
Re: (ITS#6513) dynacl/aci fails on searches with attributes




Thanks for your quick answer Pierangelo,

On Monday, 12. April 2010, masarati@aero.polimi.it wrote:
> > [...]
> > My guess is that you're trying to use ACIs with a non-local storage.  In
> > that case your analysis is correct.  Can you provide your (sanitized)
> > configuration?

I am using a local hdb backend.

In order to generate a minimal test case, I found out that it seems to be
related to the rwm overlay.

Although I have set rwm-rewriteEngine to off, rwm seems to be partially
active.
Commenting out the rwm directives completely makes the searches work as
expected.

Please find attached a testcase with slapd.conf and ldif data.
To experience the issue simply perform a search with e.g. attribute 1.1 as
one of the users in the data.
Then comment the rwm-... lines in slapd.conf, restart slapd and try again.
Voilà the difference.

> > [...]
>
> Automatically detecting what attributes need to be added to requests for
> proxying sounds like an overkill.  Probably, a reasonable workaround could
> be to add a configuration directive that lists what attributes need to be
> added to requests.  This directive should be honored by proxy backends and
> in general by all those backends that do not pass back complete entries to
> the frontend.  In the case of proxy backends its use would be
> straightforward, since requested attrs need to be mapped anyway in the
> request.  Adding some more would not be a big deal.
That would be absolutely sufficient for me.

> Things might be a bit
> more complicated in case of, say, special configurations like proxycache,
> where ACIs would need to be added to all attribute templates, and so.  Yet
> another reason to avoid ACIs :)
As much as I'd like to, I fear I can't.
I am trying to migrate from a non-OpenLDAP directory solution with a complex
permission structure in in-tree ACLs to OpenLDAP.
Unfortunately the permissions are set up in a way that does not let them be
written as a short list of ACLs.
Changing the permission structure is not possible as lots of applications
depend on it.

--
Peter Marschall
peter@adpm.de
