upstream/openldap
1
0
Fork 0
mirror of https://git.openldap.org/openldap/openldap.git synced 2026-01-07 23:51:21 -05:00
Code Issues Projects Releases Packages Wiki Activity Actions

Add disclose and manage to ABNF and table of access levels

Browse source
This commit is contained in:
Kurt Zeilenga 2006-04-12 23:33:04 +00:00
parent c08f05f0c0
commit f2aae492a8
2 changed files with 38 additions and 37 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

45
doc/guide/admin/slapdconf2.sdf
View file

@ -1032,8 +1032,8 @@ The general form of the olcAccess configuration is:
> [set=<setspec>]
> [aci=<attrname>]
> <access> ::= [self]{<level>|<priv>}
> <level> ::= none | auth | compare | search | read | write
> <priv> ::= {=|+|-}{w|r|s|c|x|0}+
> <level> ::= none | disclose | auth | compare | search | read | write | manage
> <priv> ::= {=|+|-}{m|w|r|s|c|x|d|0}+
> <control> ::= [stop | continue | break]
where the <what> part selects the entries and/or attributes to which
@ -1166,25 +1166,25 @@ As these can easily spoofed, the domain factor should not be avoided.
H3: The access to grant
The kind of <access> granted can be one of the following:
!block table; colaligns="LRL"; coltags="EX,EX,N"; align=Center; \
title="Table 5.4: Access Levels"
Level Privileges Description
none =0 no access
auth =x needed to bind
compare =cx needed to compare
search =scx needed to apply search filters
read =rscx needed to read search results
write =wrscx needed to modify/rename
Level Privileges Description
none =0 no access
disclose =d needed for information disclosure on error
auth =dx needed to authenticate (bind)
compare =cdx needed to compare
search =scdx needed to apply search filters
read =rscdx needed to read search results
write =wrscdx needed to modify/rename
manage =mwrscdx needed to manage
!endblock
Each level implies all lower levels of access. So, for
example, granting someone {{EX:write}} access to an entry also
grants them {{EX:read}}, {{EX:search}}, {{EX:compare}}, and
{{EX:auth}} access. However, one may use the privileges specifier
Each level implies all lower levels of access. So, for example,
granting someone {{EX:write}} access to an entry also grants them
{{EX:read}}, {{EX:search}}, {{EX:compare}}, {{EX:auth}} and
{{EX:disclose}} access. However, one may use the privileges specifier
to grant specific permissions.
@ -1192,15 +1192,16 @@ H3: Access Control Evaluation
When evaluating whether some requester should be given access to
an entry and/or attribute, slapd compares the entry and/or attribute
to the {{EX:<what>}} selectors given in the configuration.
For each entry, access controls provided in the database which holds
to the {{EX:<what>}} selectors given in the configuration. For
each entry, access controls provided in the database which holds
the entry (or the first database if not held in any database) apply
first, followed by the global access directives (which are held in
the {{EX:frontend}} database definition). Within this
priority, access directives are examined in the order in which they
appear in the configuration attribute. Slapd stops with the first {{EX:<what>}}
selector that matches the entry and/or attribute. The corresponding
access directive is the one slapd will use to evaluate access.
the {{EX:frontend}} database definition). Within this priority,
access directives are examined in the order in which they appear
in the configuration attribute. Slapd stops with the first
{{EX:<what>}} selector that matches the entry and/or attribute. The
corresponding access directive is the one slapd will use to evaluate
access.
Next, slapd compares the entity requesting access to the {{EX:<who>}}
selectors within the access directive selected above in the order

30
doc/guide/admin/slapdconfig.sdf
View file

@ -705,8 +705,8 @@ access line is:
> [set=<setspec>]
> [aci=<attrname>]
> <access> ::= [self]{<level>|<priv>}
> <level> ::= none | auth | compare | search | read | write
> <priv> ::= {=|+|-}{w|r|s|c|x|0}+
> <level> ::= none | disclose | auth | compare | search | read | write | manage
> <priv> ::= {=|+|-}{m|w|r|s|c|x|d|0}+
> <control> ::= [stop | continue | break]
where the <what> part selects the entries and/or attributes to which
@ -839,25 +839,25 @@ As these can easily spoofed, the domain factor should not be avoided.
H3: The access to grant
The kind of <access> granted can be one of the following:
!block table; colaligns="LRL"; coltags="EX,EX,N"; align=Center; \
title="Table 5.4: Access Levels"
Level Privileges Description
none =0 no access
auth =x needed to bind
compare =cx needed to compare
search =scx needed to apply search filters
read =rscx needed to read search results
write =wrscx needed to modify/rename
Level Privileges Description
none =0 no access
disclose =d needed for information disclosure on error
auth =dx needed to authenticate (bind)
compare =cdx needed to compare
search =scdx needed to apply search filters
read =rscdx needed to read search results
write =wrscdx needed to modify/rename
manage =mwrscdx needed to manage
!endblock
Each level implies all lower levels of access. So, for
example, granting someone {{EX:write}} access to an entry also
grants them {{EX:read}}, {{EX:search}}, {{EX:compare}}, and
{{EX:auth}} access. However, one may use the privileges specifier
Each level implies all lower levels of access. So, for example,
granting someone {{EX:write}} access to an entry also grants them
{{EX:read}}, {{EX:search}}, {{EX:compare}}, {{EX:auth}} and
{{EX:disclose}} access. However, one may use the privileges specifier
to grant specific permissions.