[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: (ITS#5400) authz-regexp migration issue: ACLs of 2.3 no longer work with 2.4.8

michael@stroeder.com wrote:

> Take note of this:
> authz-regexp
>     "uid=([a-zA-Z0-9]+),cn=digest-md5,cn=auth"
>     "ldap:///ou=authz-test,dc=stroeder,dc=local??sub?(uid=$1)"
> [..]
> access to
>       dn.onelevel="ou=Users,ou=authz-test,dc=stroeder,dc=local"
>       by * auth
> See test of recent RE23 (port 2003) vs. recent RE24 (port 2004):

As indicated in OpenLDAP 2.4's man page, now the LDA search operation
requires "search" privileges on the "entry" pseudo-attribute of the
searchBase.  This was introduced to be able to honor the "disclose"
privilege (or, at least, in conjunction with code that is used to honore
the "disclose" privilege).  The man page is erroneous in stating that
this requirement and that feature were introduced in OpenLDAP 2.3: the
code is indeed present in OpenLDAP 2.3, but actually #ifdef'd; it only
became the default behavior in OpenLDAP 2.4.

This requirement, as usual, is downgraded to "auth" when performing
authc/authz related lookups.

I'd take this ITS as a request to fix the documentation (indicate the
change since 2.4 and not since 2.3) and to better notify the different
behavior since 2.3.


Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
Office:  +39 02 23998309
Mobile:  +39 333 4963172
Email:   pierangelo.masarati@sys-net.it