directory-dev mailing list archives

From Emmanuel Lecharny <>
Subject Are non admin users allowed to read entries under ou=system ?
Date Sat, 24 Dec 2011 11:27:44 GMT

We have a strange test that checks if a normal user (not the admin) can 
read under ou=system. This test is just totally wrong, as it uses the 
admin session, so I tried to fix it using a plain user. Sadly, doing so, 
I can read almost everything under ou=system.

So I question the logic:
- can a normal user read something under ou=system (except his own record)?
- should we instead forbid this user to read the 'uid=admin,ou=system', 
'ou=configuration,ou=system', 'ou=groups,ou=system' and 
'ou=users,ou=system' entries (and their children)?
- or should we just allow this user to read everything except if the ACI 
subsystem is set?

IMO, I'd rather go for the third option.

Note: the test is

    /**
     * Makes sure non-admin cannot search under ou=system.
     *
     * @throws Exception if there are problems
     */
    @Test
    public void testNoSearchByNonAdmin() throws Exception
    {
        LdifEntry akarasulu = getUserAddLdif();

        // the test user is created through the admin session
        getService().getAdminSession().add(
            new DefaultEntry( getService().getSchemaManager(), akarasulu.getEntry() ) );

        try
        {
            ExprNode filter = FilterParser.parse( getService().getSchemaManager(), "(objectClass=*)" );
            // still the admin session, and nothing fails if no exception is thrown
            getService().getAdminSession().search( new Dn( "ou=system" ),
                SearchScope.SUBTREE, filter, AliasDerefMode.DEREF_ALWAYS, null );
        }
        catch ( LdapNoPermissionException e )
        {
            assertNotNull( e );
        }
    }

It passes with flying colors, just because we don't check anything...

Emmanuel Lécharny
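What the corrected test could look like, as an added example that is not part of the original mail nor of the ApacheDS code base: it binds a CoreSession as the freshly added plain user instead of reusing the admin session, and it fails explicitly when that user gets entries back, so the test can no longer pass by doing nothing. It is a method meant to sit in the same test class as the posted one. Assumptions: getUserAddLdif() and getService() come from the same test fixture as the posted test, the user's password is taken from the userPassword attribute of that LDIF entry, DirectoryService.getSession(Dn, byte[]) is the simple-bind entry point, and the package names follow the late-2011 shared/server layout and may need adjusting. Tolerating the user's own entry is the first option from the mail; drop that branch if the expectation is "nothing at all".

```java
import static org.junit.Assert.fail;

import java.util.ArrayList;
import java.util.List;

import org.apache.directory.server.core.api.CoreSession;
import org.apache.directory.server.core.api.filtering.EntryFilteringCursor;
import org.apache.directory.shared.ldap.model.entry.DefaultEntry;
import org.apache.directory.shared.ldap.model.entry.Entry;
import org.apache.directory.shared.ldap.model.exception.LdapNoPermissionException;
import org.apache.directory.shared.ldap.model.filter.ExprNode;
import org.apache.directory.shared.ldap.model.filter.FilterParser;
import org.apache.directory.shared.ldap.model.ldif.LdifEntry;
import org.apache.directory.shared.ldap.model.message.AliasDerefMode;
import org.apache.directory.shared.ldap.model.message.SearchScope;
import org.apache.directory.shared.ldap.model.name.Dn;
import org.junit.Test;

/**
 * Added example (not the ApacheDS test): the same check, performed with the
 * plain user's own session and failing explicitly when entries leak.
 * Package names are assumed to match the late-2011 shared/server layout.
 */
@Test
public void testNoSearchByNonAdmin() throws Exception
{
    // Create the test user with the admin session, exactly as the original test does
    LdifEntry akarasulu = getUserAddLdif();
    Entry userEntry = new DefaultEntry( getService().getSchemaManager(), akarasulu.getEntry() );
    getService().getAdminSession().add( userEntry );

    // Assumption: the LDIF fixture carries the user's clear-text userPassword
    Dn userDn = userEntry.getDn();
    byte[] password = userEntry.get( "userPassword" ).getBytes();

    // Bind as the plain user: this is the session that must be denied, not the admin one
    CoreSession userSession = getService().getSession( userDn, password );

    ExprNode filter = FilterParser.parse( getService().getSchemaManager(), "(objectClass=*)" );
    List<String> visible = new ArrayList<String>();

    try
    {
        EntryFilteringCursor cursor = userSession.search( new Dn( "ou=system" ),
            SearchScope.SUBTREE, filter, AliasDerefMode.DEREF_ALWAYS, null );

        // Collect what the user can actually see; a denial may also surface
        // while iterating rather than at search() time
        try
        {
            while ( cursor.next() )
            {
                Dn dn = cursor.get().getDn();

                // Option 1 from the mail: a user reading his own record is acceptable
                if ( !dn.equals( userDn ) )
                {
                    visible.add( dn.getName() );
                }
            }
        }
        finally
        {
            cursor.close();
        }
    }
    catch ( LdapNoPermissionException e )
    {
        // Expected outcome: the plain user is denied under ou=system
        return;
    }

    // Reached only when no LdapNoPermissionException was thrown. The old test
    // silently passed here; this one reports exactly which entries leaked.
    if ( !visible.isEmpty() )
    {
        fail( "non-admin user " + userDn.getName() + " could read under ou=system: " + visible );
    }
}
```

The two changes that matter are the session used for the search and the fail() after the try block: a catch that only asserts on the exception it caught can never fail, which is how the posted test "passes with flying colors" regardless of what the server enforces.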
