
(ITS#7495) access filter not correctly validated if assertion attribute not requested



Full_Name: Michael Ströder
Version: RE24 6f33e2c
OS: Debian Squeeze
URL: 
Submission from: (NULL) (2001:8d8:1fe:1:d6be:d9ff:fe06:a14f)


This is tested with RE24 built for Debian Squeeze:
It seems that ACLs are not correctly evaluated when processing a search request
if the assertion type is not requested in the search request.

Example:

access to
  dn.subtree="o=example"
  attrs=sambaNTPassword
  filter="(organizationalStatus=0)"
    by group="uid=samba_dc,o=example" write
    by group="cn=slapd Admins,ou=groups,o=example" =sw
    by self =w
    by * none

The following search correctly returns attribute sambaNTPassword of the entry:

ldapsearch -LLL -X "dn:uid=samba_dc,o=example" \
  "(&(objectclass=sambaSamAccount)(uid=wtester))" \
  organizationalStatus sambaNTPassword

But this search does not return sambaNTPassword:

ldapsearch -LLL -X "dn:uid=samba_dc,o=example" \
  "(&(objectclass=sambaSamAccount)(uid=wtester))" \
  sambaNTPassword

I cannot find any hint in slapd.access(5) that this is expected behaviour.