
(ITS#8775) PASSMOD exop fails with RWM and tight ACLs



Full_Name: Thomas Quinot
Version: slapd 2.X (Nov 22 2017 11:39:03)
OS: Linux
URL: ftp://ftp.openldap.org/incoming/quinot-171122.diff
Submission from: (NULL) (2a02:2ab8:224:1:36e6:d7ff:fe09:66dd)


If a tight ACL is globally defined for userPassword:

access to attrs=userPassword
        by dn="cn=Manager,o=Local" write
        by self write
        by anonymous auth

and there is a virtual naming context implemented using a relay backend with the rwm
overlay:

database        @BACKEND@
suffix          "dc=example,dc=com"
[...]
database relay
suffix o=OtherExample,c=US
relay dc=example,dc=com
overlay         rwm
rwm-suffixmassage       "dc=example,dc=com"

then an end-user's attempt to update her own password will fail with:
err=53 text=unwilling to verify old password

because at some point we attempt to apply the above ACL to the original
(virtual) DN, but considering the resolved (real) DN for the user:

5a1553ea => acl_mask: access to entry "cn=Ursula Hampster,ou=Alumni Association,ou=People,o=OtherExample,c=US", attr "userPassword" requested
5a1553ea => acl_mask: to value by "cn=ursula hampster,ou=alumni association,ou=people,dc=example,dc=com", (=0)
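The mismatch in the log above, modelled as an added example that is not part of the ITS report or of slapd: a simplified DN normaliser, a suffix-massage step like rwm-suffixmassage, and the "by self" comparison, run over the two DNs from the log. The normaliser is an approximation of slapd's (assumed for illustration).

```python
# Added example (not from the ITS report or slapd): why "by self" fails when
# acl_mask compares a virtual entry DN against the user's real (rewritten) DN.
# DN normalisation here is a simplification: lower-case, whitespace trimmed
# around ',' and '='; slapd's real normaliser is more involved.

VIRTUAL_SUFFIX = "o=OtherExample,c=US"   # suffix of the relay database
REAL_SUFFIX = "dc=example,dc=com"        # suffix of the relayed database

# DNs taken from the acl_mask log lines in the report
ENTRY_VIRTUAL = "cn=Ursula Hampster,ou=Alumni Association,ou=People,o=OtherExample,c=US"
BOUND_REAL = "cn=ursula hampster,ou=alumni association,ou=people,dc=example,dc=com"


def normalize_dn(dn: str) -> str:
    """Lower-case each RDN and strip whitespace around ',' and '=' (approximation)."""
    parts = []
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        parts.append(f"{attr.strip().lower()}={value.strip().lower()}")
    return ",".join(parts)


def suffix_massage(dn: str, from_suffix: str, to_suffix: str) -> str:
    """Rewrite a DN under from_suffix to the same DN under to_suffix, as rwm-suffixmassage does.
    Returns the normalised DN; DNs outside from_suffix are returned unchanged."""
    n, nf, nt = normalize_dn(dn), normalize_dn(from_suffix), normalize_dn(to_suffix)
    if n == nf:
        return nt
    if n.endswith("," + nf):
        return n[: -len(nf)] + nt
    return n


def acl_self_matches(entry_dn: str, bound_dn: str) -> bool:
    """The 'by self' clause grants access only when the target entry is the bound identity."""
    return normalize_dn(entry_dn) == normalize_dn(bound_dn)


def reproduce() -> tuple:
    """(mixed namespaces as in the log, both DNs in the real namespace)."""
    mixed = acl_self_matches(ENTRY_VIRTUAL, BOUND_REAL)            # False: the reported failure
    consistent = acl_self_matches(
        suffix_massage(ENTRY_VIRTUAL, VIRTUAL_SUFFIX, REAL_SUFFIX), BOUND_REAL)  # True
    return mixed, consistent


if __name__ == "__main__":
    print(reproduce())
```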