Re: (ITS#6688) OpenLDAP 2.4.23 doesn't enforce ACLs on back-perl subordinate database



Hi all,

An update on this bug report: with a modified slapd.conf and a small 
patch to the back-perl module, I can use the ACL mask to ensure that the 
perl search function doesn't get invoked if disallowed by the ACLs.

The patch works by creating a "fake" empty entry whose DN is the base of 
the search, and then passing this entry into access_allowed() using code 
borrowed from one of the other backends to either deny or allow access.

http://pastebin.siriusit.co.uk/perlacl/slapd2.conf
http://pastebin.siriusit.co.uk/perlacl/openldap-backperl-acls.patch

Is this something that could be considered for inclusion upstream or 
does it require more work?


ATB,

Mark.

-- 
Mark Cave-Ayland - Senior Technical Architect
PostgreSQL - PostGIS
Sirius Corporation plc - control through freedom
http://www.siriusit.co.uk
t: +44 870 608 0063

Sirius Labs: http://www.siriusit.co.uk/labs
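
A simplified, self-contained model of the approach described in the message above, added here as an illustration; it is not the patch linked in the message and not OpenLDAP code. The types `fake_entry` and `acl_rule`, the functions `dn_under`, `model_access_allowed` and `gated_search`, and the sample DNs and rules are all hypothetical or constructed, and DNs are assumed to be already normalized.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Hypothetical stand-ins: not OpenLDAP's real Entry or ACL structures. */
typedef struct { const char *dn; } fake_entry;   /* a DN and no attributes */
typedef struct { const char *subtree; int allow_search; } acl_rule;

/* Constructed sample policy; the first matching rule wins. */
static const acl_rule rules[] = {
    { "ou=private,dc=example,dc=com", 0 },
    { "dc=example,dc=com",            1 },
};

static int backend_calls = 0;   /* counts invocations of the modelled backend search */

/* True if dn equals subtree or ends with ",subtree" (match on an RDN boundary). */
static int dn_under(const char *dn, const char *subtree) {
    size_t dl = strlen(dn), sl = strlen(subtree);
    if (dl < sl || strcasecmp(dn + dl - sl, subtree) != 0) return 0;
    return dl == sl || dn[dl - sl - 1] == ',';
}

/* Model of an access check on an entry: deny when no rule matches. */
static int model_access_allowed(const fake_entry *e) {
    for (size_t i = 0; i < sizeof rules / sizeof rules[0]; i++)
        if (dn_under(e->dn, rules[i].subtree)) return rules[i].allow_search;
    return 0;
}

/* Build the empty entry for the search base and check it before dispatching.
 * Returns 0 if the backend ran, 50 (LDAP insufficientAccessRights) if refused. */
static int gated_search(const char *base) {
    fake_entry e = { base };
    if (!model_access_allowed(&e)) return 50;
    backend_calls++;            /* the backend's search callback would run here */
    return 0;
}

int main(void) {
    const char *bases[] = { "ou=people,dc=example,dc=com",
                            "cn=x,ou=private,dc=example,dc=com",
                            "dc=other,dc=com" };
    for (size_t i = 0; i < 3; i++)
        printf("%-36s -> %d\n", bases[i], gated_search(bases[i]));
    printf("backend calls: %d\n", backend_calls);
    return 0;
}
```

The model checks only the search base, as the message describes; it does not filter the entries a backend would return.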