
Re: access to ... attrs=entry,attr1,attr2 not restricting access properly (ITS#1925)



At 08:07 AM 2002-07-05, richard.goerwitz@carleton.edu wrote:
>Full_Name: Richard L. Goerwitz III
>Version: 2.1.2
>OS: Linux (RedHat 7.3)
>URL: ftp://ftp.openldap.org/incoming/
>Submission from: (NULL) (137.22.128.66)
>
>
>Restricting access to specific attributes does not work properly.
>
>access to attrs=userPassword
>  by anonymous auth
>  by self read
>  by * none
>
># Restrict access to attr1 and attr2 if hideMe is set
>access to dn.children="ou=People,dc=carleton,dc=edu" filter="hideme=*"
>  attrs=entry,attr1,attr2
>    by self read break
>    by users read
>    by * none
>
># If hideMe is NOT set (or if user=self), go ahead and reveal everything
>access to *
>  by users read
>  by * none
>
>In the above case, if a user (not self) binds to the directory (OpenLDAP
>2.1.2), then the user can see everything, as if the second rule above were
>not there, although a traceback shows that in fact that rule is applied.
>Note that even if I change the "by users read" line in the second rule to
>an explicit "by users read stop", the problem still persists.

The behavior you describe is consistent with your ACLs.
I don't see a software bug here.  I suggest you re-read
the documentation: Admin Guide / slapd-access(5).  If
you continue to have software use issues, please take
them to the software mailing list.

Kurt
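To see why the reported ACLs behave as they do, the following is an added example (not OpenLDAP code, and not part of this thread) that models the evaluation order described in slapd-access(5): the first `access to` clause whose `<what>` matches the entry and attribute is selected, then the first matching `by` clause within it decides the result, with `continue` and `break` as the only ways past that point. Only the selectors used in the report are modelled (`dn.children`, a presence `filter`, `attrs`, and the `anonymous`/`self`/`users`/`*` subjects); the implicit `by * none` at the end of each directive is assumed from the manual, and the sample entries and DNs are constructed. The "fixed" ACL is an assumption about the reporter's stated intent (hide attr1/attr2 from other users when hideMe is set): it simply drops the `by users read` line that grants the access the report complains about.

```python
"""Simplified model of slapd ACL evaluation (slapd-access(5)).

Added example, not OpenLDAP code.  Models: ordered <what> selection,
ordered <by> selection, stop/continue/break controls, and an implicit
'by * none' when no <by> clause matches (assumed from the manual).
"""

# Access levels in increasing order of privilege.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]


def level_ge(granted, wanted):
    """True if the granted level satisfies the requested level."""
    return LEVELS.index(granted) >= LEVELS.index(wanted)


def what_matches(what, entry_dn, entry, attr):
    """Does this <what> selector apply to (entry, attr)?"""
    base = what.get("dn_children")          # dn.children="<base>"
    if base is not None:
        below = entry_dn.lower().endswith("," + base.lower())
        if entry_dn.lower() == base.lower() or not below:
            return False
    pres = what.get("filter_present")       # filter="<attr>=*"
    if pres is not None and pres.lower() not in {k.lower() for k in entry}:
        return False
    attrs = what.get("attrs")               # attrs=a,b,c ('entry' is a pseudo-attr)
    if attrs is not None and attr.lower() not in {a.lower() for a in attrs}:
        return False
    return True


def who_matches(who, requester_dn, entry_dn):
    """Does this <by> subject match the requester (None = anonymous)?"""
    if who == "*":
        return True
    if who == "anonymous":
        return requester_dn is None
    if who == "users":
        return requester_dn is not None
    if who == "self":
        return requester_dn is not None and requester_dn.lower() == entry_dn.lower()
    raise ValueError("unsupported subject: " + who)


def evaluate(acls, requester_dn, entry_dn, entry, attr):
    """Return the access level granted to requester_dn on entry/attr."""
    granted = "none"
    for what, by_clauses in acls:
        if not what_matches(what, entry_dn, entry, attr):
            continue                        # try the next access directive
        granted, control = "none", "stop"   # implicit trailing 'by * none'
        for who, access, ctl in by_clauses:
            if not who_matches(who, requester_dn, entry_dn):
                continue
            granted, control = access, ctl
            if ctl != "continue":           # stop or break: leave the by-list
                break
        if control != "break":              # only 'break' consults later directives
            return granted
    return granted


PEOPLE = "ou=People,dc=carleton,dc=edu"

# The ACLs exactly as quoted in the report.
ORIGINAL_ACLS = [
    ({"attrs": ["userPassword"]},
     [("anonymous", "auth", "stop"), ("self", "read", "stop"), ("*", "none", "stop")]),
    ({"dn_children": PEOPLE, "filter_present": "hideme", "attrs": ["entry", "attr1", "attr2"]},
     [("self", "read", "break"), ("users", "read", "stop"), ("*", "none", "stop")]),
    ({}, [("users", "read", "stop"), ("*", "none", "stop")]),
]

# Assumed fix: drop the 'by users read' line that grants other users read.
FIXED_ACLS = [
    ORIGINAL_ACLS[0],
    ({"dn_children": PEOPLE, "filter_present": "hideme", "attrs": ["entry", "attr1", "attr2"]},
     [("self", "read", "break"), ("*", "none", "stop")]),
    ORIGINAL_ACLS[2],
]

# Constructed sample entries.
ALICE_DN = "uid=alice," + PEOPLE
ALICE = {"cn": ["Alice"], "hideMe": ["TRUE"], "attr1": ["secret"], "attr2": ["secret"]}
BOB_DN = "uid=bob," + PEOPLE
CAROL = {"cn": ["Carol"], "attr1": ["visible"]}   # no hideMe


if __name__ == "__main__":
    for label, acls in (("original", ORIGINAL_ACLS), ("fixed", FIXED_ACLS)):
        print(label, "bob reads alice/attr1:",
              evaluate(acls, BOB_DN, ALICE_DN, ALICE, "attr1"))
```

Running the block prints `read` for the original ACLs (the `by users read` clause is the first `by` clause that matches a non-self bound user, so it decides the result, exactly as the reply says) and `none` for the fixed ones, while self still reaches the `access to *` directive through `break` and keeps read.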