
Re: Global ACLs - Impacts access control and SLAPI (ITS#3100)



Let me elaborate just a bit more: I'm not saying the code is wrong;
actually, the current behavior never even looked strange to me because
when I usually design ACLs I don't happen to trigger this type of
problem.  I was playing with my new slapacl toy, and I noticed
this behavior was a bit counterintuitive for my usual ACL coding
style.

Usually I do:

access to *
  by * read

database xxx
suffix <namingContext>

access to <specific>
  by <who> <level>

# ...

access to <namingContext>
  by <who> <level>

so there's never any problem, because all database rules stop at
<namingContext>.  I had one when, as the last database rule, I used

access to *
  by * read

which shadowed the global rules when accessing "cn=subschema", but it's
not something I'm going to exploit in real deployments.  If I don't add
this rule, then global rules catch all at the end.  What disturbs me is
when I'm testing access to something that's outside the namingContext the
database rules were designed for.

p.


-- 
Pierangelo Masarati
mailto:pierangelo.masarati@sys-net.it
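
Added example, not part of the original message and not OpenLDAP code: a simplified Python model of the evaluation order the message describes (database rules tried first, global rules only when none of them match), plus a check that flags database rules able to match DNs outside the database's suffix. The suffix, the specific rules and their levels are constructed; the `by <who>` clause is ignored.

```python
# Simplified model, not slapd's implementation. A rule is (<what>, <level>),
# where <what> is "*" or a base DN matched as a subtree.

def norm(dn):
    """Lower-case a DN and trim spaces around commas (no escaping handled)."""
    return ",".join(part.strip() for part in dn.lower().split(","))

def dn_under(dn, base):
    """True if dn equals base or lies below it."""
    dn, base = norm(dn), norm(base)
    return dn == base or dn.endswith("," + base)

def deciding_rule(db_rules, global_rules, dn):
    """Return (origin, what, level) of the first rule whose <what> matches dn."""
    for origin, rules in (("database", db_rules), ("global", global_rules)):
        for what, level in rules:
            if what == "*" or dn_under(dn, what):
                return origin, what, level
    return "unmatched", None, None

def shadowing_rules(db_rules, suffix):
    """Database rules that can match DNs outside the database's suffix."""
    return [(what, level) for what, level in db_rules
            if what == "*" or not dn_under(what, suffix)]

# Constructed sample configuration.
SUFFIX = "dc=example,dc=com"
GLOBAL = [("*", "read")]
DB_SCOPED = [("ou=people,dc=example,dc=com", "write"),
             ("dc=example,dc=com", "read")]
# Same database with "access to * by * read" as its last rule.
DB_CATCHALL = DB_SCOPED + [("*", "read")]

if __name__ == "__main__":
    for name, db in (("scoped", DB_SCOPED), ("catch-all", DB_CATCHALL)):
        print(name, "cn=subschema ->", deciding_rule(db, GLOBAL, "cn=subschema"))
        print(name, "shadowing rules:", shadowing_rules(db, SUFFIX))
```
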