Run #2 Modify Operation
Subject: Run #2 Modify Operation
Author: aci
In response to: Run #1 Search Operation
Posted on: 03/21/2014 12:56:32 AM

C:\>ldapmodify -h localhost -p 389 -D "uid=user.1,ou=Support,dc=example,dc=com"
 -w secret -Y "dn:uid=user.2,ou=Develop,dc=example,dc=com"

dn: uid=user.3,ou=Sales,dc=example,dc=com
changetype: modify
replace: mobile
mobile: 555-1234
-

modifying entry uid=user.3,ou=Sales,dc=example,dc=com

^C

Succeeded(0) -- Works as expected

C:\>ldapmodify -h localhost -p 389 -D "uid=user.1,ou=Support,dc=example,dc=com"
 -w secret -Y "dn:uid=user.2,ou=Develop,dc=example,dc=com"

dn: uid=user.3,ou=Support,dc=example,dc=com
changetype: modify
replace: mobile
mobile: 555-1234
-

modifying entry uid=user.3,ou=Sales,dc=example,dc=com
ldap_modify: Insufficient access

Failed: Insufficient access right(50) -- Even though "uid=user.2,ou=Develop,dc=example,dc=com" has the right to modify entry "uid=user.3,ou=Support,dc=example,dc=com", the proxy aci forbids the user to do so (the user can only touch the target which has been narrowed down to Sales department).

> On 03/21/2014 12:48:02 AM aci wrote:

C:\>ldapsearch -h localhost -p 389 -D "uid=user.1,ou=Support,dc=example,dc=com"
 -w secret -b "dc=example,dc=com" "(uid=user.3)"

Nothing to return, because no aci was set to allow users from Support department to do search or read.

C:\>ldapsearch -h localhost -p 389 -D "uid=user.1,ou=Develop,dc=example,dc=com"
 -w secret -b "dc=example,dc=com" "(uid=user.3)"

dn: uid=user.3,ou=Sales,dc=example,dc=com
dn: uid=user.3,ou=Support,dc=example,dc=com
dn: uid=user.3,ou=Develop,dc=example,dc=com

Search with user from Develop department returns all (3) user accounts which have uid matching the value of 'user.3'.

C:\>ldapsearch -h localhost -p 389 -D "uid=user.1,ou=Support,dc=example,dc=com"
 -w secret -Y "dn:uid=user.2,ou=Develop,dc=example,dc=com" -b "dc=example,dc=com" "(uid=user.3)"

dn: uid=user.3,ou=Sales,dc=example,dc=com

Same search with the same user from Support but using proxy right of another user from Develop department returns one result. This is because the proxy rule has narrowed the target to Sales department via proxy.
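A toy model, added here and not part of the original posts, of the two checks that produce the outcomes in both runs above (the Run #1 searches and the Run #2 modifies): the binder needs a proxy right on the target entry, and the proxied identity then needs the operation right on that same entry. The ACI rules, the entries and the subtree-based matching are constructed assumptions, not a real server's ACI syntax or evaluation order.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Aci:
    target: str        # subtree the rule covers (DN suffix)
    rights: frozenset  # e.g. {"read", "write"} or {"proxy"}
    users: frozenset   # bind DNs, or subtrees of bind DNs, that get the rights

# Constructed directory content mirroring the three uid=user.3 entries above.
ENTRIES = [
    "uid=user.3,ou=Sales,dc=example,dc=com",
    "uid=user.3,ou=Support,dc=example,dc=com",
    "uid=user.3,ou=Develop,dc=example,dc=com",
]
USER1 = "uid=user.1,ou=Support,dc=example,dc=com"   # the binder (-D)
USER2 = "uid=user.2,ou=Develop,dc=example,dc=com"   # the proxied identity (-Y dn:)

ACIS = [
    # Assumed: everyone under ou=Develop may read and write the whole suffix.
    Aci("dc=example,dc=com", frozenset({"read", "write"}),
        frozenset({"ou=Develop,dc=example,dc=com"})),
    # Assumed proxy rule: user.1 may act as another identity, but only on Sales entries.
    Aci("ou=Sales,dc=example,dc=com", frozenset({"proxy"}), frozenset({USER1})),
]

def in_subtree(dn, base):
    return dn == base or dn.endswith("," + base)

def granted(who, right, target):
    """True if some ACI gives `who` the `right` on `target`."""
    return any(right in a.rights and in_subtree(target, a.target)
               and any(in_subtree(who, u) for u in a.users) for a in ACIS)

def allowed(bind_dn, right, target, authz_dn=None):
    """Without -Y the binder needs the right itself.  With -Y dn:<authz_dn> the
    binder needs 'proxy' on the target AND the proxied identity needs the right."""
    if authz_dn is None:
        return granted(bind_dn, right, target)
    return granted(bind_dn, "proxy", target) and granted(authz_dn, right, target)

def search_uid(bind_dn, uid, authz_dn=None):
    """Entries matching (uid=<uid>) that the effective identity may read."""
    return [e for e in ENTRIES
            if e.startswith(f"uid={uid},") and allowed(bind_dn, "read", e, authz_dn)]

def modify(bind_dn, target, authz_dn=None):
    """LDAP result code of a modify: 0 (success) or 50 (insufficientAccessRights)."""
    return 0 if allowed(bind_dn, "write", target, authz_dn) else 50
```

Running the four commands from the posts through this model gives the same results: no entries for user.1 alone, all three for a Develop user, only the Sales entry when user.1 proxies user.2, and code 50 for the proxied modify of the Support entry that user.2 could change directly.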