[Date Prev][Date Next] [Chronological] [Thread] [Top]

(ITS#3491) ACL and "operational" (generated) attrs issue

Full_Name: Pierangelo Masarati
Version: HEAD/2.3 (suspect earlier)
OS: irrelevant
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (

An ACL set like

access to attrs=userPassword
        by * auth

access to *
        by dnattr=entryDN read
        by * search

fails with insufficient access even if a bound user searches its own entry. 
This occus because access checking occurs with and entry that doesn't contain
the generated attributes.  of course, using "self" instead of "dnattr=entryDN"
fixes the problem, however, in some cases the "entryDN" as well as other
generated attributes may be useful in ACLs as well as in other places where
generated data related to an object may need to be dereferenced.