
(ITS#5851) ACL behaviour does not match slapd.access(5)



Full_Name: Andrew Findlay
Version: HEAD 2008-12-05
OS: SuSE 10.2
URL: 
Submission from: (NULL) (88.97.25.132)


Some ACL behaviours do not match slapd.access(5).

slapd.access(5) says:

>  For entries not held in any backend (such as a root DSE),
>  the directives of the first backend (and any global directives) are used.

I created a slapd.conf where the global ACL was:
   access to * by * none
and the single BDB backend had acls:
   access to dn.exact="" by * read
   access to dn.exact="cn=nonesuch" by * read

The anon user could not read the root DSE:
   ldapsearch -LLL -H ldap://localhost:1389/ -b '' -s base -x '(objectclass=*)'
+

I next moved the root access clause to the global section:
   access to dn.exact="" by * read
   access to * by * none
The BDB backend now had this ACL:
   access to dn.exact="cn=nonesuch" by * read

Anon was now able to read the root DSE. Thus it appears that the root DSE is
controlled by the global ACL but not by the first backend ACL.

My feeling is that the behaviour is right and the manpage needs updating.
The Admin Guide has similar statements in 7.2.4 and 7.3.4.

The complete slapd.conf file follows for reference:
-------------------------------------------------------------------------------
# Logging - this goes to syslog as 'local4'
#
# 512+256 to enable stats logging
#
loglevel 768


# Schema definitions
#
include         ../../etc/schema/core.schema
include         ../../etc/schema/cosine.schema
include         ../../etc/schema/inetorgperson.schema

# These should have absolute pathnames on production systems
pidfile         ./slapd.pid
argsfile        ./slapd.args

########################################################################
# Default ACL
########################################################################

access to * by * none

########################################################################
#######################################################################
# The main database
#######################################################################
########################################################################

database        bdb
suffix          "dc=example,dc=org"
rootdn          "cn=root,dc=example,dc=org"

password-hash {SSHA}

#
rootpw          password

# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd/tools. Mode 700 recommended.
# This should be an absolute pathname on production servers.
#
directory       ./openldap-db

# Entry cache size
#
cachesize       4000

# How often we force a checkpoint on the underlying database
# kilobytes and seconds
#
checkpoint 128 300

########################################################################
# Indices to maintain
########################################################################

index   objectClass             eq

########################################################################
# ACLs for this database
########################################################################

access to dn.exact="" by * read
access to dn.exact="cn=nonesuch" by * read
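To make the two observations in the report concrete, here is an added Python model of first-match ACL evaluation for the root DSE (it is not OpenLDAP code and supports only the `dn.exact`/`*` syntax used above): consulting only the global list gives `none` for the first configuration, as observed, while consulting the first backend's list before the globals, as slapd.access(5) describes, gives `read`.

```python
import re

# Added model, not OpenLDAP code: picks the first matching "access to" clause
# for a target DN either from the global ACL list alone (what the report
# observes for the root DSE) or from the first backend's list followed by the
# globals (what slapd.access(5) says). Only the report's syntax is supported.
ACL_RE = re.compile(r'^\s*access\s+to\s+(\S+)\s+by\s+(\S+)\s+(\S+)\s*$')

def parse_acl(text):
    """Turn 'access to <what> by <who> <level>' lines into tuples."""
    rules = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith('#'):
            continue
        m = ACL_RE.match(line)
        if not m:
            raise ValueError('unsupported ACL syntax: ' + line)
        rules.append(m.groups())
    return rules

def target_matches(what, dn):
    """'*' matches every entry; dn.exact="..." matches that DN only."""
    if what == '*':
        return True
    if what.startswith('dn.exact='):
        return dn == what[len('dn.exact='):].strip('"')
    raise ValueError('unsupported <what> clause: ' + what)

def evaluate(rules, dn):
    """First clause whose target matches decides; no match yields 'none'
    (a simplification of slapd's implicit trailing 'by * none')."""
    for what, who, level in rules:
        if target_matches(what, dn):
            return level if who == '*' else 'none'
    return 'none'

def root_dse_access(global_acl, backend_acl, per_manpage):
    """Anonymous access to the root DSE (DN "") under either model."""
    rules = parse_acl(global_acl)
    if per_manpage:
        rules = parse_acl(backend_acl) + rules
    return evaluate(rules, '')

# The two configurations from the report, constructed from its text.
GLOBAL_1 = 'access to * by * none'
BACKEND_1 = 'access to dn.exact="" by * read\naccess to dn.exact="cn=nonesuch" by * read'
GLOBAL_2 = 'access to dn.exact="" by * read\naccess to * by * none'
BACKEND_2 = 'access to dn.exact="cn=nonesuch" by * read'
```

`root_dse_access(GLOBAL_1, BACKEND_1, False)` reproduces the observed `none`, and the same call with `per_manpage=True` gives the documented `read`; the second configuration gives `read` under both models.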