(ITS#5805) Problem when modifying access control



Full_Name: Emmanuel Duru
Version: 2.4.11
OS: Windows
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (80.78.0.137)


I have a single BDB database directory with root DN as a physical entry. My
access control is defined as follows in olcDatabase={-1}frontend:
olcAccess: {0}to attrs=userPassword  by self write  by anonymous auth  by * no
 ne
olcAccess: {1}to dn=cn=manager,c=fr  by self write  by * none
olcAccess: {2}to *  by self write  by users read  by anonymous read  by * none

I perform a modify operation as follows:
dn: olcDatabase={-1}frontend,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword  by self write  by anonymous auth  by * no
 ne
olcAccess: {1}to dn=cn=manager,c=fr  by self write  by * none
olcAccess: {2}to *  by self write  by users read  by anonymous read  by * none

dn: olcDatabase={0}config,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to *  by * none
-
replace: olcRootDN
olcRootDN: cn=manager,c=fr

Then I cannot bind to the directory any more (invalid credentials).
The log says (do notice the line dn: [1]... with non-printable characters):
do_bind: version=3 dn="cn=manager,c=fr" method=128
==> bdb_bind: dn: cn=manager,c=fr
bdb_dn2entry("cn=manager,c=fr")
=> access_allowed: auth access to "cn=manager,c=fr" "userPassword" requested
=> dn: [1]  <some non printable characters>anager,c=fr
=> acl_get: [2] attr userPassword
=> slap_access_allowed: result not in cache (userPassword)
=> acl_mask: access to entry "cn=manager,c=fr", attr "userPassword" requested
=> acl_mask: to value by "", (=0) 
<= check a_dn_pat: *
<= acl_mask: [1] applying none(=0) (stop)
<= acl_mask: [1] mask: none(=0)
=> slap_access_allowed: auth access denied by none(=0)
=> access_allowed: no more rules

When I stop the directory, the log says (filter_free lines may vary):
bdb_db_close: database "c=fr": alock_close failed
filter_free: unknown filter type=20224
filter_free: unknown filter type=496
slapd stopped.
filter_free: unknown filter type=29776
filter_free: unknown filter type=13944
filter_free: unknown filter type=29496

When I restart slapd, all is fine: the access control is OK and I can bind.
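
A log check for the two symptoms shown in this report (an ACL "dn:" line carrying unprintable bytes, and "filter_free: unknown filter type" at shutdown), as an added example that is not part of the original submission or of OpenLDAP. The sample log is constructed, and the names scan_slapd_log and looks_corrupt are hypothetical.

```python
import re

# Constructed sample modelled on the slapd debug output in the report; the
# bytes \x01\x9c\x07 stand in for the unprintable characters it mentions.
SAMPLE_LOG = (
    b'do_bind: version=3 dn="cn=manager,c=fr" method=128\n'
    b'=> access_allowed: auth access to "cn=manager,c=fr" "userPassword" requested\n'
    b'=> dn: [1] \x01\x9c\x07anager,c=fr\n'
    b'=> acl_get: [2] attr userPassword\n'
    b'<= acl_mask: [1] applying none(=0) (stop)\n'
    b'filter_free: unknown filter type=20224\n'
    b'slapd stopped.\n'
)

ACL_DN = re.compile(rb'^=> dn: \[(\d+)\] (.*)$')
BAD_FILTER = re.compile(rb'^filter_free: unknown filter type=(\d+)$')


def looks_corrupt(value: bytes) -> bool:
    """True if value is not valid UTF-8 or contains control characters.

    Valid non-ASCII DNs (UTF-8) are accepted, so accented names do not alert.
    """
    try:
        text = value.decode('utf-8')
    except UnicodeDecodeError:
        return True
    return any(ord(c) < 0x20 or ord(c) == 0x7f for c in text)


def scan_slapd_log(data: bytes):
    """Return (line_no, kind, detail) for each symptom found in the log."""
    findings = []
    # Split on \n only: the damaged pattern may itself contain stray \r bytes.
    for no, raw in enumerate(data.split(b'\n'), 1):
        line = raw[:-1] if raw.endswith(b'\r') else raw
        m = ACL_DN.match(line)
        if m and looks_corrupt(m.group(2)):
            findings.append((no, 'acl-dn-corrupt', 'rule [%s]' % m.group(1).decode()))
            continue
        m = BAD_FILTER.match(line)
        if m:
            findings.append((no, 'bad-filter-type', m.group(1).decode()))
    return findings


if __name__ == '__main__':
    for finding in scan_slapd_log(SAMPLE_LOG):
        print(finding)
```

Read the log in binary mode before passing it in, so the damaged bytes reach the check unchanged.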