directory-dev mailing list archives

From Kiran Ayyagari <kayyag...@apache.org>
Subject Re: Are non admin users allowed to read entries under ou=system ?
Date Sat, 24 Dec 2011 11:44:07 GMT
On Sat, Dec 24, 2011 at 4:57 PM, Emmanuel Lecharny <elecharny@gmail.com> wrote:
> Hi,
>
> we have a strange test that checks if a normal user (not the admin) can read
> under ou=system. This test is just totally wrong, as it uses the admin
> session, so I tried to fix it using a plain user. Sadly, doing so, I can read
> almost everything under ou=system.
>
> So I question the logic :
> - can a normal user read something under ou=system (except his own record)
> - should we instead forbid this user to read the 'uid=admin,ou=system',
> 'ou=configuration,ou=system', 'ou=groups,ou=system' and 'ou=users,ou=system'
> entries (and their children) ?
> - or should we just allow this user to read everything except if the ACI
> subsystem is set ?
>
> IMO, I'd rather go for the third option.
>
+1
> Note : the test is
> org.apache.directory.server.core.authz.AuthorizationServiceAsNonAdminIT.testNoSearchByNonAdmin :
>    /**
>     * Makes sure non-admin cannot search under ou=system.
>     *
>     * @throws Exception if there are problems
>     */
>    @Test
>    public void testNoSearchByNonAdmin() throws Exception
>    {
>        LdifEntry akarasulu = getUserAddLdif();
>
>        getService().getAdminSession().add(
>            new DefaultEntry( getService().getSchemaManager(), akarasulu.getEntry() ) );
>
>        try
>        {
>            ExprNode filter = FilterParser.parse( getService().getSchemaManager(), "(objectClass=*)" );
>            getService().getAdminSession().search( new Dn( "ou=system" ),
>                SearchScope.SUBTREE, filter, AliasDerefMode.DEREF_ALWAYS, null );
>        }
>        catch ( LdapNoPermissionException e )
>        {
>            assertNotNull( e );
>        }
>    }
>
> It passes with flying colors, just because we don't check anything...
>
> --
> Regards,
> Cordialement,
> Emmanuel Lécharny
> www.iktek.com
>



-- 
Kiran Ayyagari
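The weakness the thread points at is twofold: the quoted test runs the search through the admin session, and it never calls fail() after the search, so a search that is silently allowed looks exactly like one that is refused. Below is an added example of a test shape that does exercise the non-admin path; it is not code from this thread or from the ApacheDS project. It assumes the ApacheDS core-integ harness (AbstractLdapTestUnit with its static getService(), and the same getUserAddLdif() helper the original test relies on), that the fixture user is uid=akarasulu,ou=users,ou=system with password "test" (an assumption about the fixture, not something the thread states), that a user-bound CoreSession is obtained via DirectoryService.getSession(Dn, byte[]), and the org.apache.directory.api package names of the current LDAP API rather than the older shared-ldap packages the 2011 code would have imported. Which outcome the test should expect depends on which of the three options in the thread is adopted; the example encodes the "denied" outcome so that the assertion is visible and would actually fail when the server permits the read.

```java
import static org.junit.Assert.assertTrue;

import java.nio.charset.StandardCharsets;

import org.apache.directory.api.ldap.model.cursor.Cursor;
import org.apache.directory.api.ldap.model.entry.DefaultEntry;
import org.apache.directory.api.ldap.model.entry.Entry;
import org.apache.directory.api.ldap.model.exception.LdapNoPermissionException;
import org.apache.directory.api.ldap.model.filter.ExprNode;
import org.apache.directory.api.ldap.model.filter.FilterParser;
import org.apache.directory.api.ldap.model.ldif.LdifEntry;
import org.apache.directory.api.ldap.model.message.AliasDerefMode;
import org.apache.directory.api.ldap.model.message.SearchScope;
import org.apache.directory.api.ldap.model.name.Dn;
import org.apache.directory.server.core.api.CoreSession;
import org.apache.directory.server.core.integ.AbstractLdapTestUnit;
import org.junit.Test;

/**
 * Added example, not ApacheDS code: a non-admin search test that can fail.
 * getUserAddLdif() is assumed to be available from the same place the original
 * test class gets it.
 */
public class NonAdminSearchExampleIT extends AbstractLdapTestUnit
{
    /** Fixture assumption: the DN of the entry that getUserAddLdif() creates. */
    private static final String USER_DN = "uid=akarasulu,ou=users,ou=system";

    /** Fixture assumption: that user's password. */
    private static final byte[] USER_PASSWORD = "test".getBytes( StandardCharsets.UTF_8 );

    /**
     * Binds as the given user and searches the whole ou=system subtree.
     * Returns true when the server refuses the search, false when it hands
     * back entries, so the caller asserts on a real outcome.
     */
    public static boolean isSubtreeSearchDeniedFor( Dn userDn, byte[] password ) throws Exception
    {
        // The session carries the user's own principal, not the admin's.
        CoreSession userSession = getService().getSession( userDn, password );

        ExprNode filter = FilterParser.parse( getService().getSchemaManager(), "(objectClass=*)" );

        try ( Cursor<Entry> cursor = userSession.search( new Dn( "ou=system" ),
            SearchScope.SUBTREE, filter, AliasDerefMode.DEREF_ALWAYS ) )
        {
            // Per-entry permission checks may only fire while iterating, so walk
            // the cursor instead of trusting the search() call alone.
            while ( cursor.next() )
            {
                cursor.get();
            }
        }
        catch ( LdapNoPermissionException e )
        {
            return true;
        }

        return false;
    }

    @Test
    public void testNoSearchByNonAdmin() throws Exception
    {
        LdifEntry akarasulu = getUserAddLdif();

        // Creating the user is the one step that legitimately needs the admin session.
        getService().getAdminSession().add(
            new DefaultEntry( getService().getSchemaManager(), akarasulu.getEntry() ) );

        // Unlike the quoted test, a search that succeeds now makes the test fail.
        assertTrue( "non-admin user was able to read the ou=system subtree",
            isSubtreeSearchDeniedFor( new Dn( USER_DN ), USER_PASSWORD ) );
    }
}
```

The helper deliberately consumes the cursor rather than stopping at the search() call, because an interceptor that filters or refuses individual entries can surface its decision only when results are fetched; a test that returns after search() alone would keep the same blind spot the thread describes. If the project settles on the third option (reads allowed unless the ACI subsystem is enabled), the assertion flips to expecting false in the default configuration and true once ACI is switched on.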
