
Re: selfread access doesn't work as expected



On Wednesday 13 May 2009, Christian Fischer wrote:
> Hi all,
>
> I'm running openldap-2.3.43 on gentoo amd64.
>
> Shouldn't the following access directive give members of
> ou=People,dc=foo,dc=bar selfread permission on attrs=member, and give all
> others (e.g. the bind user cn=ldapbind,ou=dsa,dc=foo,dc=bar) unrestricted
> read permission?
>
>
> access to dn.subtree="ou=Group,dc=foo,dc=bar" attrs=member
>        by dn.children="ou=People,dc=foo,dc=bar" selfread
>        by * read
>
> Selfread works only if I restrict * to none, but that's not what I want.
> 'by * read' is not what I want at least, but it simplifies the example.
>
> access to dn.subtree="ou=Group,dc=foo,dc=bar" attrs=member
>        by dn.children="ou=People,dc=foo,dc=bar" selfread
>        by * none
>
> It should expand to
> 'by dn.children="ou=People,dc=foo,dc=bar" selfread stop'
> but it seems to continue.
>
> What's wrong?
>
> Regards
> Christian

I've given selfread one more try.

Seems that it really expands to continue, and the 'by * none' clause is 
mandatory to get it working.

A working directive to grant read access to the member attribute without 
affecting other members must be (in my case)

access to dn.subtree="ou=Group,dc=foo,dc=bar" attrs=member
        by dn.children="ou=dsa,dc=foo,dc=bar" read
        by dn.children="ou=People,dc=foo,dc=bar" selfread
        by * none

Well, I think this is a bug because the behaviour differs from the one stated 
in the man pages.

Maybe Quanah likes to file the bug if he has read the manual page.

Is there a simple way to expand this to the memberUid attribute?

Bye
Christian
-- 
"Without music to decorate it, time is just a bunch of boring production
 deadlines or dates by which bills must be paid."
        --- Frank Vincent Zappa
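The check a practitioner would run against the working directive above, as an added example that is not part of the original thread: bind as a user under ou=People, as the ou=dsa bind user, and anonymously, and compare what each one can see of the member attribute. The server URI, the group cn=admins, the user uid=alice and the password variables are assumptions for illustration and do not come from the original message.

```shell
#!/bin/sh
# Added example, not from the original post. Assumptions (not in the thread):
# slapd reachable at $LDAP_URI, a group cn=admins under ou=Group, a user
# uid=alice under ou=People with her password in $ALICE_PW, and the bind user
# cn=ldapbind,ou=dsa with its password in $DSA_PW.

GROUP="cn=admins,ou=Group,dc=foo,dc=bar"
ALICE="uid=alice,ou=People,dc=foo,dc=bar"
DSA="cn=ldapbind,ou=dsa,dc=foo,dc=bar"

# Print the member values of $GROUP that the bound DN $1 (password $2) is
# allowed to read; an empty $1 performs an anonymous simple bind.
member_values() {
    if [ -n "$1" ]; then
        ldapsearch -LLL -x -H "$LDAP_URI" -D "$1" -w "$2" -b "$GROUP" -s base member
    else
        ldapsearch -LLL -x -H "$LDAP_URI" -b "$GROUP" -s base member
    fi | sed -n 's/^member: //p'
}

# Succeed when the newline-separated list $2 is exactly the single DN $1:
# what a People user should get from 'selfread'.
only_self() {
    [ -n "$2" ] && [ "$2" = "$1" ]
}

# Succeed when the list $1 is empty: what anonymous should get from 'by * none'.
sees_nothing() {
    [ -z "$(printf '%s' "$1" | tr -d '[:space:]')" ]
}

# Succeed when the list $1 holds at least $2 values: the dsa user should see
# the whole member list, so pass the known group size as $2.
sees_at_least() {
    [ "$(printf '%s\n' "$1" | grep -c .)" -ge "$2" ]
}

# Run the live checks only when a server is configured, so the helpers above
# can still be sourced and tested without one.
if [ -n "$LDAP_URI" ]; then
    if only_self "$ALICE" "$(member_values "$ALICE" "$ALICE_PW")"; then
        echo "alice: sees only her own member value (selfread OK)"
    else
        echo "alice: sees other members or nothing (ACL order wrong?)"
    fi
    if sees_at_least "$(member_values "$DSA" "$DSA_PW")" 2; then
        echo "ldapbind: sees the full member list (read OK)"
    else
        echo "ldapbind: cannot read the member list"
    fi
    if sees_nothing "$(member_values "" "")"; then
        echo "anonymous: sees nothing (by * none OK)"
    else
        echo "anonymous: can read member values"
    fi
fi
```

Run it once with the 'by * read' variant and once with the 'by * none' variant from the message; with the first, alice's check reports that she sees other members, which is the behaviour the message describes.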