Skip to content
GitLab
Projects
Groups
Snippets
/
Help
Help
Support
Community forum
Keyboard shortcuts
?
Submit feedback
Sign in / Register
Toggle navigation
Menu
Open sidebar
Joe Martin
OpenLDAP
Commits
54f70247
Commit
54f70247
authored
May 20, 2008
by
Quanah Gibson-Mount
Browse files
ITS#5512
parent
6729a2f0
Changes
3
Hide whitespace changes
Inline
Side-by-side
CHANGES
View file @
54f70247
...
...
@@ -8,6 +8,8 @@ OpenLDAP 2.4.10 Engineering
Fixed slapo-syncprov csn update with delta-syncrepl (ITS#5493)
Fixed slapo-syncprov op2.o_extra reset (ITS#5506)
Fixed slapo-syncprov sending ops without queued CSNs (ITS#5465)
Documentation
Add search privileges documentation (ITS#5512)
OpenLDAP 2.4.9 Release (2008/05/07)
Fixed libldap to use unsigned port (ITS#5436)
...
...
doc/guide/admin/access-control.sdf
View file @
54f70247
...
...
@@ -137,7 +137,9 @@ attribute name and also using a value selector:
There are two special {{pseudo}} attributes {{EX:entry}} and
{{EX:children}}. To read (and hence return) a target entry, the
subject must have {{EX:read}} access to the target's {{entry}}
attribute. To add or delete an entry, the subject must have
attribute. To perform a search, the subject must have
{{EX:search}} access to the search base's {{entry}} attribute.
To add or delete an entry, the subject must have
{{EX:write}} access to the entry's {{EX:entry}} attribute AND must
have {{EX:write}} access to the entry's parent's {{EX:children}}
attribute. To rename an entry, the subject must have {{EX:write}}
...
...
@@ -552,7 +554,9 @@ attribute name and also using a value selector:
There are two special {{pseudo}} attributes {{EX:entry}} and
{{EX:children}}. To read (and hence return) a target entry, the
subject must have {{EX:read}} access to the target's {{entry}}
attribute. To add or delete an entry, the subject must have
attribute. To perform a search, the subject must have
{{EX:search}} access to the search base's {{entry}} attribute.
To add or delete an entry, the subject must have
{{EX:write}} access to the entry's {{EX:entry}} attribute AND must
have {{EX:write}} access to the entry's parent's {{EX:children}}
attribute. To rename an entry, the subject must have {{EX:write}}
...
...
doc/guide/admin/appendix-upgrading.sdf
View file @
54f70247
...
...
@@ -37,6 +37,22 @@ entries like below, just remove them from the relevant ldif file.
> olcReplicationInterval: value #0: <olcReplicationInterval> keyword is obsolete (ignored)
H2: ACLs: searches require privileges on the search base
Search operations now require "search" privileges on the "entry" pseudo-attribute of the search
base. While upgrading from 2.3.x, make sure your ACLs grant such privileges to all desired search
bases.
For example, assuming you have the following ACL:
> access to dn.sub="ou=people,dc=example,dc=com" by * search
Searches using a base of "dc=example,dc=com" will only be allowed if you add the following ACL:
> access to dn.base="dc=example,dc=com" attrs=entry by * search
Note: The {{slapd.access}}(5) man page states that this requirement was introduced
with OpenLDAP 2.3. However, it is the default behavior only since 2.4.
...
...
Write
Preview
Supports
Markdown
0%
Try again
or
attach a new file
.
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment