mirror of
https://git.openldap.org/openldap/openldap.git
synced 2024-12-21 03:10:25 +08:00
more to partial fulfilment of ITS#3639
parent 889ce515ad
commit 140b33927f
@ -134,6 +134,89 @@ where only RESULT is mandatory.
The \fBsearch\fP RESULT should be preceded by the entries in LDIF
format, each entry followed by a blank line.
Lines starting with `#' or `DEBUG:' are ignored.
.SH ACCESS CONTROL
The
.B shell
backend does not honor all ACL semantics as described in
.BR slapd.access (5).
In general, access to objects is checked by using a dummy object
that contains only the DN, so access rules that rely on the contents
of the object are not honored.
In detail:
.LP
The
.B add
operation does not require
.B write (=w)
access to the
.B children
pseudo-attribute of the parent entry.
.LP
The
.B bind
operation requires
.B auth (=x)
access to the
.B entry
pseudo-attribute of the entry whose identity is being assessed;
.B auth (=x)
access to the credentials is not checked, but rather delegated
to the underlying shell script.
.LP
The
.B compare
operation requires
.B read (=r)
access (FIXME: wouldn't
.B compare (=c)
be a more appropriate choice?)
to the
.B entry
pseudo-attribute
of the object whose value is being asserted;
.B compare (=c)
access to the attribute whose value is being asserted is not checked.
.LP
The
.B delete
operation does not require
.B write (=w)
access to the
.B children
pseudo-attribute of the parent entry.
.LP
The
.B modify
operation requires
.B write (=w)
access to the
.B entry
pseudo-attribute;
.B write (=w)
access to the specific attributes that are modified is not checked.
.LP
The
.B modrdn
operation does not require
.B write (=w)
access to the
.B children
pseudo-attribute of the parent entry, nor to that of the new parent,
if different;
.B write (=w)
access to the distinguished values of the naming attributes
is not checked.
.LP
The
.B search
operation does not require
.B search (=s)
access to the
.B entry
pseudo_attribute of the searchBase;
.B search (=s)
access to the attributes and values used in the filter is not checked.

.SH EXAMPLE
There is an example search script in the slapd/back-shell/ directory
in the OpenLDAP source tree.

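Review bot: the parenthetical "FIXME: wouldn't compare (=c) be a more appropriate choice?" in the compare paragraph is a developer question and should not ship in a man page; settle it before merging (either document read (=r) as the privilege this backend actually checks, or change the backend to check compare (=c)) and drop the FIXME. Two smaller points in the same hunk: "pseudo_attribute" in the search paragraph should be "pseudo-attribute" as everywhere else, and since add, delete and modrdn are all documented as not requiring write (=w) access to the parent's children pseudo-attribute, a one-sentence warning that ACLs scoped on children cannot be relied on to restrict tree changes under this backend would save administrators from a false sense of enforcement.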
@ -922,43 +922,20 @@ attribute of the authorizing identity and/or on the
attribute of the authorized identity.

.LP
Some backends do not honor all the above rules. In detail:

.TP
.B bacl-ldap/back-meta
\fIdo not check\fP
.B write (=w)
access, since it is delegated to the remote host(s) serving
the naming context.
The same applies to checking
.B search (=s)
access to the
.B entry
pseudo-attribute of the
.B searchBase
of a search operation,
.B search (=s)
access to the attributes used in the
.BR searchFilter ,
Access control to search entries is checked by the frontend,
so it is fully honored by all backends; for all other operations
and for the discovery phase of the search operation,
full ACL semantics is only supported by the primary backends, i.e.
.BR back-bdb (5),
.BR back-hdb (5),
and
.B disclose (=d)
access to the
.B entry
pseudo-attribute of any object in case of error: all those checks
are delegated to the remote host(s).
In any case,
.B read (=r)
access is honored locally by the frontend.
.BR back-ldbm (5).

.TP
.B back-shell
requires
.B write (=w)
access to the
.B entry
pseudo-attribute for the modify operation; in the meanwhile,
\fIwrite access to the specific attributes that are modified
is not checked\fP.
Some other backend, like
.BR back-sql (5),
may fully support them; others may only support a portion of the
described semantics, or even differ in some aspects.
The relevant details are described in the backend-specific man pages.

.SH CAVEATS
It is strongly recommended to explicitly use the most appropriate
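Review bot: "full ACL semantics is only supported by the primary backends" needs "are only supported" (the subject is plural), and "Some other backend, like back-sql(5), may fully support them" leaves the reader unsure whether back-sql actually enforces full semantics; since the paragraph already ends with "The relevant details are described in the backend-specific man pages", either state definitively what back-sql enforces or drop the example and keep only that pointer. The new generic wording also no longer says that back-ldap/back-meta delegate write (=w) and disclose (=d) checks to the remote host(s) while read (=r) is still honored locally by the frontend; confirm that text was moved into the slapd-ldap(5) and slapd-meta(5) pages rather than lost. If the "bacl-ldap/back-meta" line is retained, "bacl-ldap" is a typo for "back-ldap".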
@ -1038,6 +1015,7 @@ ETCDIR/slapd.conf
default slapd configuration file
.SH SEE ALSO
.BR slapd (8),
.BR slapd-* (5),
.BR slapacl (8),
.BR regex (7),
.BR re_format (7)

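Review bot: ".BR slapd-* (5)," is a glob, not a man page name, so "man slapd-*" and man-page cross-reference tools cannot resolve it; if the intent is to send readers to the backend-specific pages that now carry the per-backend ACL deviations, either list the relevant pages by name or express it in prose (for example "and the backend-specific slapd-<backend>(5) pages") so the reference is actionable.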