[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: (ITS#4730) Overlay that generates operational attributes to support GUI interaction

masarati@aero.polimi.it wrote:
> Michael Ströder wrote:
>> There's a special corner-case:
>> If the user bound (e.g. anonymous in my test configuration) has no write
>> access to any attribute an empty attribute value list is returned for
>> 'allowedAttributesEffective'.
> You mean an instance of the allowedAttributesEffective with the empty
> value?

Yes. Here's the python-ldap trace log:
Note the 'allowedAttributesEffective': [] in the result.

I can also enable OpenLDAP debugging log if that would be more evidence for you.

---------------------------- snip ----------------------------
*** ldap://localhost:2071 - LDAPObject.search_ext
(('ou=schulung,dc=stroeder,dc=local', 0, '(objectClass=*)',
['hasSubordinates', 'entryCSN', 'tokenGroupsGlobalAndUniversal',
'localEntryID', 'createTimestamp', 'uSNCreated', 'fromEntry',
'administrativeRole', 'structuralObjectClass', 'mS-DS-CreatorSID',
'msDS-Approx-Immed-Subordinates', 'nsAccountLock', 'authzTo',
'nsLookthroughLimit', 'GUID', 'authzFrom', '*', 'passwordExpWarned',
'whenChanged', 'modifiersName', 'isMemberOf', 'sDRightsEffective',
'governingStructureRule', 'primaryGroupToken', 'pwdPolicySubentry',
'accountUnlockTime', 'passwordHistory', 'subordinateCount',
'allowedAttributesEffective', 'creatorsName', 'entryUUID', 'aclentry',
'uSNChanged', 'tokenGroupsNoGCAcceptable', 'entryDN', 'passwordRetryCount',
'tokenGroups', 'passwordExpirationTime', 'aci', 'passwordAllowChangeTime',
'whenCreated', 'retryCountResetTime', 'canonicalName', 'entryUSN',
'subschemaSubentry', 'numSubordinates', 'modifyTimestamp'], 0, [], None, 300,
=> result: 13
*** ldap://localhost:2071 - LDAPObject.result3 ((13, 1, 300),{})
=> result: (101, [('ou=schulung,dc=stroeder,dc=local', {'hasSubordinates':
['TRUE'], 'entryCSN': ['20090818120115.850129Z#000000#000#000000'],
'objectClass': ['organizationalUnit'], 'creatorsName':
['uid=diradm,ou=schulung,dc=stroeder,dc=local'], 'entryUUID':
['d0ed3070-150d-4a5a-bec3-5c21e78c31c3'], 'allowedAttributesEffective': [],
'modifiersName': ['uid=diradm,ou=schulung,dc=stroeder,dc=local'],
'createTimestamp': ['20090818120115Z'], 'entryDN':
['ou=schulung,dc=stroeder,dc=local'], 'subschemaSubentry': ['cn=Subschema'],
'structuralObjectClass': ['organizationalUnit'], 'ou': ['schulung'],
'modifyTimestamp': ['20090818120115Z']})], 13, [])
---------------------------- snip ----------------------------

>  I'm not seeing anything like that.

At which level?

>> Indeed this is helpful since my web2ldap can
>> then distinguish between this attribute being not available at all or no
>> attributes are allowed to be written. But I'm not sure whether that
>> complies
>> to the LDAP data model. What do you think?
> In any case, I'd consider it an error, which deserves to be fixed.

If you fix it with hunking out the empty values list the distinction within
web2ldap would be then to look at the schema and decide whether
allowedAttributesEffective is available. I can see that attr type description
of allowedAttributesEffective is hard-coded in allowed.c so that seems fairly
reliable to me.

Ciao, Michael.