From: Kiran Ayyagari
To: Apache Directory Developers List
Date: Sat, 24 Dec 2011 17:14:07 +0530
Subject: Re: Are non admin users allowed to read entries under ou=system ?
In-Reply-To: <4EF5B730.3090006@gmail.com>

On Sat, Dec 24, 2011 at 4:57 PM, Emmanuel Lecharny wrote:
> Hi,
>
> we have a strange test that checks if a normal user (not the admin) can read
> under ou=system. This test is just totally wrong, as it uses the admin
> session, so I tried to fix it using a plain user. Sadly, doing so, I can read
> almost everything under ou=system.
>
> So I question the logic :
> - can a normal user read something under ou=system (except his own record)
> - should we instead forbid this user to read the 'uid=admin,ou=system',
> 'ou=configuration,ou=system', 'ou=groups,ou=system' and 'ou=users,ou=system'
> entries (and their children) ?
> - or should we just allow this user to read everything except if the ACI
> subsystem is set ?
>
> IMO, I'd rather go for the third option.
>
+1
> Note : the test is
> org.apache.directory.server.core.authz.AuthorizationServiceAsNonAdminIT.testNoSearchByNonAdmin
> :
>     /**
>      * Makes sure non-admin cannot search under ou=system.
>      *
>      * @throws Exception if there are problems
>      */
>     @Test
>     public void testNoSearchByNonAdmin() throws Exception
>     {
>         LdifEntry akarasulu = getUserAddLdif();
>
>         getService().getAdminSession().add(
>             new DefaultEntry( getService().getSchemaManager(), akarasulu.getEntry() ) );
>
>         try
>         {
>             ExprNode filter = FilterParser.parse( getService().getSchemaManager(), "(objectClass=*)" );
>             getService().getAdminSession().search( new Dn( "ou=system" ),
>                 SearchScope.SUBTREE, filter, AliasDerefMode.DEREF_ALWAYS, null );
>         }
>         catch ( LdapNoPermissionException e )
>         {
>             assertNotNull( e );
>         }
>     }
>
> It passes with flying colors, just because we don't check anything...
>
> --
> Regards,
> Cordialement,
> Emmanuel Lécharny
> www.iktek.com
>

-- 
Kiran Ayyagari
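The test quoted above passes for two independent reasons: it searches with the admin session rather than as the plain user, and its only assertion lives inside the catch block, so a search that is silently permitted never fails anything. The following is an added example, not code from the thread or from ApacheDS: a small in-memory stand-in for the directory (constructed for this illustration, with a made-up user DN in place of whatever getUserAddLdif() creates) whose access rule is exactly what the test's Javadoc claims to check, a check written in the vacuous shape of the posted test beside one that fails when nothing is denied, and the same negative test in its idiomatic assertRaises form.

```python
"""Constructed stand-in for the defect discussed on the list: a negative
authorization test whose only assertion sits inside the catch block, so it
passes even when the server grants the access it is supposed to deny.
Nothing here is ApacheDS code; the directory, sessions and DNs are a toy
model built for this example."""
import unittest


class LdapNoPermissionException(Exception):
    """Raised by the toy service when a session is denied a read."""


ADMIN_DN = "uid=admin,ou=system"


class ToySession:
    """A bound session; principal_dn is the DN the caller authenticated as."""

    def __init__(self, service, principal_dn):
        self.service = service
        self.principal_dn = principal_dn

    def add(self, dn):
        self.service.entries.add(dn)

    def search(self, base_dn):
        """Subtree search from base_dn. The toy rule is what the posted test's
        Javadoc claims to verify: a non-admin may read only its own record
        under ou=system; any result beyond that raises."""
        matches = sorted(dn for dn in self.service.entries
                         if dn == base_dn or dn.endswith("," + base_dn))
        if self.principal_dn != ADMIN_DN and any(dn != self.principal_dn for dn in matches):
            raise LdapNoPermissionException(
                "%s may not read under %s" % (self.principal_dn, base_dn))
        return matches


class ToyDirectoryService:
    """In-memory directory seeded with the ou=system entries the thread names."""

    def __init__(self):
        self.entries = {
            "ou=system",
            ADMIN_DN,
            "ou=configuration,ou=system",
            "ou=groups,ou=system",
            "ou=users,ou=system",
        }

    def get_admin_session(self):
        return ToySession(self, ADMIN_DN)

    def get_session(self, principal_dn):
        return ToySession(self, principal_dn)


# Constructed DN standing in for the entry getUserAddLdif() adds in the real test.
USER_DN = "uid=akarasulu,ou=users,ou=system"


def vacuous_check(session):
    """Same shape as testNoSearchByNonAdmin: the assertion is only reached when
    the exception is thrown. Returns True whenever it would 'pass', which is
    always, including when the search was silently permitted."""
    try:
        session.search("ou=system")
    except LdapNoPermissionException as e:
        assert e is not None
    return True


def strict_check(session):
    """Corrected shape: the search must raise, otherwise the check fails.
    Returns True only if the denial was actually enforced."""
    try:
        session.search("ou=system")
    except LdapNoPermissionException:
        return True
    return False


class NoSearchByNonAdminTest(unittest.TestCase):
    """Idiomatic form of the corrected test: bind as the plain user and let
    the framework fail the test when no exception is raised."""

    def setUp(self):
        self.service = ToyDirectoryService()
        self.service.get_admin_session().add(USER_DN)

    def test_non_admin_denied_under_ou_system(self):
        user = self.service.get_session(USER_DN)
        with self.assertRaises(LdapNoPermissionException):
            user.search("ou=system")

    def test_non_admin_can_read_own_record(self):
        user = self.service.get_session(USER_DN)
        self.assertEqual(user.search(USER_DN), [USER_DN])


if __name__ == "__main__":
    svc = ToyDirectoryService()
    svc.get_admin_session().add(USER_DN)
    print("vacuous check, admin session:", vacuous_check(svc.get_admin_session()))  # True: passes while checking nothing
    print("strict check, admin session: ", strict_check(svc.get_admin_session()))   # False: exposes the wrong session
    print("strict check, user session:  ", strict_check(svc.get_session(USER_DN)))  # True
    unittest.main()
```

Run stand-alone, the three printed lines show the point of the thread: the vacuous shape reports success with the admin session, while the strict shape fails on the admin session and only succeeds once the search is really made as the plain user. Whichever of the three policies the list settles on, the negative test has to be written so that an unexpected grant is a failure, not a pass.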