From 140b33927f7c5fb5db846e6deb02d6918e0d3478 Mon Sep 17 00:00:00 2001 From: Pierangelo Masarati Date: Fri, 8 Apr 2005 19:27:22 +0000 Subject: [PATCH] more to partial fulfilment of ITS#3639 --- doc/man/man5/slapd-shell.5 | 83 +++++++++++++++++++++++++++++++++++++ doc/man/man5/slapd.access.5 | 50 +++++++--------------- 2 files changed, 97 insertions(+), 36 deletions(-) diff --git a/doc/man/man5/slapd-shell.5 b/doc/man/man5/slapd-shell.5 index c265616dc2..7be316ff33 100644 --- a/doc/man/man5/slapd-shell.5 +++ b/doc/man/man5/slapd-shell.5 
@@ -134,6 +134,89 @@ where only RESULT is mandatory. The \fBsearch\fP RESULT should be preceded by the entries in LDIF format, each entry followed by a blank line. Lines starting with `#' or `DEBUG:' are ignored. +.SH ACCESS CONTROL +The +.B shell +backend does not honor all ACL semantics as described in +.BR slapd.access (5). +In general, access to objects is checked by using a dummy object +that contains only the DN, so access rules that rely on the contents +of the object are not honored. +In detail: +.LP +The +.B add +operation does not require +.B write (=w) +access to the +.B children +pseudo-attribute of the parent entry. +.LP +The +.B bind +operation requires +.B auth (=x) +access to the +.B entry +pseudo-attribute of the entry whose identity is being assessed; +.B auth (=x) +access to the credentials is not checked, but rather delegated +to the underlying shell script. +.LP +The +.B compare +operation requires +.B read (=r) +access (FIXME: wouldn't +.B compare (=c) +be a more appropriate choice?) +to the +.B entry +pseudo-attribute +of the object whose value is being asserted; +.B compare (=c) +access to the attribute whose value is being asserted is not checked. +.LP +The +.B delete +operation does not require +.B write (=w) +access to the +.B children +pseudo-attribute of the parent entry. +.LP +The +.B modify +operation requires +.B write (=w) +access to the +.B entry +pseudo-attribute; +.B write (=w) +access to the specific attributes that are modified is not checked. +.LP +The +.B modrdn +operation does not require +.B write (=w) +access to the +.B children +pseudo-attribute of the parent entry, nor to that of the new parent, +if different; +.B write (=w) +access to the distinguished values of the naming attributes +is not checked. +.LP +The +.B search +operation does not require +.B search (=s) +access to the +.B entry +pseudo_attribute of the searchBase; +.B search (=s) +access to the attributes and values used in the filter is not checked. 
+ .SH EXAMPLE There is an example search script in the slapd/back-shell/ directory in the OpenLDAP source tree. diff --git a/doc/man/man5/slapd.access.5 b/doc/man/man5/slapd.access.5 index c4b02a9d31..dd27eb6faf 100644 --- a/doc/man/man5/slapd.access.5 +++ b/doc/man/man5/slapd.access.5 @@ -922,43 +922,20 @@ attribute of the authorizing identity and/or on the attribute of the authorized identity. .LP -Some backends do not honor all the above rules. In detail: +Access control to search entries is checked by the frontend, +so it is fully honored by all backends; for all other operations +and for the discovery phase of the search operation, +full ACL semantics is only supported by the primary backends, i.e. +.BR back-bdb (5), +.BR back-hdb (5), +and +.BR back-ldbm (5). -.TP -.B bacl-ldap/back-meta -\fIdo not check\fP -.B write (=w) -access, since it is delegated to the remote host(s) serving -the naming context. -The same applies to checking -.B search (=s) -access to the -.B entry -pseudo-attribute of the -.B searchBase -of a search operation, -.B search (=s) -access to the attributes used in the -.BR searchFilter , -and -.B disclose (=d) -access to the -.B entry -pseudo-attribute of any object in case of error: all those checks -are delegated to the remote host(s). -In any case, -.B read (=r) -access is honored locally by the frontend. - -.TP -.B back-shell -requires -.B write (=w) -access to the -.B entry -pseudo-attribute for the modify operation; in the meanwhile, -\fIwrite access to the specific attributes that are modified -is not checked\fP. +Some other backend, like +.BR back-sql (5), +may fully support them; others may only support a portion of the +described semantics, or even differ in some aspects. +The relevant details are described in the backend-specific man pages. .SH CAVEATS It is strongly recommended to explicitly use the most appropriate 
@@ -1038,6 +1015,7 @@ ETCDIR/slapd.conf default slapd configuration file .SH SEE ALSO .BR slapd (8), +.BR slapd-* (5), .BR slapacl (8), .BR regex (7), .BR re_format (7)
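Review bot: the new ACCESS CONTROL section in slapd-shell.5 ships an unresolved "FIXME" inside the compare paragraph ("(FIXME: wouldn't .B compare (=c) be a more appropriate choice?)"), and the search paragraph has a typo, "pseudo_attribute" for "pseudo-attribute". Either settle the compare question before committing or move it out of the rendered text into a troff comment (".\" FIXME: ..."), and fix the underscore. Since the section documents that write access to children, to modified attributes and to naming-attribute values is never checked, and search access to filter attributes is never checked, it would help administrators if the introductory paragraph stated plainly that enforcing those restrictions is left to the shell script, as the bind paragraph already does for credentials.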
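Review bot: the slapd.access.5 hunk deletes the back-ldap/back-meta paragraph (write, search-on-entry, search-on-filter and disclose checks delegated to the remote host, read honored locally) and replaces it with "The relevant details are described in the backend-specific man pages", but this patch only adds such details to slapd-shell.5; nothing is added to slapd-ldap(5) or slapd-meta(5). Until those pages carry the equivalent text, the information about which checks are not performed locally is lost to readers, so either keep that paragraph for now or land the back-ldap/back-meta ACCESS CONTROL sections in the same change. Also, "Some other backend, like .BR back-sql (5), may fully support them; others ..." should read "Some other backends, like", and "Access control to search entries" is ambiguous; "access control to the entries returned by a search" says what the frontend actually checks.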
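Review bot: the SEE ALSO addition ".BR slapd-* (5)," uses a glob rather than a real man page name, so "man slapd-*" will not resolve for a reader following the reference. Consider listing the backend pages the text refers to (at least slapd-shell(5), which this patch gives an ACCESS CONTROL section) or spelling it out as "the slapd-\fIbackend\fP(5) pages".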