dnattr in access clause doesn't work (ITS#2572)

Full_Name: Alexandre Tsu
Version: 2.1.16
OS: win2000
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (

The dnattr would never be processed when we give an access as:
access to dn.base="o=org,dc=example,dc=com"
    by dn.base="cn=Guests,ou=UserGroups,o=org,dc=example,dc=com"
       dnattr=member read
where "cn=guest,ou=Users,o=org,dc=example,dc=com" is contained in "cn=Guests".

I did a search in acl.c, aclparse.c and slap.h. The member a_dn_at of
structure Access is indicated to contain the dnattr property, and acl_mask()
will process it. access_allowed() will call acl_mask(). But the problem is
that, at line 275, the following directives
 while((a = acl_get( a, &count, be, op, e, desc,MAXREMATCHES, matches )) !=
]] are immediately skipped. Then acl_mask() is likewise skipped.
acl_get() always returns NULL when a dn is specified ("cn=Guests, ou=UserGroups,
o=org, dc=example, dc=com") which is not the same as the bound dn.
At line 449, [[if ( dnlen != patlen ) continue;]] breaks the cycle and
returns NULL.

Is this a logic problem?! I wonder how I could use dnattr if this is not a
Thank you very much.
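
Added example, not part of the original report and not OpenLDAP source: a small C model of how one "by" clause carrying both dn.base and dnattr=member is evaluated, assuming the slapd.access(5) semantics that every who-field in a clause must match and that dnattr is looked up in the entry being accessed. The struct and function names are hypothetical, and the entries are constructed from the DNs in the report.

```c
#include <stddef.h>
#include <string.h>

/* Simplified model of one "by" clause; not OpenLDAP source. DNs assumed normalized. */
struct entry {                       /* the entry being accessed */
    const char *dn;
    const char *member[4];           /* its "member" values, NULL-terminated */
};
struct by_clause {
    const char *dn_base;             /* dn.base="..." pattern, or NULL if absent */
    int dnattr_member;               /* nonzero if dnattr=member is present */
};

/* dn.base is an exact match; the length test mirrors the check quoted in the report. */
static int dn_base_match(const char *dn, const char *pat)
{
    size_t dnlen = strlen(dn), patlen = strlen(pat);
    if (dnlen != patlen) return 0;
    return memcmp(dn, pat, dnlen) == 0;
}

/* dnattr=member: the bound DN must be a "member" value of the accessed entry. */
static int dnattr_match(const char *bound, const struct entry *e)
{
    for (size_t i = 0; i < 4 && e->member[i] != NULL; i++)
        if (dn_base_match(bound, e->member[i])) return 1;
    return 0;
}

/* Assumption of this model: all who-fields present in the clause must match. */
int by_clause_matches(const char *bound, const struct by_clause *by,
                      const struct entry *target)
{
    if (by->dn_base && !dn_base_match(bound, by->dn_base)) return 0;
    if (by->dnattr_member && !dnattr_match(bound, target)) return 0;
    return 1;
}

/* Constructed sample data using the DNs from the report. */
#define GUEST  "cn=guest,ou=Users,o=org,dc=example,dc=com"
#define GUESTS "cn=Guests,ou=UserGroups,o=org,dc=example,dc=com"
const struct entry org_entry    = { "o=org,dc=example,dc=com", { NULL } };
const struct entry guests_entry = { GUESTS, { GUEST, NULL } };
const struct by_clause reported    = { GUESTS, 1 };  /* by dn.base=... dnattr=member */
const struct by_clause dnattr_only = { NULL, 1 };    /* by dnattr=member */
```

In this model the reported clause never matches a bind as cn=guest, because dn.base requires the bound DN to equal the cn=Guests DN itself. A membership test against a group entry is what the separate group who-field in slapd.access(5) is for.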