[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: (ITS#5852) ACL behaviour does not match Admin Guide

On Mon, Dec 08, 2008 at 09:01:44PM +0000, quanah@zimbra.com wrote:

> > Full_Name: Andrew Findlay
> > Version: HEAD 2008-12-05
> > OS: SuSE 10.2
> > URL:
> > Submission from: (NULL) (
> >
> >
> > Section 7.2.5 Access Control Examples says:
> > ...
> > Also note that if no access to directive matches or no by <who> clause,
> > access is denied. That is, every access to directive ends with an
> > implicit by * none clause and every access list ends with an implicit
> > access to * by * none directive.
> >
> > The statement about access *lists* ending with a deny directive is wrong
> > (or at least misleading).
> I think it is quite clear:
>        The structure of the access control directives is
> ...
>      Lists of access directives are evaluated in the order  they  appear  in
>        slapd.conf.
> 	Each <who> clause list is implicitly terminated by a
> 	    by * none stop
> So, there are acl directives where each directive is an element of a list. 
> Every element of a list of acl directives is terminated by * none stop.

That is not the aspect that worries me here. The statement in 7.2.5
agrees with what you say about individual directives.

I am concerned about the behaviour of complete access *lists*.
For example, if my global acccess list says:

	access to * by * read

and the access list for a BDB database holding the suffix 'dc=example,dc=org'

	access to dn.exact="cn=nonesuch,dc=example,dc=org" by users read

(i.e. it is very restrictive and does not give ANON anything)

In this case the statement in 7.2.5 implies that ANON should not be able
to read dc=example,dc=org but tests show that it can. Changing the global
access list to:

	access to * by users read

prevents ANON from reading dc=example,dc=org and thus proves that the
per-database access list does not end with 'by * none stop' (but the
complete list including the global section does).

Sections 7.2.4 and 7.3.4 describe this behaviour rather better, but
do not mention the default-deny that gets appended to a non-empty
access list.

|                 From Andrew Findlay, Skills 1st Ltd                 |
| Consultant in large-scale systems, networks, and directory services |
|     http://www.skills-1st.co.uk/                +44 1628 782565     |