From: Gavin Henry Date: Thu, 15 May 2008 21:35:13 +0000 (+0000) Subject: ITS#5512 Doc contribution for search privileges in 2.4 X-Git-Tag: LOCKER_IDS~165 X-Git-Url: https://git.sur5r.net/?a=commitdiff_plain;h=2f76f6ce2324644953772c1245efff12c78d3ce0;p=openldap ITS#5512 Doc contribution for search privileges in 2.4 --- diff --git a/doc/guide/admin/access-control.sdf b/doc/guide/admin/access-control.sdf index a60a341052..aedd96680f 100644 --- a/doc/guide/admin/access-control.sdf +++ b/doc/guide/admin/access-control.sdf @@ -137,7 +137,9 @@ attribute name and also using a value selector: There are two special {{pseudo}} attributes {{EX:entry}} and {{EX:children}}. To read (and hence return) a target entry, the subject must have {{EX:read}} access to the target's {{entry}} -attribute. To add or delete an entry, the subject must have +attribute. To perform a search, the subject must have +{{EX:search}} access to the search base's {{entry}} attribute. +To add or delete an entry, the subject must have {{EX:write}} access to the entry's {{EX:entry}} attribute AND must have {{EX:write}} access to the entry's parent's {{EX:children}} attribute. To rename an entry, the subject must have {{EX:write}} @@ -552,7 +554,9 @@ attribute name and also using a value selector: There are two special {{pseudo}} attributes {{EX:entry}} and {{EX:children}}. To read (and hence return) a target entry, the subject must have {{EX:read}} access to the target's {{entry}} -attribute. To add or delete an entry, the subject must have +attribute. To perform a search, the subject must have +{{EX:search}} access to the search base's {{entry}} attribute. +To add or delete an entry, the subject must have {{EX:write}} access to the entry's {{EX:entry}} attribute AND must have {{EX:write}} access to the entry's parent's {{EX:children}} attribute. To rename an entry, the subject must have {{EX:write}} diff --git a/doc/guide/admin/appendix-upgrading.sdf b/doc/guide/admin/appendix-upgrading.sdf index 98b8a8fe67..a0504266bd 100644 --- a/doc/guide/admin/appendix-upgrading.sdf +++ b/doc/guide/admin/appendix-upgrading.sdf @@ -37,6 +37,22 @@ entries like below, just remove them from the relevant ldif file. > olcReplicationInterval: value #0: keyword is obsolete (ignored) +H2: ACLs: searches require privileges on the search base + +Search operations now require "search" privileges on the "entry" pseudo-attribute of the search +base. While upgrading from 2.3.x, make sure your ACLs grant such privileges to all desired search +bases. + +For example, assuming you have the following ACL: + +> access to dn.sub="ou=people,dc=example,dc=com" by * search + +Searches using a base of "dc=example,dc=com" will only be allowed if you add the following ACL: + +> access to dn.base="dc=example,dc=com" attrs=entry by * search + +Note: The {{slapd.access}}(5) man page states that this requirement was introduced +with OpenLDAP 2.3. However, it is the default behavior only since 2.4.