List: openldap-software
Subject: Re: slapacl question
From: Pierangelo Masarati <pierangelo.masarati () sys-net ! it>
Date: 2006-08-26 10:33:28
Message-ID: 44F02378.4050708 () sys-net ! it
TechnoSophos wrote:
> Should I file this as a bug?
>
> On 8/22/06, TechnoSophos <technosophos@gmail.com> wrote:
>> When using the slapacl program to test ACLs, how come slapacl
>> indicates that a user has 'read' permissions when the ACL restricts
>> to 'auth' only?
>>
>> ###
>>
>> # slapacl -D 'uid=matt,ou=Users,dc=example,dc=com' -b
>> 'uid=barbara,ou=Users,dc=example,dc=com' -d acl 'cn/read'
>> Backend ACL: access to attrs=userPassword
>> by anonymous auth
>> by self write
>> by * none
>>
>> Backend ACL: access to attrs=cn
>> by users auth
>> by self write
>> by * none
>>
>> Backend ACL: access to *
>> by self write
>> by users read
>> by * none
>>
>> authcDN: "uid=matt,ou=users,dc=example,dc=com"
>> => access_allowed: read access to "" "cn" requested
>> => access_allowed: backend default read access granted to
>> "uid=matt,ou=users,dc=example,dc=com"
>> read access to cn: ALLOWED
>>
>> ###
>>
>> Note that the same thing happens if I substitute '=x' for 'auth' in
>> the acl.
>>
>> Thanks,
>>
>> Matt
>>
>> (OpenLDAP version: 2.3.25)
>>
>
> For those of you perishing few who still have a problem with top
> posting: should I file this as a bug?

There seems to be some inconsistency within your report. The logs say

=> access_allowed: read access to "" "cn" requested
=> access_allowed: backend default read access granted to

which corresponds to requesting access to "" instead of
'uid=barbara,ou=Users,dc=example,dc=com' as indicated in the command
line. If I set the same rules indicated in your logs in a generic
slapd.conf file, and run the same command line you run, I get the
expected behavior both with HEAD and 2.3.27.

I suggest you clearly define the boundary conditions for your test
before claiming you spot a bug. Please isolate a minimal slapd.conf
(with a database in LDIF format, if by any means relevant) and a
command-line that results in the unexpected behavior you describe.
Please test it with OpenLDAP 2.3.27, since bugs no longer present in
the current release tree would not be considered. If the problem
persists, you should file an ITS; make sure you provide the data
(slapd.conf, LDIF and command line) that is required to reproduce the
problem.

p.

SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497
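
Added example, not part of the original message or of OpenLDAP: a shell check that compares the entry named with -b against the entry shown in the "access_allowed ... requested" line of `slapacl -d acl` output, which is the mismatch pointed out in the reply. The function names and the simplified DN normalization are assumptions; the sample log is built from the lines quoted in the thread, with the wrapped line rejoined.

```shell
#!/bin/sh
# Constructed sample: the debug lines quoted in the thread (wrapped line rejoined).
SAMPLE_LOG='authcDN: "uid=matt,ou=users,dc=example,dc=com"
=> access_allowed: read access to "" "cn" requested
=> access_allowed: backend default read access granted to "uid=matt,ou=users,dc=example,dc=com"
read access to cn: ALLOWED'

# Print the entry DN from the first "access_allowed: ... requested" line.
evaluated_dn() {
    printf '%s\n' "$1" |
        sed -n 's/^=> access_allowed: [a-z]* access to "\([^"]*\)" "[^"]*" requested$/\1/p' |
        head -n 1
}

# Simplified normalization (assumption): lower-case, drop spaces after commas.
normalize_dn() {
    printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/, */,/g'
}

# check_target EXPECTED_DN LOG_TEXT
# Returns 0 if slapacl evaluated EXPECTED_DN, 1 on a mismatch,
# 2 if the log has no "requested" line at all.
check_target() {
    if ! printf '%s\n' "$2" | grep -q '^=> access_allowed: .* requested$'; then
        echo "no access_allowed request line found (was -d acl used?)"
        return 2
    fi
    expected=$(normalize_dn "$1")
    actual=$(normalize_dn "$(evaluated_dn "$2")")
    if [ "$actual" = "$expected" ]; then
        echo "OK: slapacl evaluated \"$actual\""
        return 0
    fi
    echo "MISMATCH: asked for \"$expected\", slapacl evaluated \"$actual\""
    return 1
}

# With the thread's log this reports a mismatch: the evaluated entry is "".
check_target 'uid=barbara,ou=Users,dc=example,dc=com' "$SAMPLE_LOG" || true
```

Against a live server, capture the output with `slapacl ... -d acl 2>&1` and pass it as the second argument.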