Re: ACL access clause parsing



> It would appear that the ACL access clause parsing has changed between
> OpenLDAP 2.0 and 2.1.
>
> This ACL worked in 2.0:
>
> access to attrs=carLicense
>     by group="cn=Readers,ou=Admin,dc=my-domain,dc=com" read
>     by self write
>     by * none
>
> In 2.1 (at least 2.1.27 and 2.1.29), if the authenticated DN is a member
> of the Readers group, and they are attempting to modify their
> carLicense, they will fail with "Insufficient access (50)".
>
> However, if I reorder the ACL to:
>
> access to attrs=carLicense
>    by self write
>    by group="cn=Readers,ou=Admin,dc=my-domain,dc=com" read
>    by * none
>
> Then the modification of my own entry works even if I'm a member of the
> Readers group.
>
> Was this change intentional and I missed it somewhere in the
> documentation (which includes the slapd.access manpage for 2.1.29) or is
> it an error and I should file an ITS?


The <by> clauses are processed in order; at the first match
the check stops.  I believe this is the intended behavior
ever since UMich's ldap-3.3.  If you're simultaneously "self"
and member of the "cn=Readers,..." group, in the first example
the "by self" clause is not reached because the "by group"
clause matches first, so you don't get write permission.
In the second example, the "by self" clause matches first so
you get write permission.

p.

-- 
Pierangelo Masarati
mailto:pierangelo.masarati@sys-net.it
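As an added illustration (not code from this thread or from OpenLDAP), a small Python model of the first-match <by> evaluation the reply describes: the group membership, the DNs and the two ACL orderings are constructed for the example, only the self, group= and * who-specifiers are modelled, and DNs are lower-cased as a stand-in for real DN normalization.

```python
# Added example, not OpenLDAP code: a small model of slapd's first-match
# <by> clause evaluation. Only "self", group="<dn>" and "*" are modelled;
# DNs are compared case-insensitively as a stand-in for real DN normalization.
ACCESS_LEVELS = ["none", "auth", "compare", "search", "read", "write"]

def level_allows(granted, requested):
    """slapd access levels are cumulative: 'read' also grants 'search' etc."""
    return ACCESS_LEVELS.index(granted) >= ACCESS_LEVELS.index(requested)

def parse_access(clause):
    """Split 'access to <what> by <who> <level> ...' into (what, [(who, level)])."""
    head, *bys = " ".join(clause.split()).split(" by ")
    what = head[len("access to"):].strip()
    return what, [tuple(b.rsplit(None, 1)) for b in bys]

def who_matches(who, bind_dn, target_dn, groups):
    if who == "*":
        return True
    if who == "self":
        return bind_dn.lower() == target_dn.lower()
    if who.startswith("group="):
        members = groups.get(who[len("group="):].strip('"'), ())
        return bind_dn.lower() in {m.lower() for m in members}
    return False  # other <who> forms (dn=, dnattr=, ...) not modelled

def evaluate(clause, bind_dn, target_dn, requested, groups):
    """Return (matching who, granted level, allowed). The first <by> clause
    whose <who> matches decides; later clauses are never consulted."""
    _, rules = parse_access(clause)
    for who, level in rules:
        if who_matches(who, bind_dn, target_dn, groups):
            return who, level, level_allows(level, requested)
    return None, "none", False
# Constructed data modelled on the thread's example.
READERS = "cn=Readers,ou=Admin,dc=my-domain,dc=com"
ALICE = "uid=alice,ou=People,dc=my-domain,dc=com"   # a Readers member
BOB = "uid=bob,ou=People,dc=my-domain,dc=com"       # not a member
GROUPS = {READERS: [ALICE]}
ACL_GROUP_FIRST = f'''access to attrs=carLicense
    by group="{READERS}" read
    by self write
    by * none'''
ACL_SELF_FIRST = f'''access to attrs=carLicense
    by self write
    by group="{READERS}" read
    by * none'''
if __name__ == "__main__":
    for name, acl in [("group first", ACL_GROUP_FIRST), ("self first", ACL_SELF_FIRST)]:
        print(name, "-> alice writes own carLicense:", evaluate(acl, ALICE, ALICE, "write", GROUPS))
```

Running it reproduces the thread's observation: with the group clause first, a Readers member is stopped at "read" on their own entry, while with "by self write" first the same bind DN is granted write.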