
Re: (ITS#7347) Exclusive bit masks for: ACL_WADD, ACL_WDEL, and ACL_WRITE



Applying the patch accessible here:
ftp://ftp.openldap.org/incoming/Daniel-Pluta-120808.patch together with
the ACL set below obsoletes ITS#6900.

In combination they enable the mode of operation we described in section 
VI, subsection G. of the previously linked paper.

to dn.base="ou=groups,o=test" attrs=children
        by users write
        by * none

to dn.one="ou=groups,o=test" attrs=owner
        by dnattr=owner write continue
        by dnattr=owner self-z
        by * none break

to dn.one="ou=groups,o=test" attrs=entry,@groupOfNames
        by dnattr=owner write
        by * none

The patch enables support to independently subtract the privileges 'z'
or 'a' from 'w', while 'a' or 'z' remain in the resulting bit mask. The
other way around, adding 'a' or 'z' privs is also supported.

Nevertheless, in the sense of the subject of this ITS the patch 
represents only a workaround. A clean solution (separating the 'a', 'z' 
and 'w' bitmasks) is of course preferable.




LDIF test cases using ldapmodify command:

ldapmodify -x -D "cn=000001,ou=persons,o=test" ...

# All records are submitted by the bound user cn=000001 (never 000002).
# Pass -c to ldapmodify so it continues past the records that are
# expected to fail instead of stopping at the first error.
# The cn value of each added entry carries the RDN value; slapd rejects
# an add whose naming attribute value is missing as a naming violation.
#create group entry whose owner is someone else (should fail)
dn: cn=its7347-fail,ou=groups,o=test
changetype: add
cn: its7347-fail
objectClass: top
objectClass: groupOfNames
member: cn=000001,ou=persons,o=test
owner: cn=000002,ou=persons,o=test

#create group entry owned by the bound user (should succeed)
dn: cn=its7347-success,ou=groups,o=test
changetype: add
cn: its7347-success
objectClass: top
objectClass: groupOfNames
member: cn=000001,ou=persons,o=test
owner: cn=000001,ou=persons,o=test

#add another owner; owner has write on the owner attribute (should succeed)
dn: cn=its7347-success,ou=groups,o=test
changetype: modify
add: owner
owner: cn=000002,ou=persons,o=test

#delete the other owner's DN, not our own (should succeed)
dn: cn=its7347-success,ou=groups,o=test
changetype: modify
delete: owner
owner: cn=000002,ou=persons,o=test

#delete the entry as its owner (should succeed)
dn: cn=its7347-success,ou=groups,o=test
changetype: delete

#restore the group with both owners (should succeed)
dn: cn=its7347-success,ou=groups,o=test
changetype: add
cn: its7347-success
objectClass: top
objectClass: groupOfNames
member: cn=000001,ou=persons,o=test
owner: cn=000001,ou=persons,o=test
owner: cn=000002,ou=persons,o=test

#delete the entry (should succeed)
dn: cn=its7347-success,ou=groups,o=test
changetype: delete

#again restore the entry (should succeed)
dn: cn=its7347-success,ou=groups,o=test
changetype: add
cn: its7347-success
objectClass: top
objectClass: groupOfNames
member: cn=000001,ou=persons,o=test
owner: cn=000001,ou=persons,o=test
owner: cn=000002,ou=persons,o=test

#try to delete our own DN from owner; self-z removes 'z' for self (should fail)
dn: cn=its7347-success,ou=groups,o=test
changetype: modify
delete: owner
owner: cn=000001,ou=persons,o=test

#delete the entry (should succeed)
dn: cn=its7347-success,ou=groups,o=test
changetype: delete
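As an added example (not part of this message, the ITS, or OpenLDAP), a small Python harness that feeds each of the LDIF records above to ldapmodify separately and compares the exit status with the "(should fail)" / "(should succeed)" annotation, so a regression in the ACL behaviour is reported by the script rather than read off ldapmodify's output by hand. It assumes ldapmodify is on PATH and exits non-zero when the server rejects an operation; the connection options (-H, -D, -w) are passed through from the command line, as the message elides them with "...". The embedded two-record LDIF is a constructed excerpt so the parser can be run without a server; the `runner` parameter is injectable for the same reason.

```python
"""ACL regression harness for the ITS#7347 LDIF test cases.

Added example, not code from the ITS thread or from OpenLDAP. Each LDIF
record is sent to ldapmodify on its own, so an expected failure cannot
abort the remaining records, and the exit status is compared with the
"(should fail)" / "(should succeed)" annotation in the record's comment.
Assumes ldapmodify is on PATH and exits non-zero when the server rejects
the operation; bind/host options are passed through from argv.
"""
import re
import subprocess
import sys

# Constructed excerpt of the message's test cases (first two records),
# so the parser can be exercised without a server.
SAMPLE_LDIF = """\
#create group entry whose owner is someone else (should fail)
dn: cn=its7347-fail,ou=groups,o=test
changetype: add
cn: its7347-fail
objectClass: top
objectClass: groupOfNames
member: cn=000001,ou=persons,o=test
owner: cn=000002,ou=persons,o=test

#create group entry owned by the bound user (should succeed)
dn: cn=its7347-success,ou=groups,o=test
changetype: add
cn: its7347-success
objectClass: top
objectClass: groupOfNames
member: cn=000001,ou=persons,o=test
owner: cn=000001,ou=persons,o=test
"""

EXPECT_RE = re.compile(r"\(should (fail|succeed)\)")


def split_records(ldif_text):
    """Split LDIF into (description, expect_success, record_body) tuples.

    Records are separated by blank lines; the leading '#' comment of each
    record carries the expected outcome. A record without the annotation
    is an error rather than a silent pass.
    """
    records = []
    for chunk in re.split(r"\n[ \t]*\n", ldif_text.strip()):
        lines = chunk.strip().splitlines()
        comments = [l[1:].strip() for l in lines if l.startswith("#")]
        body = [l for l in lines if not l.startswith("#")]
        if not body:
            continue
        desc = comments[0] if comments else body[0]
        m = EXPECT_RE.search(desc)
        if m is None:
            raise ValueError("record lacks (should fail|succeed) annotation: " + desc)
        records.append((desc, m.group(1) == "succeed", "\n".join(body) + "\n"))
    return records


def run_ldapmodify(record_body, ldap_args):
    """Send one record to ldapmodify; True iff the server accepted it."""
    proc = subprocess.run(
        ["ldapmodify", "-x", *ldap_args],
        input=record_body, text=True, capture_output=True,
    )
    return proc.returncode == 0


def check_cases(ldif_text, ldap_args=(), runner=run_ldapmodify):
    """Run every record and return [(description, expected_ok, actual_ok)].

    `runner` is injectable so the harness can be tested without a server.
    """
    return [
        (desc, expected, runner(body, list(ldap_args)))
        for desc, expected, body in split_records(ldif_text)
    ]


def mismatches(results):
    """Records whose observed outcome differs from the annotation."""
    return [r for r in results if r[1] != r[2]]


if __name__ == "__main__":
    # usage: python harness.py cases.ldif -H ldap://host -D <binddn> -w <pw>
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LDIF
    outcome = check_cases(text, sys.argv[2:])
    for desc, expected, actual in outcome:
        flag = "ok  " if expected == actual else "FAIL"
        print(flag, desc, "-> server", "accepted" if actual else "rejected")
    sys.exit(1 if mismatches(outcome) else 0)
```

Run it against the full test-case file after loading the ACL set; the process exits non-zero if any record's outcome contradicts its annotation, which is what a CI job wants when re-testing the patch against a new slapd build.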