[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: (ITS#3830) Buggy access attrs=... val=...

Howard Chu writes:
> I have committed a fix to HEAD, please test.

Thanks.  The reported problem is fixed.
I've stumbled on to two new ones instead - including a crash:

"access non-DN-attr=foo val=bar" uses the attribute's EQUALITY
rule to check for a match - and so value_match() crashes on
assert( mr != NULL ) if the attribute has no EQUALITY rule.
E.g. "access to attrs=supportedControl val=1.2 by * read".

I suggest that slapd then exits with an error message during startup:
"val.regex style for non-DN attr without EQUALITY rule":
That does mean one can't use 'val=<not regexp>' on an attribute for
access control on inherited attributes with EQUALITY rules, but it's
less surprising than to just have the match fail at run-time.

Not sure if slap_acl_get() needs to check if there is an EQUALITY
rule in any case.

I note that acl_mask_dnattr() also calls value_match() with some
attribute's EQUALITY rule; maybe that needs something similar.

Also, the value from 'val=' does not get normalized.  So
  access to attrs=configContext val=CN=CONFIG by * none
  access to * by * read
does show configContext: cn=config.  OTOH,
  access to attrs=objectClass val=OPENLDAPROOTDSE by * none
works fine - it only shows objectClass: top.

Don't anthropomorphize computers. They hate that.