more to partial fulfilment of ITS#3639

Pierangelo Masarati 2005-04-08 19:27:22 +00:00
parent 889ce515ad
commit 140b33927f
2 changed files with 97 additions and 36 deletions


@ -134,6 +134,89 @@ where only RESULT is mandatory.
The \fBsearch\fP RESULT should be preceded by the entries in LDIF
format, each entry followed by a blank line.
Lines starting with `#' or `DEBUG:' are ignored.
.SH ACCESS CONTROL
The
.B shell
backend does not honor all ACL semantics as described in
.BR slapd.access (5).
In general, access to objects is checked by using a dummy object
that contains only the DN, so access rules that rely on the contents
of the object are not honored.
In detail:
.LP
The
.B add
operation does not require
.B write (=w)
access to the
.B children
pseudo-attribute of the parent entry.
.LP
The
.B bind
operation requires
.B auth (=x)
access to the
.B entry
pseudo-attribute of the entry whose identity is being assessed;
.B auth (=x)
access to the credentials is not checked, but rather delegated
to the underlying shell script.
.LP
The
.B compare
operation requires
.B read (=r)
access (FIXME: wouldn't
.B compare (=c)
be a more appropriate choice?)
to the
.B entry
pseudo-attribute
of the object whose value is being asserted;
.B compare (=c)
access to the attribute whose value is being asserted is not checked.
.LP
The
.B delete
operation does not require
.B write (=w)
access to the
.B children
pseudo-attribute of the parent entry.
.LP
The
.B modify
operation requires
.B write (=w)
access to the
.B entry
pseudo-attribute;
.B write (=w)
access to the specific attributes that are modified is not checked.
.LP
The
.B modrdn
operation does not require
.B write (=w)
access to the
.B children
pseudo-attribute of the parent entry, nor to that of the new parent,
if different;
.B write (=w)
access to the distinguished values of the naming attributes
is not checked.
.LP
The
.B search
operation does not require
.B search (=s)
access to the
.B entry
pseudo_attribute of the searchBase;
.B search (=s)
access to the attributes and values used in the filter is not checked.
.SH EXAMPLE
There is an example search script in the slapd/back-shell/ directory
in the OpenLDAP source tree.
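Review bot: the new ACCESS CONTROL section ships an editorial note to end users: the lines `access (FIXME: wouldn't`, `.B compare (=c)` and `be a more appropriate choice?)` will render verbatim in the manual page. Either settle the question before committing or move it into a roff comment (`.\" FIXME: ...`) so readers never see it. A smaller point in the same hunk: `pseudo_attribute of the searchBase` under the search operation uses an underscore where every other paragraph writes `pseudo-attribute`.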


@ -922,43 +922,20 @@ attribute of the authorizing identity and/or on the
attribute of the authorized identity.
.LP
Some backends do not honor all the above rules. In detail:
Access control to search entries is checked by the frontend,
so it is fully honored by all backends; for all other operations
and for the discovery phase of the search operation,
full ACL semantics is only supported by the primary backends, i.e.
.BR back-bdb (5),
.BR back-hdb (5),
and
.BR back-ldbm (5).
.TP
.B bacl-ldap/back-meta
\fIdo not check\fP
.B write (=w)
access, since it is delegated to the remote host(s) serving
the naming context.
The same applies to checking
.B search (=s)
access to the
.B entry
pseudo-attribute of the
.B searchBase
of a search operation,
.B search (=s)
access to the attributes used in the
.BR searchFilter ,
and
.B disclose (=d)
access to the
.B entry
pseudo-attribute of any object in case of error: all those checks
are delegated to the remote host(s).
In any case,
.B read (=r)
access is honored locally by the frontend.
.TP
.B back-shell
requires
.B write (=w)
access to the
.B entry
pseudo-attribute for the modify operation; in the meanwhile,
\fIwrite access to the specific attributes that are modified
is not checked\fP.
Some other backend, like
.BR back-sql (5),
may fully support them; others may only support a portion of the
described semantics, or even differ in some aspects.
The relevant details are described in the backend-specific man pages.
.SH CAVEATS
It is strongly recommended to explicitly use the most appropriate
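Review bot: the `.TP` tag `.B bacl-ldap/back-meta` misspells back-ldap, so the rendered list names a backend that does not exist. Two more points in this hunk: the sentences starting `Some other backend, like` / `.BR back-sql (5),` follow the back-shell `.TP` entry with no intervening `.LP`, so they render indented as part of the back-shell item rather than as the closing paragraph of the list; and the cross references `.BR back-bdb (5)`, `.BR back-hdb (5)`, `.BR back-ldbm (5)` and `.BR back-sql (5)` point at names that do not exist as manual pages, the installed pages are slapd-bdb(5), slapd-hdb(5), slapd-ldbm(5) and slapd-sql(5). Also `in the meanwhile,` reads oddly for "at the same time"; `however,` would do.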
@ -1038,6 +1015,7 @@ ETCDIR/slapd.conf
default slapd configuration file
.SH SEE ALSO
.BR slapd (8),
.BR slapd-* (5),
.BR slapacl (8),
.BR regex (7),
.BR re_format (7)
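Review bot: `.BR slapd-* (5),` is a glob, not a manual page name; `man slapd-*` will not resolve it and the reader has to guess which pages are meant. Either list the backend pages explicitly (the ones slapd.access(5) now refers to, slapd-bdb(5), slapd-hdb(5), slapd-ldbm(5), and the backend-specific pages it says carry the details) or add a sentence saying that `*` stands for a backend name.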