[Date Prev][Date Next] [Chronological] [Thread] [Top]

"break" broken?



I am in the process of trying to understand the ACLs, as documented in the FAQ, <http://www.openldap.org/faq/data/cache/447.html>.

(Thanks to the author of this FAQ! But I think it should appear in the "Software" section of the FAQ, rather than the "Developper's" section.)

I'm on openldap 2.0.7. I have come upon some strange behaviour in the

   <control> ::= [ stop | continue | break ]

clause, that doesn't seem to conform to what is said in that FAQ. I think it is a bug.

In my tests, I attempt to bind as some entry I will call myBindDn; specifically:

   myBindDn = "uid=testAdm,ou=people,dc=univ-lyon2,dc=fr"

For this, it appears from the FAQ and from my own tests that I need:

  privilege: "auth" ("x")

  to be granted on: myBindDn, attribute userPassword

  to: "anonymous".

My first test is with the following ACLs:

============== slapd.acl.conf: ======= (1)
defaultaccess   none

# First and only access clause:
access to dn.base="uid=testAdm,ou=people,dc=univ-lyon2,dc=fr" attrs=userPassword
by anonymous
auth
=========== End of slapd.acl.conf. === (1)


Bind is successful, as expected.

In my second test I just add a "break" clause:

============== slapd.acl.conf: ======= (2)
defaultaccess   none

# First and only access clause:
access to dn.base="uid=testAdm,ou=people,dc=univ-lyon2,dc=fr" attrs=userPassword
by anonymous
auth break
=========== End of slapd.acl.conf. === (2)


This time, bind fails! Error code 50, "Insufficient Access Rights". Note that these are all my ACLs; i.e. there is no other access clause after this one.

Following the FAQ the meaning of "break" is:

You can also request that further analysis of this access clause (the
<who>) be stopped here but keep on reading other access clauses. You do
this by specifying break. This is useful if you have clauses that match
this target later in your configuration and want to be able to
add or remove privileges.

In other words, the only difference between test (1) and (2) is that after granting "anonymous" the "auth" privileges to myBindDn, the server should go on and analyze any further access clauses, to add or remove privileges. But here there are no more access clauses, so the "break" should have no effect! Instead, does have an effect: it cancels the privileges already granted.


What makes me feel its a bug is that if I add to (2) another access clause:

============== slapd.acl.conf: ======= (3)
defaultaccess   none

# First access clause:
access to dn.base="uid=testAdm,ou=people,dc=univ-lyon2,dc=fr" attrs=userPassword
by anonymous
auth break


# Second access clause:
access to dn.base="uid=testAdm,ou=people,dc=univ-lyon2,dc=fr" attrs=userPassword
by dn.base="uid=smurgle,ou=people,dc=univ-lyon2,dc=fr"
none
=========== End of slapd.acl.conf. === (3)


bind becomes successful again!

Here, the <what> part of the second acces clause matches, but no <who> section applies. However, it seems that finding one more access clause where the <what> matches, even if no <who> section applies, is enough to make the "break" happy.

This is confirmed by a fourth test, in which the <what> part doesn't match:

============== slapd.acl.conf: ======= (4)
defaultaccess   none

# First access clause:
access to dn.base="uid=testAdm,ou=people,dc=univ-lyon2,dc=fr" attrs=userPassword
by anonymous
auth break


# Second access clause:
access to dn.base="uid=blotch,ou=people,dc=univ-lyon2,dc=fr" attrs=userPassword
by dn.base="uid=smurgle,ou=people,dc=univ-lyon2,dc=fr"
none
=========== End of slapd.acl.conf. === (4)


This time bind fails. The <what> in the second access clause does not match.

If I am right about this being a BUG (big bad bug), I will put it in the ITS thing as such. But since I am not sure of myself I would like other people's opinions.

I have tried my tests with "ACL debugging" on (loglevel 128). As far as I understand the messages, they seem to confirm my analysis: "break" needs another matching access clause to be happy.

Workaround
==========

It seems one simple way to make "break" behave itself is to add a bogus access clause to the end of the ACLs, that will match any <what>, but apply to no <who>:

============== workaround: =======
# Last access clause:
access to *
      by dn.base="cn=No-One, o=no-org, c=Utopia"
         write
======= End of workaround. =======

With this added, cases (2) and (4) both become successful again.

---
David Olivier
Klebs gardien Alpages CRI courrier brebis Lyon 2 Lumière