
Re: (ITS#3830) Buggy access attrs=... val=...



Howard Chu writes:
> I have committed a fix to HEAD, please test.

Thanks.  The reported problem is fixed.
I've stumbled onto two new ones instead - including a crash:


"access non-DN-attr=foo val=bar" uses the attribute's EQUALITY
rule to check for a match - and so value_match() crashes on
assert( mr != NULL ) if the attribute has no EQUALITY rule.
E.g. "access to attrs=supportedControl val=1.2 by * read".

I suggest that slapd then exits with an error message during startup:
"val.regex style for non-DN attr without EQUALITY rule":
  http://folk.uio.no/hbf/OpenLDAP/valacl.patch
That does mean one can't use 'val=<not regexp>' on an attribute for
access control on inherited attributes with EQUALITY rules, but it's
less surprising than to just have the match fail at run-time.

Not sure if slap_acl_get() needs to check if there is an EQUALITY
rule in any case.

I note that acl_mask_dnattr() also calls value_match() with some
attribute's EQUALITY rule; maybe that needs something similar.


Also, the value from 'val=' does not get normalized.  So
  access to attrs=configContext val=CN=CONFIG by * none
  access to * by * read
does show configContext: cn=config.  OTOH,
  access to attrs=objectClass val=OPENLDAPROOTDSE by * none
works fine - it only shows objectClass: top.

-- 
Hallvard
Don't anthropomorphize computers. They hate that.
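The two failure modes in the report above (an exact val= on an attribute with no EQUALITY rule, and a val= value that is never normalized) can be modelled in a few lines. The following is an added illustration, not OpenLDAP code and not Hallvard's patch: it is a toy ACL value matcher that rejects an unmatchable clause when the ACL is parsed (so the error surfaces at startup rather than as an assert at request time) and normalizes the configured value with the attribute's own normalizer before storing it. The schema table, the normalizers, the AclConfigError name and the exact error wording are constructed for the example; they approximate, and do not reproduce, slapd's matching rules.

```python
"""Toy model of slapd-style 'access to attrs=<attr> val=<value>' matching.

Added example, not OpenLDAP code. It shows (1) an exact 'val=' on an attribute
without an EQUALITY rule being refused at ACL parse time instead of crashing
later, and (2) the configured value being normalized with the attribute's own
normalizer so that 'val=CN=CONFIG' matches an entry value of 'cn=config'.
"""
import re
from dataclasses import dataclass
from typing import Callable, Dict, Optional


def _case_ignore(v: str) -> str:
    # Toy caseIgnore normalizer: collapse whitespace, fold case.
    return " ".join(v.split()).lower()


def _dn_normalize(v: str) -> str:
    # Toy DN normalizer: lower-case attribute types, caseIgnore the values,
    # strip whitespace around '=' and ','. Real distinguishedNameMatch does more.
    rdns = []
    for rdn in v.split(","):
        atype, _, aval = rdn.partition("=")
        rdns.append(f"{atype.strip().lower()}={_case_ignore(aval)}")
    return ",".join(rdns)


# Constructed schema fragment: attribute type -> EQUALITY normalizer, or None
# when the attribute has no EQUALITY rule (as supportedControl does not).
SCHEMA: Dict[str, Optional[Callable[[str], str]]] = {
    "objectclass": _case_ignore,      # objectIdentifierMatch; names compare case-insensitively
    "configcontext": _dn_normalize,   # DN syntax, distinguishedNameMatch
    "supportedcontrol": None,         # OID syntax, no EQUALITY rule
}


class AclConfigError(Exception):
    """Raised while parsing the ACL, i.e. at startup, not while serving a request."""


@dataclass
class ValClause:
    attr: str      # lower-cased attribute type
    style: str     # "exact" or "regex"
    pattern: str   # normalized value for exact; regex source for regex


def parse_val(attr: str, spec: str) -> ValClause:
    """Parse 'val=<v>' or 'val.regex=<v>' for attribute `attr`, normalizing up front."""
    key = attr.lower()
    if key not in SCHEMA:
        raise AclConfigError(f"unknown attribute {attr!r}")
    style, _, value = spec.partition("=")
    style = style[len("val."):] if style.startswith("val.") else "exact"
    if style == "regex":
        re.compile(value)  # a bad pattern is also a startup error
        return ValClause(key, "regex", value)
    if style != "exact":
        raise AclConfigError(f"unsupported val style {style!r}")
    normalize = SCHEMA[key]
    if normalize is None:
        # Nothing to compare with: refuse the clause now rather than assert later.
        raise AclConfigError(
            f"val style for attr {attr!r} without EQUALITY rule; use val.regex")
    return ValClause(key, "exact", normalize(value))


def value_matches(clause: ValClause, entry_value: str) -> bool:
    """True if an entry's attribute value is covered by the parsed clause."""
    if clause.style == "regex":
        return re.search(clause.pattern, entry_value) is not None
    normalize = SCHEMA[clause.attr]
    assert normalize is not None  # guaranteed by parse_val
    return normalize(entry_value) == clause.pattern
```

Both halves of the comparison go through the same normalizer, which is the whole point: storing the raw 'CN=CONFIG' and comparing it with an already-normalized entry value is exactly the mismatch the report describes, and rejecting the exact style for an attribute without an EQUALITY rule at parse time turns the assert into a configuration error the administrator sees immediately.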