
Re: ACL Evaluation bug (ITS#3173)



Could this simply be due to the separator between 5 and 6
in the RegistryDataAuditor by clause?

Kurt


At 09:45 AM 6/3/2004, quanah@stanford.edu wrote:
>Full_Name: Quanah Gibson-Mount
>Version: 2.2.11
>OS: Solaris 8
>URL: ftp://ftp.openldap.org/incoming/
>Submission from: (NULL) (171.66.182.82)
>
>
>I was working on ITS#3114, when I found that if I simply changed my ACL's,
>everything worked.
>
>Originally, I had:
>
>access to *
>        by dn.base="cn=replicator,cn=service,cn=Applications,dc=stanford,dc=edu"
>sasl_ssf=56 write
>        by group.base="cn=Supervisor,cn=Applications,dc=stanford,dc=edu"
>sasl_ssf=56 write
>        by group.base="cn=ldapAdmin,cn=Applications,dc=stanford,dc=edu"
>sasl_ssf=56 read
>        by dn.base="cn=RegistryDataAuditor,cn=service,cn=Applications,dc=stanford,dc=edu"
>sasl_ssf=5
>6 read
>        by group.base="cn=ldapReplica,cn=Applications,dc=stanford,dc=edu"
>sasl_ssf=56 read
>        by * break
>
>
>This caused the ADD's I did to block.  I changed the ACL order after looking at
>the debug output at -d -1 level, which showed that the ldapReplica group was not
>being iterated through.
>
>This ACL worked:
>access to *
>        by dn.base="cn=replicator,cn=service,cn=Applications,dc=stanford,dc=edu"
>sasl_ssf=56 write
>        by group.base="cn=ldapReplica,cn=Applications,dc=stanford,dc=edu"
>sasl_ssf=56 read
>        by group.base="cn=Supervisor,cn=Applications,dc=stanford,dc=edu"
>sasl_ssf=56 write
>        by group.base="cn=ldapAdmin,cn=Applications,dc=stanford,dc=edu"
>sasl_ssf=56 read
>        by dn.base="cn=RegistryDataAuditor,cn=service,cn=Applications,dc=stanford,dc=edu"
>sasl_ssf=5
>6 read
>        by * break
>
>
>However, I'm now blocked by ITS#3172, so I can't give the more detailed output,
>as I inadvertently blew away my initial -d -1 output file that had the iteration
>information in it.
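
The question at the top of this message concerns a split token (`sasl_ssf=5` followed by `6 read`) in one by clause. The following is an added example, not part of the original thread or of OpenLDAP: a small Python lint that joins slapd.conf continuation lines and reports any by-clause token that is not a recognised who, access or control keyword. The keyword sets are an assumed subset of slapd.access(5), and the sample ACL is constructed with shortened example DNs.

```python
import shlex

# Keyword subsets from slapd.access(5); not exhaustive (assumption of this example).
KEYWORDS = {"none", "auth", "compare", "search", "read", "write",
            "stop", "continue", "break", "*", "anonymous", "users", "self"}
SSF_KEYS = {"ssf", "transport_ssf", "tls_ssf", "sasl_ssf"}
WHO_KEYS = SSF_KEYS | {"dn", "group", "dnattr", "peername", "sockname",
                       "domain", "sockurl", "set", "aci"}

def logical_lines(text):
    """Join slapd.conf continuation lines (lines that start with whitespace)."""
    out = []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        if raw[0].isspace() and out:
            out[-1] += " " + raw.strip()
        else:
            out.append(raw.strip())
    return out

def lint_acl(text):
    """Return (by-clause number, token) for each unrecognised by-clause token."""
    findings = []
    for line in logical_lines(text):
        tokens = shlex.split(line)
        if tokens[:2] != ["access", "to"]:
            continue
        clause = 0
        for tok in tokens[2:]:
            if tok == "by":
                clause += 1
            elif clause == 0 or tok in KEYWORDS:
                continue          # <what> part, or a known bare keyword
            else:
                key, _, value = tok.partition("=")
                key = key.split(".")[0].split("/")[0]   # drop .style and /oc/at
                if key not in WHO_KEYS or (key in SSF_KEYS and not value.isdigit()):
                    findings.append((clause, tok))
    return findings

# Constructed sample: shortened example DNs, ssf value split as in the report.
SPLIT_ACL = '''access to *
        by dn.base="cn=RegistryDataAuditor,dc=example,dc=com" sasl_ssf=5
        6 read
        by group.base="cn=ldapReplica,dc=example,dc=com" sasl_ssf=56 read
        by * break
'''
print(lint_acl(SPLIT_ACL))
```

The lint only reports tokens it does not recognise; it makes no claim about how slapd itself evaluates such a clause.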