[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: (ITS#3830) Buggy access attrs=... val=...
Howard Chu writes:
> I have committed a fix to HEAD, please test.
Thanks. The reported problem is fixed.
I've stumbled on to two new ones instead - including a crash:
"access non-DN-attr=foo val=bar" uses the attribute's EQUALITY
rule to check for a match - and so value_match() crashes on
assert( mr != NULL ) if the attribute has no EQUALITY rule.
E.g. "access to attrs=supportedControl val=1.2 by * read".
I suggest that slapd then exits with an error message during startup:
"val.regex style for non-DN attr without EQUALITY rule":
http://folk.uio.no/hbf/OpenLDAP/valacl.patch
That does mean one can't use 'val=<not regexp>' on an attribute for
access control on inherited attributes with EQUALITY rules, but it's
less surprising than to just have the match fail at run-time.
Not sure if slap_acl_get() needs to check if there is an EQUALITY
rule in any case.
I note that acl_mask_dnattr() also calls value_match() with some
attribute's EQUALITY rule; maybe that needs something similar.
Also, the value from 'val=' does not get normalized. So
access to attrs=configContext val=CN=CONFIG by * none
access to * by * read
does show configContext: cn=config. OTOH,
access to attrs=objectClass val=OPENLDAPROOTDSE by * none
works fine - it only shows objectClass: top.
--
Hallvard
Don't anthropomorphize computers. They hate that.