ITS#3140 patch breaks back-ldap, questionable security.



If an ACL set is evaluated on a back-ldap backend and librewrite is 
being used, slapd will get an assertion failure in rewrite_session_init 
(librewrite/session.c:84) from ldap_back_getconn (back-ldap/bind.c:295). 
This is due to the change in aci_match_set (acl.c:1826) using a new 
Operation structure with o_conn explicitly set to NULL.

It seems that we need a different mechanism for breaking the set 
recursion problem here. This patch appears to allow set ACLs to operate 
indiscriminately, regardless of ACL_AUTH access.

-- 
  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support