[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: slapacl question

To: TechnoSophos <technosophos@gmail.com>
Subject: Re: slapacl question
From: Pierangelo Masarati <pierangelo.masarati@sys-net.it>
Date: Sat, 26 Aug 2006 12:33:28 +0200
Cc: OpenLDAP-software@OpenLDAP.org
In-reply-to: <70fbbb000608222137k69993261w3983a280c7379dde@mail.gmail.com>
References: <70fbbb000608220805t60d2e85cm9aa5ba7015eadee1@mail.gmail.com> <70fbbb000608222137k69993261w3983a280c7379dde@mail.gmail.com>
User-agent: Mail/News 1.5.0.5 (X11/20060808)

TechnoSophos wrote:

Should I file this as a bug?

On 8/22/06, TechnoSophos <technosophos@gmail.com> wrote:

When using the slapacl program to test ACLs, how come slapacl
inidcates that a  user has 'read' permissions when the ACL restricts
to 'auth' only?

###

# slapacl -D 'uid=matt,ou=Users,dc=example,dc=com' -b
'uid=barbara,ou=Users,dc=example,dc=com' -d acl 'cn/read'
Backend ACL: access to attrs=userPassword
        by anonymous auth
        by self write
        by * none

Backend ACL: access to attrs=cn
        by users auth
        by self write
        by * none

Backend ACL: access to *
        by self write
        by users read
        by * none

authcDN: "uid=matt,ou=users,dc=example,dc=com"
=> access_allowed: read access to "" "cn" requested
=> access_allowed: backend default read access granted to
"uid=matt,ou=users,dc=example,dc=com"
read access to cn: ALLOWED

###

Note that the same things happens if I substitute '=x' for 'auth' in the acl.

Thanks,

Matt

(OpenLDAP version: 2.3.25)


For those of you perishing few who still have a problem with top
posting: should I file this as a bug?


There seems to be some inconsistency within your report.  The logs say

=> access_allowed: read access to "" "cn" requested
=> access_allowed: backend default read access granted to

which corresponds to requesting access to "" instead of 'uid=barbara,ou=Users,dc=example,dc=com' as indicated in the command line. If I set the same rules indicated in your logs in a generic slapd.conf file, and run the same command line you run, I get the expected behavior both with HEAD and 2.3.27. I suggest you clearly define the boundary conditions for your test before claiming you spot a bug. Please isolate a minimal slapd.conf (with a database in LDIF format, if by any means relevant) and a command-line that results in the unexpected behavior you describe. Please test it with OpenLDAP 2.3.27, since bugs no longer present in the current release tree would not be considered. If the problem persists, you should file an ITS; make sure you provide the data (slapd.conf, LDIF and command line) that is required to reproduce the problem.

p.


   SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497

References:
- slapacl question
  - From: TechnoSophos <technosophos@gmail.com>
- Re: slapacl question
  - From: TechnoSophos <technosophos@gmail.com>

Prev by Date: Re: TreeDeleteControl and SortControl
Next by Date: Re: hdb -- moving olc* objects -- expected behavior?
Index(es):
- Chronological
- Thread