[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: (ITS#5805) Problem when modifying access control

To: openldap-its@OpenLDAP.org
Subject: Re: (ITS#5805) Problem when modifying access control
From: ando@sys-net.it
Date: Sun, 16 Nov 2008 20:01:23 GMT

emmanuel.duru@atosorigin.com wrote:
> Full_Name: Emmanuel Duru
> Version: 2.4.11
> OS: Windows
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (80.78.0.137)
> 
> 
> I have a single BDB database directory with root DN as a physical entry. My
> access control is defined as follows in olcDatabase={-1}frontend:
> olcAccess: {0}to attrs=userPassword  by self write  by anonymous auth  by * no
>  ne
> olcAccess: {1}to dn=cn=manager,c=fr  by self write  by * none
> olcAccess: {2}to *  by self write  by users read  by anonymous read  by * none
> 
> I perform a modify operation as follows:
> dn: olcDatabase={-1}frontend,cn=config
> changetype: modify
> replace: olcAccess
> olcAccess: {0}to attrs=userPassword  by self write  by anonymous auth  by * no
>  ne
> olcAccess: {1}to dn=cn=manager,c=fr  by self write  by * none
> olcAccess: {2}to *  by self write  by users read  by anonymous read  by * none
> 
> dn: olcDatabase={0}config,cn=config
> changetype: modify
> replace: olcAccess
> olcAccess: {0}to *  by * none
> -
> replace: olcRootDN
> olcRootDN: cn=manager,c=fr
> 
> then I can not bind any more to the directory (invalid credentials).
> The log says (do notice the line dn: [1]... with non printable characters):
> do_bind: version=3 dn="cn=manager,c=fr" method=128
> ==> bdb_bind: dn: cn=manager,c=fr
> bdb_dn2entry("cn=manager,c=fr")
> => access_allowed: auth access to "cn=manager,c=fr" "userPassword" requested
> => dn: [1]  <some non printable characters>anager,c=fr
> => acl_get: [2] attr userPassword
> => slap_access_allowed: result not in cache (userPassword)
> => acl_mask: access to entry "cn=manager,c=fr", attr "userPassword" requested
> => acl_mask: to value by "", (=0) 
> <= check a_dn_pat: *
> <= acl_mask: [1] applying none(=0) (stop)
> <= acl_mask: [1] mask: none(=0)
> => slap_access_allowed: auth access denied by none(=0)
> => access_allowed: no more rules
> 
> When I stop the directory, the log says (filter_free lines may vary):
> bdb_db_close: database "c=fr": alock_close failed
> filter_free: unknown filter type=20224
> filter_free: unknown filter type=496
> slapd stopped.
> filter_free: unknown filter type=29776
> filter_free: unknown filter type=13944
> filter_free: unknown filter type=29496
> 
> When I restart slapd, all is fine: the access control is OK and I can bind.

I can't confirm your report with HEAD code.  I suggest you retry with 
either 2.4.12 or (better) re24, which is about to be released as 2.4.13. 
  I note that by performing the operations you indicate, the cn=config 
database (dn: olcDatabase={0}config,cn=config) ends up in an 
inconsistent state, because the rootdn does not belong to its naming 
context, but the rootpw is set, which should not be allowed.  A check 
for this does not exist, while it should.  In any case, this is harmless.

p.


Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
-----------------------------------
Office:  +39 02 23998309
Mobile:  +39 333 4963172
Fax:     +39 0382 476497
Email:   ando@sys-net.it
-----------------------------------

Prev by Date: Re: (ITS#5814) concurrent access to connections
Next by Date: (ITS#5815) typo in os-ip.c (MAXHOSTNAMELEN)
Index(es):
- Chronological
- Thread