Issue 6753 - Compare operation broken with attribute inheritance
Summary: Compare operation broken with attribute inheritance
Status: RESOLVED PARTIAL
Product: OpenLDAP
Classification: Unclassified
Component: slapd
Version: unspecified
Hardware: All All
Importance: --- normal
Assignee: OpenLDAP project
Reported: 2010-12-20 09:27 UTC by Hallvard Furuseth
Modified: 2014-08-01 21:04 UTC

Description Hallvard Furuseth 2010-12-20 09:27:07 UTC
Full_Name: Hallvard B Furuseth
Version: HEAD
OS: Linux
URL: 
Submission from: (NULL) (193.157.200.213)
Submitted by: hallvard


back-bdb, back-monitor: If attr A is ACL-protected and inherits from B,
one can still check its value with ldapcompare ... 'B:value'.

back-config: Compare doesn't seem to support attribute inheritance.

root DSE, cn=subschema: Inheritance works correctly.

######## acl.conf
include servers/slapd/schema/core.schema
rootdse root.ldif
access  to attrs=st,cn  by * none
access  to *            by * read

database        bdb
suffix          o=foo
directory       acl.dir
dbconfig        set_flags DB_LOG_AUTOREMOVE

database        monitor

database        config
access  to *    by * read

######## root.ldif
dn:
objectClass: extensibleObject
st: hidden

######## slapadd: acl.ldif
dn: o=foo
objectClass: organization
st: hidden

######## Results.  cn=config should get TRUE, others UNDEFINED.
ldapcompare -x cn=config  name:config  -> UNDEFINED, No such attribute (16)
ldapcompare -x cn=config    cn:config  -> TRUE

ldapcompare -x o=foo      name:hidden  -> TRUE
ldapcompare -x o=foo        st:hidden  -> UNDEFINED, Insufficient access (50)

ldapcompare -x cn=monitor name:monitor -> TRUE
ldapcompare -x cn=monitor   cn:monitor -> UNDEFINED, Insufficient access (50)

ldapcompare -x ''         name:hidden  -> UNDEFINED, Insufficient access (50)
ldapcompare -x ''           cn:hidden  -> UNDEFINED, Insufficient access (50)

ldapcompare -x cn=subschema   cn:subschema -> UNDEFINED, Insufficient access (50)
ldapcompare -x cn=subschema name:subschema -> UNDEFINED, Insufficient access (50)
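
The behaviour in the report above, reduced to a small C model and added here as an example; it is not code from the report or from OpenLDAP. The names `compare_entry`, `access_allowed`, `is_or_inherits` and the `check_stored` switch are hypothetical, the entry is constructed from the report's o=foo, and `access_allowed` stands in for the two `access to` lines in acl.conf.

```c
#include <stdio.h>
#include <string.h>
/* LDAP result codes returned by Compare. */
enum { COMPARE_FALSE = 5, COMPARE_TRUE = 6, NO_SUCH_ATTRIBUTE = 16, INSUFFICIENT_ACCESS = 50 };

/* Supertype links as in core.schema: st, cn and o all inherit from name. */
struct attr_type { const char *name, *sup; };
static const struct attr_type schema[] = {
    { "name", NULL }, { "st", "name" }, { "cn", "name" }, { "o", "name" } };

/* Constructed entry modelled on the report's o=foo. */
struct attr { const char *type, *value; };
static const struct attr entry[] = { { "o", "foo" }, { "st", "hidden" } };

/* Models "access to attrs=st,cn by * none" then "access to * by * read". */
static int access_allowed(const char *type) {
    return strcmp(type, "st") != 0 && strcmp(type, "cn") != 0;
}

/* True if `type` is `wanted` or inherits from it through the schema. */
static int is_or_inherits(const char *type, const char *wanted) {
    while (type != NULL) {
        const char *sup = NULL;
        if (strcmp(type, wanted) == 0) return 1;
        for (size_t i = 0; i < sizeof schema / sizeof *schema; i++)
            if (strcmp(schema[i].name, type) == 0) sup = schema[i].sup;
        type = sup;
    }
    return 0;
}

/* check_stored = 0: ACL tested on the asserted type only (reported behaviour).
 * check_stored = 1: ACL also tested on every stored type that is examined. */
static int compare_entry(const char *asserted, const char *value, int check_stored) {
    int rc = NO_SUCH_ATTRIBUTE;
    if (!access_allowed(asserted)) return INSUFFICIENT_ACCESS;
    for (size_t i = 0; i < sizeof entry / sizeof *entry; i++) {
        if (!is_or_inherits(entry[i].type, asserted)) continue;
        if (check_stored && !access_allowed(entry[i].type)) return INSUFFICIENT_ACCESS;
        if (strcmp(entry[i].value, value) == 0) return COMPARE_TRUE;
        rc = COMPARE_FALSE;
    }
    return rc;
}

int main(void) {
    printf("name:hidden, asserted-type ACL only: %d\n", compare_entry("name", "hidden", 0));
    printf("name:hidden, stored-type ACL too:    %d\n", compare_entry("name", "hidden", 1));
    return 0;
}
```

With `check_stored` set, name:hidden on the model entry yields 50 instead of 6, which is the result the report expects for o=foo.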
Comment 1 Howard Chu 2010-12-23 12:54:15 UTC
changed notes
changed state Open to Test
moved from Incoming to Software Bugs
Comment 2 Quanah Gibson-Mount 2011-01-04 10:37:46 UTC
changed notes
changed state Test to Release
Comment 3 Quanah Gibson-Mount 2011-01-04 10:37:56 UTC
changed notes
changed state Release to Partial
Comment 4 Howard Chu 2011-02-10 10:59:25 UTC
h.b.furuseth@usit.uio.no wrote:
> Full_Name: Hallvard B Furuseth
> Version: HEAD
> OS: Linux
> URL:
> Submission from: (NULL) (193.157.200.213)
> Submitted by: hallvard
>
>
> back-bdb, back-monitor: If attr A is ACL-protected and inherits from B,
> one can still check its value with ldapcompare ... 'B:value'.
>
> back-config: Compare doesn't seem to support attribute inheritance.
>
> root DSE, cn=subschema: Inheritance works correctly.

All Compare processing has been centralized in the frontend so all backends 
implement it uniformly now.

-- 
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/

Comment 5 OpenLDAP project 2014-08-01 21:04:32 UTC
partial fix in HEAD - check all other backends
partial fix in RE24 - check all other backends