
Re: access to ... attrs=entry,attr1,attr2 not restricting access properly (ITS#1925)

Thanks for the detailed information.  Yes, there is a bug in
the ACL handling of 'to dn=""' and variants.  I've committed
a fix to HEAD branch which should resolve the problem.  Please


At 06:18 AM 2002-07-10, Richard.Goerwitz@Carleton.edu wrote:
>Kurt@OpenLDAP.org wrote:
>>>Restricting access to specific attributes does not work properly.
>>>access to attrs=userPassword
>>> by anonymous auth
>>> by self read
>>> by * none
>>># Restrict access to attr1 and attr2 if hideMe is set
>>>access to dn.children="ou=People,dc=carleton,dc=edu" filter="hideme=*"
>>> attrs=entry,attr1,attr2
>>>   by self read break
>>>   by users read
>>>   by * none
>>># If hideMe is NOT set (or if user=self), go ahead and reveal everything
>>>access to *
>>> by users read
>>> by * none
>>>In the above case if a user (not self) binds to the directory (OpenLDAP
>>>2.1.2), then the user can see everything, as if the second rule above were
>>>not there - although a traceback shows that in fact that rule is applied.
>>>Note that even if I change the "by users read" line in the second rule to
>>>an explicit "by users read stop" the problem still persists.
>> The behavior you describe is consistent with your ACLs.
> From the documentation, you'd expect the first 'by users read'
>clause above to apply and block processing before the 'access to *'
>rule applies.  This is the behavior I expected from the documentation.
>And it's the behavior that actually makes sense to me -
>although I freely admit that I'm new to OpenLDAP.
>Richard Goerwitz                               richard@Goerwitz.COM
>tel: 507 645 7015
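An added model of the slapd.access(5) evaluation order this thread turns on (first matching 'access to' directive, then 'by' clauses with stop/continue/break), run over the three directives Richard posted. This is a constructed example, not OpenLDAP's code, and it assumes the documented semantics without the 'to dn' bug Kurt refers to; the entry, the bind DNs and the HIDING_ACL variant are assumptions.

```python
# Constructed model of slapd.access(5) evaluation for the three directives in the report
# above (NOT OpenLDAP code; the ITS#1925 'to dn' bug is not modelled).
# Each directive: (target, [(who, level, control), ...]); control is stop/continue/break.
ACL = [
    ({"attrs": {"userPassword"}},
     [("anonymous", "auth", "stop"), ("self", "read", "stop"), ("*", "none", "stop")]),
    ({"children": "ou=people,dc=carleton,dc=edu", "presence": "hideme",
      "attrs": {"entry", "attr1", "attr2"}},
     [("self", "read", "break"), ("users", "read", "stop"), ("*", "none", "stop")]),
    ({}, [("users", "read", "stop"), ("*", "none", "stop")]),
]
# Variant that actually hides attr1/attr2 from other users: deny, don't grant, on 'by users'.
HIDING_ACL = [ACL[0], (ACL[1][0], [("self", "read", "break"), ("users", "none", "stop"),
                                  ("*", "none", "stop")]), ACL[2]]

# Constructed entry standing in for the ou=People subtree (DNs lower-cased); hideMe is set.
ALICE = "uid=alice,ou=people,dc=carleton,dc=edu"
BOB = "uid=bob,ou=people,dc=carleton,dc=edu"       # another bound user (not self)
ENTRIES = {ALICE: {"hideme": ["TRUE"], "attr1": ["secret"], "cn": ["Alice"], "userPassword": ["x"]}}

def target_matches(tgt, dn, attr):
    """'access to' part: dn.children, presence filter and attrs list."""
    if "children" in tgt and not dn.endswith("," + tgt["children"]):
        return False
    if "presence" in tgt and tgt["presence"] not in ENTRIES[dn]:
        return False
    return "attrs" not in tgt or attr in tgt["attrs"]

def who_matches(who, binddn, dn):
    """'by' subject: anonymous, users (any bound DN), self, or *."""
    return (who == "*" or (who == "anonymous" and binddn is None)
            or (who == "users" and binddn is not None) or (who == "self" and binddn == dn))

def evaluate(acl, binddn, dn, attr):
    """Access level binddn gets on attribute attr of entry dn (simplified model)."""
    level = "none"
    for tgt, clauses in acl:
        if not target_matches(tgt, dn, attr):
            continue                        # not this directive's target; try the next
        matched = False
        for who, lvl, ctl in clauses:
            if not who_matches(who, binddn, dn):
                continue
            matched, level = True, lvl
            if ctl == "stop":
                return level                # default: first matching 'by' clause decides
            if ctl == "break":
                break                       # go on to the next 'access to' directive
            # 'continue': keep scanning this directive's 'by' clauses
        else:
            return level if matched else "none"   # nothing matched: implicit 'by * none'
    return level
```

Under this model "by users read" in the second directive grants read and stops, so a non-self user sees attr1 on a hideMe entry; only a "none" level (HIDING_ACL) denies it.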