Re: (ITS#6804) 'self' access modifier only works for first entry
- To: openldap-its@OpenLDAP.org
- Subject: Re: (ITS#6804) 'self' access modifier only works for first entry
- From: hyc@symas.com
- Date: Wed, 26 Jan 2011 23:51:38 GMT
- Auto-submitted: auto-generated (OpenLDAP-ITS)
djpohly@gmail.com wrote:
> Full_Name: Devin J. Pohly
> Version: 2.4.23
> OS: Linux
> URL: http://openldap.pastebin.com/gvswpxLX
> Submission from: (NULL) (98.235.33.55)
Thanks for the detailed report. This is now fixed in HEAD.
> Description:
> I have set up an LDAP directory which contains users and flat groups
> (groupOfNames/member style). I want to use the access controls to only allow
> users to see their own groups and membership, so I defined the following
> controls:
>
> access to dn.onelevel="ou=group,o=org" attrs=entry
> by dnattr=member read
> access to dn.onelevel="ou=group,o=org" attrs=member
> by dnattr=member selfread
>
> Steps to reproduce:
> 1. Start a new instance of OpenLDAP with the slapd.conf file provided at
> <http://openldap.pastebin.com/gvswpxLX> and an empty database.
> 2. Get grouptest.ldif from <http://openldap.pastebin.com/X1DUyGmf> and add it to
> the directory:
> ldapadd -x -H $LDAPURI -D uid=admin,o=org -w admin -f grouptest.ldif
> This creates two users, foo and bar, and two groups, g1 and g2. Each user is in
> both groups.
> 3. Compare the outputs of:
> ldapsearch -x -H $LDAPURI -D uid=foo,ou=user,o=org -w foo -b ou=group,o=org
> ldapsearch -x -H $LDAPURI -D uid=bar,ou=user,o=org -w bar -b ou=group,o=org
>
> Expected results:
> Foo's query shows "member: foo" for both g1 and g2. Bar's query shows "member:
> bar" for both g1 and g2.
>
> Actual results:
> Foo's query shows "member: foo" for both g1 and g2. Bar's query does not show
> any member attributes.
>
> Note: Changing the order in which the users are listed changes the behavior;
> only the first user listed matches 'self'. Changing the 'selfread' privilege to
> 'read' behaves correctly: both queries display both users' memberships in the
> groups. So the problem lies somewhere in the way the 'self' modifier is
> implemented.
>
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
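The two ACL rules in the report are easiest to reason about as a per-value filter: `dnattr=member` selects bound DNs that appear among the entry's `member` values, and the `self` prefix on the access level must then be tested against every value of the attribute, not just the first. The following is an added, simplified model written for this page; it is not slapd's ACL code and does not reproduce the actual defect that was fixed. The entry DNs, user DNs and the `visible_values_first_only` function that mimics the reported symptom are all constructed for illustration.

```python
# Simplified model of the two rules from the report:
#   access to dn.onelevel="ou=group,o=org" attrs=entry
#       by dnattr=member read
#   access to dn.onelevel="ou=group,o=org" attrs=member
#       by dnattr=member selfread
# Added example for this page; not OpenLDAP code. All DNs are constructed.

from dataclasses import dataclass, field


@dataclass
class Entry:
    dn: str
    member: list = field(default_factory=list)


def norm(dn: str) -> str:
    """Simplified DN normalisation for comparison (case/whitespace only)."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def dnattr_matches(entry: Entry, bind_dn: str, attr: str = "member") -> bool:
    """'by dnattr=<attr>': the subject matches when the bound DN is one of
    the entry's <attr> values."""
    return any(norm(v) == norm(bind_dn) for v in getattr(entry, attr))


def visible_values(entry: Entry, bind_dn: str, level: str = "selfread") -> list:
    """Values of 'member' the bound user may read under the given level.
    'read' exposes all values; 'selfread' exposes only values equal to the
    bound DN, and every value must be tested, not only the first."""
    if not dnattr_matches(entry, bind_dn):
        return []
    if level == "read":
        return list(entry.member)
    if level == "selfread":
        return [v for v in entry.member if norm(v) == norm(bind_dn)]
    raise ValueError(f"unsupported access level: {level}")


def visible_values_first_only(entry: Entry, bind_dn: str) -> list:
    """Constructed model of the symptom in the report: 'self' is compared
    against the first value only, so only the first listed member sees
    its own membership. This is an illustration, not slapd's real bug."""
    if not dnattr_matches(entry, bind_dn) or not entry.member:
        return []
    first = entry.member[0]
    return [first] if norm(first) == norm(bind_dn) else []


def search(directory: list, bind_dn: str, evaluator=visible_values) -> dict:
    """Model a subtree search under ou=group,o=org: the entry itself is only
    returned to members (attrs=entry by dnattr=member read) and, within it,
    the member values are filtered by the chosen evaluator."""
    return {
        e.dn: evaluator(e, bind_dn)
        for e in directory
        if dnattr_matches(e, bind_dn)
    }


# Constructed directory mirroring the report: two users in two flat groups.
FOO = "uid=foo,ou=user,o=org"
BAR = "uid=bar,ou=user,o=org"
GROUPS = [
    Entry("cn=g1,ou=group,o=org", [FOO, BAR]),
    Entry("cn=g2,ou=group,o=org", [FOO, BAR]),
]

if __name__ == "__main__":
    for label, evaluator in (("expected", visible_values),
                             ("reported symptom", visible_values_first_only)):
        print(label)
        for who in (FOO, BAR):
            print("  bind as", who, "->", search(GROUPS, who, evaluator))
```

Running it shows the behaviour the reporter expected (each user sees exactly one `member` value per group, their own DN) next to the constructed first-value-only model, in which bar sees no `member` values at all while foo does; a third user who is not a member of either group gets no entries back because the `attrs=entry` rule never matches.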