
Re: ACLs - allowing a user to add a new attribute



Andrew Findlay <andrew.findlay@skills-1st.co.uk> writes:

> On Mon, Apr 12, 2010 at 01:14:40PM -0400, Matt Ingram wrote:
>
[...]
> From an ACL perspective there is really no difference between adding
> an attribute and modifying its value.

No! You have to distinguish between the access-level model and the
privilege model; see slapd.access(5):

<level> ::= none|disclose|auth|compare|search|read|{write|add|delete}|manage
<priv> ::= {=|+|-}{0|d|x|c|s|r|{w|a|z}|m}+

> One comment I would make about your ACLs is that in several places you
> are granting read access to userPassword. This is not usually
> necessary nor is it a good idea. You need 'by * auth' access to permit
> authentication, but only need to give '=w' access to those who need to
> change passwords. Remember that the 'write' keyword includes read access

'=w' just grants write privilege but no read privilege.

-Dieter

-- 
Dieter Klünter | Systems consulting
sip: +49.40.20932173
http://www.dpunkt.de/buecher/2104.html
GPG Key ID:8EF7B6C6
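The following slapd.conf ACL fragment is an added example illustrating the level-versus-privilege distinction discussed above; it is not part of the thread and not Matt Ingram's or Andrew Findlay's configuration. The suffix, the DN "uid=alice,ou=people,dc=example,dc=com" and the choice of "mobile" as the add-only attribute are assumed for illustration.

```conf
# Added example (not from the thread): slapd.conf ACL fragment showing the
# difference between the <level> keywords and the <priv> letters from
# slapd.access(5). Suffix and attribute choices are assumptions.

# userPassword: nobody gets read. The bind is evaluated while the session
# is still anonymous, so "by anonymous auth" is what permits authentication
# (auth = bind only, no compare/search/read). The entry's owner gets "=w",
# the write privilege on its own. Unlike the "write" level, which is
# cumulative and includes read/search/compare/auth/disclose, "=w" sets
# exactly one privilege, so the owner can change but never read the hash.
access to attrs=userPassword
    by self =w
    by anonymous auth
    by * none

# mobile: the owner may read and ADD values (a) but not delete or replace
# them (that needs z, or w which covers both a and z). The level keywords
# can express this as "add", but the privilege form makes explicit which
# other privileges the owner keeps, since "=" resets everything not listed.
access to attrs=mobile
    by self =rscxa
    by users read
    by * none

# Everything else: authenticated users read, anonymous sees nothing.
access to *
    by users read
    by * none
```

To verify the effect without a client, slapacl(8) evaluates the ACLs for a given identity and target; with the suffix assumed above, something like `slapacl -f /etc/openldap/slapd.conf -u -v -D "uid=alice,ou=people,dc=example,dc=com" -b "uid=alice,ou=people,dc=example,dc=com" userPassword/read userPassword/write` should report read as DENIED and write as ALLOWED for the owner, which is exactly the "'=w' grants write but no read" point made in the reply. Repeating the check with an anonymous identity (no -D) should show auth ALLOWED and read DENIED.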