[Systems] LDAP access rights

Sascha Silbe sascha-ml-reply-to-2010-3 at silbe.org
Fri Sep 10 06:39:22 EDT 2010


For my work on an OpenID provider with public key authentication
support, I would like to give users the permission to modify an
attribute (tls-public-key) of their LDAP entry themselves.

I couldn't find any ACL [1] in our configuration. This means I need to
generate a new ACL that matches the old, implied one first (so I can
expand it to allow modifying tls-public-key).

The documentation suggests that "access to * by * read" is the default:

> Also note that if no access to directive matches or no by <who> clause,
> access is denied. That is, every access to directive ends with an
> implicit by * none clause.
> When dealing with an access list, because the global access list is
> effectively appended to each per-database list, if the resulting list
> is non-empty then the access list will end with an implicit access to
> * by * none directive. If there are no access directives applicable to
> a backend, then a default read is used.

Is that right? If so, why can our password changer web frontend [2]
change the password by binding to the user?


[1] http://www.openldap.org/doc/admin24/access-control.html
[2] https://shell.sugarlabs.org/passwd
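An explicit ACL that spells out the implied "access to * by * read" from the quoted documentation and extends it with the self-modify permission the post asks about, as an added example that is not from the post or from the Sugar Labs configuration (the tls-public-key attribute name comes from the post; the slapd.conf layout and the userPassword handling are assumptions about how such a configuration is usually written):

```conf
# slapd.conf syntax; the same "to ... by ..." clauses are used as olcAccess
# values under cn=config. Clauses are evaluated in order: the first "access to"
# whose target matches wins, and inside it the first matching "by" decides.

# Password hashes: not readable by anyone, including the owner. "auth" allows a
# simple bind to compare against the stored value; the owner may replace it.
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none

# The attribute users should maintain themselves (name taken from the post).
# Everyone else keeps the read access they had under the implicit default.
access to attrs=tls-public-key
        by self write
        by * read

# Everything else: the explicit form of the implied "access to * by * read".
# Whatever is not matched above still falls through to the implicit "by * none".
access to *
        by * read
```

Keeping the userPassword clause first matters: with only the final "access to * by * read" in place, password hashes would be readable by any bind, anonymous included.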
