On 7/9/20 2:59 PM, Michal Soltys wrote:
Hi,
Just wanted to ask/clarify about a few things related to ACLs:
Did some experiments, so to answer some of my questions (in case they are useful for someone else). In each case the bind is being done to "cn=Amene,ou=MSL-Test,dc=touk,dc=pl".
- @extensibleObject
In one of the faq entries, namely: <...>
Yes, @extensibleObject includes everything (so that faq example is somewhat superfluous).
- entry pseudo-attribute vs writing to regular attributes
This is one thing that somewhat surprises me - as the read/search access explicitly requires relevant access to entry pseudo-attribute (as per OPERATION REQUIREMENTS from slapd.access manpage).
The write access on the other hand doesn't mention any requirements besides add/delete/write to the attribute itself. This actually holds true, right?
Yes, simple:
olcAccess: to dn.exact=cn=Amene,ou=MSL-Test,dc=touk,dc=pl attrs=userPassword by anonymous auth
olcAccess: to dn.exact=cn=touklab,ou=level2,ou=level1,ou=MSL-Test,dc=touk,dc=pl attrs=roomNumber by users =w
olcAccess: to * by dn.exact=cn=Amene,ou=MSL-Test,dc=touk,dc=pl none by * break
is sufficient to e.g. replace roomNumber with different value.
- access rights required for deeper searches
suppose we have structure like:
  ou=A, dc=example, dc=com
  ou=B, ou=A, dc=example, dc=com
  uid=msl, ou=B, ou=A, dc=example, dc=com
If we do search for uid using 'ou=A, dc=example, dc=com' as a search base (with subtree scope), what (if any) access rights do we need on 'ou=B, ou=A, dc=example, dc=com' ?
No access of any sort whatsoever is required for intermediate levels. The following is the minimal set of access rights required to return roomNumber:
olcAccess: to dn.exact=cn=Amene,ou=MSL-Test,dc=touk,dc=pl attrs=userPassword by anonymous auth
olcAccess: to dn.exact=ou=MSL-Test,dc=touk,dc=pl attrs=entry by users =s
olcAccess: to dn.exact=cn=touklab,ou=level2,ou=level1,ou=MSL-Test,dc=touk,dc=pl attrs=objectClass by users =s
olcAccess: to dn.exact=cn=touklab,ou=level2,ou=level1,ou=MSL-Test,dc=touk,dc=pl attrs=entry,roomNumber by users =r
olcAccess: to * by dn.exact=cn=Amene,ou=MSL-Test,dc=touk,dc=pl none by * break
Important note that might not be immediately obvious from the man page - search access on objectClass is also required due to the implied "filter: (objectclass=*)".
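The three findings above (write needs only the attribute, intermediate levels need nothing, the implied (objectClass=*) filter needs =s on objectClass) can be checked against a small model of slapd's rule evaluation. The following is an added illustration, not OpenLDAP code and not from the thread: it implements only the rule forms that appear in the post (dn.exact targets, attrs= lists, `*`, the who-clauses anonymous/users/dn.exact/`*`, level keywords, `=` privilege strings and `break`), applies the operation requirements from slapd.access(5) as the post summarises them, and assumes no further olcAccess rules follow in cn=config (so falling off the end is a deny). The directory entries and the roomNumber value are constructed sample data.

```python
"""Toy model of slapd ACL evaluation for the two rule sets quoted above.
Added illustration, not OpenLDAP code; rule syntax support is limited to
what the quoted olcAccess lines use. Directory contents are constructed."""
from dataclasses import dataclass
from typing import Optional

# Level keyword -> privilege letters it implies, as listed in slapd.access(5).
LEVEL_PRIVS = {
    "none": "", "disclose": "d", "auth": "dx", "compare": "cdx",
    "search": "cdxs", "read": "cdxsr", "write": "cdxsrw", "manage": "mcdxsrw",
}


@dataclass
class Rule:
    dn: Optional[str]            # None means 'to *'
    attrs: Optional[frozenset]   # None means every attribute (incl. 'entry')
    by: list                     # [(who, control), ...] in the order written


def parse_rule(line: str) -> Rule:
    """Parse one 'olcAccess: to <what> by <who> <control> ...' line."""
    body = line.split(":", 1)[1].strip() if line.startswith("olcAccess:") else line.strip()
    what, *by_clauses = body.split(" by ")
    tokens = what.split()
    assert tokens[0] == "to", line
    dn, attrs = None, None
    for tok in tokens[1:]:
        if tok.startswith("dn.exact="):
            dn = tok[len("dn.exact="):]
        elif tok.startswith("attrs="):
            attrs = frozenset(tok[len("attrs="):].split(","))
        elif tok != "*":
            raise ValueError(f"unsupported <what> token: {tok}")
    return Rule(dn, attrs, [tuple(clause.split()) for clause in by_clauses])


def who_matches(who: str, bind_dn: Optional[str]) -> bool:
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn is None
    if who == "users":
        return bind_dn is not None
    if who.startswith("dn.exact="):
        return bind_dn == who[len("dn.exact="):]
    raise ValueError(f"unsupported <who>: {who}")


def has_access(rules, bind_dn, target_dn, attr, priv) -> bool:
    """First matching 'to' rule decides; inside it the first matching 'by'
    clause decides, except 'break', which continues with the next rule.
    A matching rule whose 'by' clauses all miss denies (no implicit break)."""
    for rule in rules:
        if rule.dn is not None and rule.dn != target_dn:
            continue
        if rule.attrs is not None and attr not in rule.attrs:
            continue
        for who, control in rule.by:
            if not who_matches(who, bind_dn):
                continue
            if control == "break":
                break
            letters = control[1:] if control.startswith("=") else LEVEL_PRIVS[control]
            return priv in letters
        else:
            return False
    return False  # assumption: no further rules in cn=config, so deny


def subtree_search(rules, bind_dn, directory, base, wanted):
    """Subtree search with the implied (objectClass=*) filter: =s on the
    base's 'entry', =s on objectClass of each candidate, =r on the
    candidate's 'entry', and =r on every attribute actually returned.
    Intermediate entries are simply skipped when they fail; no error."""
    if not has_access(rules, bind_dn, base, "entry", "s"):
        return {}
    found = {}
    for dn, attrs in directory.items():
        if dn != base and not dn.endswith("," + base):
            continue  # outside the search scope
        if not has_access(rules, bind_dn, dn, "objectClass", "s"):
            continue  # filter cannot be evaluated against this entry
        if not has_access(rules, bind_dn, dn, "entry", "r"):
            continue  # matched, but may not be returned
        found[dn] = {a: v for a, v in attrs.items()
                     if a in wanted and has_access(rules, bind_dn, dn, a, "r")}
    return found


AMENE = "cn=Amene,ou=MSL-Test,dc=touk,dc=pl"
BASE = "ou=MSL-Test,dc=touk,dc=pl"
TOUKLAB = "cn=touklab,ou=level2,ou=level1,ou=MSL-Test,dc=touk,dc=pl"
OU = ["organizationalUnit"]

# Constructed directory; the intermediate OUs get no ACL of their own.
DIRECTORY = {
    BASE: {"objectClass": OU, "ou": ["MSL-Test"]},
    AMENE: {"objectClass": ["inetOrgPerson"], "cn": ["Amene"], "userPassword": ["{SSHA}constructed"]},
    "ou=level1,ou=MSL-Test,dc=touk,dc=pl": {"objectClass": OU, "ou": ["level1"]},
    "ou=level2,ou=level1,ou=MSL-Test,dc=touk,dc=pl": {"objectClass": OU, "ou": ["level2"]},
    TOUKLAB: {"objectClass": ["inetOrgPerson"], "cn": ["touklab"], "roomNumber": ["101"]},
}

CATCH_ALL = f"olcAccess: to * by dn.exact={AMENE} none by * break"
WRITE_ACLS = [parse_rule(l) for l in [
    f"olcAccess: to dn.exact={AMENE} attrs=userPassword by anonymous auth",
    f"olcAccess: to dn.exact={TOUKLAB} attrs=roomNumber by users =w",
    CATCH_ALL,
]]
SEARCH_ACLS = [parse_rule(l) for l in [
    f"olcAccess: to dn.exact={AMENE} attrs=userPassword by anonymous auth",
    f"olcAccess: to dn.exact={BASE} attrs=entry by users =s",
    f"olcAccess: to dn.exact={TOUKLAB} attrs=objectClass by users =s",
    f"olcAccess: to dn.exact={TOUKLAB} attrs=entry,roomNumber by users =r",
    CATCH_ALL,
]]

if __name__ == "__main__":
    print(subtree_search(SEARCH_ACLS, AMENE, DIRECTORY, BASE, {"roomNumber"}))
    no_oc = [r for r in SEARCH_ACLS if r.attrs != frozenset({"objectClass"})]
    print(subtree_search(no_oc, AMENE, DIRECTORY, BASE, {"roomNumber"}))
```

Dropping the objectClass rule from SEARCH_ACLS makes the search return nothing, which is the non-obvious point from the last paragraph; the intermediate ou=level1 and ou=level2 entries have no access at all under these rules and the target is still returned.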