On Tue, Apr 13, 2010 at 09:37:39PM +0200, Dieter Kluenter wrote:

> > From an ACL perspective there is really no difference between adding
> > an attribute and modifying its value.
>
> No! You have to distinguish between level access model and privilege
> model, slapd.access(5)
>
> <level> ::= none|disclose|auth|compare|search|read|{write|add|delete}|manage
> <priv> ::= {=|+|-}{0|d|x|c|s|r|{w|a|z}|m}+

The privilege model is more flexible, but in the case that Matt describes I do
not see any relevant difference: he wants admins to add certain attributes and
also to modify them. Either action requires at least 'add' privilege on the
attribute, and changing existing values also requires 'delete' - thus 'write'
is a reasonable level to choose.

> > One comment I would make about your ACLs is that in several places you
> > are granting read access to userPassword. This is not usually
> > necessary nor is it a good idea. You need 'by * auth' access to permit
> > authentication, but only need to give '=w' access to those who need to
> > change passwords. Remember that the 'write' keyword includes read access
>
> '=w' just grants write privilege but no read privilege.

Exactly. Protecting password attributes is a case that the privilege model
handles much better than the level model.

Andrew
--
-----------------------------------------------------------------------
| From Andrew Findlay, Skills 1st Ltd                                  |
| Consultant in large-scale systems, networks, and directory services  |
| http://www.skills-1st.co.uk/                       +44 1628 782565   |
-----------------------------------------------------------------------
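The point made in this thread about userPassword, shown as an added slapd.conf fragment that is not part of the original mailing-list exchange. The weak directive uses the cumulative 'write' level, which (as the thread notes) also grants read; the corrected one uses the '=w' privilege, which grants write only. The DN "cn=pwadmin,dc=example,dc=com" and the suffix "dc=example,dc=com" are placeholders chosen for this example.

```conf
# Added example (not from the thread). Placeholder DNs: cn=pwadmin,... and
# the dc=example,dc=com suffix.

# Weak: 'write' is a level, and levels are cumulative in slapd.access(5),
# so the password administrator and the user themselves also receive
# read/search/compare access to the stored password hashes.
access to attrs=userPassword
    by dn.exact="cn=pwadmin,dc=example,dc=com" write
    by self write
    by * auth

# Corrected: '=w' sets exactly the write privilege (no read). Everyone
# else keeps 'auth', which is enough for a bind to be checked against the
# password without the value ever being disclosed.
access to attrs=userPassword
    by dn.exact="cn=pwadmin,dc=example,dc=com" =w
    by self =w
    by * auth
```

To confirm the effective result after loading the configuration, slapacl(8) can be asked whether a given DN has read access to userPassword on a given entry (for example `slapacl -D "cn=pwadmin,dc=example,dc=com" -b "uid=someuser,ou=people,dc=example,dc=com" userPassword/read`, with the -f or -F option pointing at the server's configuration); with the corrected directive it should report that read is denied while write is still allowed.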