[Date Prev][Date Next] [Chronological] [Thread] [Top]

problem with slapacl operating in tool mode

I've just modified slapacl to retrieve the target entry via tool helpers (unless disabled by "-u" dryrun flag), so that access control can be consistently checked based on its contents (e.g. the filter clause, or sets and so on).

However, while testing this, I came into a problem: it appears that operations (like sets) that perform internal searches to collect info leave active transactions behind, creating problems at backend destruction. I think this is an issue related to the different behavior internal searches may take when acting in tool rather than server mode, but I haven't been able to trace it yet.

To trigger the problem, run test003; then, configure a (silly) ACL like

access to *
   by set="user/uid & [foo]" write

and run slapacl like

slapacl -D "cn=Ursula Hampster,ou=Alumni Association,ou=People,dc=example,dc=com" -b "dc=example,dc=com"

This triggers a backend_attribute() call that looks up the user's uid and leaves a transaction active:

Backend ACL: access to *
    by set="user/uid & [foo]" write

testrun/slapd.1.conf: line 45: warning: cannot assess the validity of the ACL scope within backend naming context
DN: "cn=ursula hampster,ou=alumni association,ou=people,dc=example,dc=com"
=> access_allowed: auth access to "dc=example,dc=com" "entry" requested
=> acl_get: [1] attr entry
=> acl_mask: access to entry "dc=example,dc=com", attr "entry" requested
=> acl_mask: to all values by "cn=ursula hampster,ou=alumni association,ou=people,dc=example,dc=com", (=n)
=> bdb_entry_get: found entry: "cn=ursula hampster,ou=alumni association,ou=people,dc=example,dc=com"
<= acl_mask: no more <who> clauses, returning =n (stop)
=> access_allowed: auth access denied by =n
entry: =n
bdb(dc=example,dc=com): Error: closing the transaction region with active transactions
bdb_db_destroy: close failed: Invalid argument (22)

so it appears to be unrelated to my changes... this partially defeats the usefulness of slapacl, because if it cannot perform exactly the same operations that slapd performs when checking access it becomes useless essentially because it cannot be trusted.

Any hints are appreciated.


SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497