List: ldap
Subject: Re: access list order
From: Kai Qu <ee_kuq () sal ! lamar ! edu>
Date: 1998-05-27 18:53:03
hi,
very right! thanks.
I know your analysis is right because when I put in more access clauses, I can
exchange the relative position (within the constraint of the
"specific-ness rule", of course) of the other clauses, but not the first one.
Also, if I use "defaultaccess read", everything is also fine.
So, I conclude that if I keep the first clause always having "by * read" as
the last item (if there is none, I can always make one; it is more restrictive
than "defaultaccess read").
However, this raises another question: why is "read entry" enough for
write? On the other hand, why does "compare" not need "compare entry"?
--as your suggestion implies.
thanks!!
Kai
On Wed, 27 May 1998, Kurt Spanier wrote:
> Hi,
>
> I know from the UMich slapd that 'entry' in the acl clause is used like
> any other attribute for defining access rights. Secondly, the first
> matching rule is taken, and nothing else. That means, having 'compare
> entry' (that is the interpretation of the 'entry,userpassword' rule!)
> will prevent entries from being searched for any other attribute.
> Delete the entry-'attribute' from the compare clause, and anything will
> work as you might expect. Userpassword will not be compromised by the
> deletion!
>
>
> Hope that helps,
>
> Kurt
>
>
> On Wed, 27 May 1998, Kai Qu wrote:
>
> > Date: Wed, 27 May 1998 11:59:54 -0500 (CDT)
> > From: Kai Qu <ee_kuq@sal.lamar.edu>
> > To: ldap@UMICH.EDU
> > Subject: access list order
> >
> > hi,
> >
> > can anybody explain why it works:
> >
> > *******************************
> > defaultaccess none
> >
> > access to * attrs=entry,mail,telephonenumber
> > by self write
> > by dn="cn=Manager,o=Lamar University,c=US" write
> > by * read
> >
> > access to * attrs=entry,userpassword
> > by self write
> > by dn="cn=Manager,o=Lamar University,c=US" write
> > by * compare
> > *******************************
> >
> >
> > but it does not work if the order is reversed:
> > (I cannot get mail and telephonenumber anymore by anonymous search)
> >
> > *******************************
> > defaultaccess none
> >
> > access to * attrs=entry,userpassword
> > by self write
> > by dn="cn=Manager,o=Lamar University,c=US" write
> > by * compare
> >
> > access to * attrs=entry,mail,telephonenumber
> > by self write
> > by dn="cn=Manager,o=Lamar University,c=US" write
> > by * read
> > *******************************
> >
> >
> > thanks!!!
> >
> > Kai
> >
>
>
> ----------==========#########>>>>>ZDV<<<<<#########==========----------
>
> X.500:          Kurt Spanier, Zentrum fuer Datenverarbeitung,
>                 Universitaet Tuebingen, DE
> Tel.:           +49 7071 29-70334
> SMTP-Mail:      kurt.spanier@zdv.uni-tuebingen.de
> FAX.:           +49 7071 29-5912
> Snail-Mail:     Dr. Kurt Spanier, Zentrum fuer Datenverarbeitung,
>                 Universitaet Tuebingen, Waechterstrasse 76, D-72074 Tuebingen
> PGP-Public-Key: finger "Kurt Spanier"@x500.uni-tuebingen.de
>
> ----------==========##########>>>>>@<<<<<##########==========----------
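Added example (not part of the thread, and not slapd's own code): a small Python model of the first-match rule Kurt describes, run over the three slapd.conf fragments under discussion (Kai's working order, the reversed order, and the reversed order with 'entry' deleted from the compare clause). The model assumes, as Kurt's diagnosis implies, that an anonymous search can only return an entry's attributes when anonymous has read on the 'entry' pseudo-attribute as well as on the attribute itself, that only the first "access to" clause listing the attribute is consulted, and that slapd's access levels nest as none < compare < search < read < write. The target DN "cn=someone,..." is constructed for the example; the Manager DN is the one from the thread.

```python
"""Toy model of first-match ACL evaluation in UMich slapd (added example, not slapd code)."""
import re
from dataclasses import dataclass

# Access levels in increasing order of privilege. In slapd a grant at one
# level implies every lower one (none < compare < search < read < write).
LEVELS = ["none", "compare", "search", "read", "write"]

MANAGER = "cn=Manager,o=Lamar University,c=US"   # DN from the thread
SOMEONE = "cn=someone,o=Lamar University,c=US"   # constructed target DN for the example

# Kai's working order: the clause granting 'by * read' on entry comes first.
WORKING = """
defaultaccess none
access to * attrs=entry,mail,telephonenumber
    by self write
    by dn="cn=Manager,o=Lamar University,c=US" write
    by * read
access to * attrs=entry,userpassword
    by self write
    by dn="cn=Manager,o=Lamar University,c=US" write
    by * compare
"""
# Reversed order: the first clause matching 'entry' only grants anonymous 'compare'.
REVERSED = """
defaultaccess none
access to * attrs=entry,userpassword
    by self write
    by dn="cn=Manager,o=Lamar University,c=US" write
    by * compare
access to * attrs=entry,mail,telephonenumber
    by self write
    by dn="cn=Manager,o=Lamar University,c=US" write
    by * read
"""
# Kurt's remedy applied to the reversed order: 'entry' removed from the compare clause.
FIXED = REVERSED.replace("attrs=entry,userpassword", "attrs=userpassword")

@dataclass
class AccessClause:
    attrs: set   # attribute names the clause covers; 'entry' is treated like any other attribute
    by: list     # ordered (kind, value, level) tuples; kind is "self", "dn" or "any"

BY_RE = re.compile(r'^by\s+(self|\*|dn="(?P<dn>[^"]*)")\s+(?P<level>\w+)$')

def parse_acl(text):
    """Parse a slapd.conf-style fragment into (defaultaccess, [AccessClause, ...])."""
    default, clauses = "none", []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("defaultaccess"):
            default = line.split()[1]
        elif line.startswith("access to"):
            attrs = line.split("attrs=", 1)[1]
            clauses.append(AccessClause({a.strip() for a in attrs.split(",")}, []))
        else:
            m = BY_RE.match(line)
            if not m:
                raise ValueError(f"unrecognised line: {line!r}")
            if m.group("dn") is not None:
                clauses[-1].by.append(("dn", m.group("dn"), m.group("level")))
            elif m.group(1) == "self":
                clauses[-1].by.append(("self", None, m.group("level")))
            else:
                clauses[-1].by.append(("any", None, m.group("level")))
    return default, clauses

def level_for(acl, attr, binddn, targetdn):
    """Level granted to binddn (None = anonymous) on attr of targetdn.
    The first 'access to' clause listing attr decides; within it the first
    matching 'by' decides; nothing later is consulted (Kurt's first-match rule)."""
    default, clauses = acl
    for clause in clauses:
        if attr not in clause.attrs:
            continue
        for kind, value, level in clause.by:
            if (kind == "any"
                    or (kind == "self" and binddn is not None and binddn == targetdn)
                    or (kind == "dn" and binddn == value)):
                return level
        return "none"   # clause matched the attribute, but no 'by' matched this binder
    return default      # no clause mentions the attribute: defaultaccess applies

def permits(granted, needed):
    """A grant at one level implies every lower level."""
    return LEVELS.index(granted) >= LEVELS.index(needed)

def anonymous_search_returns(acl, attr, targetdn):
    """Model assumption: returning attr from an anonymous search needs read on
    the 'entry' pseudo-attribute as well as read on attr itself."""
    return (permits(level_for(acl, "entry", None, targetdn), "read")
            and permits(level_for(acl, attr, None, targetdn), "read"))

def main():
    for name, text in (("working", WORKING), ("reversed", REVERSED), ("fixed", FIXED)):
        acl = parse_acl(text)
        print(f"{name:8} anon entry={level_for(acl, 'entry', None, SOMEONE):8}"
              f" mail={level_for(acl, 'mail', None, SOMEONE):8}"
              f" search returns mail: {anonymous_search_returns(acl, 'mail', SOMEONE)}")

if __name__ == "__main__":
    main()
```

In the reversed order the model still grants anonymous "read" on mail, but the first clause that mentions 'entry' stops at "compare", which is below "read", so the search returns nothing; that is the symptom Kai reported. Dropping 'entry' from the compare clause lets the read clause decide 'entry' again while anonymous access to userpassword stays at "compare".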