Issue 3050 - ACL sockurl syntax
Summary: ACL sockurl syntax
Status: VERIFIED FIXED
Alias: None
Product: OpenLDAP
Classification: Unclassified
Component: slapd (show other issues)
Version: unspecified
Hardware: All All
: --- normal
Target Milestone: ---
Assignee: OpenLDAP project
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2004-04-01 09:22 UTC by j.campbell@bham.ac.uk
Modified: 2014-08-01 21:05 UTC (History)
0 users

See Also:


Attachments

Description j.campbell@bham.ac.uk 2004-04-01 09:22:55 UTC
Full_Name: Jim Campbell
Version: 2.2.8
OS: Solaris 8
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (147.188.40.2)


Hi,
With 2.2.8 has there been a change in the ACL syntax:
access to *
        by sockurl="^ldapi:///$" write
as I now get permission denied from my Heimdal connection.
If I use:
access to *
        by sockurl="^ldapi:///$" write
        by sockname="PATH=/var/opt/OPENldap/run/ldapi" write
Then it passes through the first check and succeeds with the second:
=> acl_mask: access to entry
"ou=KerberosPrincipals,dc=NP,dc=PH,dc=BHAM,dc=AC,dc
=UK", attr "children" requested
=> acl_mask: to all values by "", (=n) 
<= check a_sockurl_pat: ^ldapi:///$
<= check a_sockname_path: PATH=/var/opt/OPENldap/run/ldapi
<= acl_mask: [2] applying write(=wrscx) (stop)
<= acl_mask: [2] mask: write(=wrscx)
=> access_allowed: write access granted by write(=wrscx)
=> access_allowed: write access to
"cn=krbtgt/np.ph.bham.ac.uk@np.ph.bham.ac.uk,
ou=KerberosPrincipals,dc=NP,dc=PH,dc=BHAM,dc=AC,dc=UK" "entry" requested

This used to work in 2.1.x
cheers
Jim

Comment 1 ando@openldap.org 2004-04-01 18:06:00 UTC
This change occurred ages ago.  Read slapd.access(5) for details.
To make a long story short, the default is exact.  Expressly require
regex evaluation.  And don't rely on defaults.

p.


-- 
Pierangelo Masarati
mailto:pierangelo.masarati@sys-net.it
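As an added example (not part of the bug report and not from the OpenLDAP sources), this is the reporter's ACL rewritten the way slapd.access(5) expects from 2.2 onward: the match style is named explicitly instead of relying on the default, which is exact. The listener URL ldapi:/// and the socket path are taken from the report; everything else is a placeholder.

```conf
# slapd.conf ACL fragment (added example, not the reporter's file).
# As of OpenLDAP 2.2 an unqualified sockurl= / sockname= uses the "exact"
# style, so the pattern is compared as a literal string.

# BROKEN on 2.2: the regex anchors are compared literally. The connection's
# sockurl is "ldapi:///", which never equals the string "^ldapi:///$", so
# this clause silently fails to match (the debug line
# "check a_sockurl_pat: ^ldapi:///$" shows the literal being tested).
#access to *
#        by sockurl="^ldapi:///$" write

# FIXED: request regex evaluation explicitly, so the anchors mean what the
# author intended.
access to *
        by sockurl.regex="^ldapi:///$" write

# Equivalent without a regex: name the exact style and give the literal
# listener URL and socket path (path is the reporter's, shown as an example).
#access to *
#        by sockurl.exact="ldapi:///" write
#        by sockname.exact="PATH=/var/opt/OPENldap/run/ldapi" write
```

Only the first `access to` clause that matches the target entry is evaluated, so keep exactly one of the variants active. A quick check after editing is to run slapd with `-d acl` and confirm that the `check a_sockurl_pat` line is followed by the rule being applied rather than falling through to a later `by` clause or the default deny.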


Comment 2 Kurt Zeilenga 2004-04-01 20:40:18 UTC
changed notes
Comment 3 ando@openldap.org 2004-04-03 10:10:35 UTC
changed state Open to Closed
Comment 4 Howard Chu 2009-02-17 05:25:25 UTC
moved from Incoming to Archive.Incoming
Comment 5 OpenLDAP project 2014-08-01 21:05:48 UTC
not a bug