[Fedora-directory-devel] Attribute to determine allowed write attributes?

Andrew Bartlett abartlet at samba.org
Thu Nov 2 20:42:02 UTC 2006 

On Thu, 2006-11-02 at 16:07 +0100, Pierangelo Masarati wrote:
> Andrew Bartlett wrote:
> > Using Samba's ldbsearch:
> >
> > bin/ldbsearch -H ldap://win2k3dc.win2k3.abartlet.net cn=administrator
> > allowedAttributes allowedAttributesEffective allowedClasses
> > AllowedClassesEffective -Uadministrator%penguin
> >   
> What's the -U for?  My guess is -U<user>%<cred>, is it correct?

That's the samba syntax for username and password, for a SASL bind.

> > allowedAttributesEffective: adminDisplayName
> >   
> What identity does the "Effective" refer to?  That of the client 
> performing the request?  

Yes, the access that would be given to this connection, if it were to
try write access to these attributes.

> How would this deal with ACL that depend on the 
> value of the data?  How would this deal with ACLs that do not just 
> depend on the object and on the client's identity?

It should return the attributes that may be written to.  Remember, the
purpose is to allow a GUI client to grey out read-only fields, and
reduce user frustration.

> Moreover, I believe this type of operation should be itself protected by 
> ACLs, i.e. implementations should be able to restrict identities that 
> can get this info.  

This may well be.  For my purposes, all users with access to write
should be able to know what they may write to.  Users with read only
access would get a empty list, and the total list of allowed attributes
can be calculated by schema introspection.

> With an ACL model that accounts for attribute values 
> (like any serious implementation should provide), the list itself could 
> be incomplete if access to specific values of allowedAttributes or 
> allowedAttributesEffective is itself restricted.

Sorry, this seems a bit recursive.  I'm lost.  

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.                  http://redhat.com
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
URL: <http://listman.redhat.com/archives/fedora-directory-devel/attachments/20061103/9a3f11c5/attachment.sig>

More information about the Fedora-directory-devel mailing list