
access to ... attrs=entry,attr1,attr2 not restricting access properly (ITS#1925)



Full_Name: Richard L. Goerwitz III
Version: 2.1.2
OS: Linux (RedHat 7.3)
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (137.22.128.66)


Restricting access to specific attributes does not work properly.  Here, e.g.,
is a test set of ACLs:

access to attrs=userPassword
  by anonymous auth
  by self read
  by * none

# Restrict access to attr1 and attr2 if hideMe is set
access to dn.children="ou=People,dc=carleton,dc=edu" filter="hideme=*"
  attrs=entry,attr1,attr2
    by self read break
    by users read
    by * none

# If hideMe is NOT set (or if user=self), go ahead and reveal everything
access to *
  by users read
  by * none

In the above case if a user (not self) binds to the directory (OpenLDAP
2.1.2), then the user can see everything, as if the second rule above were
not there - although a traceback shows that in fact that rule is applied.
Note that even if I change the "by users read" line in the second rule to
an explicit "by users read stop" the problem still persists.

On a side note, attrs=* does not seem to work anymore, which is really
too bad.  It can come in handy.

Richard.Goerwitz@Carleton.EDU
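How slapd decides what an ACL set like the one in the report grants, as an added example that is not part of the report or of OpenLDAP: the script below is a toy model of the evaluation rules documented in slapd.access(5) (for each attribute of an entry the first `access to` clause whose `<what>` matches is used; inside it the first matching `by` clause sets the level; `stop` ends evaluation, `continue` tries the next `by` clause, `break` moves on to the next `access to` clause; an implicit `access to * by * none` closes the list). It parses the three directives from the report and reports the per-attribute level for an authenticated user who is not the entry owner, for an anonymous bind and for the owner. Only the `<what>` selectors and `<who>` forms the report uses are modelled; the entries, the DNs `uid=alice,...`, `uid=bob,...`, `uid=carol,...` and the `RESTRICTED_ACL` variant are constructed here for illustration.

```python
"""Toy model of slapd ACL evaluation (an added example, not OpenLDAP code): per
attribute, the first matching `access to` clause and its first matching `by`
clause decide, with the stop / continue / break controls of slapd.access(5)."""
import re
import shlex

def dn_norm(dn):
    return ",".join(p.strip().lower() for p in dn.split(","))

def parse_acl(text):
    """Parse `access to <what> by <who> <level> [<control>]` directives.  <what> is
    limited to what the post uses: `*`, dn.children, a presence filter, attrs."""
    joined = re.sub(r"\n[ \t]+", " ", text)        # an indented line continues the directive
    rules = []
    for d in (ln for ln in joined.splitlines() if ln.strip() and not ln.startswith("#")):
        toks = shlex.split(d)                       # drops the quotes around values
        if toks[:2] != ["access", "to"]:
            raise ValueError("not an access directive: " + d)
        body = " ".join(toks[2:]).split(" by ")
        what = {}
        for t in body[0].split():
            key, _, val = t.partition("=")
            if t == "*":
                continue                            # every entry, every attribute
            if key == "dn.children":
                what["dn_children"] = dn_norm(val)
            elif key == "filter":                   # presence filters only, e.g. (hideMe=*)
                what["present"] = re.fullmatch(r"\(?([\w-]+)=\*\)?", val).group(1).lower()
            elif key == "attrs":
                what["attrs"] = {a.lower() for a in val.split(",")}
            else:
                raise ValueError("unsupported <what>: " + t)
        by = []
        for clause in body[1:]:
            who, level, *ctl = clause.split()
            by.append((who, level, ctl[0] if ctl else "stop"))   # default control is stop
        rules.append((what, by))
    return rules

def what_matches(what, entry, attr):
    dn, present = dn_norm(entry["dn"]), {a.lower() for a in entry["attrs"]}
    return (("dn_children" not in what or dn.endswith("," + what["dn_children"]))
            and ("present" not in what or what["present"] in present)
            and ("attrs" not in what or attr.lower() in what["attrs"]))

def who_matches(who, bind_dn, entry):
    """<who> forms used in the post; bind_dn None means an anonymous bind."""
    return {"*": True, "anonymous": bind_dn is None, "users": bind_dn is not None,
            "self": bind_dn is not None and dn_norm(bind_dn) == dn_norm(entry["dn"])}[who]

def access(rules, entry, attr, bind_dn):
    """Access level bind_dn gets on one attribute of entry."""
    level = "none"                   # nothing matched: implicit "access to * by * none"
    for what, by in rules:
        if not what_matches(what, entry, attr):
            continue
        matched, control = False, "stop"
        for who, lvl, ctl in by:
            if who_matches(who, bind_dn, entry):
                level, control, matched = lvl, ctl, True
                if ctl != "continue":
                    break
        if not matched:
            return "none"            # clause matched but no <who> did: denied
        if control != "break":
            return level             # stop: done; break: fall through to the next clause
    return level

def report(rules, entry, bind_dn, attrs=("entry", "attr1", "cn", "userPassword")):
    return {a: access(rules, entry, a, bind_dn) for a in attrs}

# The three directives from the post.
POSTED_ACL = """\
access to attrs=userPassword
  by anonymous auth
  by self read
  by * none
access to dn.children="ou=People,dc=carleton,dc=edu" filter="hideme=*"
  attrs=entry,attr1,attr2
    by self read break
    by users read
    by * none
access to *
  by users read
  by * none
"""
# Constructed variant of the second directive: only self reads attr1/attr2 of a
# hidden entry.  `entry` is dropped from attrs so the entry itself stays listed.
RESTRICTED_ACL = POSTED_ACL.replace(
    "  attrs=entry,attr1,attr2\n    by self read break\n    by users read\n",
    "  attrs=attr1,attr2\n    by self read\n")

# Constructed directory data: alice carries hideMe, carol does not.
ALICE = {"dn": "uid=alice,ou=People,dc=carleton,dc=edu",
         "attrs": {"cn", "mail", "userPassword", "attr1", "attr2", "hideMe"}}
CAROL = {"dn": "uid=carol,ou=People,dc=carleton,dc=edu",
         "attrs": {"cn", "mail", "userPassword", "attr1", "attr2"}}
BOB_DN = "uid=bob,ou=People,dc=carleton,dc=edu"
```

Run `report(parse_acl(POSTED_ACL), ALICE, BOB_DN)` and the model shows two properties of the evaluation worth keeping in mind when reading a set like this: a clause with `attrs=entry,attr1,attr2` governs only those three attributes, so every other attribute of a hidden entry is decided by the later `access to *` clause, and inside the clause `by users read` grants read to any authenticated bind, so an attribute-level restriction for non-owners is expressed as `by self read` followed by `by * none`, as in `RESTRICTED_ACL`. Whether `entry` stays in the attrs list decides whether other users lose the whole entry or only the two attributes. Later OpenLDAP releases ship slapacl(8) for checking the same question against a real configuration.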