[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Unclear attribute: entry

On 05/08/2010 10:59, Klaus Ethgen wrote:

Dieter Kluenter<dieter@dkluenter.de>  schrieb:
So my question is what is the rights that are needed for which entry
attribute (in tree) to allow read, write, search or other access to
other attributes?
entry and children are so called pseudo attributes. They are mainly
used to allow access to children of an entry. As example you have an
entry ouers,dcample,dcm and want to allow access to children
of this entry but no read or write access to the entry itself, a rule
set could be

access to dn.onelevelers,dcample,dcm
        by users write
        by anonymous auth
access to dn.baseers,dcample,dcm attrstry,children
        by users write
        by anonymous auth

Thanks for your answer. But it do not makes that clear for me. I did
found some examples with entry and children but the description about
ist not clear for me.

The children attribute might be somewhat clear. But the real mysteric is
the entry attribute and as the logic seems to be somewhat identical also
the real meaning of children.

For example:
[1] access to attrs=sn
	   by * read

[2] access to attrs=entry,sn
            by * read

[1] will not allow to read the attribute sn. Only with [2] that will
work. However, _I_ would expect that all attributes of that particular
entry would be readable with [2] but only the sn attribute with [1]. And
exactly there is my problem with the understanding.

Indeed. Reading any object requires access to the entry pseudo attribute.

All the requirements regarding these two pseudo attributes are documented in the man page, slapd.access(5), under "OPERATION REQUIREMENTS".

For example, for searching and reading attributes:
       The search operation, requires search (=s) privileges on  the  entry  pseudo-attribute  of  the  searchBase
       (NOTE: this was introduced with OpenLDAP 2.4).  Then, for each entry, it requires search (=s) privileges on
       the attributes that are defined in the filter.  The resulting entries are  finally  tested  for  read  (=r)
       privileges  on the pseudo-attribute entry (for read access to the entry itself) and for read (=r) access on
       each value of each attribute that is requested.

Jonathan CLARKE
44 rue Cauchy, 94110 Arcueil, France
Telephone:  +33 (0)1 83 62 26 96
Web:        http://www.normation.com/