Hi,
we have a strange test that checks if a normal user (not the admin) can
read under ou=system. This test is just totally wrong, as it uses the
admin session, so I tried to fix it using a plain user. Sadly, doing so,
I can read almost everything under ou=system.
So I question the logic:
- can a normal user read something under ou=system (except his own record)?
- should we instead forbid this user to read the 'uid=admin,ou=system',
  'ou=configuration,ou=system', 'ou=groups,ou=system' and
  'ou=users,ou=system' entries (and their children)?
- or should we just allow this user to read everything except if the ACI
  subsystem is set?
IMO, I'd rather go for the third option.
Note: the test is
org.apache.directory.server.core.authz.AuthorizationServiceAsNonAdminIT.testNoSearchByNonAdmin:
    /**
     * Makes sure non-admin cannot search under ou=system.
     *
     * @throws Exception if there are problems
     */
    @Test
    public void testNoSearchByNonAdmin() throws Exception
    {
        LdifEntry akarasulu = getUserAddLdif();
        getService().getAdminSession().add(
            new DefaultEntry( getService().getSchemaManager(),
                akarasulu.getEntry() ) );

        try
        {
            ExprNode filter = FilterParser.parse(
                getService().getSchemaManager(), "(objectClass=*)" );
            // The search is issued with the admin session, not the non-admin one
            getService().getAdminSession().search( new Dn( "ou=system" ),
                SearchScope.SUBTREE, filter, AliasDerefMode.DEREF_ALWAYS, null );
        }
        catch ( LdapNoPermissionException e )
        {
            // Only reached if the exception is thrown; nothing fails otherwise
            assertNotNull( e );
        }
    }
It passes with flying colors, just because we don't check anything...
--
Regards,
Cordialement,
Emmanuel Lécharny
www.iktek.com
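Added example (not code from the mail or from ApacheDS itself): the same test rewritten so it can no longer pass vacuously. It binds a session as the non-admin user and calls fail() right after the search, so the test only passes when the server actually raises LdapNoPermissionException. The user DN "uid=akarasulu,ou=users,ou=system", the password "test", and the getService().getSession( Dn, byte[] ) call are assumptions about the test harness; package names follow the recent Apache Directory API layout and may differ for older releases.

```java
import static org.junit.Assert.fail;

import org.apache.directory.api.ldap.model.entry.DefaultEntry;
import org.apache.directory.api.ldap.model.exception.LdapNoPermissionException;
import org.apache.directory.api.ldap.model.filter.ExprNode;
import org.apache.directory.api.ldap.model.filter.FilterParser;
import org.apache.directory.api.ldap.model.ldif.LdifEntry;
import org.apache.directory.api.ldap.model.message.AliasDerefMode;
import org.apache.directory.api.ldap.model.message.SearchScope;
import org.apache.directory.api.ldap.model.name.Dn;
import org.apache.directory.server.core.api.CoreSession;
import org.junit.Test;

public class NonAdminSearchExampleIT extends AbstractLdapTestUnit // harness class assumed
{
    /**
     * Makes sure a non-admin user cannot search under ou=system.
     * Unlike the original test, the search is issued with the non-admin
     * session and the test fails explicitly if no exception is thrown.
     */
    @Test
    public void testNoSearchByNonAdmin() throws Exception
    {
        // The user entry is still created with the admin session (assumed helper)
        LdifEntry akarasulu = getUserAddLdif();
        getService().getAdminSession().add(
            new DefaultEntry( getService().getSchemaManager(), akarasulu.getEntry() ) );

        // Bind as the plain user; DN and password are assumptions of this example
        Dn userDn = new Dn( "uid=akarasulu,ou=users,ou=system" );
        CoreSession userSession = getService().getSession( userDn, "test".getBytes() );

        ExprNode filter = FilterParser.parse(
            getService().getSchemaManager(), "(objectClass=*)" );

        try
        {
            userSession.search( new Dn( "ou=system" ), SearchScope.SUBTREE,
                filter, AliasDerefMode.DEREF_ALWAYS, null );

            // Reached only if the server let the non-admin read ou=system
            fail( "Non-admin user was able to search under ou=system" );
        }
        catch ( LdapNoPermissionException e )
        {
            // Expected: access denied for the non-admin session
        }
    }
}
```

The fail() call is what gives the test teeth: a catch block that merely asserts the caught exception is non-null can never fail, so without it the test proves nothing about the authorization logic.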