Re: ACL filter and backend SQL
Please reply on the list.
Jaime Tomé Gomes Ventura wrote:
Pierangelo Masarati wrote:
Jaime Tomé Gomes Ventura wrote:
I'm using openldap 2.2.23 and backend sql as module.
I can't get this rule to work:
Basically, allow bind only to users having attribute ippNetStatus =
ACTIVO.
access to * filter=(ippNetStatus=ACTIVO)
by anonymous auth
by self write
I've made a replication to a bdb database and this rule works just
fine on it.
Is this a backend-sql bug?
It's rather a feature :) see ITS#3480 for details. It's now fixed
in HEAD/2.3 (please test).
p.
Thanks. :)
Was this a feature on 2.1x?
I mean that from the beginning back-sql was computing only the requested
attributes (plus those required by the filter), while ACLs may use more
e.g. in the "filter" clause; in fact, they assume that when an entry is
passed to access_allowed(), that entry be complete.
The behavior of back-sql is well known and considered a design
limitation rather than a bug, because it is a reasonable trade-off
between performance and versatility. However, in 2.3, there is the
possibility to specify an additional set of attributes to be retrieved
in all cases an entry will be used in ACL checking. See the
"fetch_attrs" and "fetch_all_attrs" directives in 2.3's slapd-sql(5) man
page.
No need to say that the problem cannot be worked around either in 2.1
or in 2.2.
p.
SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497
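
The behaviour discussed in this thread, as an added example that is not part of the original message and is not OpenLDAP code: a simplified Python model of why the `filter=` ACL clause never matches when the backend hands over a partial entry, and how always fetching the ACL attribute changes the outcome. The function names, the sample entry and the exact-string comparison are assumptions made for illustration.

```python
# Simplified model of the thread's explanation; not OpenLDAP source code.
# Constructed sample entry, standing in for a row set in the SQL tables.
STORED = {
    "dn": "uid=jdoe,ou=people,dc=example,dc=com",
    "uid": "jdoe",
    "userPassword": "{SSHA}constructed-value",
    "ippNetStatus": "ACTIVO",
}

def backend_fetch(stored, requested, fetch_attrs=(), fetch_all_attrs=False):
    """Build the entry that is handed to ACL checking.

    Models back-sql computing only the requested attributes, unless the
    2.3 directives fetch_attrs / fetch_all_attrs widen that set.
    """
    if fetch_all_attrs:
        return dict(stored)
    wanted = {"dn", *requested, *fetch_attrs}
    return {k: v for k, v in stored.items() if k in wanted}

def acl_filter_matches(entry, attr, value):
    """Equality filter as the ACL sees it: an absent attribute never matches."""
    return entry.get(attr) == value

def anonymous_auth_allowed(entry):
    """Models: access to * filter=(ippNetStatus=ACTIVO) by anonymous auth.

    Assumption: no other rule grants auth, so a non-matching filter denies.
    """
    return acl_filter_matches(entry, "ippNetStatus", "ACTIVO")

def bind_check(stored, **fetch_opts):
    """A simple bind asks the backend for userPassword only."""
    entry = backend_fetch(stored, requested=["userPassword"], **fetch_opts)
    return anonymous_auth_allowed(entry)

if __name__ == "__main__":
    print("partial entry (2.2 behaviour):", bind_check(STORED))
    print("fetch_attrs ippNetStatus:     ",
          bind_check(STORED, fetch_attrs=["ippNetStatus"]))
    print("fetch_all_attrs yes:          ",
          bind_check(STORED, fetch_all_attrs=True))
```

The same rule on a backend that always returns complete entries corresponds to the `fetch_all_attrs=True` case, which is why the bdb replica in the thread behaves as expected.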