[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: (ITS#6057) "slapo-rwm interferes with content-sensitive ACLs"

ando@sys-net.it wrote:
> ----- admin@dmarkey.com wrote:
>> Full_Name: David Markey
>> Version: 2.4.15
>> OS: Debian
>> URL: ftp://ftp.openldap.org/incoming/
>> Submission from: (NULL) (
>> When using a slapo-rwm in conjunction with filter based ACL like
>> access to filter="memberOf=cn=staff,ou=groupofnames,dc=thunderbird"
>> This wont work unless the client explicitly requests the memberOf
>> attribute.
>> The client in this case in thunderbird, which doesn't request the
>> memberof
>> attribute
> You should specify the context of your use of slapo-rwm.  The limitation
> might not be in the overlay itself, but in your design of the DSA that uses
> slapo-rwm.  Unless a more detailed description of the configuration
> highlights a true software bug or design issue, I'm keen to considering
> this a user error.

I chatted with David about this on IRC. The situation is using slapo-rwm on 
top of back-relay, pointed at a local (back-bdb) database. He has an ACL in 
the relay database using a filter, e.g.:
	access to filter=(foo=bar) by * read

In slapo-rwm rwm_attr(), when an explicit list of attributes is requested in a 
search, any attributes that weren't requested are stripped from the entry. 
Thus, attribute foo disappears if it is not part of the attrs list, and then 
the entry cannot be retrieved by the client.

However, if no attr list is specified then slapo-rwm passes the entire entry 
through unmolested, and the ACL works.

   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/