Writing secure aci's for delegation is hard. Basically, unless your aci is:
aci: (target = "ldap:///cn=*,ou=custom,ou=groups,dc=example,dc=com") (targetfilter="(&(objectClass=top)(objectClass=groupOfUniqueNames))") (targetattr="cn || uniqueMember || objectclass") (version 3.0; acl "example"; allow (read, search, write, add) (userdn = "ldap:///uid=test,ou=People,dc=example,dc=com"); )
It's exploitable. You need to set the objectClasses to allow the delegate user/group to create, and the limited set of attributes that can exist on that objectClass.
I think we should add a new aci target type which helps this issue.
I propose a syntax like:
(targetobjectclass = " top || groupofuniquenames ")
The behaviour of this is:
Write operations:
Read operations:
This would allow the above aci to be securely written as:
aci: (target = "ldap:///cn=*,ou=custom,ou=groups,dc=example,dc=com") (targetobjectclass = "top || groupofuniquenames") (version 3.0; acl "example"; allow (read, search, write, add) (userdn = "ldap:///uid=test,ou=People,dc=example,dc=com"); )
This is much simpler for directory administrators to use and reason about.
Per weekly meeting, set milestone to 1.3.6.
Could you please describe what the relationship between this ticket and #48354 is? Thanks.
Sorry for the delay fweimer,
The relationship is that the default ACI's in Directory Server promote bad and insecure behaviours. The use of != is especially dangerous, and even tasks like delegation of group management is fraught with danger.
The creation of this new aci type will allow us to create better, expressive aci's that are less prone to human error. By using them in the default, people will adopt their new style.
Metadata Update from @fweimer: - Issue set to the milestone: 1.3.6 backlog
Metadata Update from @firstyear: - Issue close_status updated to: None - Issue set to the milestone: FUTURE (was: 1.3.6 backlog)
Metadata Update from @mreynolds: - Custom field reviewstatus adjusted to None - Issue tagged with: RFE
Metadata Update from @mreynolds: - Issue tagged with: Access Control
389-ds-base is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in 389-ds-base's github repository.
This issue has been cloned to Github and is available here: - https://github.com/389ds/389-ds-base/issues/1912
If you want to receive further updates on the issue, please navigate to the github issue and click on subscribe button.
subscribe
Thank you for understanding. We apologize for all inconvenience.
Metadata Update from @spichugi: - Issue close_status updated to: wontfix - Issue status updated to: Closed (was: Open)
Login to comment on this ticket.