Re: (ITS#7347) Exclusive bit masks for: ACL_WADD, ACL_WDEL, and ACL_WRITE
- To: openldap-its@OpenLDAP.org
- Subject: Re: (ITS#7347) Exclusive bit masks for: ACL_WADD, ACL_WDEL, and ACL_WRITE
- From: daniel@pluta.biz
- Date: Wed, 8 Aug 2012 12:08:40 GMT
- Auto-submitted: auto-generated (OpenLDAP-ITS)
Applying the patch accessible here:
ftp://ftp.openldap.org/incoming/Daniel-Pluta-120808.patch together with
the acl set below obsoletes ITS#6900.
In combination they enable the mode of operation we described in section
VI, subsection G. of the previously linked paper.
to dn.base="ou=groups,o=test" attrs=children
    by users write
    by * none
to dn.one="ou=groups,o=test" attrs=owner
    by dnattr=owner write continue
    by dnattr=owner self-z
    by * none break
to dn.one="ou=groups,o=test" attrs=entry,@groupOfNames
    by dnattr=owner write
    by * none
The patch enables support to independently subtract the privileges 'z'
or 'a' from 'w', while 'a' or 'z' remain in the resulting bit mask. The
other way around, adding 'a' or 'z' privs is also supported.
Nevertheless, in the sense of the subject of this ITS the patch
represents only a workaround. A clean solution (separating the 'a', 'z'
and 'w' bitmasks) is of course preferable.
LDIF test cases using ldapmodify command:
ldapmodify -x -D "cn=000001,ou=persons,o=test" ...
# Entries are separated by blank lines, as LDIF requires. The cn values
# match each entry's RDN; slapd otherwise rejects the add with a naming
# violation before the ACLs are evaluated.

# create group entry (should fail: requester is not listed as owner)
dn: cn=its7347-fail,ou=groups,o=test
changetype: add
cn: its7347-fail
objectClass: top
objectClass: groupOfNames
member: cn=000001,ou=persons,o=test
owner: cn=000002,ou=persons,o=test

# create group entry (should succeed)
dn: cn=its7347-success,ou=groups,o=test
changetype: add
cn: its7347-success
objectClass: top
objectClass: groupOfNames
member: cn=000001,ou=persons,o=test
owner: cn=000001,ou=persons,o=test

# add another owner (should succeed)
dn: cn=its7347-success,ou=groups,o=test
changetype: modify
add: owner
owner: cn=000002,ou=persons,o=test

# delete the other owner (should succeed)
dn: cn=its7347-success,ou=groups,o=test
changetype: modify
delete: owner
owner: cn=000002,ou=persons,o=test

# delete the entry (should succeed)
dn: cn=its7347-success,ou=groups,o=test
changetype: delete

# restore the group (should succeed)
dn: cn=its7347-success,ou=groups,o=test
changetype: add
cn: its7347-success
objectClass: top
objectClass: groupOfNames
member: cn=000001,ou=persons,o=test
owner: cn=000001,ou=persons,o=test
owner: cn=000002,ou=persons,o=test

# delete the entry (should succeed)
dn: cn=its7347-success,ou=groups,o=test
changetype: delete

# again restore the entry (should succeed)
dn: cn=its7347-success,ou=groups,o=test
changetype: add
cn: its7347-success
objectClass: top
objectClass: groupOfNames
member: cn=000001,ou=persons,o=test
owner: cn=000001,ou=persons,o=test
owner: cn=000002,ou=persons,o=test

# try to delete the owner value naming the requester itself (should fail: self-z)
dn: cn=its7347-success,ou=groups,o=test
changetype: modify
delete: owner
owner: cn=000001,ou=persons,o=test

# delete the entry (should succeed)
dn: cn=its7347-success,ou=groups,o=test
changetype: delete
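As an added illustration, not part of the ITS message or of the OpenLDAP patch it refers to, the C model below shows the incremental privilege semantics the message describes: 'w' is treated as the union of 'a' and 'z', so subtracting one of them (as in "self-z") leaves the other in the mask, and adding 'a' then 'z' yields 'w' again. It also models the message's second ACL on the owner attribute ("write continue" followed by "self-z") for the two test cases where an owner deletes another owner's value and then its own. The bit values, type and function names are assumptions chosen for this example; they are not OpenLDAP's slap.h definitions.

```c
#include <stdio.h>
#include <string.h>

/* Illustrative bit layout (assumed for this example, not slapd's slap.h):
 * 'w' is the union of 'a' and 'z', so either can be subtracted while the
 * other survives, which is the behaviour the ITS message describes. */
#define ACL_AUTH    0x0004u   /* 'x' */
#define ACL_COMPARE 0x0008u   /* 'c' */
#define ACL_SEARCH  0x0010u   /* 's' */
#define ACL_READ    0x0020u   /* 'r' */
#define ACL_WADD    0x0080u   /* 'a': add values / child entries */
#define ACL_WDEL    0x0100u   /* 'z': delete values / child entries */
#define ACL_WRITE   (ACL_WADD | ACL_WDEL)   /* 'w' == 'a' + 'z' */
#define ACL_NONE    0x0000u

typedef unsigned int acl_mask_t;

/* Bits for one privilege letter; 0 for an unknown letter. */
static acl_mask_t priv_bits(char c)
{
    switch (c) {
    case 'w': return ACL_WRITE;
    case 'a': return ACL_WADD;
    case 'z': return ACL_WDEL;
    case 'r': return ACL_READ;
    case 's': return ACL_SEARCH;
    case 'c': return ACL_COMPARE;
    case 'x': return ACL_AUTH;
    default:  return 0;
    }
}

/* Apply one incremental spec ("=wrscx", "+a", "-z") to an existing mask,
 * the way a "continue" chain accumulates privileges. A malformed or empty
 * spec leaves the mask untouched. */
acl_mask_t acl_apply(acl_mask_t mask, const char *spec)
{
    acl_mask_t bits = 0;
    const char *p;

    if (spec == NULL || *spec == '\0')
        return mask;
    for (p = spec + 1; *p; p++)
        bits |= priv_bits(*p);
    switch (spec[0]) {
    case '=': return bits;
    case '+': return mask | bits;
    case '-': return mask & ~bits;
    default:  return mask;
    }
}

/* True when mask contains every bit the privilege letter stands for, so
 * 'w' is only granted while both 'a' and 'z' are present. */
int acl_grants(acl_mask_t mask, char priv)
{
    acl_mask_t need = priv_bits(priv);
    return need != 0 && (mask & need) == need;
}

/* Model of the message's second ACL on the owner attribute:
 *   by dnattr=owner write continue
 *   by dnattr=owner self-z
 *   by * none
 * The "write" level also carries r, s, c and x; "self-z" then removes the
 * delete right only for the value that names the requester itself. */
acl_mask_t owner_attr_mask(const char *requester_dn, const char *value_dn,
                           int requester_is_owner)
{
    acl_mask_t m = ACL_NONE;

    if (!requester_is_owner)
        return m;                          /* by * none */
    m = acl_apply(m, "=wrscx");            /* write continue */
    if (strcmp(requester_dn, value_dn) == 0)
        m = acl_apply(m, "-z");            /* self-z */
    return m;
}

int main(void)
{
    /* Constructed DNs, matching the test cases in the message. */
    const char *me = "cn=000001,ou=persons,o=test";
    const char *other = "cn=000002,ou=persons,o=test";
    acl_mask_t m;

    m = owner_attr_mask(me, other, 1);
    printf("delete other owner value: %s\n",
           acl_grants(m, 'z') ? "allowed" : "denied");
    m = owner_attr_mask(me, me, 1);
    printf("delete own owner value: %s, add still %s\n",
           acl_grants(m, 'z') ? "allowed" : "denied",
           acl_grants(m, 'a') ? "allowed" : "denied");
    return 0;
}
```

The point of `acl_grants` is that 'w' is answered by checking both underlying bits rather than a separate write bit: once 'z' has been subtracted, a request needing 'w' is denied while a request needing only 'a' still passes, which is exactly the split the ITS asks for.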