From: Kurt Zeilenga Date: Wed, 12 Apr 2006 23:33:04 +0000 (+0000) Subject: Add disclose and manage to ABNF and table of access levels X-Git-Tag: OPENLDAP_REL_ENG_2_4_0ALPHA~3^2~16 X-Git-Url: https://git.sur5r.net/?a=commitdiff_plain;h=f2aae492a8447b308bc73734961adfe179a9aa2c;p=openldap Add disclose and manage to ABNF and table of access levels --- diff --git a/doc/guide/admin/slapdconf2.sdf b/doc/guide/admin/slapdconf2.sdf index 0758be66d8..8ee5dc0957 100644 --- a/doc/guide/admin/slapdconf2.sdf +++ b/doc/guide/admin/slapdconf2.sdf @@ -1032,8 +1032,8 @@ The general form of the olcAccess configuration is: > [set=] > [aci=] > ::= [self]{|} -> ::= none | auth | compare | search | read | write -> ::= {=|+|-}{w|r|s|c|x|0}+ +> ::= none | disclose | auth | compare | search | read | write | manage +> ::= {=|+|-}{m|w|r|s|c|x|d|0}+ > ::= [stop | continue | break] where the part selects the entries and/or attributes to which 
@@ -1166,25 +1166,25 @@ As these can easily spoofed, the domain factor should not be avoided. H3: The access to grant - The kind of granted can be one of the following: - !block table; colaligns="LRL"; coltags="EX,EX,N"; align=Center; \ title="Table 5.4: Access Levels" -Level Privileges Description -none =0 no access -auth =x needed to bind -compare =cx needed to compare -search =scx needed to apply search filters -read =rscx needed to read search results -write =wrscx needed to modify/rename +Level Privileges Description +none =0 no access +disclose =d needed for information disclosure on error +auth =dx needed to authenticate (bind) +compare =cdx needed to compare +search =scdx needed to apply search filters +read =rscdx needed to read search results +write =wrscdx needed to modify/rename +manage =mwrscdx needed to manage !endblock -Each level implies all lower levels of access. So, for -example, granting someone {{EX:write}} access to an entry also -grants them {{EX:read}}, {{EX:search}}, {{EX:compare}}, and -{{EX:auth}} access. However, one may use the privileges specifier +Each level implies all lower levels of access. So, for example, +granting someone {{EX:write}} access to an entry also grants them +{{EX:read}}, {{EX:search}}, {{EX:compare}}, {{EX:auth}} and +{{EX:disclose}} access. However, one may use the privileges specifier to grant specific permissions. 
@@ -1192,15 +1192,16 @@ H3: Access Control Evaluation When evaluating whether some requester should be given access to an entry and/or attribute, slapd compares the entry and/or attribute -to the {{EX:}} selectors given in the configuration. -For each entry, access controls provided in the database which holds +to the {{EX:}} selectors given in the configuration. For +each entry, access controls provided in the database which holds the entry (or the first database if not held in any database) apply first, followed by the global access directives (which are held in -the {{EX:frontend}} database definition). Within this -priority, access directives are examined in the order in which they -appear in the configuration attribute. Slapd stops with the first {{EX:}} -selector that matches the entry and/or attribute. The corresponding -access directive is the one slapd will use to evaluate access. +the {{EX:frontend}} database definition). Within this priority, +access directives are examined in the order in which they appear +in the configuration attribute. Slapd stops with the first +{{EX:}} selector that matches the entry and/or attribute. The +corresponding access directive is the one slapd will use to evaluate +access. Next, slapd compares the entity requesting access to the {{EX:}} selectors within the access directive selected above in the order diff --git a/doc/guide/admin/slapdconfig.sdf b/doc/guide/admin/slapdconfig.sdf index bd97c8bc1e..92c0bedd8b 100644 --- a/doc/guide/admin/slapdconfig.sdf +++ b/doc/guide/admin/slapdconfig.sdf @@ -705,8 +705,8 @@ access line is: > [set=] > [aci=] > ::= [self]{|} -> ::= none | auth | compare | search | read | write -> ::= {=|+|-}{w|r|s|c|x|0}+ +> ::= none | disclose | auth | compare | search | read | write | manage +> ::= {=|+|-}{m|w|r|s|c|x|d|0}+ > ::= [stop | continue | break] where the part selects the entries and/or attributes to which 
@@ -839,25 +839,25 @@ As these can easily spoofed, the domain factor should not be avoided. H3: The access to grant - The kind of granted can be one of the following: - !block table; colaligns="LRL"; coltags="EX,EX,N"; align=Center; \ title="Table 5.4: Access Levels" -Level Privileges Description -none =0 no access -auth =x needed to bind -compare =cx needed to compare -search =scx needed to apply search filters -read =rscx needed to read search results -write =wrscx needed to modify/rename +Level Privileges Description +none =0 no access +disclose =d needed for information disclosure on error +auth =dx needed to authenticate (bind) +compare =cdx needed to compare +search =scdx needed to apply search filters +read =rscdx needed to read search results +write =wrscdx needed to modify/rename +manage =mwrscdx needed to manage !endblock -Each level implies all lower levels of access. So, for -example, granting someone {{EX:write}} access to an entry also -grants them {{EX:read}}, {{EX:search}}, {{EX:compare}}, and -{{EX:auth}} access. However, one may use the privileges specifier +Each level implies all lower levels of access. So, for example, +granting someone {{EX:write}} access to an entry also grants them +{{EX:read}}, {{EX:search}}, {{EX:compare}}, {{EX:auth}} and +{{EX:disclose}} access. However, one may use the privileges specifier to grant specific permissions.
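Review bot: In hunk @@ -1032 of slapdconf2.sdf (and its twin @@ -705 in slapdconfig.sdf) the `<privs>` rule gains the letters `m` and `d` without any explanation in the surrounding text of what they stand for; the reader only learns much later, in the access-level table, that `d` is disclose and `m` is manage. Suggest adding a one-line gloss under the ABNF, or a cross-reference to Table 5.4, so the two new letters are not a mystery at the point where they first appear. The two copies of the grammar are kept identical here, which is good; please keep them that way in follow-ups, since a mismatch between the two guides would be easy to miss.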
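Review bot: In hunks @@ -1166 (slapdconf2.sdf) and @@ -839 (slapdconfig.sdf) the two new description cells are too thin to be useful. `manage =mwrscdx needed to manage` restates the level name and gives an administrator no idea which operations `manage` permits beyond `write`; `disclose =d needed for information disclosure on error` does not say what information is disclosed. Suggest spelling out what `manage` unlocks and what `disclose` governs (for example, whether the existence of an entry or attribute may be revealed in an error response), and, since `manage` is now the top of the ladder and implies every other privilege, adding a sentence to the "Each level implies all lower levels" paragraph noting that it should be granted only to administrative identities. While here, the unchanged context line "As these can easily spoofed" is missing "be" ("As these can easily be spoofed") and could be fixed in the same commit.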
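Review bot: Hunk @@ -1192 of slapdconf2.sdf is a whitespace-only rewrap of the Access Control Evaluation paragraph with no change in wording, which is unrelated to the subject line "Add disclose and manage to ABNF and table of access levels". Either split it into its own commit or mention the reflow in the commit message, so that a later reader diffing this commit for the semantics of the new access levels is not distracted by lines that only moved.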