[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: (ITS#6804) 'self' access modifier only works for first entry

To: openldap-its@OpenLDAP.org
Subject: Re: (ITS#6804) 'self' access modifier only works for first entry
From: hyc@symas.com
Date: Wed, 26 Jan 2011 23:51:38 GMT
Auto-submitted: auto-generated (OpenLDAP-ITS)

djpohly@gmail.com wrote:
> Full_Name: Devin J. Pohly
> Version: 2.4.23
> OS: Linux
> URL: http://openldap.pastebin.com/gvswpxLX
> Submission from: (NULL) (98.235.33.55)

Thanks for the detailed report. This is now fixed in HEAD.

> Description:
> I have set up an LDAP directory which contains users and flat groups
> (groupOfNames/member style).  I want to use the access controls to only allow
> users to see their own groups and membership, so I defined the following
> controls:
>
> access to dn.onelevel="ou=group,o=org" attrs=entry
>      by dnattr=member read
> access to dn.onelevel="ou=group,o=org" attrs=member
>      by dnattr=member selfread
>
> Steps to reproduce:
> 1. Start a new instance of OpenLDAP with the slapd.conf file provided at
> <http://openldap.pastebin.com/gvswpxLX>  and an empty database.
> 2. Get grouptest.ldif from<http://openldap.pastebin.com/X1DUyGmf>  and add it to
> the directory:
> ldapadd -x -H $LDAPURI -D uid=admin,o=org -w admin -f grouptest.ldif
> This creates two users, foo and bar, and two groups, g1 and g2.  Each user is in
> both groups.
> 3. Compare the outputs of:
> ldapsearch -x -H $LDAPURI -D uid=foo,ou=user,o=org -w foo -b ou=group,o=org
> ldapsearch -x -H $LDAPURI -D uid=bar,ou=user,o=org -w bar -b ou=group,o=org
>
> Expected results:
> Foo's query shows "member: foo" for both g1 and g2.  Bar's query shows "member:
> bar" for both g1 and g2.
>
> Actual results:
> Foo's query shows "member: foo" for both g1 and g2.  Bar's query does not show
> any member attributes.
>
> Note: Changing the order in which the users are listed changes the behavior;
> only the first user listed matches 'self'.  Changing the 'selfread' privilege to
> 'read' behaves correctly: both queries display both users' memberships in the
> groups.  So the problem lies somewhere in the way the 'self' modifier is
> implemented.
>


-- 
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/

Prev by Date: Re: ITS#6805
Next by Date: Re: ITS#6805
Index(es):
- Chronological
- Thread