Re: ACL filter and backend SQL

[Pierangelo Masarati <ando@sys-net.it>]

Please reply on the list.

Jaime Tomé Gomes Ventura wrote:

> Pierangelo Masarati wrote:
>
> > Jaime Tomé Gomes Ventura wrote:
> >
> > > I'm using openldap 2.2.23 and backend sql as module.
> > > I cant get this rule to work:
> > >
> > > Basically, allow bind only to users having attribute ippNetStatus = 
> > > ACTIVO.
> > > access to * filter=(ippNetStatus=ACTIVO)
> > >       by anonymous auth
> > >       by self write
> > >
> > > I've made a replication to a bdb database and this rule works just 
> > > fine on it .
> > >
> > > Is this a backend-sql bug?
> >
> >
> > It's rather a feature :)  see ITS#3480 for details.  It's now fixed 
> > in HEAD/2.3 (please test).
> >
> > p. 
>
> Thank. :)
> Was this a feature on 2.1x ? 

I mean that from the beginning back-sql was computing only the requested 
attributes (plus those required by the filter), while ACLs may use more 
e.g. in the "filter" clause; in fact, they assume that when an entry is 
passd to access_allowed(), that entry be complete.

The behavior of back-sql is well known and considered a design 
limitation rather than a bug, because it is a reasonable trade-off 
between performances and versatility.  However, in 2.3, there is the 
possibility to specify an additional set of attributes to be retrieved 
in all cases an entry will be used in ACL checking.  See the 
"fetch_attrs" and "fetch_all_attrs" directive in 2.3's slapd-sql(5) man 
page.

No need to say that the problem cannot be worked around either in 2.1 
nor in 2.2.

p.





   SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497