[Date Prev][Date Next] [Chronological] [Thread] [Top]

(ITS#4573) @pwdPolicy expansion seems to include objectClass?

Full_Name: Andreas Hasenack
Version: 2.3.24
OS: linux
Submission from: (NULL) (

While testing some forms of restricting access to attributes of the pwdPolicy
object class (like pwdHistory, for example), I came accross a behaviour which
doesn't seem correct.

If I have an ACL set like this, for example:

access to dn.subtree="dc=example,dc=com"
        by dn="uid=supervisor,ou=people,dc=example,dc=com" read
        by * none

access to dn.subtree="dc=example,dc=com"
        by * read

Then this search (and many others) stop working:
$ ldapsearch -x -LLL -s base -b dc=example,dc=com

slapd -d 128 shows:
=> access_allowed: search access to "dc=example,dc=com" "objectClass" requested
=> dn: [1] dc=example,dc=com
=> acl_get: [1] matched
=> acl_get: [1] attr objectClass
=> acl_mask: access to entry "dc=example,dc=com", attr "objectClass" requested
=> acl_mask: to all values by "", (=0)
<= check a_dn_pat: uid=supervisor,ou=people,dc=example,dc=com
<= check a_dn_pat: *
<= acl_mask: [2] applying none(=0) (stop)
<= acl_mask: [2] mask: none(=0)
=> access_allowed: search access denied by none(=0)
connection_read(12): no connection!

So, for some reason access to objectClass was denied as if it was included in
the @pwdPolicy expanded form.