Re: R: Re: R: Enforcing attribute ACL on add operations
Pierangelo Masarati wrote:
----- Emmanuel Dreyfus<manu(a)netbsd.org> ha scritto:
> Pierangelo Masarati<ando(a)sys-net.it> wrote:
>
>> See ITS#4556 for discussion.
> So this is not considered a security hole. But as far as I understand,
> anyone that is allowed to add an entry anywhere can add a user with
> random privileges. Did I miss something here? Can that be avoided?
I'm not necessarily saying that. For the problem you highlight, setting
authz-policy from
would cure it (one could only add an entry and authorize as that entry, but not add an
entry and use it to authorize as some other existing one).
What I'm saying that apparently the "right" manner to handle the problem
you
pose consists in implementing DIT content rules.
I disagree.
http://www.openldap.org/lists/openldap-devel/200709/msg00079.html
ditContentRules and ditStructutreRules don't give you the fine-grained control
that's required here.
I think Emmanuel's patch looks correct, and the corresponding patch needs to
be made for a lot of other backends.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/