
Re: Enforcing attribute ACL on add operations



Emmanuel Dreyfus wrote:
Pierangelo Masarati <ando@sys-net.it> wrote:

I mean: test006 is broken now, we can no longer make test. You should
check why the test is broken and try to fix it :) Probably, according
to the old access rule, a user with "add" permission for entries is adding an entry without having "add" permission on all the attributes.

The culprit is the ACL on attrs=objectclass at the top of the file:

    access to attrs=objectclass by * =rsc stop

If I change it that way, test006 passes:
    access to attrs=objectclass
            by dn.exact="cn=Bjorn Jensen,ou=Information Technology Division,ou=People,dc=example,dc=com" add
            by * =rsc stop

Not sure it is a correct fix, though.

Sounds correct. I mean: since no objectClass modification was performed in the test, given the expected behavior of access control for add operations, there was no need to give anyone add permission on objectClass. What you suggest seems to be the minimal add permission to let the test pass, and I think it's fine to re-enable that test right now. Should the test change (more add operations), ACLs will be tweaked further.


Go ahead and commit :)

p.


Ing. Pierangelo Masarati OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
-----------------------------------
Office:  +39 02 23998309
Mobile:  +39 333 4963172
Fax:     +39 0382 476497
Email:   ando@sys-net.it
-----------------------------------
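Added example, not code from this thread or from OpenLDAP: a reduced model of how slapd evaluates per-attribute ACLs for an add operation, showing why "access to attrs=objectclass by * =rsc stop" blocks the add in test006 once "add" permission is required on every attribute of the new entry, and why granting "add" to Bjorn Jensen's DN lets it pass. It assumes the documented semantics (first matching "access to" clause wins, first matching "by" clause inside it wins, "=rsc" grants exactly read/search/compare, the "add" level grants the "a" privilege) and ignores the separate entry-level and children checks; the catch-all rule, the second DN and the entry contents are constructed, since test006's full slapd.conf is not quoted here.

```python
# Simplified model of slapd per-attribute ACL evaluation for an LDAP add.
# Not slapd's own code; constructed to illustrate the test006 ACL change.

BJORN = "cn=Bjorn Jensen,ou=Information Technology Division,ou=People,dc=example,dc=com"
OTHER = "cn=Someone Else,ou=People,dc=example,dc=com"   # constructed DN, not in the test

# Privilege letters granted by each cumulative access level (subset used here).
LEVEL = {"read": set("dxcsr"), "add": set("dxcsra"), "write": set("dxcsraz")}

# An ACL is a list of (attrs, [(who, privs), ...]).  attrs "*" matches any
# attribute; who is an exact DN or "*"; privs is the set of privilege letters.
# "stop" is the default control, so the first matching "by" clause is final.
ORIGINAL_ACL = [
    ("objectclass", [("*", set("rsc"))]),        # access to attrs=objectclass by * =rsc stop
    ("*",           [("*", LEVEL["write"])]),    # constructed catch-all: everyone may write
]
FIXED_ACL = [
    ("objectclass", [(BJORN, LEVEL["add"]),      # by dn.exact="cn=Bjorn Jensen,..." add
                     ("*", set("rsc"))]),        # by * =rsc stop
    ("*",           [("*", LEVEL["write"])]),    # same constructed catch-all
]

def privs_for(acl, bind_dn, attr):
    """Privilege set for bind_dn on attr under the first matching access clause."""
    for attrs, by_clauses in acl:
        if attrs != "*" and attrs.lower() != attr.lower():
            continue
        for who, privs in by_clauses:
            if who == "*" or who.lower() == bind_dn.lower():
                return privs
        return set()          # clause matched but no "by" applied: implicit "by * none"
    return set()              # no clause matched at all: deny

def add_allowed(acl, bind_dn, entry):
    """True only if bind_dn holds the add privilege on every attribute of entry."""
    return all("a" in privs_for(acl, bind_dn, attr) for attr in entry)

# Constructed entry: an add always carries objectClass, which is what the
# original "=rsc" rule denies.
NEW_ENTRY = {"objectClass": ["person"], "cn": ["New Person"], "sn": ["Person"]}

if __name__ == "__main__":
    print(add_allowed(ORIGINAL_ACL, BJORN, NEW_ENTRY))   # False: no "a" on objectClass
    print(add_allowed(FIXED_ACL, BJORN, NEW_ENTRY))      # True
    print(add_allowed(FIXED_ACL, OTHER, NEW_ENTRY))      # False: fix is scoped to one DN
```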