List: openldap-technical
Subject: Re: question about access control
From: Shawn McKinney <smckinney () symas ! com>
Date: 2022-12-10 14:33:21
Message-ID: 3483AA59-7203-4A69-AEA6-958D46F83B6D () symas ! com
> On Dec 8, 2022, at 6:46 PM, Alex Samad - Yieldbroker <Alex.Samad@yieldbroker.com> wrote:
> Hi
>
> From the online doco re
> > Level Privileges Description
> > none = 0 no access
> > disclose = d needed for information disclosure on error
> > auth = dx needed to authenticate (bind)
> > compare = cdx needed to compare
> > search = scdx needed to apply search filters
> > read = rscdx needed to read search results
> > write = wrscdx needed to modify/rename
> > manage = mwrscdx needed to manage
>
> I couldn't find out what the difference between manage and write is; what does the M allow for?
> olcAccess: to dn.subtree="ou=Users,"
> by dn.exact="cn=directory,ou=Roles," manage by * break
>
>
> so for the subtree ou=User
>
> I want to allow cn=directory to add / modify / delete any children of ou=Users.
> Reading the doco it seems like I only need to give it write access; what can I do extra with manage?
Hello Alex,
```
man slapd.access
...
THE <ACCESS> FIELD
…
thus manage grants all access including administrative access. This access allows some modifications which would otherwise be prohibited by the LDAP data model or the directory schema, e.g. changing the structural objectclass of an entry, or modifying an operational attribute that is defined as not user modifiable.

The write access is actually the combination of add and delete, which respectively restrict the write privilege to add or delete the specified <what>.
```
Write access should suffice. You probably won't need to grant service accounts manage access. You can always add it later if need be.
>
> Also, for the userPassword attr: to write to it, do I need to have read, or can I just have =wd?
```
man slapd.access (cont.)
The level access model relies on an incremental interpretation of the access privileges. The possible levels are none, disclose, auth, compare, search, read, write, and manage. Each access level implies all the preceding ones
```
Cheers
—
Shawn
> Thanks
> Alex
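Added illustration, not part of Shawn's reply or Alex's question: a cn=config fragment that applies the advice in the thread. The service account gets write, not manage, on the user subtree, and the userPassword rule is placed first so it is matched before the broader subtree rule. The suffix dc=example,dc=com, the database DN olcDatabase={1}mdb, and the choices for self, anonymous and the catch-all rule are assumptions; the thread's own values end in a bare "ou=Users," and "ou=Roles,".

```ldif
# Added example, not from the thread. dc=example,dc=com and
# olcDatabase={1}mdb are assumed; substitute your own suffix and database.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
# Rule {0} must come first: the first "to" clause whose <what> matches wins.
# userPassword is never readable here. The service account may set it, a user
# may change their own (the "=" form lists exact privileges instead of a level,
# so =xw is auth plus write and implies nothing else), and anonymous gets only
# the auth privilege a simple bind needs.
olcAccess: {0}to attrs=userPassword
  by dn.exact="cn=directory,ou=Roles,dc=example,dc=com" write
  by self =xw
  by anonymous auth
  by * none
# Rule {1}: write (not manage) is enough to add, modify, rename and delete
# entries under ou=Users. The subtree scope includes ou=Users itself, so write
# also covers the parent's "children" pseudo-attribute that an add requires.
# "break" hands every other subject on to the later rules instead of stopping.
olcAccess: {1}to dn.subtree="ou=Users,dc=example,dc=com"
  by dn.exact="cn=directory,ou=Roles,dc=example,dc=com" write
  by * break
# Rule {2}: catch-all for everything the earlier rules passed through.
olcAccess: {2}to *
  by users read
  by * none
-
```

Apply it with ldapmodify against the cn=config database (for example `ldapmodify -Y EXTERNAL -H ldapi:/// -f acl.ldif` on a host where the root shell has the usual SASL EXTERNAL mapping). Because the levels are incremental, write on rule {1} already carries read, search, compare, auth and disclose for the service account; manage would add only the schema-bypassing operations the quoted man page describes, which a provisioning account has no reason to hold.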