[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: "break" broken?



At 08:17 AM 5/30/01, David Olivier wrote:
>I am in the process of trying to understand the ACLs, as documented in the FAQ, <http://www.openldap.org/faq/data/cache/447.html>.
>
>(Thanks to the author of this FAQ! But I think it should appear in the "Software" section of the FAQ, rather than the "Developper's" section.)

That's likely because the answer has not yet been verified as
being accurate.  Once it is verified, it will be added to the
Admin Guide.


>I'm on openldap 2.0.7. I have come upon some strange behaviour in the
>
>   <control> ::= [ stop | continue | break ]
>
>clause, that doesn't seem to conform to what is said in that FAQ. I think it is a bug.

The FAQ answer might be wrong, it is an answer under development.

>In my tests, I attempt to bind as some entry I will call myBindDn; specifically:
>
>   myBindDn = "uid=testAdm,ou=people,dc=univ-lyon2,dc=fr"
>
>For this, it appears from the FAQ and from my own tests that I need:
>
>  privilege: "auth" ("x")
>
>  to be granted on: myBindDn, attribute userPassword
>
>  to: "anonymous".
>
>My first test is with the following ACLs:
>
>============== slapd.acl.conf: ======= (1)
>defaultaccess   none
>
># First and only access clause:
>access to dn.base="uid=testAdm,ou=people,dc=univ-lyon2,dc=fr" attrs=userPassword
>      by anonymous
>         auth
>=========== End of slapd.acl.conf. === (1)
>
>Bind is successful, as expected.
>
>In my second test I just add a "break" clause:
>
>============== slapd.acl.conf: ======= (2)
>defaultaccess   none
>
># First and only access clause:
>access to dn.base="uid=testAdm,ou=people,dc=univ-lyon2,dc=fr" attrs=userPassword
>      by anonymous
>         auth    break
>=========== End of slapd.acl.conf. === (2)
>
>This time, bind fails!

That's what it should do.  You broken into the global implicit
        access to * by * none
rule which sets the permission to none.

>Error code 50, "Insufficient Access Rights". Note that these are all my ACLs; i.e. there is no other access clause after this one.

Excepting the global implicit rule.


>Following the FAQ the meaning of "break" is:
>
>>You can also request that further analysis of this access clause (the
>><who>) be stopped here but keep on reading other access clauses. You do
>>this by specifying break. This is useful if you have clauses that match
>>this target later in your configuration and want to be able to
>>add or remove privileges.

It is useful for adding and removing permissions, as in using "+" and
"-" permission operations.  It's less useful when used with "=".

>In other words, the only difference between test (1) and (2) is that after granting "anonymous" the "auth" privileges to myBindDn, the server should go on and analyze any further access clauses, to add or remove privileges.

You failed to provide any such rules.

>But here there are no more access clauses, so the "break" should have no effect!

There is the global implicit "access to * by * none" rule.

>Instead, does have an effect: it cancels the privileges already granted.

That's what you told it to do.

>What makes me feel its a bug is that if I add to (2) another access clause:
>
>============== slapd.acl.conf: ======= (3)
>defaultaccess   none
>
># First access clause:
>access to dn.base="uid=testAdm,ou=people,dc=univ-lyon2,dc=fr" attrs=userPassword
>      by anonymous
>         auth    break
>
># Second access clause:
>access to dn.base="uid=testAdm,ou=people,dc=univ-lyon2,dc=fr" attrs=userPassword
>      by dn.base="uid=smurgle,ou=people,dc=univ-lyon2,dc=fr"
>         none
>=========== End of slapd.acl.conf. === (3)
>
>bind becomes successful again!

That likely should be "none" as well.  That could be bug as
their is an implicit "by * none stop" clause, as opposed to
a "by * +none stop" clause, ending each rule.

>Here, the <what> part of the second acces clause matches, but no <who> section applies. However, it seems that finding one more access clause where the <what> matches, even if no <who> section applies, is enough to make the "break" happy.
>
>This is confirmed by a fourth test, in which the <what> part doesn't match:
>
>============== slapd.acl.conf: ======= (4)
>defaultaccess   none
>
># First access clause:
>access to dn.base="uid=testAdm,ou=people,dc=univ-lyon2,dc=fr" attrs=userPassword
>      by anonymous
>         auth    break
>
># Second access clause:
>access to dn.base="uid=blotch,ou=people,dc=univ-lyon2,dc=fr" attrs=userPassword
>      by dn.base="uid=smurgle,ou=people,dc=univ-lyon2,dc=fr"
>         none
>=========== End of slapd.acl.conf. === (4)
>
>This time bind fails. The <what> in the second access clause does not match.
>
>If I am right about this being a BUG (big bad bug), I will put it in the ITS thing as such. But since I am not sure of myself I would like other people's opinions.
>
>I have tried my tests with "ACL debugging" on (loglevel 128). As far as I understand the messages, they seem to confirm my analysis: "break" needs another matching access clause to be happy.
>
>Workaround
>==========
>
>It seems one simple way to make "break" behave itself is to add a bogus access clause to the end of the ACLs, that will match any <what>, but apply to no <who>:
>
>============== workaround: =======
># Last access clause:
>access to *
>      by dn.base="cn=No-One, o=no-org, c=Utopia"
>         write
>======= End of workaround. =======
>
>With this added, cases (2) and (4) both become successful again.
>
>---
>David Olivier
>Klebs gardien Alpages CRI courrier brebis Lyon 2 Lumière