
Re: ACI syntax changes in 2.3 / OpenLDAPaci does not like multiple attributes



On Thu, 2006-02-09 at 21:03 +0100, Gerald Richter wrote: 
> Hi,
> 
> I am currently trying to move from 2.1 to 2.3 and noticed that I get syntax errors
> during slapadd for the OpenLDAPaci attribute. The new syntax validation for
> ACIs doesn't like [entry] and [children] as attributes. Aren't they
> necessary anymore?

I'm not sure they were allowed ever.  I think "entry" and "children" are
recognized, since they're valid built-in attributes in slapd.  The point
is that before being cast into a syntax, (almost) everything was
accepted, and errors were delayed until access control actually
occurred; however, errors were not very apparent, since invalid (read:
unrecognized) values were more or less ignored.

> Additionally, it doesn't accept more than one attribute, although looking
> through the source in aci.c it seems that the ACI code itself still
> supports multiple attributes. Here is an example:
> 
> OpenLDAPaci: 1#entry#grant;r,s,c;cn#access-id#cn=admin,dc=testuml,dc=test
> OpenLDAPaci: 1#entry#grant;r,s,c;dc#access-id#cn=aaa,dc=testuml,dc=test
> OpenLDAPaci: 1#entry#grant;r,s,c;cn,dc#access-id#cn=xxx,dc=testuml,dc=test
> 
> The first two entries are OK, while the third one fails. This seems like a bug to
> me, or am I overlooking something?

The third case has never been valid, AFAIR; you should rather use

OpenLDAPaci: 1#entry#grant;r,s,c;cn;r,s,c;dc#access-id#cn=xxx,dc=testuml,dc=test

i.e. you must use sequences of "{grant|deny};(<access>;<attr>)*" where
"<attr>" is a single attribute, or "[all]".

> P.S. Is there any description of the ACI syntax other than the outdated one in the
> FAQ?

None that I know of.  Essentially, the original syntax should be
(almost) entirely supported; a few new features are allowed, but
apparently no one ever felt the need to document it.  I'd expect that
someone who actually uses ACIs spends a few cycles preparing a doc
about them.  I don't use ACIs and I think I already spent enough time
factoring them out of slapd while (hopefully) preserving their
functionality...

p.




Ing. Pierangelo Masarati
Responsabile Open Solution
OpenLDAP Core Team

SysNet s.n.c.
Via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
------------------------------------------
Office:   +39.02.23998309          
Mobile:   +39.333.4963172
Email:    pierangelo.masarati@sys-net.it
------------------------------------------
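A small structural checker for the rule shape given in the reply (`{grant|deny};(<access>;<attr>)*`, one attribute or `[all]` per pair), added here as an illustration; it is not OpenLDAP's own validator and not code from this thread. It assumes only the scope (`entry`), subject type (`access-id`) and single-letter access codes seen in the examples above, and the sample values are the ones quoted in the thread.

```python
import re

# Sample rules taken from the thread: the first two are accepted by 2.3,
# the third fails (two attributes in one pair), the fourth is the reply's fix.
SAMPLE_ACIS = [
    "1#entry#grant;r,s,c;cn#access-id#cn=admin,dc=testuml,dc=test",
    "1#entry#grant;r,s,c;dc#access-id#cn=aaa,dc=testuml,dc=test",
    "1#entry#grant;r,s,c;cn,dc#access-id#cn=xxx,dc=testuml,dc=test",
    "1#entry#grant;r,s,c;cn;r,s,c;dc#access-id#cn=xxx,dc=testuml,dc=test",
]

ATTR_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*$")  # exactly one attribute type
ACCESS_RE = re.compile(r"^[a-z](,[a-z])*$")        # e.g. "r,s,c" (assumption)


def check_aci(value):
    """Return None if value fits the shape described in the thread,
    otherwise a string naming the first problem found."""
    parts = value.split("#")
    if len(parts) != 5:
        return "expected 5 '#'-separated fields, got %d" % len(parts)
    oid, scope, rights, subj_type, subject = parts
    if not oid.isdigit():
        return "oid must be numeric: %r" % oid
    if scope != "entry":  # assumption: only the scope used in the thread
        return "unsupported scope %r" % scope
    tokens = rights.split(";")
    if tokens[0] not in ("grant", "deny"):
        return "rights must start with grant or deny, got %r" % tokens[0]
    pairs = tokens[1:]
    if not pairs or len(pairs) % 2:
        return "rights need (<access>;<attr>) pairs, got %r" % pairs
    for access, attr in zip(pairs[::2], pairs[1::2]):
        if not ACCESS_RE.match(access):
            return "bad access list %r" % access
        if attr != "[all]" and not ATTR_RE.match(attr):
            return "attr must be one attribute or [all], got %r" % attr
    if subj_type != "access-id":  # assumption: only the type in the thread
        return "unsupported subject type %r" % subj_type
    if not subject:
        return "empty subject"
    return None


def check_all(values):
    """Map each rule to None (accepted) or its first problem."""
    return {v: check_aci(v) for v in values}


if __name__ == "__main__":
    for rule, problem in check_all(SAMPLE_ACIS).items():
        print("OK  " if problem is None else "FAIL", rule, problem or "")
```

Running it reports the `cn,dc` rule as the only failure among the four, and a rule using `[entry]` as an attribute is rejected for the same reason.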