
Re: ACL filter and backend SQL

Please reply on the list.

Jaime Tomé Gomes Ventura wrote:

Pierangelo Masarati wrote:

Jaime Tomé Gomes Ventura wrote:

I'm using OpenLDAP 2.2.23 with back-sql loaded as a module.
I can't get this rule to work:

Basically, allow bind only to users having attribute ippNetStatus = ACTIVO.

access to * filter=(ippNetStatus=ACTIVO)
        by anonymous auth
        by self write

I've made a replication to a bdb database and this rule works just fine on it.

Is this a back-sql bug?

It's rather a feature :) see ITS#3480 for details. It's now fixed in HEAD/2.3 (please test).


Thanks. :)
Was this a feature on 2.1.x?

I mean that from the beginning back-sql was computing only the requested attributes (plus those required by the filter), while ACLs may use more, e.g. in the "filter" clause; in fact, they assume that when an entry is passed to access_allowed(), that entry is complete.

The behavior of back-sql is well known and considered a design limitation rather than a bug, because it is a reasonable trade-off between performance and versatility. However, in 2.3 there is the possibility to specify an additional set of attributes to be retrieved in all cases where an entry will be used in ACL checking. See the "fetch_attrs" and "fetch_all_attrs" directives in 2.3's slapd-sql(5) man page.

Needless to say, the problem cannot be worked around in either 2.1 or 2.2.


   SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497
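The following slapd.conf fragment is added here as an illustration; it is not part of the thread or of the OpenLDAP sources. It shows where the 2.3 fetch_attrs directive sits relative to the ACL Jaime posted, so that the attribute named in the ACL's filter clause is present on the entry when access_allowed() runs. The suffix, rootdn, DSN and credentials are placeholders; only the fetch_attrs / fetch_all_attrs directives and the access rule come from the discussion above and slapd-sql(5).

```conf
# Added example, not from the thread.  A 2.3 back-sql database whose ACL uses
# a "filter" clause on an attribute a client search need not request.
# suffix, rootdn, dbname, dbuser and dbpasswd below are placeholders.
database        sql
suffix          "dc=example,dc=com"
rootdn          "cn=Manager,dc=example,dc=com"
dbname          ldap_dsn
dbuser          ldap
dbpasswd        secret

# back-sql loads only the attributes the operation asked for (plus those in
# the search filter), so without this the entry handed to access_allowed()
# carries no ippNetStatus and the ACL filter below can never match.
# fetch_attrs (2.3 and later) makes back-sql always load the listed
# attribute types, a comma-separated list, whenever the entry may be used
# for ACL checking.
fetch_attrs     ippNetStatus

# Heavier alternative: always load every attribute of each entry.
# fetch_all_attrs yes

# Only entries with ippNetStatus=ACTIVO can be bound against (anonymous gets
# "auth" on them) and modified by their owner.  Entries with any other value
# do not match this rule, so nothing here grants anonymous auth on them.
access to * filter=(ippNetStatus=ACTIVO)
        by anonymous auth
        by self write
```

The quickest check that fetch_attrs is taking effect is a simple bind with ldapwhoami(1) as two test entries, one with ippNetStatus=ACTIVO and one with any other value: on 2.3 with the fragment above the first bind should succeed and the second should be rejected, whereas dropping the fetch_attrs line brings back the behaviour Jaime reported on 2.2, where the rule never matches on back-sql.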