[Date Prev][Date Next] [Chronological] [Thread] [Top]

(ITS#6693) Value dependent ACL issues

Full_Name: Ralf Haferkamp
Version: 2.4.23, HEAD
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (
Submitted by: ralf

It seems that if the first ACL on a server is a value dependend ACL it is not
evaluated correctly.

Steps to reproduce:

1. Set this global ACL on the server:

access to dn.base="" attrs=supportedControl 
 by * none
access to dn.base=""
 by * read

Now, when "" would be the first value of the
supportedControl Attribute that the server would return, slapd will return no
value of that attribute at all.
OTOH when "" is not the first value, slapd will return
all values of the "supportedControl" Attribute, including
The expected result would be to return all values but

This problem only seems to be present if there are no other ACLs present before
the first value dependent ACL.

This patch seems to fix the problem, it would be nice however if somebody with
more insight into the acl code could review it before we commit it to HEAD.
--- a/servers/slapd/acl.c
+++ b/servers/slapd/acl.c
@@ -405,7 +405,8 @@ access_allowed_mask(
                if ( state->as_desc == desc &&
                        state->as_access == access &&
                        state->as_result != -1 &&
-                       state->as_vd_acl == NULL )
+                       state->as_vd_acl == NULL &&
+                       state->as_vd_acl_count > 0 )
                        Debug( LDAP_DEBUG_ACL,
                                "=> access_allowed: result was in cache