
(ITS#3446) ACL val clause ineffective with bind



Full_Name: Aaron Richton
Version: 2.2.19
OS: Solaris 9
URL: 
Submission from: (NULL) (67.85.190.119)


Start with test010-passwd, altered to halt the test after Pass 1. Note 

ldapsearch -x -H "ldap://localhost:9011/" \
    -D "cn=md5,o=University of Michigan,c=US" -LLL \
    -b "o=University of Michigan,c=US" -w newsecret '(cn=md5)' userPassword

returns

dn: cn=md5,o=University of Michigan,c=US
userPassword:: e1NNRDV9TXZ0cWdGV2s3d0JTbm1xK3dlcmNQNFZ4UCtnPQ==


Edit the slapd config file. Replace the first "access" stanza with

access to attr=userpassword
        by * none

Restart slapd, rerun ldapsearch as above, and note "Invalid credentials." Since
no "auth," we've observed expected behavior.

Replace the first "access" stanza with

access to attr=userpassword val.regex=^[{]SMD5[}].*
        by * none

Rerun ldapsearch as above. The read is prohibited, but the bind is not.

dn: cn=md5,o=University of Michigan,c=US

is output. I would expect "Invalid credentials." I'd claim this to be an ACL
processing bug.
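
The behavior the report expects can be written down as a small model: the first stanza whose attribute and value clause match decides the access level, and a simple bind needs "auth" on the stored userPassword value. This is an added example, not OpenLDAP code and not part of the original submission; the catch-all stanza and all function names are assumptions.

```python
import base64
import re

# slapd access levels in increasing order of privilege.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]

# userPassword value from the ldapsearch output in the report (LDIF base64).
STORED_B64 = "e1NNRDV9TXZ0cWdGV2s3d0JTbm1xK3dlcmNQNFZ4UCtnPQ=="

# Stanzas as (attr, val.regex, level granted to "*").
# The first entry of each list is from the report; the catch-all second
# entry is ASSUMED, since the rest of the test config is not shown.
ACL_NO_VAL = [("userpassword", None, "none"), (None, None, "read")]
ACL_VAL = [("userpassword", r"^[{]SMD5[}].*", "none"), (None, None, "read")]


def stored_value():
    """Decode the stored attribute value that a val clause is matched against."""
    return base64.b64decode(STORED_B64).decode("ascii")


def granted_level(acl, attr, value):
    """Level granted by the first stanza whose attr and val clause both match."""
    for acl_attr, val_regex, level in acl:
        if acl_attr is not None and acl_attr != attr.lower():
            continue
        if val_regex is not None and not re.search(val_regex, value):
            continue
        return level
    return "none"  # no stanza matched: implicit deny


def allowed(acl, attr, value, wanted):
    """True if the granted level is at least the level the operation needs."""
    return LEVELS.index(granted_level(acl, attr, value)) >= LEVELS.index(wanted)


if __name__ == "__main__":
    value = stored_value()
    for name, acl in (("attr only", ACL_NO_VAL), ("attr + val.regex", ACL_VAL)):
        for wanted in ("auth", "read"):  # bind needs auth, search needs read
            print(f"{name:18} {wanted:5} ->", allowed(acl, "userPassword", value, wanted))
```

In this model both stanzas deny "auth" as well as "read" for the {SMD5} value, which is the "Invalid credentials" result the report expects; a value that does not match the regex falls through to the assumed catch-all.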