
RE: ACI syntax changes in 2.3 / OpenLDAPaci does not like multiple attributes



Hi,
> 
> > Additionally, it doesn't accept more than one attribute; also, while 
> > looking through the source in aci.c it seems that the ACI code 
> > itself still supports multiple attributes. Here is an example:
> > 
> > OpenLDAPaci: 
> > 1#entry#grant;r,s,c;cn#access-id#cn=admin,dc=testuml,dc=test
> > OpenLDAPaci: 
> > 1#entry#grant;r,s,c;dc#access-id#cn=aaa,dc=testuml,dc=test
> > OpenLDAPaci: 
> > 1#entry#grant;r,s,c;cn,dc#access-id#cn=xxx,dc=testuml,dc=test
> > 
> > The first two entries are ok, while the third one fails. This seems a 
> > bug to me, or am I overlooking something?
> 
> The third case has never been valid, 

But we use it in production for about 2 years with OpenLDAP 2.1 and it works :-)

> AFAIR, you should rather use
> 
> OpenLDAPaci: 
> 1#entry#grant;r,s,c;cn;r,s,c;dc#access-id#cn=xxx,dc=testuml,dc=test
> 
> i.e. you must use sequences of 
> "{grant|deny};(<access>;<attr>)*" where "<attr>" is a single 
> attribute, or "[all]".
> 

If you look at aci.c, in the function aci_list_has_attr it splits the attribute
list at ',', so it seems to me that it would still work if the syntax
validator accepts it.

If this is true, I could create a patch to make it work again.

Gerald
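The two syntaxes under discussion, worked through as an added example (this is not OpenLDAP's aci.c, and the OpenLDAP project does not ship this code). The '#'-separated field layout and the "{grant|deny};(<access>;<attr>)*" rights grammar are taken from the examples and the quoted reply above; the "lenient" mode is an assumption that mirrors the thread's description of aci_list_has_attr splitting the attribute list at ','. The Rule/Aci types and the function names are this example's own.

```python
"""Checker for the OpenLDAPaci value shape discussed in this thread.

Added illustration, not OpenLDAP's own aci.c.  The field layout and the
"{grant|deny};(<access>;<attr>)*" rights grammar come from the examples
and the quoted reply in the thread; strict=False is an assumption that
mirrors the description of aci_list_has_attr splitting <attr> at ','.
"""
from dataclasses import dataclass
from typing import List


@dataclass
class Rule:
    access: List[str]   # e.g. ["r", "s", "c"]
    attrs: List[str]    # attribute names, or ["[all]"]


@dataclass
class Aci:
    oid: str            # "1" in the examples
    scope: str          # "entry" in the examples
    action: str         # "grant" or "deny"
    rules: List[Rule]
    subject_type: str   # "access-id" in the examples
    subject: str        # the subject DN


def parse_aci(value: str, strict: bool = True) -> Aci:
    """Parse one OpenLDAPaci value.

    strict=True enforces the grammar from the reply: every <attr> is a
    single attribute or "[all]", so "cn,dc" is rejected.  strict=False
    accepts a comma-separated <attr> list, the behaviour reported as
    working in production with 2.1.
    """
    fields = value.split('#')
    if len(fields) != 5:
        raise ValueError(f"expected 5 '#'-separated fields, got {len(fields)}")
    oid, scope, rights, subject_type, subject = fields
    if not (oid and scope and subject_type and subject):
        raise ValueError("empty field")

    tokens = rights.split(';')
    action, rest = tokens[0], tokens[1:]
    if action not in ('grant', 'deny'):
        raise ValueError(f"action must be grant or deny, got {action!r}")
    if not rest or len(rest) % 2:
        raise ValueError("rights must be a sequence of <access>;<attr> pairs")

    rules = []
    for i in range(0, len(rest), 2):
        access = [a for a in rest[i].split(',') if a]
        attr_field = rest[i + 1]
        if not access or not attr_field:
            raise ValueError("empty <access> or <attr>")
        if strict and ',' in attr_field:
            raise ValueError(f"<attr> must be a single attribute: {attr_field!r}")
        # Lenient mode: split the attribute list at ',' as described for aci_list_has_attr.
        attrs = [a for a in attr_field.split(',') if a]
        rules.append(Rule(access, attrs))
    return Aci(oid, scope, action, rules, subject_type, subject)


def grants(aci: Aci, attr: str, right: str) -> bool:
    """True if the ACI grants <right> on <attr>; attribute names compare case-insensitively."""
    if aci.action != 'grant':
        return False
    for rule in aci.rules:
        if right in rule.access and any(
            a == '[all]' or a.lower() == attr.lower() for a in rule.attrs
        ):
            return True
    return False


# Constructed input values, copied from the thread.
OK_CN = "1#entry#grant;r,s,c;cn#access-id#cn=admin,dc=testuml,dc=test"
MULTI = "1#entry#grant;r,s,c;cn,dc#access-id#cn=xxx,dc=testuml,dc=test"
REWRITTEN = "1#entry#grant;r,s,c;cn;r,s,c;dc#access-id#cn=xxx,dc=testuml,dc=test"


def check_all() -> dict:
    """Run the three thread examples through strict and lenient parsing."""
    out = {}
    out['ok_cn_strict'] = grants(parse_aci(OK_CN), 'cn', 'r')
    try:
        parse_aci(MULTI)
        out['multi_strict'] = 'accepted'
    except ValueError:
        out['multi_strict'] = 'rejected'
    out['multi_lenient'] = grants(parse_aci(MULTI, strict=False), 'dc', 's')
    out['rewritten_strict'] = grants(parse_aci(REWRITTEN), 'dc', 'c')
    return out


if __name__ == '__main__':
    for name, result in check_all().items():
        print(f"{name}: {result}")
```

Under the strict grammar the "cn,dc" value is rejected at parse time while the rewritten "r,s,c;cn;r,s,c;dc" form is accepted and produces two rules; under the lenient reading the single rule with two attributes evaluates the same way, which is the behaviour Gerald's proposed validator patch would restore.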
