
Re: more access permission



Today at 12:17pm, Douglas B. Jones wrote:

> (&(uid=john)(objectClass=person))

> (uid=john)
>
> Now, are there any security concerns about putting in the
> access rules read to 'objectClass', such as:
>
> access  to attrs=entry,uid,sn,mail,ou,cn,givenname,objectClass
>         by users read
>         by anonymous read

The hole you are opening is that by knowing the objectClass(es) the
entry has, one can find out what attributes that entry must and may
have.  Therefore, if that bothers you, then I'd recommend the following:

access to attrs=objectClass
    by * compare

access to attrs=entry,uid,sn,mail,ou,cn,givenname
    by * read

That will force the *bad people* to do an explicit compare for every
possible objectClass to see what the entry has (unless giving read
access to the entry allows one to read everything -- dunno, haven't
played with "entry" in any of my ACLs).

I used "*" in those ACLs because that's really what you are doing;
anonymous is (I suppose) clearer to some folks.

-- 
Frank Swasey                    | http://www.uvm.edu/~fcs
Systems Programmer              | Always remember: You are UNIQUE,
University of Vermont           |    just like everyone else.
                    === God Bless Us All ===
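An added example, not from this thread: a small Python simulator of slapd's ACL evaluation, applied to the two configurations quoted above, so you can check which operations an anonymous bind can perform on objectClass under each. It assumes OpenLDAP's documented semantics: ordered privilege levels where each implies the lower ones, the first matching `access to` clause wins, the first matching `by` wins within it (no match means no access), a search filter on an attribute needs `search` level, and a compare operation needs only `compare`.

```python
# Added example (not from the thread): minimal simulator of slapd ACL semantics.
# Assumed ordering from the OpenLDAP admin guide; each level implies all lower ones.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]
# Minimum level an operation needs on the attribute it touches.
REQUIRED = {"compare": "compare", "filter": "search", "read": "read"}

ORIGINAL_ACL = """access to attrs=entry,uid,sn,mail,ou,cn,givenname,objectClass
        by users read
        by anonymous read
"""
TIGHTENED_ACL = """access to attrs=objectClass
    by * compare
access to attrs=entry,uid,sn,mail,ou,cn,givenname
    by * read
"""

def parse_acl(text):
    """Parse 'access to attrs=...' / 'by <who> <level>' lines into rule dicts."""
    rules, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("access to attrs="):
            attrs = line[len("access to attrs="):].split(",")
            current = {"attrs": {a.strip().lower() for a in attrs}, "by": []}
            rules.append(current)
        elif line.startswith("by ") and current is not None:
            who, level = line.split()[1:3]
            current["by"].append((who, level))
    return rules

def who_matches(who, anonymous):
    """'*' is everyone, 'anonymous' unauthenticated binds, 'users' authenticated ones."""
    return who == "*" or who == ("anonymous" if anonymous else "users")

def granted_level(rules, attr, anonymous=True):
    """Level the first matching clause grants this requester on attr; 'none' otherwise."""
    for rule in rules:
        if attr.lower() in rule["attrs"]:
            for who, level in rule["by"]:
                if who_matches(who, anonymous):
                    return level
            return "none"  # clause matched but no <who> did: implicit 'by * none'
    return "none"

def allowed(acl_text, op, attr, anonymous=True):
    """True if the requester may perform op ('read', 'compare' or 'filter') on attr."""
    level = granted_level(parse_acl(acl_text), attr, anonymous)
    return LEVELS.index(level) >= LEVELS.index(REQUIRED[op])
```

Calling `allowed(TIGHTENED_ACL, op, "objectClass")` for each op in `REQUIRED` shows that the tightened ACL leaves anonymous with compare but neither read nor filter on objectClass, while `allowed(ORIGINAL_ACL, "read", "objectClass")` is true.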