upstream/openldap
1
0
Fork 0
mirror of https://git.openldap.org/openldap/openldap.git synced 2025-12-24 00:29:35 -05:00
Code Issues Projects Releases Packages Wiki Activity Actions

ITS#5512 Doc contribution for search privileges in 2.4

Browse source
This commit is contained in:
Gavin Henry 2008-05-15 21:35:13 +00:00
parent 1fc3f1c130
commit 2f76f6ce23
2 changed files with 22 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

8
doc/guide/admin/access-control.sdf
View file

@ -137,7 +137,9 @@ attribute name and also using a value selector:
There are two special {{pseudo}} attributes {{EX:entry}} and
{{EX:children}}. To read (and hence return) a target entry, the
subject must have {{EX:read}} access to the target's {{entry}}
attribute. To add or delete an entry, the subject must have
attribute. To perform a search, the subject must have
{{EX:search}} access to the search base's {{entry}} attribute.
To add or delete an entry, the subject must have
{{EX:write}} access to the entry's {{EX:entry}} attribute AND must
have {{EX:write}} access to the entry's parent's {{EX:children}}
attribute. To rename an entry, the subject must have {{EX:write}}
@ -552,7 +554,9 @@ attribute name and also using a value selector:
There are two special {{pseudo}} attributes {{EX:entry}} and
{{EX:children}}. To read (and hence return) a target entry, the
subject must have {{EX:read}} access to the target's {{entry}}
attribute. To add or delete an entry, the subject must have
attribute. To perform a search, the subject must have
{{EX:search}} access to the search base's {{entry}} attribute.
To add or delete an entry, the subject must have
{{EX:write}} access to the entry's {{EX:entry}} attribute AND must
have {{EX:write}} access to the entry's parent's {{EX:children}}
attribute. To rename an entry, the subject must have {{EX:write}}

16
doc/guide/admin/appendix-upgrading.sdf
View file

@ -37,6 +37,22 @@ entries like below, just remove them from the relevant ldif file.
> olcReplicationInterval: value #0: <olcReplicationInterval> keyword is obsolete (ignored)
H2: ACLs: searches require privileges on the search base
Search operations now require "search" privileges on the "entry" pseudo-attribute of the search
base. While upgrading from 2.3.x, make sure your ACLs grant such privileges to all desired search
bases.
For example, assuming you have the following ACL:
> access to dn.sub="ou=people,dc=example,dc=com" by * search
Searches using a base of "dc=example,dc=com" will only be allowed if you add the following ACL:
> access to dn.base="dc=example,dc=com" attrs=entry by * search
Note: The {{slapd.access}}(5) man page states that this requirement was introduced
with OpenLDAP 2.3. However, it is the default behavior only since 2.4.