slapd ACL definition for access to specific object class
- To: openldap-technical@openldap.org
- Subject: slapd ACL definition for access to specific object class
- From: Space One <space@wechall.net>
- Date: Thu, 22 Mar 2018 15:52:04 +0100
- Content-language: de-DE
- User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.4.0
Hello,
I have a problem configuring correct ACLs:
If you want to grant access to a specific attribute and allow adding the
necessary object class for it, you could define (assuming the object class
is "O" and the attribute name is "A"):
access to attrs=@O by self write by * +0 break
This works, but it also allows access to any value in the "objectClass"
attribute and is therefore a massive security hole.
An alternative would be the following, which the manpage seems to describe
(https://linux.die.net/man/5/slapd.access):
access to attrs=objectClass value="O" by self write by * +0 break
access to attrs=A by self write by * +0 break
But when I apply this, and want to add the object class, I simply get
the INSUFFICIENT_ACCESS error code.
Maybe one can help?
If it's not possible, I think the manpage should be adjusted and mention
this more explicitly. Maybe there is an exception for "objectClass"? Or is it
a bug in the implementation?
Best regards
spaceone
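As an added example (not part of the original post, and not OpenLDAP code), a small audit script for the pattern the post describes: `access` directives under which some `by` clause can write arbitrary `objectClass` values, either because `objectClass` is named without a `val=` restriction, or because an `@class` selector is used, which, as the poster reports, expands to the class's attributes including `objectClass`. The parser covers only the subset of slapd.access(5) syntax used in the post, and the sample directives are constructed; `O` and `A` stand in for the real names as in the post.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample directives (not from a real slapd.conf). The first two
# mirror the two variants discussed in the post.
SAMPLE_ACLS = [
    'access to attrs=@O by self write by * +0 break',
    'access to attrs=objectClass value="O" by self write by * +0 break',
    'access to attrs=A by self write by * +0 break',
    'access to attrs=objectClass by users =w by * read',
    'access to attrs=objectClass,cn by anonymous read by * +0 break',
]

WRITE_LEVELS = {"write", "manage"}
WRITE_PRIVS = set("wazm")  # privilege letters: w=write, a=add, z=delete, m=manage


def grants_write(access: str) -> bool:
    """True if an <access> token grants any write capability.

    Handles both the level form ("write", "manage") and the privilege form
    ("+w", "=wrscx"); "-w" and "+0" grant nothing.
    """
    access = access.lower()
    if access in WRITE_LEVELS:
        return True
    m = re.fullmatch(r"[+=-]([0a-z]*)", access)
    if m and not access.startswith("-"):
        return bool(WRITE_PRIVS & set(m.group(1)))
    return False


def parse_acl(directive: str) -> Tuple[List[str], Optional[str], List[Tuple[str, str]]]:
    """Split 'access to <what> by <who> <access> ...' into
    (attribute list, val restriction or None, [(who, access), ...]).

    Hypothetical minimal parser: only attrs=/val= in <what> and
    'by <who> <access> [control]' clauses are understood.
    """
    tokens = directive.split()
    if tokens[:2] != ["access", "to"]:
        raise ValueError("not an access directive")
    if "by" not in tokens:
        raise ValueError("no 'by' clause")
    first_by = tokens.index("by")

    attrs: List[str] = []
    val: Optional[str] = None
    for tok in tokens[2:first_by]:
        key, _, value = tok.partition("=")
        key = key.lower()
        if key in ("attrs", "attr"):
            attrs = [a.strip() for a in value.split(",")]
        elif key.split(".")[0] in ("val", "value"):  # val.exact= etc.
            val = value.strip('"')

    # Group the remaining tokens into one list per 'by' clause.
    clauses: List[List[str]] = []
    cur: List[str] = []
    for tok in tokens[first_by:]:
        if tok == "by":
            if cur:
                clauses.append(cur)
            cur = []
        else:
            cur.append(tok)
    if cur:
        clauses.append(cur)
    by = [(c[0], c[1]) for c in clauses if len(c) >= 2]
    return attrs, val, by


def audit(directives: List[str]) -> List[Tuple[int, str, str]]:
    """Return (line number, who, reason) for every 'by' clause that can
    write arbitrary objectClass values under its directive."""
    findings = []
    for n, d in enumerate(directives, 1):
        attrs, val, by = parse_acl(d)
        reason = None
        for a in attrs:
            if a.lower() == "objectclass" and val is None:
                reason = "objectClass listed without a val= restriction"
            elif a.startswith("@"):
                reason = f"{a} expands to all attributes of that class, objectClass included"
            elif a == "*":
                reason = "attrs=* covers every attribute, objectClass included"
        if reason is None:
            continue
        for who, access in by:
            if grants_write(access):
                findings.append((n, who, reason))
    return findings


if __name__ == "__main__":
    for line_no, who, reason in audit(SAMPLE_ACLS):
        print(f"line {line_no}: 'by {who}' can write any objectClass value: {reason}")
```

Run against the sample list, the script flags line 1 (the `@O` variant from the post) and line 4, while the `value="O"`-restricted directive on line 2 is not reported; whether that second variant actually permits the modify at runtime is exactly the question the post raises, so the script only tells you where a value restriction is missing, not that a present one works.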