
ACL Evaluation bug (ITS#3173)



Full_Name: Quanah Gibson-Mount
Version: 2.2.11
OS: Solaris 8
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (171.66.182.82)


I was working on ITS#3114, when I found that if I simply changed my ACLs,
everything worked.

Originally, I had:

access to *
        by dn.base="cn=replicator,cn=service,cn=Applications,dc=stanford,dc=edu" sasl_ssf=56 write
        by group.base="cn=Supervisor,cn=Applications,dc=stanford,dc=edu" sasl_ssf=56 write
        by group.base="cn=ldapAdmin,cn=Applications,dc=stanford,dc=edu" sasl_ssf=56 read
        by dn.base="cn=RegistryDataAuditor,cn=service,cn=Applications,dc=stanford,dc=edu" sasl_ssf=56 read
        by group.base="cn=ldapReplica,cn=Applications,dc=stanford,dc=edu" sasl_ssf=56 read
        by * break


This caused the ADDs I did to block.  I changed the ACL order after looking at
the debug output at -d -1 level, which showed that the ldapReplica group was not
being iterated through.

This ACL worked:

access to *
        by dn.base="cn=replicator,cn=service,cn=Applications,dc=stanford,dc=edu" sasl_ssf=56 write
        by group.base="cn=ldapReplica,cn=Applications,dc=stanford,dc=edu" sasl_ssf=56 read
        by group.base="cn=Supervisor,cn=Applications,dc=stanford,dc=edu" sasl_ssf=56 write
        by group.base="cn=ldapAdmin,cn=Applications,dc=stanford,dc=edu" sasl_ssf=56 read
        by dn.base="cn=RegistryDataAuditor,cn=service,cn=Applications,dc=stanford,dc=edu" sasl_ssf=56 read
        by * break


However, I'm now blocked by ITS#3172, so I can't give the more detailed output,
as I inadvertently blew away my initial -d -1 output file that had the iteration
information in it.
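The report turns on the order of `by` clauses inside one `access to` directive. The following is an added illustration written for this page, not OpenLDAP code and not part of the ITS: a simplified Python model of the documented first-match rule from slapd.access(5), in which the clauses are scanned in order, the first clause whose `who` selector (including its `sasl_ssf=` requirement) matches the bound identity decides the result, and `break` hands evaluation to the next `access to` directive. The bind DNs, group memberships and the evaluation trace are constructed here; the model does not reproduce the misbehaviour the report describes, it only shows why reordering clauses changes the outcome for an identity that matches more than one of them.

```python
"""Simplified model of slapd `by` clause evaluation (added illustration, not
OpenLDAP code). Supports the selectors used in the report: dn.base, group.base
and *, the sasl_ssf=N qualifier, and the controls stop (default) and break."""

from dataclasses import dataclass

# Privilege levels in increasing order, as listed in slapd.access(5).
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write"]


@dataclass
class Bind:
    """The bound identity as the ACL engine sees it (constructed sample data;
    real slapd resolves group membership by looking the group entry up)."""
    dn: str
    groups: frozenset   # DNs of groups the identity is a member of
    sasl_ssf: int


@dataclass
class By:
    """One `by <who> [sasl_ssf=N] [<access>] [<control>]` clause."""
    who: str            # "dn.base=<dn>", "group.base=<dn>" or "*"
    access: str         # one of LEVELS; "none" if the clause names no level
    min_ssf: int = 0    # sasl_ssf=N requirement, 0 when absent
    control: str = "stop"


def parse_by(line):
    """Parse a `by ...` clause in the form used in the report (quoted DN,
    no spaces inside the DN). Only stop/break controls are modelled."""
    tokens = line.split()
    if not tokens or tokens[0] != "by":
        raise ValueError(f"not a by clause: {line!r}")
    who = tokens[1].replace('"', "")
    min_ssf, access, control = 0, "none", "stop"
    for tok in tokens[2:]:
        if tok.startswith("sasl_ssf="):
            min_ssf = int(tok.split("=", 1)[1])
        elif tok in LEVELS:
            access = tok
        elif tok in ("stop", "break"):
            control = tok
        else:
            raise ValueError(f"unsupported token {tok!r} in {line!r}")
    return By(who, access, min_ssf, control)


def who_matches(by, bind):
    """A clause applies only if the identity satisfies its sasl_ssf
    requirement and its selector."""
    if bind.sasl_ssf < by.min_ssf:
        return False
    if by.who == "*":
        return True
    selector, _, value = by.who.partition("=")
    if selector == "dn.base":
        return bind.dn.lower() == value.lower()
    if selector == "group.base":
        return value.lower() in {g.lower() for g in bind.groups}
    raise ValueError(f"unsupported selector {selector!r}")


def evaluate(directives, bind, needed):
    """directives: one parsed clause list per `access to` directive, in
    file order. Returns (granted, trace); the trace records each decision."""
    trace = []
    for index, clauses in enumerate(directives):
        for by in clauses:
            if not who_matches(by, bind):
                trace.append(f"[{index}] {by.who}: no match")
                continue
            if by.control == "break":
                trace.append(f"[{index}] {by.who}: break, next directive")
                break   # leave this directive, try the next one
            granted = LEVELS.index(by.access) >= LEVELS.index(needed)
            trace.append(f"[{index}] {by.who}: first match, {by.access} "
                         f"-> {'granted' if granted else 'denied'}")
            return granted, trace   # first match decides (stop)
    trace.append("no directive decided: default access none")
    return False, trace


# The working ACL from the report, one `by` clause per line.
REPORT_ACL = [parse_by(line) for line in """
by dn.base="cn=replicator,cn=service,cn=Applications,dc=stanford,dc=edu" sasl_ssf=56 write
by group.base="cn=ldapReplica,cn=Applications,dc=stanford,dc=edu" sasl_ssf=56 read
by group.base="cn=Supervisor,cn=Applications,dc=stanford,dc=edu" sasl_ssf=56 write
by group.base="cn=ldapAdmin,cn=Applications,dc=stanford,dc=edu" sasl_ssf=56 read
by dn.base="cn=RegistryDataAuditor,cn=service,cn=Applications,dc=stanford,dc=edu" sasl_ssf=56 read
by * break
""".strip().splitlines()]

SUPERVISOR = "cn=Supervisor,cn=Applications,dc=stanford,dc=edu"
LDAPADMIN = "cn=ldapAdmin,cn=Applications,dc=stanford,dc=edu"


def swap_admin_groups(clauses):
    """Constructed variant: move the ldapAdmin clause ahead of Supervisor."""
    admin = next(c for c in clauses if c.who.endswith(LDAPADMIN))
    rest = [c for c in clauses if c is not admin]
    pos = next(i for i, c in enumerate(rest) if c.who.endswith(SUPERVISOR))
    return rest[:pos] + [admin] + rest[pos:]


if __name__ == "__main__":
    # Constructed identity that is a member of both admin groups.
    both = Bind("uid=op,cn=people,dc=stanford,dc=edu",
                frozenset({SUPERVISOR, LDAPADMIN}), 56)
    for label, acl in (("report order", REPORT_ACL),
                       ("ldapAdmin first", swap_admin_groups(REPORT_ACL))):
        granted, trace = evaluate([acl], both, "write")
        print(f"{label}: write {'granted' if granted else 'denied'}")
        print("  " + "\n  ".join(trace))
```

Run it directly to see the trace: with the report's order the Supervisor clause is the first match and write is granted, while with the ldapAdmin clause moved ahead the same identity hits `read` first and the write is denied, because the first matching clause ends evaluation under the default `stop` control.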