[Date Prev][Date Next] [Chronological] [Thread] [Top]

Problem in acl.c



Kurt,

I've a problem with the logics of acl matching when using back-ldap.
It is not a big, big deal because it is triggered by very special
conditions, however there it is.
When checking for the subject clause "dnattr=<attr>", the <attr> is
looked up in the entry, and its values are compared to the normalized
value of the operation dn (see servers/slapd/acl.c line 685).
This assumes that the ENTIRE entry is available
when the comparison is made. However, when the back-ldap is used,
only the portion of entry that was requested is currently available
when processing the acl. Imagine I protected the "cn" of an entry
with the clause "dnattr=member":

access to dn="cn=my entry,dc=my,dc=domain" attr=cn
	by dnattr=member read
	by * none

and the entry reads:

dn: cn=my group,dc=my,dc=domain
objectClass: top
objectClass: groupOfNames
cn: my group
member: cn=my group,dc=my,dc=domain
member: cn=someone else,dc=my,dc=domain

while I'm performing the query:

ldapsearch -D 'cn=someone else,dc=my,dc=domain' -w secret \
	-b 'cn=my group,dc=my,dc=domain' -s base cn
dn: cn=my group,dc=my,dc=domain

then the back-ldap asks the real DS only the "cn" attribute, and, at acl
checking, it doesn't find the "member" attribute so the check fails,
even if "someone else" has access to the "cn". In fact, if the member
attribute is also required (or all the attrs are required), the acl
succeedes:

ldapsearch -D 'cn=someone else,dc=my,dc=domain' -w secret \
	-b 'cn=my group,dc=my,dc=domain' -s base cn member
dn: cn=my group,dc=my,dc=domain
cn: my group
member: cn=my group,dc=my,dc=domain
member: cn=someone else,dc=my,dc=domain

In case the attr is not found in the entry, the entry should be read
again with the <attr> of the "dnattr" explicitly required. Or, to
avoid excessive overhead for other backends, this should happen in case
the backend provides a method to reload the entry specifically
requiring an attribute. I've noticed this is done by the method 
"backend_attribute", but I haven't been able to track the point where
it is called (the acl stuff is really cumbersome!), and it is
definitely NOT called in the case I discussed above.

Any clues/ideas/suggestions?

Pierangelo.