Hi,
Just wanted to ask/clarify about few things related to ACLs:
1) @extensibleObject
In one of the faq entries, namely:
https://www.openldap.org/faq/data/cache/1140.html
there is a construct that looks superfluous:
access to dn.onelevel="cn=bar,ou=Stuff,dc=example,dc=com" attrs=entry,@extensibleObject
Doesn't @extensibleObject include everything - entry, children and regular attributes - by default ?
That's what I'd imply from the official documentation that states that not explicitly specifying attrs= is equivalent to attrs=@extensibleObject
If so, then the above is equivalent to just: access to dn.onelevel="cn=bar,ou=Stuff,dc=example,dc=com"
2) entry pseudo-attribute vs writing to regular attributes
This is one thing that somewhat surprises me - as the read/search access explicitly requires relevant access to entry pseudo-attribute (as per OPERATION REQUIREMENTS from slapd.access manpage).
The write access on the other hand doesn't mention any requirements besides add/delete/write to the attribute itself. This actually holds true right ?
3) attr based access
In one of the examples (8.4.5. Granting access to a subset of attributes), question regarding:
# immediate children: only self can add/delete entries under this entry access to attrs=children by self write
# entry itself: self may write, all may read access to attrs=entry by self write by * read
They still do require other ACLs, as "selfs" in both cases are different, right ? E.g. if self matches parent, it won't match children being created and vice-versa (and as per the manual page - 'add' is required both for parent's 'children' as well as new entry's 'entry'). ITOW if we bind as the entity wanting to create new entry underneath, the above is not enough - and we need something more elaborate like in e.g. address book example.
4) access rights required for deeper searches
suppose we have structure like:
ou=A, dc=example, dc=com ou=B, ou=A, dc=example, dc=com uid=msl, ou=B, ou=A, dc=example, dc=com
If we do search for uid using 'ou=A, dc=example, dc=com' as a search base (with subtree scope), what (if any) access rights do we need on 'ou=B, ou=A, dc=example, dc=com' ?
5) sets
Is this feature assumed safe to use ? As - it's still formally undocumented (man pages), but there are examples on the website and syntax explanation in the faq.
On 7/9/20 2:59 PM, Michal Soltys wrote:
Hi,
Just wanted to ask/clarify about few things related to ACLs:
Did some experiments, so to answer some of my questions (in case they are useful for someone else). In each case the bind is being done to "cn=Amene,ou=MSL-Test,dc=touk,dc=pl".
- @extensibleObject
In one of the faq entries, namely: <...>
Yes, @extensibleObject includes everything (so that faq example is somewhat superfluous).
- entry pseudo-attribute vs writing to regular attributes
This is one thing that somewhat surprises me - as the read/search access explicitly requires relevant access to entry pseudo-attribute (as per OPERATION REQUIREMENTS from slapd.access manpage).
The write access on the other hand doesn't mention any requirements besides add/delete/write to the attribute itself. This actually holds true right ?
Yes, simple:
olcAccess: to dn.exact=cn=Amene,ou=MSL-Test,dc=touk,dc=pl attrs=userPassword by anonymous auth
olcAccess: to dn.exact=cn=touklab,ou=level2,ou=level1,ou=MSL-Test,dc=touk,dc=pl attrs=roomNumber by users =w
olcAccess: to * by dn.exact=cn=Amene,ou=MSL-Test,dc=touk,dc=pl none by * break
is sufficient to e.g. replace roomNumber with different value.
- access rights required for deeper searches
suppose we have structure like:
ou=A, dc=example, dc=com ou=B, ou=A, dc=example, dc=com uid=msl, ou=B, ou=A, dc=example, dc=com
If we do search for uid using 'ou=A, dc=example, dc=com' as a search base (with subtree scope), what (if any) access rights do we need on 'ou=B, ou=A, dc=example, dc=com' ?
No access of any sort whatsoever is required for intermediate levels. The following is the minimal set of access rights required to return roomNumber:
olcAccess: to dn.exact=cn=Amene,ou=MSL-Test,dc=touk,dc=pl attrs=userPassword by anonymous auth
olcAccess: to dn.exact=ou=MSL-Test,dc=touk,dc=pl attrs=entry by users =s olcAccess: to dn.exact=cn=touklab,ou=level2,ou=level1,ou=MSL-Test,dc=touk,dc=pl attrs=objectClass by users =s olcAccess: to dn.exact=cn=touklab,ou=level2,ou=level1,ou=MSL-Test,dc=touk,dc=pl attrs=entry,roomNumber by users =r
olcAccess: to * by dn.exact=cn=Amene,ou=MSL-Test,dc=touk,dc=pl none by * break
Important note that might not be immediately obvious from the man page - search access on objectClass is also required required due to implied "filter: (objectclass=*)".
openldap-technical@openldap.org
-
Michal Soltys