[PATCH] Re: ACLs on Attributes that do not have attributeSecurityGUID
Andrew Bartlett
abartlet at samba.org
Wed Jan 2 14:56:58 MST 2013
On Wed, 2013-01-02 at 21:34 +0100, Marc Muehlfeld wrote:
> On 02.01.2013 09:44, Andrew Bartlett wrote:
> > I'm maintaining this (and my summer collection of un-reviewed patches)
> > in my acl-read-fixes branch.
>
> I applied all 10 patches from your previous posting on my test environment.
> And now I get the unixHomeDirectory attribute, as non-domain-admin too:
>
> # ldapsearch -h localhost -b "dc=MUC,dc=medizinische-genetik,dc=de" -D
> "CN=nslcd-connect,OU=BackendUsers,dc=MUC,dc=medizinische-genetik,dc=de" -W
> "(&(&(objectClass=user)(uidNumber=*))(sAMAccountName=muehlfeld))" | grep
> unixHomeDirectory
>
> unixHomeDirectory: /home/muehlfeld
Thanks. The issue that we have now is that somehow (and I'm totally
stumped as to how), the patch to correct the groups breaks our WRITE ACL
tests. That somehow implies that users now can write to more than they
should, which is scary.

I simply make this warning because I need to understand this more before
I can recommend this for production use, because it seems very wrong.

Anyway, thanks for the testing, I do very much appreciate it.
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org