'Re: slapacl question'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       openldap-software
Subject:    Re: slapacl question
From:       Pierangelo Masarati <pierangelo.masarati () sys-net ! it>
Date:       2006-08-26 10:33:28
Message-ID: 44F02378.4050708 () sys-net ! it
[Download RAW message or body]

TechnoSophos wrote:
> Should I file this as a bug?
>
> On 8/22/06, TechnoSophos <technosophos@gmail.com> wrote:
>> When using the slapacl program to test ACLs, how come slapacl
>> inidcates that a  user has 'read' permissions when the ACL restricts
>> to 'auth' only?
>>
>> ###
>>
>> # slapacl -D 'uid=matt,ou=Users,dc=example,dc=com' -b
>> 'uid=barbara,ou=Users,dc=example,dc=com' -d acl 'cn/read'
>> Backend ACL: access to attrs=userPassword
>>         by anonymous auth
>>         by self write
>>         by * none
>>
>> Backend ACL: access to attrs=cn
>>         by users auth
>>         by self write
>>         by * none
>>
>> Backend ACL: access to *
>>         by self write
>>         by users read
>>         by * none
>>
>> authcDN: "uid=matt,ou=users,dc=example,dc=com"
>> => access_allowed: read access to "" "cn" requested
>> => access_allowed: backend default read access granted to
>> "uid=matt,ou=users,dc=example,dc=com"
>> read access to cn: ALLOWED
>>
>> ###
>>
>> Note that the same things happens if I substitute '=x' for 'auth' in 
>> the acl.
>>
>> Thanks,
>>
>> Matt
>>
>> (OpenLDAP version: 2.3.25)
>>
>
> For those of you perishing few who still have a problem with top
> posting: should I file this as a bug?

There seems to be some inconsistency within your report.  The logs say

=> access_allowed: read access to "" "cn" requested
=> access_allowed: backend default read access granted to


which corresponds to requesting access to "" instead of  
'uid=barbara,ou=Users,dc=example,dc=com' as indicated in the command 
line.  If I set the same rules indicated in your logs in a generic 
slapd.conf file, and run the same command line you run, I get the 
expected behavior both with HEAD and 2.3.27.  I suggest you clearly 
define the boundary conditions for your test before claiming you spot a 
bug.  Please isolate a minimal slapd.conf (with a database in LDIF 
format, if by any means relevant) and a command-line that results in the 
unexpected behavior you describe.  Please test it with OpenLDAP 2.3.27, 
since bugs no longer present in the current release tree would not be 
considered.  If the problem persists, you should file an ITS; make sure 
you provide the data (slapd.conf, LDIF and command line) that is 
required to reproduce the problem.


p.


    SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497

[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic