OpenLDAP
Viewing Incoming/6035

From: dgbaley27@verizon.net
Subject: slapd requires restart after modifying olcAuthzRegexp

Date: Thu, 26 Mar 2009 03:33:37 +0000
From: dgbaley27@verizon.net
To: openldap-its@OpenLDAP.org
Subject: slapd requires restart after modifying olcAuthzRegexp
Full_Name: Matthew Monaco
Version: 2.4.11
OS: GNU/Linux 2.6.27-7 (Ubuntu 8.10 Server JeOS)
URL: 
Submission from: (NULL) (96.242.209.249)


After modifying existing olcAuthzRegexp and/or adding/removing additional
olcAuthzRegexp from cn=config, I needed to restart slapd for the changes to take
effect.

I'm not sure if it matters but I was using ldapvi to do the modification.

I can, however, confirm that the changes immediately appeared in various other
ldap browsers (such as Apache Directory Studio).

Followup 1

Date: Thu, 26 Mar 2009 09:13:13 -0700
From: hyc@symas.com
To: dgbaley27@verizon.net
Cc: openldap-its@openldap.org
Subject: Re: (ITS#6035) slapd requires restart after modifying olcAuthzRegexp
This is a known limitation in authz regexp support. There are no plans
to change this any time soon.

On Thu, Mar 26, 2009 at 03:33:37AM +0000, dgbaley27@verizon.net wrote:
> Full_Name: Matthew Monaco
> Version: 2.4.11
> OS: GNU/Linux 2.6.27-7 (Ubuntu 8.10 Server JeOS)
> URL: 
> Submission from: (NULL) (96.242.209.249)
> 
> 
> After modifying existing olcAuthzRegexp and/or adding/removing additional
> olcAuthzRegexp from cn=config, I needed to restart slapd for the changes to
> take effect.
> 
> I'm not sure if it matters but I was using ldapvi to do the modification.
> 
> I can, however, confirm that the changes immediately appeared in various
> other ldap browsers (such as Apache Directory Studio).



Followup 2

Date: Thu, 26 Mar 2009 13:20:45 -0700
From: Quanah Gibson-Mount <quanah@zimbra.com>
To: hyc@symas.com, openldap-its@openldap.org
Subject: Re: (ITS#6035) slapd requires restart after modifying olcAuthzRegexp
--On Thursday, March 26, 2009 4:14 PM +0000 hyc@symas.com wrote:

> This is a known limitation in authz regexp support. There are no plans
> to change this any time soon.

Where's this limitation documented?  What other parameters in the config 
backend have the same flaw?  We've certainly fixed this for a number of 
other things.

I don't even see authz-regexp/olcAuthzRegexp mentioned in chapters 5 or 6 
in the admin guide, and the man pages don't note this limitation.

--Quanah

--

Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra ::  the leader in open source messaging and collaboration



Followup 3

Date: Thu, 26 Mar 2009 21:27:32 +0100
From: Pierangelo Masarati <ando@sys-net.it>
To: quanah@zimbra.com
CC: openldap-its@openldap.org
Subject: Re: (ITS#6035) slapd requires restart after modifying olcAuthzRegexp
quanah@zimbra.com wrote:
> --On Thursday, March 26, 2009 4:14 PM +0000 hyc@symas.com wrote:
> 
>> This is a known limitation in authz regexp support. There are no plans
>> to change this any time soon.
> 
> Where's this limitation documented?  What other parameters in the config 
> backend have the same flaw?  We've certainly fixed this for a number of 
> other things.

Indeed, it has been finally, although rather inelegantly, fixed in 
slapo-rwm(5), AFAIR.

p.


Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
-----------------------------------
Office:  +39 02 23998309
Mobile:  +39 333 4963172
Fax:     +39 0382 476497
Email:   ando@sys-net.it
-----------------------------------



Followup 4

Date: Tue, 16 Sep 2014 21:35:07 -0700
From: Ryan Tandy <ryan@nardis.ca>
To: openldap-its@OpenLDAP.org
Subject: Re: (ITS#6035) slapd requires restart after modifying olcAuthzRegexp
Hi,

Following up from 
<https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=761407#23>:

This limitation seems to still exist (tried RE24 and master).

Until it can be fixed, please document it clearly in slapd-config.5 (and maybe 
the admin guide too), as well as any related attrs if they also require a 
restart (olcAuthzPolicy?). It's surprising behaviour, since almost every other 
attribute does support online configuration. Proposed patch follows.

thanks,
Ryan

diff --git a/doc/man/man5/slapd-config.5 b/doc/man/man5/slapd-config.5
index c5bf06f..7c39369 100644
--- a/doc/man/man5/slapd-config.5
+++ b/doc/man/man5/slapd-config.5
@@ -409,6 +409,10 @@ values can be specified to allow for multiple matching
 and replacement patterns. The matching patterns are checked in the order they 
 appear in the attribute, stopping at the first successful match.
 
+Note that changes to 
+.B olcAuthzRegexp 
+take effect the next time the server is started, not immediately upon 
+changing the configuration.
 .\".B Caution:
 .\"Because the plus sign + is a character recognized by the regular expression
engine,
 .\"and it will appear in names that include a REALM, be careful to escape the
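
Review bot: the note added after "stopping at the first successful match." says when a change takes effect but not what happens in the meantime; since the report in this ITS is that the new values are already returned from cn=config while the restart is still pending, the text should say that the stored value and the behaviour of the running server can differ until slapd is restarted. That matters most when a mapping is removed or tightened, because an administrator reading cn=config would assume the change is live. The three added text lines also end in trailing whitespace ("Note that changes to ", ".B olcAuthzRegexp ", "... not immediately upon "), which should be stripped. The accompanying message asks whether related attributes such as olcAuthzPolicy need a restart as well; this hunk covers only olcAuthzRegexp, so that should be checked and documented in the same change if it applies.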

