
Re: Problems resolving multi-valued attributes with acl directives (ITS#3269)



As a followup--I tried rebuilding using v2.2.15--the latest version that 
is on the OpenLDAP front page. (I had to recompile for Windows to test, so 
it took a little time.) The problem seemed to be cleared up with 
2.2.15--but I got a hang which I don't have time now to debug. (We are 
attempting to port a rather mature product from IBM SecureWay to OpenLDAP, 
so there are about a million things that could be going wrong. I do know 
it is OpenLDAP that is hanging, though--though I can't be certain it isn't 
something I did to recompile OpenLDAP with MSVC v6.)

I tried with v2.2.13--and while I'm not experiencing a hang, the problem 
appears to manifest itself there.


 
Bill Woody

Principle Software Developer
Symantec Corporation
Office: 310-449-5424
Interoffice: 6 [310] 5424
Email: bill_woody@symantec.com






hyc@symas.com
Sent by: owner-openldap-bugs@OpenLDAP.org
08/05/2004 10:20 PM

To: openldap-its@OpenLDAP.org
cc:
Subject: Re: Problems resolving multi-valued attributes with acl directives (ITS#3269)






bill_woody@symantec.com wrote:

> Full_Name: William Edward Woody
> Version: 2.2.8
> OS: Win32
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (198.6.50.155)
> 
> 
> I encountered a problem with entries with multi-valued attributes, where
> not all of the values were being returned in v2.2.8 of OpenLDAP slapd.
>
> When an entry is marked as having read access only to a group, reading the
> objectClass attribute with 'cn=root' (full root privileges) will return all
> objectClass attribute values. However, if one logs in using the access
> privileges of a member in the group, only the first objectClass attribute
> is returned.
>
> I narrowed down the problem to the state caching used while resolving ACL
> instructions. In servers/slapd/acl.c, the AccessControlState object appears
> to store the last resolved ACL item in the slapd.conf block access control
> list, and stores nothing with respect to the openLDAPaci attribute. Now
> we've defined our access control block to rely on openLDAPaci:

There was a recent change to ACL caching and OpenLDAPaci, does this 
problem still occur for you in the current release (2.2.25)?

-- 
   -- Howard Chu
   Chief Architect, Symas Corp.       Director, Highland Sun
   http://www.symas.com               http://highlandsun.com/hyc
   Symas: Premier OpenSource Development and Support