
Re: Enforcing attribute ACL on add operations



Emmanuel Dreyfus wrote:
> Pierangelo Masarati <ando@sys-net.it> wrote:
>
>> In any case, I note that fixing this issue broke test006 (at least).
>
> I think this is going to break many setups that had a security hole but
> nobody was aware of it.

I mean: test006 is broken now, we can no longer make test. You should check why the test is broken and try to fix it :) Probably, according to the old access rule, a user with "add" permission for entries is adding an entry without having "add" permission on all the attributes.

> A database option can make everyone happy, but is there anyone
> complaining?

I'm not particularly in favor of a config option as soon as we're happy with the fix.


p.


Ing. Pierangelo Masarati OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
-----------------------------------
Office:  +39 02 23998309
Mobile:  +39 333 4963172
Fax:     +39 0382 476497
Email:   ando@sys-net.it
-----------------------------------