Re: (ITS#3830) Buggy access attrs=... val=...
h.b.furuseth@usit.uio.no wrote:
> Full_Name: Hallvard B Furuseth
> Version: 2.3.4
> OS: Linux
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (129.240.186.42)
> Submitted by: hallvard
>
>
> 'access attrs=foo val=<bar>' seems to only be applied if
> <bar> matches the first value of attribute foo, and behaviour
> is weird afterwards. E.g. the 2-line slapd.conf:
>     access to attrs=supportedControl val.regex=^.* by * read
>     access to * by * read
> only returns the first value of supportedControl. OTOH,
>
> Also, IIRC Kurt said once that val= is only applied to search
> operations, or something. If so, it needs to be documented
> how it works (when it works correctly:-)
>
I have committed a fix to HEAD, please test.
Note that the result may be deceptive. The ACL engine looks for a rule
whose constraints match the item being tested, and then evaluates the
result. Any rules that don't match the current item are ignored (and of
course, only the first matching rule is used).
For example, if you used these two rules
    access to attrs=supportedControl val.regex=^2.* by * read
    access to * by * read
any query would still see all of the values of the supportedControl
attribute. Since any value that does not begin with '2' will ignore the
first ACL rule, it will be caught by the next rule. With the current
patch, if you wanted to hide all other values, you would need an
additional rule for that purpose:
    access to attrs=supportedControl val.regex=^2.* by * read
    access to attrs=supportedControl val.regex=^.* by * none
    access to * by * read
--
-- Howard Chu
Chief Architect, Symas Corp. Director, Highland Sun
http://www.symas.com http://highlandsun.com/hyc
Symas: Premier OpenSource Development and Support
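
The per-value, first-match rule selection described in the message above, as an added Python model. It is not part of the original message and is not slapd code; the function names and the sample supportedControl values are constructed for illustration, and only the two rule forms quoted in the thread are parsed.

```python
import re

RULE_RE = re.compile(
    r"access to (?:attrs=(\S+)(?: val\.regex=(\S+))?|\*) by \* (\w+)")

def parse_rule(line):
    """Parse 'access to attrs=<a> [val.regex=<re>] by * <level>' or 'access to * by * <level>'."""
    m = RULE_RE.fullmatch(line.strip())
    if not m:
        raise ValueError(f"unsupported rule: {line!r}")
    attr, val_re, level = m.groups()
    # attr "*" means the rule applies to every attribute; no regex means every value.
    return ((attr or "*").lower(), re.compile(val_re) if val_re else None, level)

def visible_values(rule_lines, attr, values):
    """Return the values of attr a client may see, testing each value on its own."""
    rules = [parse_rule(line) for line in rule_lines]
    shown = []
    for value in values:
        for r_attr, r_val, level in rules:
            if r_attr not in ("*", attr.lower()):
                continue              # rule is about another attribute
            if r_val is not None and not r_val.search(value):
                continue              # value constraint fails: rule is ignored
            if level != "none":       # first matching rule decides, then stop
                shown.append(value)
            break
        # Model assumption: a value matched by no rule is not shown.
    return shown

# Constructed sample values for supportedControl.
SAMPLE = ["2.16.840.1.113730.3.4.2", "1.2.840.113556.1.4.319",
          "1.3.6.1.4.1.4203.1.10.1", "2.16.840.1.113730.3.4.18"]

TWO_RULES = ["access to attrs=supportedControl val.regex=^2.* by * read",
             "access to * by * read"]
THREE_RULES = ["access to attrs=supportedControl val.regex=^2.* by * read",
               "access to attrs=supportedControl val.regex=^.* by * none",
               "access to * by * read"]

if __name__ == "__main__":
    print("two rules:  ", visible_values(TWO_RULES, "supportedControl", SAMPLE))
    print("three rules:", visible_values(THREE_RULES, "supportedControl", SAMPLE))
```

With the two-rule set every value falls through to the catch-all rule and stays visible; only the three-rule set hides the values that do not begin with '2'.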