directory-dev mailing list archives

From Emmanuel Lecharny <elecha...@gmail.com>
Subject Are non admin users allowed to read entries under ou=system ?
Date Sat, 24 Dec 2011 11:27:44 GMT
Hi,

we have a strange test that checks if a normal user (not the admin) can 
read under ou=system. This test is just totally wrong, as it uses the 
admin session, so I tried to fix it using a plain user. Sadly, doing so, 
I can read almost everything under ou=system.

So I question the logic:
- can a normal user read something under ou=system (except his own record)?
- should we instead forbid this user to read the 'uid=admin,ou=system', 
'ou=configuration,ou=system', 'ou=groups,ou=system' and 
'ou=users,ou=system' entries (and their children)?
- or should we just allow this user to read everything except if the ACI 
subsystem is set?

IMO, I'd rather go for the third option.

Note: the test is 
org.apache.directory.server.core.authz.AuthorizationServiceAsNonAdminIT.testNoSearchByNonAdmin:
    /**
     * Makes sure non-admin cannot search under ou=system.
     *
     * @throws Exception if there are problems
     */
    @Test
    public void testNoSearchByNonAdmin() throws Exception
    {
        LdifEntry akarasulu = getUserAddLdif();

        getService().getAdminSession().add(
            new DefaultEntry( getService().getSchemaManager(), akarasulu.getEntry() ) );

        try
        {
            ExprNode filter = FilterParser.parse( getService().getSchemaManager(), "(objectClass=*)" );
            getService().getAdminSession().search( new Dn( "ou=system" ), SearchScope.SUBTREE,
                filter, AliasDerefMode.DEREF_ALWAYS, null );
        }
        catch ( LdapNoPermissionException e )
        {
            assertNotNull( e );
        }
    }

It passes with flying colors, just because we don't check anything...

-- 
Regards,
Cordialement,
Emmanuel Lécharny
www.iktek.com

