[Date Prev][Date Next]
(ITS#3491) ACL and "operational" (generated) attrs issue
Full_Name: Pierangelo Masarati
Version: HEAD/2.3 (suspect earlier)
Submission from: (NULL) (220.127.116.11)
An ACL set like
access to attrs=userPassword
by * auth
access to *
by dnattr=entryDN read
by * search
fails with insufficient access even if a bound user searches its own entry.
This occus because access checking occurs with and entry that doesn't contain
the generated attributes. of course, using "self" instead of "dnattr=entryDN"
fixes the problem, however, in some cases the "entryDN" as well as other
generated attributes may be useful in ACLs as well as in other places where
generated data related to an object may need to be dereferenced.