
Re: (ITS#3830) Buggy access attrs=... val=...



I'm about to apply a slightly different fix; one point is that we might
want to extend that value match capability with a matching rule much like
extensible filters.  Something like

access to attrs=namingContext val/distinguishedNameMatch.subtree="dc=com"
        by * read

Comments?

>
>> Howard Chu writes:
>>> I have committed a fix to HEAD, please test.
>>
>> Thanks.  The reported problem is fixed.
>> I've stumbled on to two new ones instead - including a crash:
>>
>>
>> "access non-DN-attr=foo val=bar" uses the attribute's EQUALITY
>> rule to check for a match - and so value_match() crashes on
>> assert( mr != NULL ) if the attribute has no EQUALITY rule.
>
> Asserts are there for this reason :)
>
>
>> E.g. "access to attrs=supportedControl val=1.2 by * read".
>>
>> I suggest that slapd then exits with an error message during startup:
>> "val.regex style for non-DN attr without EQUALITY rule":
>>   http://folk.uio.no/hbf/OpenLDAP/valacl.patch
>> That does mean one can't use 'val=<not regexp>' on an attribute for
>> access control on inherited attributes with EQUALITY rules, but it's
>> less surprising than to just have the match fail at run-time.
>>
>> Not sure if slap_acl_get() needs to check if there is an EQUALITY
>> rule in any case.
>>
>> I note that acl_mask_dnattr() also calls value_match() with some
>> attribute's EQUALITY rule; maybe that needs something similar.
>>
>>
>> Also, the value from 'val=' does not get normalized.  So
>>   access to attrs=configContext val=CN=CONFIG by * none
>>   access to * by * read
>> does show configContext: cn=config.  OTOH,
>>   access to attrs=objectClass val=OPENLDAPROOTDSE by * none
>> works fine - it only shows objectClass: top.
>
> I'll look at these.
>
> Thanks, p.
>
> --
> Pierangelo Masarati
> mailto:pierangelo.masarati@sys-net.it
>
>
>     SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497
>
>
>


-- 
Pierangelo Masarati
mailto:pierangelo.masarati@sys-net.it


    SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497
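As an added example (not code from this thread or from OpenLDAP itself), a small Python checker that applies the startup check suggested above to slapd.conf text: it flags a non-regex `val=` on an attribute that has no EQUALITY rule (the assert case) and, as a heuristic taken from the configContext case, a DN-valued `val=` that is not written in the form the server stores. The schema table and the configuration excerpt are constructed for the example.

```python
import re

# Constructed mini schema: attribute type -> EQUALITY rule, or None when it has none.
# supportedControl lacking one follows the thread; an assumption, not slapd's schema_prep.
EQUALITY_RULE = {
    "namingContexts": "distinguishedNameMatch",
    "configContext": "distinguishedNameMatch",
    "objectClass": "objectIdentifierMatch",
    "supportedControl": None,
}

# Matches the start of an "access to attrs=<list> val[.<style>]=<value>" directive.
ACCESS_RE = re.compile(
    r"^\s*access\s+to\s+attrs?=(?P<attrs>\S+)"
    r"(?:\s+val(?:\.(?P<style>\w+))?=(?P<val>\S+))?",
    re.IGNORECASE,
)

def check_val_acls(conf_text, schema=EQUALITY_RULE):
    """Return (line_no, attr, message) for every risky val= clause in slapd.conf text."""
    findings = []
    for no, line in enumerate(conf_text.splitlines(), 1):
        m = ACCESS_RE.match(line)
        if not m or m.group("val") is None:
            continue
        style, val = m.group("style"), m.group("val").strip('"')
        for attr in m.group("attrs").split(","):
            if attr not in schema:
                findings.append((no, attr, "attribute type not in the schema table"))
            elif schema[attr] is None and style != "regex":
                # The crash case from the thread: value_match() would be handed
                # mr == NULL and slapd would die on assert(mr != NULL).
                findings.append((no, attr, "val= requires an EQUALITY rule; attribute has none"))
            elif schema[attr] == "distinguishedNameMatch" and style != "regex" and val != val.lower():
                # val= is not normalized before comparison, so a DN written in a
                # different case than the stored value silently never matches.
                findings.append((no, attr, "val= is compared unnormalized; write it as stored"))
    return findings

# Constructed slapd.conf excerpt reproducing the cases discussed in the thread.
SAMPLE_CONF = """\
access to attrs=supportedControl val=1.2 by * read
access to attrs=configContext val=CN=CONFIG by * none
access to attrs=objectClass val=OPENLDAPROOTDSE by * none
access to * by * read
"""

if __name__ == "__main__":
    for no, attr, msg in check_val_acls(SAMPLE_CONF):
        print(f"line {no}: {attr}: {msg}")
```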