(ITS#4253) val.regex broken
Full_Name: Quanah Gibson-Mount
Version: 2.3.13
OS: Solaris 8
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (171.66.155.86)
I have the following ACL in my ACL file:
access to dn.children="cn=people,dc=stanford,dc=edu" attrs=suPrivilegeGroup
        val.regex="^securemail:.+"
    by dn.base="cn=voltage,cn=service,cn=applications,dc=stanford,dc=edu" sasl_ssf=56 read
    by * break
which gets normalized just fine:
line 125 (access to dn.children="cn=people,dc=stanford,dc=edu"
attrs=suPrivilegeGroup val.regex="^securemail:.+" by
dn.base="cn=voltage,cn=service,cn=applications,dc=stanford,dc=edu" sasl_ssf=56
read by * break)
>>> dnNormalize: <cn=people,dc=stanford,dc=edu>
=> ldap_bv2dn(cn=people,dc=stanford,dc=edu,0)
ldap_err2string
<= ldap_bv2dn(cn=people,dc=stanford,dc=edu)=0 Success
=> ldap_dn2bv(272)
ldap_err2string
<= ldap_dn2bv(cn=people,dc=stanford,dc=edu)=0 Success
<<< dnNormalize: <cn=people,dc=stanford,dc=edu>
>>> dnNormalize: <cn=voltage,cn=service,cn=applications,dc=stanford,dc=edu>
=> ldap_bv2dn(cn=voltage,cn=service,cn=applications,dc=stanford,dc=edu,0)
ldap_err2string
<= ldap_bv2dn(cn=voltage,cn=service,cn=applications,dc=stanford,dc=edu)=0
Success
=> ldap_dn2bv(272)
ldap_err2string
<= ldap_dn2bv(cn=voltage,cn=service,cn=applications,dc=stanford,dc=edu)=0
Success
<<< dnNormalize: <cn=voltage,cn=service,cn=applications,dc=stanford,dc=edu>
Backend ACL: access to dn.children="cn=people,dc=stanford,dc=edu"
attrs=suPrivilegeGroup
val.regex="^securemail:.+"
by dn.base="cn=voltage,cn=service,cn=applications,dc=stanford,dc=edu"
sasl_ssf=56 read
by * break
but when I try and access this attribute, where this value exists, the above ACL
is never even tested:
<==slap_sasl2dn: Converted SASL name to
cn=voltage,cn=service,cn=applications,dc=stanford,dc=edu
slap_sasl_getdn: dn:id converted to
cn=voltage,cn=service,cn=applications,dc=stanford,dc=edu
SASL Canonicalize [conn=1]:
slapAuthcDN="cn=voltage,cn=service,cn=applications,dc=stanford,dc=edu"
SASL proxy authorize [conn=1]: authcid="service/voltage@stanford.edu"
authzid="service/voltage@stanford.edu"
conn=1 op=3 BIND authcid="service/voltage@stanford.edu"
authzid="service/voltage@stanford.edu"
conn=1 op=4 SRCH base="" scope=2 deref=0 filter="(uid=XXXXX)"
conn=1 op=4 SRCH attr=suprivilegegroup
==> limits_get: conn=1 op=4
dn="cn=voltage,cn=service,cn=applications,dc=stanford,dc=edu"
=> acl_mask: access to entry
"suRegID=b9f22736e76311d193aa2436000baa77,cn=people,dc=stanford,dc=edu", attr
"entry" requested
=> acl_mask: to all values by
"cn=voltage,cn=service,cn=applications,dc=stanford,dc=edu", (=0)
<= check a_dn_pat: *
<= acl_mask: [1] applying read(=rscxd) (stop)
<= acl_mask: [1] mask: read(=rscxd)
=> access_allowed: read access granted by read(=rscxd)
=> access_allowed: read access to
"suRegID=b9f22736e76311d193aa2436000baa77,cn=people,dc=stanford,dc=edu"
"suPrivilegeGroup" requested
=> dn: [1]
=> dn: [2] cn=subschema
=> dn: [3] cn=monitor
=> acl_get: [4] attr suPrivilegeGroup
access_allowed: no res from state (suPrivilegeGroup)
=> acl_mask: access to entry
"suRegID=b9f22736e76311d193aa2436000baa77,cn=people,dc=stanford,dc=edu", attr
"suPrivilegeGroup" requested
=> acl_mask: to value by
"cn=voltage,cn=service,cn=applications,dc=stanford,dc=edu", (=0)
acl_get: valpat ^securemail:.+
=> dn: [29] cn=people,dc=stanford,dc=edu
=> acl_get: [29] matched
access_allowed: no res from state (suPrivilegeGroup)
=> acl_mask: access to entry
"suRegID=b9f22736e76311d193aa2436000baa77,cn=people,dc=stanford,dc=edu", attr
"suPrivilegeGroup" requested
=> acl_mask: to value by
"cn=voltage,cn=service,cn=applications,dc=stanford,dc=edu", (=0)
<= acl_get: done.
=> access_allowed: no more rules
send_search_entry: conn 1 access to attribute suPrivilegeGroup, value #0 not
allowed
=> access_allowed: no more rules
send_search_entry: conn 1 access to attribute suPrivilegeGroup, value #14 not
allowed
However, the account involved definitely has a matching regex:
ldapsearch -LLL -Q -h ldap-test1 uid=XXXX suprivilegegroup
dn: suRegID=b9f22736e76311d193aa2436000baa77,cn=people,dc=stanford,dc=edu
suPrivilegeGroup: securemail:testers
suPrivilegeGroup: securemail:main
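
An added example, not part of the original report or of OpenLDAP: a Python script that condenses an ACL trace like the one above into the value patterns tried, the rule indexes matched and the values denied, then checks the pattern against the values `ldapsearch` returned. The function names are hypothetical, and Python's `re` stands in for slapd's regex engine.

```python
import re

# Lines taken from the trace in the report (mail-wrapped lines rejoined).
TRACE = """\
=> acl_get: [4] attr suPrivilegeGroup
access_allowed: no res from state (suPrivilegeGroup)
acl_get: valpat ^securemail:.+
=> dn: [29] cn=people,dc=stanford,dc=edu
=> acl_get: [29] matched
<= acl_get: done.
=> access_allowed: no more rules
send_search_entry: conn 1 access to attribute suPrivilegeGroup, value #0 not allowed
=> access_allowed: no more rules
send_search_entry: conn 1 access to attribute suPrivilegeGroup, value #14 not allowed
"""
# Values returned by the ldapsearch in the report.
VALUES = ["securemail:testers", "securemail:main"]

VALPAT = re.compile(r"acl_get: valpat (.+)$")
MATCHED = re.compile(r"acl_get: \[(\d+)\] matched")
DENIED = re.compile(
    r"send_search_entry: conn \d+ access to attribute (\S+), value #(\d+) not allowed")

def summarize(trace):
    """Collect value patterns tried, ACL indexes matched, and denied values."""
    out = {"valpats": [], "matched": [], "denied": []}
    for line in trace.splitlines():
        if m := VALPAT.search(line):
            out["valpats"].append(m.group(1))
        elif m := MATCHED.search(line):
            out["matched"].append(int(m.group(1)))
        elif m := DENIED.search(line):
            out["denied"].append((m.group(1), int(m.group(2))))
    return out

def values_matching(valpat, values):
    """Values the pattern selects. Python's re is an assumption standing in
    for slapd's POSIX regex; for a pattern this simple the two agree."""
    rx = re.compile(valpat)
    return [v for v in values if rx.search(v)]

if __name__ == "__main__":
    s = summarize(TRACE)
    print("value patterns tried:", s["valpats"])
    print("ACL indexes matched: ", s["matched"])
    print("values denied:       ", s["denied"])
    for pat in s["valpats"]:
        print("values selected by", pat, "->", values_matching(pat, VALUES))
```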