directory-dev mailing list archives

From Pierre-Arnaud Marcelot <paj...@gmail.com>
Subject Re: Are non admin users allowed to read entries under ou=system ?
Date Sat, 24 Dec 2011 16:40:13 GMT
On 24 Dec 2011 at 12:44, Kiran Ayyagari <kayyagari@apache.org> wrote:

> On Sat, Dec 24, 2011 at 4:57 PM, Emmanuel Lecharny <elecharny@gmail.com> wrote:
>> Hi,
>>
>> we have a strange test that checks if a normal user (not the admin) can read
>> under ou=system. This test is just totally wrong, as it uses the admin
>> session, so I tried to fix it using a plain user. Sadly, doing so, I can read
>> almost everything under ou=system.
>>
>> So I question the logic:
>> - can a normal user read something under ou=system (except his own record)
>> - should we instead forbid this user to read the 'uid=admin,ou=system',
>> 'ou=configuration,ou=system', 'ou=groups,ou=system' and 'ou=users,ou=system'
>> entries (and their children) ?
>> - or should we just allow this user to read everything except if the ACI
>> subsystem is set ?
>>
>> IMO, I'd rather go for the third option.
>>
> +1

+1 too.

Regards,
Pierre-Arnaud

>> Note : the test is
>> org.apache.directory.server.core.authz.AuthorizationServiceAsNonAdminIT.testNoSearchByNonAdmin
>> :
>>    /**
>>     * Makes sure non-admin cannot search under ou=system.
>>     *
>>     * @throws Exception if there are problems
>>     */
>>    @Test
>>    public void testNoSearchByNonAdmin() throws Exception
>>    {
>>        LdifEntry akarasulu = getUserAddLdif();
>>
>>        getService().getAdminSession().add(
>>            new DefaultEntry( getService().getSchemaManager(), akarasulu.getEntry() ) );
>>
>>        try
>>        {
>>            ExprNode filter = FilterParser.parse( getService().getSchemaManager(), "(objectClass=*)" );
>>            getService().getAdminSession().search( new Dn( "ou=system" ),
>>                SearchScope.SUBTREE, filter, AliasDerefMode.DEREF_ALWAYS, null );
>>        }
>>        }
>>        catch ( LdapNoPermissionException e )
>>        {
>>            assertNotNull( e );
>>        }
>>    }
>>
>> It passes with flying colors, just because we don't check anything...
>>
>> --
>> Regards,
>> Cordialement,
>> Emmanuel Lécharny
>> www.iktek.com
>>
>
>
>
> --
> Kiran Ayyagari

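The quoted test has two defects Emmanuel points out: it searches with the admin session instead of a plain user's, and it never calls fail(), so a search that is wrongly permitted still passes. The following is an added example (not code from the ApacheDS project or from anyone in this thread) of how the test could be written so that it actually exercises the third option the thread agrees on: a non-admin may read under ou=system unless the ACI subsystem is enabled, in which case the search must be refused. It assumes the same test base class and helpers as the quoted test (getService(), getUserAddLdif(), FrameworkRunner, AbstractLdapTestUnit), that DirectoryService exposes getSession( Dn, byte[] ) and isAccessControlEnabled(), that the LDIF from getUserAddLdif() creates uid=akarasulu,ou=users,ou=system with password "test", and that the shared-ldap package names are those of the ApacheDS 2.0 tree of that time; treat all of these as assumptions to check against the code base.

```java
// Added example for the thread above; not project code. Package names,
// getSession( Dn, byte[] ), isAccessControlEnabled() and the user DN /
// password are assumptions, as stated in the lead-in.
package org.apache.directory.server.core.authz;

import static org.junit.Assert.assertTrue;
import static org.junit.Assert.fail;

import org.apache.directory.server.core.api.CoreSession;
import org.apache.directory.server.core.api.filtering.EntryFilteringCursor;
import org.apache.directory.server.core.integ.AbstractLdapTestUnit;
import org.apache.directory.server.core.integ.FrameworkRunner;
import org.apache.directory.shared.ldap.model.entry.DefaultEntry;
import org.apache.directory.shared.ldap.model.exception.LdapNoPermissionException;
import org.apache.directory.shared.ldap.model.filter.ExprNode;
import org.apache.directory.shared.ldap.model.filter.FilterParser;
import org.apache.directory.shared.ldap.model.ldif.LdifEntry;
import org.apache.directory.shared.ldap.model.message.AliasDerefMode;
import org.apache.directory.shared.ldap.model.message.SearchScope;
import org.apache.directory.shared.ldap.model.name.Dn;
import org.junit.Test;
import org.junit.runner.RunWith;

@RunWith( FrameworkRunner.class )
public class NonAdminSearchUnderSystemIT extends AbstractLdapTestUnit
{
    /**
     * A plain user searching under ou=system: allowed when the ACI subsystem
     * is off (option 3 in the thread), refused when it is on. Either way the
     * outcome is asserted, so the test can no longer pass by doing nothing.
     */
    @Test
    public void testSearchUnderSystemAsNonAdmin() throws Exception
    {
        // getUserAddLdif() is assumed, as in the quoted test, to yield the
        // entry uid=akarasulu,ou=users,ou=system with password "test".
        LdifEntry akarasulu = getUserAddLdif();

        getService().getAdminSession().add(
            new DefaultEntry( getService().getSchemaManager(), akarasulu.getEntry() ) );

        // Bind a session as the plain user, not as admin. This is the step
        // the quoted test skipped. (getSession( Dn, byte[] ) is assumed.)
        CoreSession userSession = getService().getSession(
            new Dn( "uid=akarasulu,ou=users,ou=system" ), "test".getBytes( "UTF-8" ) );

        ExprNode filter = FilterParser.parse( getService().getSchemaManager(), "(objectClass=*)" );
        Dn system = new Dn( "ou=system" );

        if ( getService().isAccessControlEnabled() )
        {
            // ACI subsystem on: the search must be refused, and the test must
            // fail explicitly if no exception is raised.
            try
            {
                userSession.search( system, SearchScope.SUBTREE, filter,
                    AliasDerefMode.DEREF_ALWAYS, null );
                fail( "non-admin search under ou=system should have been refused" );
            }
            catch ( LdapNoPermissionException expected )
            {
                // refused as required
            }
        }
        else
        {
            // ACI subsystem off: the search is allowed and must return at least
            // the user's own entry, so an unexpected refusal surfaces as a failure.
            EntryFilteringCursor cursor = userSession.search( system, SearchScope.SUBTREE,
                filter, AliasDerefMode.DEREF_ALWAYS, null );
            try
            {
                assertTrue( "expected at least one readable entry under ou=system", cursor.next() );
            }
            finally
            {
                cursor.close();
            }
        }
    }
}
```

Running it twice, once with access control disabled and once enabled via the test framework's service configuration, covers both branches; the important change relative to the quoted test is that each branch asserts on an outcome rather than only catching an exception that may never be thrown.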