
slapd ACL definition for access to specific object class



Hello,

I have a problem configuring correct ACLs:

If you want to grant access to a specific attribute and allow adding the
necessary object class for it, you could define:

Assuming objectClass is "O" and Attribute name is "A":

access to attrs=@O by self write by * +0 break

This works, but it also allows access to any value in the "objectClass"
attribute and is therefore a massive security hole.

An alternative would be the following, which the manpage seems to describe
(https://linux.die.net/man/5/slapd.access):

access to attrs=objectClass value="O" by self write by * +0 break
access to attrs=A by self write by * +0 break

But when I apply this and want to add the object class, I simply get
the INSUFFICIENT_ACCESS error code.

Maybe someone can help?
If it's not possible, I think the manpage should be adjusted and mention
this more explicitly. Maybe there is an exception for "objectClass"? Or is it
a bug in the implementation?

Best regards
spaceone
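For readers who want to reproduce the situation described in the post, the following LDIF is an added example and is not part of the original message. It performs, in a single modify operation, exactly the two changes the ACLs above are meant to permit: adding the object class "O" and adding a value of attribute "A". The target DN "uid=spaceone,dc=example,dc=com" and the attribute value "some-value" are constructed placeholders, not values from the post. Because a modify request is applied atomically, slapd must grant write access to every modification in it; if either the objectClass value or the attribute value is denied, the whole operation fails with insufficientAccessRights (50), which is the INSUFFICIENT_ACCESS the post refers to.

```ldif
# Constructed example: run with a bind identity that is the entry itself,
# e.g. ldapmodify -x -D "uid=spaceone,dc=example,dc=com" -W -f this.ldif
# The DN and the value "some-value" are placeholders (assumptions).
dn: uid=spaceone,dc=example,dc=com
changetype: modify
# First modification: add the object class the attribute below requires.
add: objectClass
objectClass: O
-
# Second modification: add a value of the attribute that "O" allows.
add: A
A: some-value
-
```

Running the two modifications separately (objectClass first, then A) is a useful check: if the first one alone already returns insufficientAccessRights, the problem lies in the value-specific objectClass rule rather than in the rule for attribute A.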