
Re: (ITS#6057) "slapo-rwm interferes with content-sensitive ACLs"



> I chatted with David about this on IRC. The situation is using slapo-rwm on
> top of back-relay, pointed at a local (back-bdb) database. He has an ACL in
> the relay database using a filter, e.g.:
> 	access to filter=(foo=bar) by * read
>
> In slapo-rwm rwm_attr(), when an explicit list of attributes is requested in a
> search, any attributes that weren't requested are stripped from the entry.
> Thus, attribute foo disappears if it is not part of the attrs list, and then
> the entry cannot be retrieved by the client.
>
> However, if no attr list is specified then slapo-rwm passes the entire entry
> through unmolested, and the ACL works.

This is because search ACLs assume they will see the whole entry regardless of what attributes were requested in the search operation.  The "right" solution consists in making ACL evaluation functions fetch the attr they need from the database, rather than from the entry, as it might have already been massaged.

p.


Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
-----------------------------------
Office:  +39 02 23998309
Mobile:  +39 333 4963172
Fax:     +39 0382 476497
Email:   ando@sys-net.it
-----------------------------------
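The following slapd.conf fragment is an added illustration of the setup described in this thread; it is not configuration posted by either participant or shipped with OpenLDAP. The suffixes, the rootdn, the directory path and the entry name "alice" are made up, and the report's placeholder filter (foo=bar) is replaced with the schema-defined inetOrgPerson attribute employeeType so the directives load on a real server. The search commands in the comments show the two cases the report contrasts (no attribute list versus an explicit one) and the workaround that follows from the report's own description, namely also requesting the attribute the ACL filter depends on.

```conf
# Real database: the back-bdb instance that holds the data.
database        bdb
suffix          "dc=example,dc=com"
rootdn          "cn=Manager,dc=example,dc=com"
directory       /var/lib/ldap
index           objectClass,cn,employeeType eq

# Virtual database: back-relay in front of the real one, with slapo-rwm
# rewriting the virtual suffix to the real suffix (slapd-relay(5) requires
# the rwm overlay with rwm-suffixmassage for this).
database        relay
suffix          "dc=relay,dc=com"
relay           "dc=example,dc=com"
overlay         rwm
rwm-suffixmassage "dc=example,dc=com"

# Content-sensitive ACL on the relay database: an entry is readable only
# if the filter matches the entry's own attributes.
# (Assumption: employeeType=public stands in for the report's foo=bar.)
access to filter=(employeeType=public)
        by * read
access to *
        by * none

# Case 1: no attribute list. slapo-rwm passes the whole entry through, the
# ACL filter sees employeeType, and the entry is returned:
#   ldapsearch -x -H ldap://localhost -b dc=relay,dc=com '(cn=alice)'
#
# Case 2: explicit attribute list without employeeType. rwm_attr() strips
# employeeType before ACL evaluation, the filter no longer matches, and
# the client gets no entry at all:
#   ldapsearch -x -H ldap://localhost -b dc=relay,dc=com '(cn=alice)' cn mail
#
# Workaround implied by the report (until ACL evaluation fetches the
# attribute from the database instead of the massaged entry): also request
# the attribute the ACL filter depends on:
#   ldapsearch -x -H ldap://localhost -b dc=relay,dc=com '(cn=alice)' cn mail employeeType
```

The same pattern applies to any overlay that trims or rewrites entries before they reach the access-control code: a filter= ACL is only as reliable as the attributes still present on the entry at the point it is evaluated, so after adding such an overlay it is worth re-testing every filter-based ACL with an explicit attribute list, not just with a wildcard search.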