
Re: (ITS#4230) access to attr=objectClass



On Tue, 2005-11-29 at 22:44 +0000, ando@sys-net.it wrote:
> On Tue, 2005-11-29 at 15:06 +0000, syrius.ml@no-log.org wrote:
> > Full_Name: 
> > Version: 2.2.26
> > OS: GNU/Linux (debian/unstable)
> > URL: ftp://ftp.openldap.org/incoming/
> > Submission from: (NULL) (193.49.184.28)
> > 
> > 
> > Hi there,
> > 
> > When I use the acl below ldapsearch doesn't show all the objectClass anymore.
> > The displayed objects only have objectClass=top
> > access to attr=objectClass val.regex=".*"
> >        by * read
> > 
> > I was first trying to use an acl like this:
> > access to attr=objectClass val.regex="sambaSamAccount"
> >        by cn=test,dc=test,dc=test write
> >        by * read
> > when I discovered that.
> > 
> > Is this a bug?
> > Or am I doing something wrong?
> 
> It appears to be a bug that still affects re22: only the first
> occurrence of objectClass (actually, of any multi-valued attr) is
> returned.
> 
> re23 is no longer affected.

After carefully reviewing the code, I think re23 is no longer affected
by chance only.  In fact, the state code is broken as it is now, and
only because an extra layer has been added (fe_access_allowed) without
passing all the related data (st_same_attr) the issue you're reporting
doesn't surface any more.

Try this, with the database resulting from test003

access to attrs=cn val.regex="^Mark A.*"
        by * read
access to attrs=cn
        by * none
access to *
        by * read

where the above regex is supposed to match the __second__ value of the
"cn" of "cn=Mark Elliot,...".

This works as expected (only "cn: Mark A Elliott" is returned) in re23
but not in re22.  I think we should leave the code as is, since it works
as expected.  However, the "right" approach requires that we fix status
preservation across calls to access checking.

In any case, this would not be the most relevant reason to upgrade to
2.3.

p.




Ing. Pierangelo Masarati
Responsabile Open Solution

SysNet s.n.c.
Via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
------------------------------------------
Office:   +39.02.23998309          
Mobile:   +39.333.4963172
Email:    pierangelo.masarati@sys-net.it
------------------------------------------
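
The per-value evaluation discussed in this thread, as an added example that is not part of the original message or of the OpenLDAP code: a small Python model of first-match ACL evaluation applied to each attribute value on its own, plus a check that diffs a server's answer against the model. The tuple layout, function names and sample entry are assumptions made for illustration, and the model handles only a single "by *" clause.

```python
import re

# Constructed model of the ACLs in this thread: (attribute or None for "*",
# value regex or None, access granted to "by *"). Simplified: one "by" clause.
CN_ACLS = [("cn", r"^Mark A.*", "read"), ("cn", None, "none"), (None, None, "read")]
ITS_ACLS = [("objectClass", r".*", "read")]

# Constructed sample entry; values are illustrative, not copied from test003.
ENTRY = {
    "objectClass": ["top", "person", "organizationalPerson"],
    "cn": ["Mark Elliot", "Mark A Elliott"],
}

def access_for(attr, value, acls):
    """Return the level of the first clause matching this attribute value."""
    for acl_attr, val_regex, level in acls:
        if acl_attr is not None and acl_attr.lower() != attr.lower():
            continue
        if val_regex is not None and not re.search(val_regex, value):
            continue
        return level
    return "none"  # a non-empty ACL list ends in an implicit deny

def visible(entry, acls):
    """Values a reader should get back when each value is checked on its own."""
    out = {}
    for attr, values in entry.items():
        kept = [v for v in values if access_for(attr, v, acls) == "read"]
        if kept:
            out[attr] = kept
    return out

def regression(entry, returned, acls):
    """Diff a server's answer against the model: missing and extra values."""
    expected, problems = visible(entry, acls), {}
    for attr in sorted(set(expected) | set(returned)):
        exp, got = set(expected.get(attr, [])), set(returned.get(attr, []))
        if exp != got:
            problems[attr] = {"missing": sorted(exp - got), "extra": sorted(got - exp)}
    return problems

if __name__ == "__main__":
    print(visible(ENTRY, CN_ACLS))
    # The symptom reported in the ITS: only objectClass=top comes back.
    print(regression(ENTRY, {"objectClass": ["top"]}, ITS_ACLS))
```

Feeding `regression` the values parsed from an ldapsearch result shows at a glance whether a value-dependent ACL is dropping or leaking values after a configuration change or upgrade.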