
Re: (ITS#3830) Buggy access attrs=... val=...



h.b.furuseth@usit.uio.no wrote:
> Full_Name: Hallvard B Furuseth
> Version: 2.3.4
> OS: Linux
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (129.240.186.42)
> Submitted by: hallvard
>
>
> 'access attrs=foo val=<bar>' seems to only be applied if
> <bar> matches the first value of attribute foo, and behaviour
> is weird afterwards.  E.g. the 2-line slapd.conf:
>   access to attrs=supportedControl val.regex=^.* by * read
>   access to * by * read
> only returns the first value of supportedControl.  OTOH,
>
> Also, IIRC Kurt said once that val= is only applied to search
> operations, or something.  If so, it needs to be documented
> how it works (when it works correctly:-)
>   
I have committed a fix to HEAD, please test.

Note that the result may be deceptive. The ACL engine looks for a rule 
whose constraints match the item being tested, and then evaluates the 
result. Any rules that don't match the current item are ignored (and of 
course, only the first matching rule is used).

For example, if you used these two rules

  access to attrs=supportedControl val.regex=^2.* by * read
  access to * by * read

any query would still see all of the values of the supportedControl 
attribute. Since any value that does not begin with '2' will ignore the 
first ACL rule, it will be caught by the next rule. With the current 
patch, if you wanted to hide all other values, you would need an 
additional rule for that purpose:

  access to attrs=supportedControl val.regex=^2.* by * read
  access to attrs=supportedControl val.regex=^.* by * none
  access to * by * read

-- 
  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support
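
The first-match evaluation described in the reply above, as an added example that is not part of the original message and is not OpenLDAP code: a simplified Python model that tests each attribute value against the two-rule and three-rule lists quoted in the message. The rule tuples, the function names and the sample OID values are constructed for illustration, and only `attrs=` and `val.regex=` constraints with a single `by * <level>` clause are modelled.

```python
import re

# Each rule: (attribute or None for "*", value regex or None, level for "by *").
# Simplified model of the per-value first-match behaviour, not slapd's code.
TWO_RULES = [
    ("supportedControl", r"^2.*", "read"),
    (None, None, "read"),
]
THREE_RULES = [
    ("supportedControl", r"^2.*", "read"),
    ("supportedControl", r"^.*", "none"),
    (None, None, "read"),
]


def access_for(rules, attr, value):
    """Return the access level of the first rule whose constraints match."""
    for rule_attr, val_regex, level in rules:
        if rule_attr is not None and rule_attr.lower() != attr.lower():
            continue  # attrs= constraint does not match: rule is ignored
        if val_regex is not None and not re.search(val_regex, value):
            continue  # val.regex constraint does not match: rule is ignored
        return level  # first matching rule decides; later rules are not used
    return "none"  # assumption of this model: nothing matched means no access


def visible_values(rules, attr, values):
    """Values of attr a client would see, testing each value separately."""
    return [v for v in values if access_for(rules, attr, v) == "read"]


# Constructed sample values for supportedControl
SAMPLE = ["2.16.840.1.113730.3.4.18", "1.2.840.113556.1.4.319", "1.3.6.1.1.12"]

if __name__ == "__main__":
    for name, rules in (("two rules", TWO_RULES), ("three rules", THREE_RULES)):
        print(name, "->", visible_values(rules, "supportedControl", SAMPLE))
```

With the two-rule list every value is returned, because values not starting with '2' skip the first rule and are granted read by the catch-all; only the three-rule list restricts the result to values starting with '2'.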