Re: access to ... attrs=entry,attr1,attr2 not restricting access properly (ITS#1925)
My last message was sent in error. In regard to this report,
I still cannot conclude from your report that there is a bug in
the software.
From your ACLs,
If rule two is applicable,
users can read everything but userPassword
else
users can read everything but userPassword.
You report:
users can read everything (but userPassword).
I don't see a software bug in that.
Kurt
At 06:18 AM 2002-07-10, Richard.Goerwitz@Carleton.edu wrote:
>Kurt@OpenLDAP.org wrote:
>
>>>Restricting access to specific attributes does not work properly.
>>>
>>>access to attrs=userPassword
>>> by anonymous auth
>>> by self read
>>> by * none
>>>
>>># Restrict access to attr1 and attr2 if hideMe is set
>>>access to dn.children="ou=People,dc=carleton,dc=edu" filter="hideme=*"
>>> attrs=entry,attr1,attr2
>>> by self read break
>>> by users read
>>> by * none
>>>
>>># If hideMe is NOT set (or if user=self), go ahead and reveal everything
>>>access to *
>>> by users read
>>> by * none
>>>
>>>In the above case if a user (not self) binds to the directory (OpenLDAP
>>>2.1.2), then the user can see everything, as if the second rule above were
>>>not there - although a traceback shows that in fact that rule is applied.
>>>Note that even if I change the "by users read" line in the second rule to
>>>an explicit "by users read stop" the problem still persists.
>>
>> The behavior you describe is consistent with your ACLs.
>
>From the documentation, you'd expect the first 'by users read'
>clause above to apply and block processing before the 'access to *'
>rule applies. This is the behavior I expected from the documentation.
>And it's the behavior that actually makes sense to me -
>although I freely admit that I'm new to OpenLDAP.
>
>--
>
>Richard Goerwitz richard@Goerwitz.COM
>tel: 507 645 7015
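An added illustration of the evaluation Kurt walks through above (example code written for this page, not from OpenLDAP or from anyone in the thread): a small Python model of slapd's stop/continue/break semantics run over the three rules from the report, plus a variant with the "by users read" clause dropped from the second rule, which is my assumption about the intended policy and not a fix proposed in the thread. The entry DNs and attribute values are constructed, and the dn.children scope is not modelled.

```python
# Simplified model of slapd ACL evaluation (slapd.access(5)): the first
# directive whose target matches the attribute and filter is used; the first
# matching <who> clause sets the level and its control decides what follows:
# "stop" (default) ends evaluation, "continue" tries the next <who> clause,
# "break" moves to the next directive. No <who> match means no access.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]
# Directive: (attrs or None for "*", filter attribute or None, [(who, level, control)])
ORIGINAL = [
    ({"userPassword"}, None,
     [("anonymous", "auth", "stop"), ("self", "read", "stop"), ("*", "none", "stop")]),
    ({"entry", "attr1", "attr2"}, "hideme",
     [("self", "read", "break"), ("users", "read", "stop"), ("*", "none", "stop")]),
    (None, None, [("users", "read", "stop"), ("*", "none", "stop")]),
]
# Assumed intent of "restrict access ... if hideMe is set": without
# "by users read", the stopping "by * none" denies every other user.
HARDENED = [ORIGINAL[0], ({"entry", "attr1", "attr2"}, "hideme",
            [("self", "read", "stop"), ("*", "none", "stop")]), ORIGINAL[2]]
# Constructed sample data; the dn.children scope is not modelled.
ALICE = {"dn": "uid=alice,ou=People,dc=carleton,dc=edu", "hideme": "TRUE", "attr1": "x"}
BOB = "uid=bob,ou=People,dc=carleton,dc=edu"
def who_matches(who, requester, entry):
    return (who == "*" or (who == "anonymous" and requester is None)
            or (who == "users" and requester is not None)
            or (who == "self" and requester == entry["dn"]))
def access(acl, requester, entry, attr):
    """Access level that requester (bind DN, or None) gets to attr of entry."""
    granted = "none"
    for attrs, flt, clauses in acl:
        if attrs is not None and attr not in attrs:
            continue                  # target does not cover this attribute
        if flt is not None and flt not in entry:
            continue                  # filter="hideme=*" does not match
        matched = False
        for who, level, control in clauses:
            if not who_matches(who, requester, entry):
                continue
            matched, granted = True, level
            if control == "stop":
                return granted
            if control == "break":
                break                 # carry on with the next directive
        else:                         # ran out of <who> clauses
            return granted if matched else "none"
    return granted

def can_read(acl, requester, entry, attr):
    """Returning an attribute also needs read on the "entry" pseudo-attribute."""
    return all(LEVELS.index(access(acl, requester, entry, a)) >= LEVELS.index("read")
               for a in ("entry", attr))
```

With the report's rules, bob reads alice's attr1 because the second rule itself grants "by users read"; with the variant, the same request stops at "by * none" and the entry is not returned to him at all.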