
(ITS#6693) Value dependent ACL issues



Full_Name: Ralf Haferkamp
Version: 2.4.23, HEAD
OS: 
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (92.252.54.248)
Submitted by: ralf


It seems that if the first ACL on a server is a value dependent ACL it is not
evaluated correctly.

Steps to reproduce:

1. Set this global ACL on the server:

access to dn.base="" attrs=supportedControl 
 val/objectIdentifierMatch=1.3.6.1.4.1.4203.666.5.14
 by * none
access to dn.base=""
 by * read

Now, when "1.3.6.1.4.1.4203.666.5.14" would be the first value of the
supportedControl Attribute that the server would return, slapd will return no
value of that attribute at all.
OTOH when "1.3.6.1.4.1.4203.666.5.14" is not the first value, slapd will return
all values of the "supportedControl" Attribute, including
"1.3.6.1.4.1.4203.666.5.14".
The expected result would be to return all values but
"1.3.6.1.4.1.4203.666.5.14".

This problem only seems to be present if there are no other ACLs present before
the first value dependent ACL.

This patch seems to fix the problem; it would be nice, however, if somebody with
more insight into the acl code could review it before we commit it to HEAD.
-------------------------------------------------------------
--- a/servers/slapd/acl.c
+++ b/servers/slapd/acl.c
@@ -405,7 +405,8 @@ access_allowed_mask(
                if ( state->as_desc == desc &&
                        state->as_access == access &&
                        state->as_result != -1 &&
-                       state->as_vd_acl == NULL )
+                       state->as_vd_acl == NULL &&
+                       state->as_vd_acl_count > 0 )
                        {
                        Debug( LDAP_DEBUG_ACL,
                                "=> access_allowed: result was in cache
(%s)\n",
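Review bot: the added `state->as_vd_acl_count > 0` test in the cache check of access_allowed_mask() has no comment saying which state `as_vd_acl == NULL` together with a positive count denotes, and it also blocks the cached result whenever the count is 0. If the count stays 0 when no value-dependent ACL has been seen for this attribute, the cached-result path would never be taken in that case and every value would be evaluated from scratch, so please confirm that this is intended or distinguish "no value-dependent ACL applies" from "not evaluated yet". A regression test built from the two-ACL configuration in the report (OID as first value and as a later value) would pin the behaviour down.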
-------------------------------------------------------------

thanks,
    Ralf
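
A check for the three outcomes described in the report, as an added example that is not part of the original message or of OpenLDAP: it classifies the LDIF returned by a root DSE search for supportedControl. The function name, the host in the usage comment and the sample LDIF are assumptions constructed for illustration.

```shell
#!/bin/sh
# Classify a root DSE search result against the ACL from the report.
# Input (stdin): LDIF as printed by
#   ldapsearch -x -LLL -H ldap://localhost -s base -b "" supportedControl
# (the host is an assumption; point it at the server under test).
# $1: the OID the value-dependent ACL is supposed to hide.
classify_supported_control() {
    hidden_oid=$1
    awk -v oid="$hidden_oid" '
        # LDIF attribute names are case-insensitive.
        tolower($1) == "supportedcontrol:" {
            total++
            if ($2 == oid) leaked = 1
        }
        END {
            # all-hidden: no value returned (first-value case in the report)
            # leaked:     hidden OID still returned (later-value case)
            # expected:   every value except the hidden OID
            if (total == 0) { print "all-hidden" }
            else if (leaked) { print "leaked" }
            else { print "expected" }
        }'
}

HIDDEN_OID=1.3.6.1.4.1.4203.666.5.14

# Constructed sample outputs (not captured from a real server).
SAMPLE_EXPECTED='dn:
supportedControl: 2.16.840.1.113730.3.4.18
supportedControl: 1.2.840.113556.1.4.319'

SAMPLE_LEAKED='dn:
supportedControl: 2.16.840.1.113730.3.4.18
supportedControl: 1.3.6.1.4.1.4203.666.5.14
supportedControl: 1.2.840.113556.1.4.319'

SAMPLE_ALL_HIDDEN='dn:'

for name in EXPECTED LEAKED ALL_HIDDEN; do
    eval "sample=\$SAMPLE_$name"
    result=$(printf '%s\n' "$sample" | classify_supported_control "$HIDDEN_OID")
    printf '%s -> %s\n' "$name" "$result"
done
```

An "all-hidden" result is also what a server returns when supportedControl is denied outright, so compare against a run without the value-dependent ACL.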