directory-dev mailing list archives

From Alex Karasulu <akaras...@apache.org>
Subject Re: Are non admin users allowed to read entries under ou=system ?
Date Sat, 24 Dec 2011 19:28:32 GMT
On Sat, Dec 24, 2011 at 1:27 PM, Emmanuel Lecharny <elecharny@gmail.com> wrote:

> Hi,
>
> we have a strange test that checks if a normal user (not the admin) can
> read under ou=system. This test is just totally wrong, as it uses the admin
> session, so I tried to fix it using a plain user. Sadly, doing so, I can
> read almost everything under ou=system.
>
> So I question the logic :
> - can a normal user read something under ou=system (except his own record)
> - should we instead forbid this user to read the 'uid=admin,ou=system',
> 'ou=configuration,ou=system', 'ou=groups,ou=system' and
> 'ou=users,ou=system' entries (and their children) ?
> - or should we just allow this user to read everything except if the ACI
> subsystem is set ?
>
> IMO, I'd rather go for the third option.
>
>
Sounds good.


> Note : the test is org.apache.directory.server.core.authz.AuthorizationServiceAsNonAdminIT.testNoSearchByNonAdmin :
>    /**
>     * Makes sure non-admin cannot search under ou=system.
>     *
>     * @throws Exception if there are problems
>     */
>    @Test
>    public void testNoSearchByNonAdmin() throws Exception
>    {
>        LdifEntry akarasulu = getUserAddLdif();
>
>        getService().getAdminSession().add(
>            new DefaultEntry( getService().getSchemaManager(), akarasulu.getEntry() ) );
>
>        try
>        {
>            ExprNode filter = FilterParser.parse( getService().getSchemaManager(), "(objectClass=*)" );
>            getService().getAdminSession().search( new Dn( "ou=system" ),
>                SearchScope.SUBTREE, filter, AliasDerefMode.DEREF_ALWAYS, null );
>        }
>        catch ( LdapNoPermissionException e )
>        {
>            assertNotNull( e );
>        }
>    }
>
> It passes with flying colors, just because we don't check anything...
>
>
Really odd we're searching as admin here because of the admin session. I
remember writing these tests a long long time ago and they should be
searching with the newly created non-admin user. I guess the tests were
altered over time to do just as you say: nothing at all.

-- 
Best Regards,
-- Alex
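
A corrected version of that test, added here as an example and not a patch from the thread or from the ApacheDS project: it binds as the newly created non-admin user instead of reusing the admin session, and fails explicitly when the search is permitted rather than passing silently. It assumes the test-class helpers getService() and getUserAddLdif() shown above, that DirectoryService.getSession(Dn, byte[]) returns a CoreSession bound as that user, that the search returns an EntryFilteringCursor, and a placeholder password for the test user.

```java
/**
 * Makes sure a non-admin user cannot search under ou=system.
 * Added example; the helper methods and the user password are assumptions.
 */
@Test
public void testNoSearchByNonAdmin() throws Exception
{
    // Placeholder: must match the userPassword in the LDIF returned by getUserAddLdif().
    byte[] userPassword = "PLACEHOLDER_PASSWORD".getBytes( StandardCharsets.UTF_8 );

    LdifEntry akarasulu = getUserAddLdif();

    // Creating the test user is the only step that legitimately needs admin rights.
    getService().getAdminSession().add(
        new DefaultEntry( getService().getSchemaManager(), akarasulu.getEntry() ) );

    // Bind a session as the new user. The original test reused getAdminSession()
    // here, so the non-admin code path was never exercised at all.
    CoreSession userSession = getService().getSession( akarasulu.getDn(), userPassword );

    ExprNode filter = FilterParser.parse( getService().getSchemaManager(), "(objectClass=*)" );

    try
    {
        EntryFilteringCursor cursor = userSession.search( new Dn( "ou=system" ),
            SearchScope.SUBTREE, filter, AliasDerefMode.DEREF_ALWAYS, null );

        // Consume the results: an authorization check applied lazily while
        // entries are returned would otherwise go unnoticed.
        int count = 0;
        while ( cursor.next() )
        {
            count++;
        }
        cursor.close();

        // The original test had no statement here, so a permitted search passed silently.
        fail( "non-admin user was able to read " + count + " entries under ou=system" );
    }
    catch ( LdapNoPermissionException e )
    {
        // Expected: the access control subsystem rejected the search.
    }
}
```

With the ACI subsystem disabled this test fails, which is exactly the behaviour the thread is debating (option three above): the fixture must enable access control before the assertion means anything.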
