Run #2 Modify Operation
Subject: Run #2 Modify Operation
Author: aci
In response to: Run #1 Search Operation
Posted on: 03/21/2014 12:56:32 AM
C:\>ldapmodify -h localhost -p 389 -D "uid=user.1,ou=Support,dc=example,dc=com"
-w secret -Y "dn:uid=user.2,ou=Develop,dc=example,dc=com"
dn: uid=user.3,ou=Sales,dc=example,dc=com
changetype: modify
replace: mobile
mobile: 555-1234
-
modifying entry uid=user.3,ou=Sales,dc=example,dc=com
^C
Succeeded(0) -- Works as expected
C:\>ldapmodify -h localhost -p 389 -D "uid=user.1,ou=Support,dc=example,dc=com"
-w secret -Y "dn:uid=user.2,ou=Develop,dc=example,dc=com"
dn: uid=user.3,ou=Support,dc=example,dc=com
changetype: modify
replace: mobile
mobile: 555-1234
-
modifying entry uid=user.3,ou=Sales,dc=example,dc=com
ldap_modify: Insufficient access
Failed: Insufficient access right(50) -- Even though "uid=user.2,ou=Develop,dc=example,dc=com" has the right to modify entry "uid=user.3,ou=Support,dc=example,dc=com", the proxy aci forbids the user to do so (the user can only touch the target which has been narrowed down to Sales department).
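As an added example, not part of the original post, the Python below shows what the `-Y "dn:..."` option actually places on the wire (the RFC 4370 Proxied Authorization Control, which must be marked critical) and a DN-subtree check that models the narrowing the proxy aci applies to the Sales department. Function names, the constructed DNs and the assumption that the criticality field is always present are the example's own, and the subtree check does not handle escaped commas inside RDN values.

```python
# Added example: builds/decodes the RFC 4370 proxied-authorization control that
# ldapsearch/ldapmodify send for -Y, and checks a target DN against a scope.
PROXY_AUTHZ_OID = "2.16.840.1.113730.3.4.18"   # RFC 4370 control type

def ber_len(n: int) -> bytes:
    """BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def ber_tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(content)) + content

def proxy_authz_control(authz_id: str) -> bytes:
    """Control ::= SEQUENCE { controlType, criticality TRUE, controlValue }.
    The value is the raw authzId string (e.g. "dn:uid=..."), not nested BER."""
    return ber_tlv(0x30, ber_tlv(0x04, PROXY_AUTHZ_OID.encode("ascii"))
                   + ber_tlv(0x01, b"\xff")
                   + ber_tlv(0x04, authz_id.encode("utf-8")))

def read_tlv(buf: bytes, pos: int = 0):
    """Read one BER TLV at pos; returns (tag, content, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    length = first
    if first & 0x80:                       # long-form length
        length = int.from_bytes(buf[pos:pos + (first & 0x7F)], "big")
        pos += first & 0x7F
    return tag, buf[pos:pos + length], pos + length

def parse_control(blob: bytes) -> dict:
    """Decode the control built above (assumes the criticality field is present)."""
    tag, body, _ = read_tlv(blob)
    assert tag == 0x30, "expected SEQUENCE"
    _, oid, pos = read_tlv(body)
    _, crit, pos = read_tlv(body, pos)
    _, value, _ = read_tlv(body, pos)
    return {"type": oid.decode(), "critical": crit != b"\x00",
            "authz_id": value.decode()}

def in_proxy_scope(target_dn: str, scope_dn: str) -> bool:
    """True if target_dn is at or below scope_dn (plain RDN comparison,
    no handling of escaped commas in RDN values)."""
    t = [r.strip().lower() for r in target_dn.split(",")]
    s = [r.strip().lower() for r in scope_dn.split(",")]
    return len(t) >= len(s) and t[-len(s):] == s
```

With the poster's DNs, the Sales entry is inside the narrowed scope and the Support entry is not, which is exactly the allow/deny split seen in the two ldapmodify runs above.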
>
> On 03/21/2014 12:48:02 AM aci wrote:
> C:\>ldapsearch -h localhost -p 389 -D "uid=user.1,ou=Support,dc=example,dc=com"
> -w secret -b "dc=example,dc=com" "(uid=user.3)"
> Nothing to return, because no aci was set to allow users from Support department to do search or read.
> C:\>ldapsearch -h localhost -p 389 -D "uid=user.1,ou=Develop,dc=example,dc=com"
> -w secret -b "dc=example,dc=com" "(uid=user.3)"
> dn: uid=user.3,ou=Sales,dc=example,dc=com
> dn: uid=user.3,ou=Support,dc=example,dc=com
> dn: uid=user.3,ou=Develop,dc=example,dc=com
> Search with user from Develop department returns all (3) user accounts which have uid matching the value of 'user.3'.
> C:\>ldapsearch -h localhost -p 389 -D "uid=user.1,ou=Support,dc=example,dc=com" -w secret -Y
> "dn:uid=user.2,ou=Develop,dc=example,dc=com"
> -b "dc=example,dc=com" "(uid=user.3)"
> dn: uid=user.3,ou=Sales,dc=example,dc=com
> Same search with the same user from Support but using proxy right of another user from Develop department returns one result. This is because the proxy rule has narrowed the target to Sales department via proxy.