Путеводитель по Руководству Linux

  User  |  Syst  |  Libr  |  Device  |  Files  |  Other  |  Admin  |  Head  |



   slapd-meta    ( 5 )

бэкэнд метакаталога для slapd (metadirectory backend to slapd)

ACLs

Note on ACLs: at present you may add whatever ACL rule you desire
       to the Meta (and LDAP) backends.  However, the meaning of an ACL
       on a proxy may require some considerations.  Two philosophies may
       be considered:

a) the remote server dictates the permissions; the proxy simply passes back what it gets from the remote server.

b) the remote server unveils "everything"; the proxy is responsible for protecting data from unauthorized access.

Of course the latter sounds unreasonable, but it is not. It is possible to imagine scenarios in which a remote host discloses data that can be considered "public" inside an intranet, and a proxy that connects it to the internet may impose additional constraints. To this purpose, the proxy should be able to comply with all the ACL matching criteria that the server supports. This has been achieved with regard to all the criteria supported by slapd except a special subtle case (please file an ITS if you can find other exceptions: <http://www.openldap.org/its/>). The rule

access to dn="<dn>" attrs=<attr> by dnattr=<dnattr> read by * none

cannot be matched iff the attribute that is being requested, <attr>, is NOT <dnattr>, and the attribute that determines membership, <dnattr>, has not been requested (e.g. in a search)

In fact this ACL is resolved by slapd using the portion of entry it retrieved from the remote server without requiring any further intervention of the backend, so, if the <dnattr> attribute has not been fetched, the match cannot be assessed because the attribute is not present, not because no value matches the requirement!

Note on ACLs and attribute mapping: ACLs are applied to the mapped attributes; for instance, if the attribute locally known as "foo" is mapped to "bar" on a remote server, then local ACLs apply to attribute "foo" and are totally unaware of its remote name. The remote server will check permissions for "bar", and the local server will possibly enforce additional restrictions to "foo".