
Re: acl entry causes segfault



Quoting Pierangelo Masarati <ando@sys-net.it>:

Markus Krause wrote:
Hi list!

I am using OpenLDAP 2.3.34-5.2 on a SLES10 server.
In my LDAP database I am using the attribute "description" in some cases
to store information which I do not want to be readable by everyone. To
prevent this for all users but "admin" I use the following ACL entry in
slapd.conf:
---- slapd.conf
access to attrs=description
        by dn="cn=Admin,o=test" write
        by group.exact="cn=Admingroup,ou=ACL,o=test" write
        by * none
---- slapd.conf
This works, but it denies access to all but admin and members of group
admingroup.

Then I tried to set the following ACL, which should only deny access to
the description field in a subtree:
---- slapd.conf
access to dn.subtree="ou=people,o=test" attrs=description
        by dn="cn=Admin,o=test" write
        by group.exact="cn=Admingroup,o=test" write
        by * none
---- slapd.conf

This leads to a segmentation fault; the last lines of the debug output are:
--- slapd -d 65535
config_build_entry: "cn={9}misc"
config_build_entry: "olcDatabase={-1}frontend"
Segmentation fault
---
So I obviously am doing something very wrong!

How can I allow or deny access to some attributes in a specific subtree?

Thanks in advance for any hints!

Something I found in addition (which no longer leads to a segfault, although I am not sure if this is really the solution):
if I add an additional ACL entry in slapd.conf for attribute "description", all seems to work as it should, so slapd.conf now has:


---- part of slapd.conf
access to dn.subtree="ou=people,o=test" attrs=description
        by dn="cn=Admin,o=test" write
        by group.exact="cn=Admingroup,o=test" write
        by * none

access to dn.subtree="ou=IT Contacts,o=test" attrs=description
        by dn="cn=Admin,o=test" write
        by group.exact="cn=cn=Admingroup,o=test" write
        by * read
----

It seems odd to me that an additional ACL with "by * read" on another branch of the LDAP tree should make it work again ...

Am I missing something?

regards
  markus


Markus Krause, Mogli-Soft
Support for Mac OS X, Webmail/Horde, LDAP, RADIUS, MySQL
by order of the Computing Center of the Max-Planck-Institute of Biochemistry
E-Mail: krause@biochem.mpg.de | Tel.: 089 - 89 40 85 99
markus.krause@mac.com | Fax.: 089 - 89 40 85 98
Skype: markus.krause | iChat: markus.krause@mac.com
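As an added example (not part of the original post, and not an explanation of the crash itself): a slapd.conf ACL set that restricts "description" only under ou=people,o=test while leaving it readable elsewhere. It relies on two rules of slapd ACL evaluation: the first "access to" clause whose target (dn plus attrs) matches the request is the one used, and within it the first matching "by" clause decides; and once any access directive is present, a request matched by no clause is denied. The admin and group DNs are taken from the post; the group DN under ou=ACL is assumed to be the intended one, since the post uses two different spellings.

```conf
# Added example, not the original poster's config. Order matters: slapd
# uses the first "access to" clause that matches the target, so the most
# specific clause goes first.

# 1. "description" inside ou=people,o=test: admins only, everyone else denied.
access to dn.subtree="ou=people,o=test" attrs=description
        by dn.exact="cn=Admin,o=test" write
        by group.exact="cn=Admingroup,ou=ACL,o=test" write
        by * none

# 2. "description" anywhere else in the tree stays readable.
access to attrs=description
        by dn.exact="cn=Admin,o=test" write
        by group.exact="cn=Admingroup,ou=ACL,o=test" write
        by * read

# 3. Catch-all for every other attribute (including the "entry"
#    pseudo-attribute needed to return an entry at all). Without some
#    clause covering these, the presence of the directives above means
#    nobody except the rootdn could read anything. Tighten to your policy.
access to *
        by dn.exact="cn=Admin,o=test" write
        by group.exact="cn=Admingroup,ou=ACL,o=test" write
        by users read
        by * none
```

Check the file with `slaptest -f slapd.conf -u` before restarting, then verify with `ldapsearch` bound once as an ordinary user and once as cn=Admin,o=test, requesting `description` on an entry under ou=people and on one elsewhere: the ordinary user should get the entry without the attribute in the first case and with it in the second. Swapping clauses 1 and 2 silently breaks the restriction, because clause 2 would then match first for entries under ou=people as well.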
