
Re: "break" broken?



> -----Original Message-----
> From: David Olivier [mailto:David.Olivier@univ-lyon2.fr]
> 
> I'm on openldap 2.0.7. I have come upon some strange behaviour in the
> 
>     <control> ::= [ stop | continue | break ]
> 
> clause, that doesn't seem to conform to what is said in that FAQ. I think
> it is a bug.
> 
> In my tests, I attempt to bind as some entry I will call myBindDn; 
> specifically:
> 
>     myBindDn = "uid=testAdm,ou=people,dc=univ-lyon2,dc=fr"
> 
> For this, it appears from the FAQ and from my own tests that I need:
> 
>    privilege: "auth" ("x")
> 
>    to be granted on: myBindDn, attribute userPassword
> 
>    to: "anonymous".
> 
> My first test is with the following ACLs:
> 
> ============== slapd.acl.conf: ======= (1)
> defaultaccess   none
> 
> # First and only access clause:
> access to dn.base="uid=testAdm,ou=people,dc=univ-lyon2,dc=fr" 
> attrs=userPassword
>        by anonymous
>           auth
> =========== End of slapd.acl.conf. === (1)
> 
> Bind is successful, as expected.
> 
> In my second test I just add a "break" clause:
> 
> ============== slapd.acl.conf: ======= (2)
> defaultaccess   none
> 
> # First and only access clause:
> access to dn.base="uid=testAdm,ou=people,dc=univ-lyon2,dc=fr" 
> attrs=userPassword
>        by anonymous
>           auth    break
> =========== End of slapd.acl.conf. === (2)
> 
> This time, bind fails! Error code 50, "Insufficient Access Rights". Note
> that these are all my ACLs; i.e. there is no other access clause after this
> one.
> 
> In other words, the only difference between test (1) and (2) is that after
> granting "anonymous" the "auth" privileges to myBindDn, the server should
> go on and analyze any further access clauses, to add or remove privileges.
> But here there are no more access clauses, so the "break" should have no
> effect! Instead, it does have an effect: it cancels the privileges already
> granted.
> 
> What makes me feel it's a bug is that if I add to (2) another access
> clause:
> 
> ============== slapd.acl.conf: ======= (3)
> defaultaccess   none
> 
> # First access clause:
> access to dn.base="uid=testAdm,ou=people,dc=univ-lyon2,dc=fr" 
> attrs=userPassword
>        by anonymous
>           auth    break
> 
> # Second access clause:
> access to dn.base="uid=testAdm,ou=people,dc=univ-lyon2,dc=fr" 
> attrs=userPassword
>        by dn.base="uid=smurgle,ou=people,dc=univ-lyon2,dc=fr"
>           none
> =========== End of slapd.acl.conf. === (3)
> 
> bind becomes successful again!

The debug output of the server might be of interest here. What does it say
when granting access to the entry? I.e., which of the ACLs grants access?
(I know, access 'none' shouldn't allow anything, but I think this all looks
weird enough for everything..)

> ============== workaround: =======
> # Last access clause:
> access to *
>        by dn.base="cn=No-One, o=no-org, c=Utopia"
>           write
> ======= End of workaround. =======

And here: if access 'none' instead of 'write' has the "same" effect, it
might be the better choice.

daniel
_________________________________________
Tiefnig Daniel
Server-Technology

INFONOVA IT GesmbH
Seering 6, A-8141 Unterpremstätten
AUSTRIA

E-Mail: mailto:daniel.tiefnig@infonova.at
Web: http://www.infonova.at
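Added as an illustration, not code from this thread or from OpenLDAP itself: a small Python model of how slapd evaluates access directives with the stop/continue/break controls, following the semantics as slapd.access(5) documents them in later 2.x releases. It is an assumption, not something verified against 2.0.7, that this is also what 2.0.7 was meant to do: the first access directive whose <what> matches the target is selected; the first matching <who> in it sets the privilege mask; "stop" (the default) ends evaluation, "continue" lets later <who> clauses in the same directive adjust the mask (plain level replaces it, "+"/"-" add or remove privilege letters), "break" carries the mask on to the next matching access directive, and a selected directive in which no <who> matches applies an implicit "by * none". The dn.base/attrs/anonymous selectors and the slapd.conf parser are deliberately minimal. Fed the three ACL sets quoted above, this model grants (1), grants (2) (the break runs out of directives and the accumulated mask stands) and denies (3) (the second directive's <who> does not match anonymous, so the implicit "by * none" applies); the thread reports 2.0.7 giving grant, deny, grant, which is exactly the discrepancy the ACL debug output would settle.

```python
import shlex

# Privilege levels and the letters slapd uses for them (none < auth < ... < write).
LEVEL_LETTERS = {"none": "", "auth": "x", "compare": "xc",
                 "search": "xcs", "read": "xcsr", "write": "xcsrw"}
CONTROLS = ("stop", "continue", "break")


def parse_acl(text):
    """Parse 'defaultaccess <level>' and 'access to <what>... by <who> <priv> [<control>]'
    into (default_level, [(what_selectors, [(who, priv, control), ...]), ...])."""
    tok = shlex.split(text, comments=True)        # handles the quoted DNs and # comments
    default, clauses, i = "none", [], 0
    while i < len(tok):
        if tok[i] == "defaultaccess":
            default, i = tok[i + 1], i + 2
        elif tok[i] == "access" and tok[i + 1] == "to":
            i, what, bys = i + 2, [], []
            while i < len(tok) and tok[i] not in ("by", "access", "defaultaccess"):
                what.append(tok[i])
                i += 1
            while i < len(tok) and tok[i] == "by":
                who, priv, i = tok[i + 1], tok[i + 2], i + 3
                control = "stop"                    # the default <control>
                if i < len(tok) and tok[i] in CONTROLS:
                    control, i = tok[i], i + 1
                bys.append((who, priv, control))
            clauses.append((what, bys))
        else:
            raise ValueError("unexpected token: " + tok[i])
    return default, clauses


def norm(dn):
    """Minimal DN normalisation: lower case, no blanks around the commas."""
    return ",".join(p.strip().lower() for p in dn.split(","))


def what_matches(what, target_dn, attr):
    """Only '*', dn.base=<dn> and attrs=<list> are modelled."""
    for sel in what:
        if sel == "*":
            continue
        key, _, val = sel.partition("=")
        if key == "dn.base" and norm(val) != norm(target_dn):
            return False
        if key == "attrs" and (attr is None or attr.lower() not in val.lower().split(",")):
            return False
        if key not in ("dn.base", "attrs"):
            raise ValueError("unsupported <what> selector: " + sel)
    return True


def who_matches(who, bind_dn):
    """bind_dn is None for an anonymous requester."""
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn is None
    key, _, val = who.partition("=")
    if key == "dn.base":
        return bind_dn is not None and norm(bind_dn) == norm(val)
    raise ValueError("unsupported <who> selector: " + who)


def apply_priv(mask, spec):
    """A plain level replaces the mask; '=xyz' sets it exactly; '+'/'-' adjust letters."""
    if spec[0] in "=+-":
        letters, base = set(spec[1:]), set(mask or ())
        return letters if spec[0] == "=" else (base | letters if spec[0] == "+" else base - letters)
    return set(LEVEL_LETTERS[spec])


def access_allowed(config, bind_dn, target_dn, attr, privilege):
    """True if bind_dn gets `privilege` ('auth' .. 'write') on attr of target_dn."""
    default, clauses = parse_acl(config)
    needed = LEVEL_LETTERS[privilege][-1]           # e.g. 'auth' -> 'x'
    mask = None                                     # no access directive has set a mask yet
    for what, bys in clauses:
        if not what_matches(what, target_dn, attr):
            continue                                # <what> does not select this target
        control = "continue"                        # i.e. "keep looking at <who> clauses"
        for who, priv, ctl in bys:
            if who_matches(who, bind_dn):
                mask, control = apply_priv(mask, priv), ctl
                if control != "continue":
                    break
        if control == "continue":                   # ran out of <who> clauses in this directive
            mask, control = set(), "stop"           # implicit "by * none"
        if control != "break":
            break                                   # stop: the mask is final
        # break: carry the accumulated mask on to the next matching access directive
    if mask is None:                                # no access directive matched at all
        mask = set(LEVEL_LETTERS[default])
    return needed in mask


# The ACL sets quoted in the thread as tests (1), (2) and (3).
TESTADM = "uid=testAdm,ou=people,dc=univ-lyon2,dc=fr"
ACL_1 = """
defaultaccess none
access to dn.base="uid=testAdm,ou=people,dc=univ-lyon2,dc=fr" attrs=userPassword
       by anonymous auth
"""
ACL_2 = ACL_1.replace("auth\n", "auth break\n")
ACL_3 = ACL_2 + """
access to dn.base="uid=testAdm,ou=people,dc=univ-lyon2,dc=fr" attrs=userPassword
       by dn.base="uid=smurgle,ou=people,dc=univ-lyon2,dc=fr" none
"""

if __name__ == "__main__":
    for name, acl in (("(1)", ACL_1), ("(2)", ACL_2), ("(3)", ACL_3)):
        ok = access_allowed(acl, None, TESTADM, "userPassword", "auth")
        print(name, "anonymous auth on userPassword:", "granted" if ok else "denied")
```

Two consequences of the modelled semantics are worth keeping in mind when reading the thread: a "break" whose next matching directive has no matching <who> falls into that directive's implicit "by * none", so the workaround's "No-One" clause would, under this model, revoke the auth grant rather than preserve it; and a "continue" as the last <who> of a directive likewise ends in the implicit "by * none". Whichever way 2.0.7 actually behaves, the ACL trace (debug level 128 in slapd 2.x) shows which directive and which <who> clause produced the final mask, which is the output asked for above.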