[Date Prev][Date Next] [Chronological] [Thread] [Top]

(ITS#3491) ACL and "operational" (generated) attrs issue

To: openldap-its@OpenLDAP.org
Subject: (ITS#3491) ACL and "operational" (generated) attrs issue
From: ando@sys-net.it
Date: Sun, 16 Jan 2005 10:30:04 GMT

Full_Name: Pierangelo Masarati
Version: HEAD/2.3 (suspect earlier)
OS: irrelevant
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (151.29.240.57)


An ACL set like

access to attrs=userPassword
        by * auth

access to *
        by dnattr=entryDN read
        by * search

fails with insufficient access even if a bound user searches its own entry. 
This occus because access checking occurs with and entry that doesn't contain
the generated attributes.  of course, using "self" instead of "dnattr=entryDN"
fixes the problem, however, in some cases the "entryDN" as well as other
generated attributes may be useful in ACLs as well as in other places where
generated data related to an object may need to be dereferenced.

p.

Prev by Date: Re: (ITS#3490) glue overlay causes segfault
Next by Date: RE: (ITS#3490) glue overlay causes segfault
Index(es):
- Chronological
- Thread