap-related FAQs) that "read"
> privilege only allows to read (but NOT modify) attribute values for entries
> matching the rule .. but it is NOT what I am getting ...
> Am I understanding "read" privilege wrongly ?
No, read access only includes auth and compare but not modify and add.
If you run slapd with -d 128, let uid=data1checker add or modify
an entry, and follow the access rules parsing, this will show you the
access rule that is applied to this write session.
Dieter Klünter | Systemberatung
GPG Key ID:8EF7B6C6
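
An added example, not part of the original message and not OpenLDAP code: a simplified Python model of how slapd picks the first matching "access to" rule and "by" clause for the rule quoted above, and compares the granted level with the level an operation needs. The entry DN (including ou=apps) and the names ACL, granted_level and allowed are constructed for illustration; case-insensitive matching is a simplification of slapd's DN normalization.

```python
import re

# OpenLDAP access levels, lowest to highest; each level implies all lower ones.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

# The rule quoted in the thread: (target DN regex, [(who DN, granted level)]).
# "stop" is the default control, so evaluation ends at the first matching "by".
ACL = [
    (r"appName=data1,.+$", [
        ("uid=data1owner,ou=users,dc=company,dc=com", "write"),
        ("uid=data1checker,ou=users,dc=company,dc=com", "read"),
        ("uid=admin,ou=users,dc=company,dc=com", "manage"),
    ]),
]

def granted_level(acl, target_dn, bind_dn):
    """Return (rule_index, level) from the first matching rule and 'by' clause."""
    for idx, (dn_regex, by_clauses) in enumerate(acl):
        if re.search(dn_regex, target_dn, re.IGNORECASE):
            for who, level in by_clauses:
                if who.lower() == bind_dn.lower():
                    return idx, level
            return idx, "none"   # implicit "by * none" closes every rule
    return None, "none"          # implicit "access to * by * none" once ACLs exist

def allowed(acl, target_dn, bind_dn, requested):
    """True if the granted level is at least the requested level."""
    _, level = granted_level(acl, target_dn, bind_dn)
    return LEVELS.index(level) >= LEVELS.index(requested)

if __name__ == "__main__":
    entry = "appName=data1,ou=apps,dc=company,dc=com"  # constructed sample entry DN
    for user in ("data1owner", "data1checker", "admin"):
        dn = f"uid={user},ou=users,dc=company,dc=com"
        # A modify or add needs "write"; a search result needs "read".
        print(user, {op: allowed(ACL, entry, dn, op) for op in ("read", "write")})
```

Under this model data1checker is granted read and refused write; the rule index returned by granted_level corresponds to what the -d 128 trace reports as the rule applied to the request.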