
List:       openldap-technical
Subject:    Re: question about access control
From:       Shawn McKinney <smckinney () symas ! com>
Date:       2022-12-10 14:33:21
Message-ID: 3483AA59-7203-4A69-AEA6-958D46F83B6D () symas ! com


> On Dec 8, 2022, at 6:46 PM, Alex Samad - Yieldbroker <Alex.Samad@yieldbroker.com> wrote:
> Hi
> 
> From the online doco re
> > Level         Privileges      Description
> > none =        0               no access
> > disclose =    d               needed for information disclosure on error
> > auth =        dx              needed to authenticate (bind)
> > compare =     cdx             needed to compare
> > search =      scdx            needed to apply search filters
> > read =        rscdx           needed to read search results
> > write =       wrscdx          needed to modify/rename
> > manage =      mwrscdx         needed to manage
> 
> I couldn't find out what the difference between manage and write is; what does the M allow for?
> olcAccess: to dn.subtree="ou=Users,"
> by dn.exact="cn=directory,ou=Roles," manage by * break
> 
> so for the subtree ou=User
> 
> I want to allow cn=directory to add / modify / delete any children of ou=Users. Reading the doco it seems like I only need to give it write access; what can I do extra with manage?

Hello Alex,


```
man slapd.access

...
THE <ACCESS> FIELD
...

thus manage grants all access including administrative access. This access allows some modifications which would otherwise be prohibited by the LDAP data model or the directory schema, e.g. changing the structural objectclass of an entry, or modifying an operational attribute that is defined as not user modifiable.

The write access is actually the combination of add and delete, which respectively restrict the write privilege to add or delete the specified <what>.
```

Write access should suffice. You probably won't need to grant service accounts manage access. You can always add it later if need be.

> 
> Also for userPassword attr, to write to it do I need to have the read or can I just have =wd?


```
man (cont)
The level access model relies on an incremental interpretation of the access privileges. The possible levels are none, disclose, auth, compare, search, read, write, and manage. Each access level implies all the preceding ones
```

Cheers

—
Shawn


> Thanks
> Alex
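
Added example (not from this thread or from OpenLDAP): a small model of the two privilege forms the man page excerpts above describe, the cumulative level names (none..manage) and the explicit `=privs` form, so you can check what a `by ... <access>` token grants before putting it in olcAccess. The operation-to-privilege mapping (`REQUIRED`) is my simplification of slapd's checks, and the a/z split of `w` follows the "write is add plus delete" sentence quoted above.

```python
# Model of slapd.access(5) privileges: level names are cumulative, "=privs"
# grants exactly the listed letters. Assumed operation->privilege mapping.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]
LEVEL_PRIV = {"none": "", "disclose": "d", "auth": "x", "compare": "c",
              "search": "s", "read": "r", "write": "w", "manage": "m"}

# Privilege an operation needs on the entry/attribute it touches (simplified).
REQUIRED = {"bind": "x", "compare": "c", "search": "s", "read": "r",
            "modify": "w", "add_value": "a", "delete_value": "z", "manage": "m"}


def level_privs(level):
    """Level model: each level implies all the preceding ones."""
    if level not in LEVELS:
        raise ValueError(f"unknown access level: {level}")
    return {LEVEL_PRIV[l] for l in LEVELS[: LEVELS.index(level) + 1]} - {""}


def expand(privs):
    """'w' is the combination of add (a) and delete (z)."""
    granted_set = set(privs)
    if "w" in granted_set:
        granted_set |= {"a", "z"}
    return granted_set


def granted(access, base=frozenset()):
    """Privilege set produced by one <access> token: a level name or =/+/- privs.
    '+'/'-' adjust privileges already accumulated (base) by earlier rules
    that ended with break/continue; '0' in an explicit list means none."""
    if access[0] == "=":
        return expand(access[1:].replace("0", ""))
    if access[0] == "+":
        return set(base) | expand(access[1:])
    if access[0] == "-":
        return set(base) - expand(access[1:])
    return expand(level_privs(access))


def allows(access, op):
    """True if the <access> token covers the privilege the operation needs."""
    return REQUIRED[op] in granted(access)


if __name__ == "__main__":
    # The two questions from the thread: write vs manage, and "=wd" on userPassword.
    print("write covers manage?", allows("write", "manage"))   # False
    print("=wd lets the caller modify?", allows("=wd", "modify"))   # True
    print("=wd lets the caller read?", allows("=wd", "read"))       # False
    print("=wd lets the caller bind?", allows("=wd", "bind"))       # False
```

Note that an explicit `=w` grant on userPassword does not include `x`, so a bind against that attribute still needs an `auth`/`=x` grant for the binding identity.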

