#48852 RFE: TargetObjectClass for aci
Closed: wontfix 3 years ago by spichugi. Opened 7 years ago by firstyear.

Writing secure aci's for delegation is hard. Basically, unless your aci is:

aci: (target = "ldap:///cn=*,ou=custom,ou=groups,dc=example,dc=com")
     (targetattr="cn || uniqueMember || objectclass")
     (version 3.0; acl "example"; allow (read, search, write, add)
        (userdn = "ldap:///uid=test,ou=People,dc=example,dc=com");

It's exploitable. You need to set the objectClasses to allow the delegate user/group to create, and the limited set of attributes that can exist on that objectClass.

I think we should add a new aci target type which helps this issue.

I propose a syntax like:

(targetobjectclass = " top || groupofuniquenames ")

The behaviour of this is:

Write operations:

  • Only allows writing to attributes that exist in the listed objectClasses MAY and MUST syntax.
  • Only allows the value of ObjectClass to be set to these values during add. IE the created object's objectClass must be a subset of the set listed in targetobjectclass.

Read operations:

  • The value being read must contain one of the objectClasses (IE or) listed in the target.
  • The attributes allowed to read, are from the MAY and MUST of these objectClasses.

This would allow the above aci to be securely written as:

aci: (target = "ldap:///cn=*,ou=custom,ou=groups,dc=example,dc=com")
     (targetobjectclass = "top || groupofuniquenames")
     (version 3.0; acl "example"; allow (read, search, write, add)
        (userdn = "ldap:///uid=test,ou=People,dc=example,dc=com");

This is much simpler for directory administrators to use and reason about.

Per weekly meeting, set milestone to 1.3.6.

Could you please describe what the relationship between this ticket and #48354 is? Thanks.

Sorry for the delay fweimer,

The relationship is that the default ACI's in Directory Server promote bad and insecure behaviours. The use of != is especially dangerous, and even tasks like delegation of group management is fraught with danger.

The creation of this new aci type will allow us to create better, expressive aci's that are less prone to human error. By using them in the default, people will adopt their new style.

Metadata Update from @fweimer:
- Issue set to the milestone: 1.3.6 backlog

7 years ago

Metadata Update from @firstyear:
- Issue close_status updated to: None
- Issue set to the milestone: FUTURE (was: 1.3.6 backlog)

6 years ago

Metadata Update from @mreynolds:
- Custom field reviewstatus adjusted to None
- Issue tagged with: RFE

6 years ago

Metadata Update from @mreynolds:
- Issue tagged with: Access Control

3 years ago

389-ds-base is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in 389-ds-base's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/389ds/389-ds-base/issues/1912

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.

Metadata Update from @spichugi:
- Issue close_status updated to: wontfix
- Issue status updated to: Closed (was: Open)

3 years ago

Login to comment on this ticket.