On Sat, Dec 24, 2011 at 4:57 PM, Emmanuel Lecharny <[email protected]> wrote:
> Hi,
>
> we have a strange test that checks if a normal user (not the admin) can read
> under ou=system. This test is just totally wrong, as it uses the admin
> session, so I tried to fix it using a plain user. Sadly, doing so, I can read
> almost everything under ou=system.
>
> So I question the logic:
> - can a normal user read something under ou=system (except his own record)?
> - should we instead forbid this user to read the 'uid=admin,ou=system',
>   'ou=configuration,ou=system', 'ou=groups,ou=system' and 'ou=users,ou=system'
>   entries (and their children)?
> - or should we just allow this user to read everything except if the ACI
>   subsystem is set?
>
> IMO, I'd rather go for the third option.

+1

> Note: the test is
> org.apache.directory.server.core.authz.AuthorizationServiceAsNonAdminIT.testNoSearchByNonAdmin:
>
>     /**
>      * Makes sure non-admin cannot search under ou=system.
>      *
>      * @throws Exception if there are problems
>      */
>     @Test
>     public void testNoSearchByNonAdmin() throws Exception
>     {
>         LdifEntry akarasulu = getUserAddLdif();
>
>         getService().getAdminSession().add(
>             new DefaultEntry( getService().getSchemaManager(),
>                 akarasulu.getEntry() ) );
>
>         try
>         {
>             ExprNode filter = FilterParser.parse(
>                 getService().getSchemaManager(), "(objectClass=*)" );
>             getService().getAdminSession().search( new Dn( "ou=system" ),
>                 SearchScope.SUBTREE, filter, AliasDerefMode.DEREF_ALWAYS, null );
>         }
>         catch ( LdapNoPermissionException e )
>         {
>             assertNotNull( e );
>         }
>     }
>
> It passes with flying colors, just because we don't check anything...
>
> --
> Regards,
> Cordialement,
> Emmanuel Lécharny
> www.iktek.com

--
Kiran Ayyagari
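A corrected form of the test quoted above, as an added example that is not code from the Apache Directory project or from either poster. It shows the two defects the message points at: the search must run under the plain user's own session rather than the admin session, and the test must fail explicitly when no LdapNoPermissionException is raised, since an assertion that only lives inside the catch block can never fail. The `getService().getSession( Dn, byte[] )` call, the `CoreSession` type and the password `"test"` are assumptions about the test fixture, not facts taken from the message.

```java
// Added example, not code from the Apache Directory project. Intended as a
// drop-in replacement for testNoSearchByNonAdmin in
// AuthorizationServiceAsNonAdminIT; it relies on the imports that class
// already has (LdifEntry, DefaultEntry, ExprNode, FilterParser, Dn,
// SearchScope, AliasDerefMode, LdapNoPermissionException) plus the two below.
// ASSUMPTION: CoreSession is the session type returned by the DirectoryService.
import static org.junit.Assert.fail;
import org.apache.directory.server.core.api.CoreSession;

/**
 * Makes sure a non-admin user cannot search under ou=system.
 *
 * The original test searched with the admin session and only asserted inside
 * the catch block, so it passed regardless of what the server did. Here the
 * search runs under the plain user's own session and the test fails
 * explicitly when no LdapNoPermissionException is raised.
 *
 * @throws Exception if there are problems
 */
@Test
public void testNoSearchByNonAdmin() throws Exception
{
    LdifEntry akarasulu = getUserAddLdif();

    // Creating the user entry with the admin session is fine; that is setup.
    getService().getAdminSession().add(
        new DefaultEntry( getService().getSchemaManager(), akarasulu.getEntry() ) );

    // ASSUMPTION: the DirectoryService exposes getSession( Dn, byte[] ) and the
    // LDIF returned by getUserAddLdif() sets the user's password to "test".
    CoreSession userSession = getService().getSession(
        akarasulu.getDn(), "test".getBytes( "UTF-8" ) );

    ExprNode filter = FilterParser.parse(
        getService().getSchemaManager(), "(objectClass=*)" );

    try
    {
        // The search itself is what is under test, so it uses the user's session.
        userSession.search( new Dn( "ou=system" ), SearchScope.SUBTREE, filter,
            AliasDerefMode.DEREF_ALWAYS, null );

        // Reaching this line means the plain user was allowed to search
        // ou=system, which is exactly the condition the test exists to catch.
        fail( "Non-admin user was able to search under ou=system" );
    }
    catch ( LdapNoPermissionException e )
    {
        // Expected: the authorization layer rejected the search.
    }
}
```

With the server behaving as the message describes (a plain user can read almost everything under ou=system), this version of the test fails rather than passing silently, which is the point: it turns the open design question in the thread (in particular whether denial should only happen when the ACI subsystem is enabled) into something the test suite actually observes.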
