(ITS#4654) slapacl behavior seems suspect
Full_Name: M Butcher
Version: 2.3.27
OS: Linux (Ubuntu 6.06)
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (75.34.42.242)
Problem: Running slapacl, attributes marked as 'auth' and '=x' are shown to be
readable.
I first noticed this on 2.3.25 and posted the message to the list. In the
meantime, 2.3.27 was released. At Pierangelo's request, I tested against
2.3.27.
Step-by-step account of what I did to test:
1. Built from 2.3.27 and installed
2. Deleted old database files (from 2.3.25)
4. Manually checked version on slapd, symlink on slapacl. Also checked to make
sure backend directory was empty.
5. Created minimal slapd and minimal testing ldif (see below)
6. Used 'slapadd -l testing.ldif' to add the LDIF
7. Ran test against cn -- read authorized on =x (full output posted below)
8. Ran test against userPassword -- read authorized on auth (full output pasted
below)
7 and 8 seem to indicate incorrect behavior (or is there a reason slapacl would
give read access to auth/=x?)
Let me know if you need configure/make info, or if more logging would be
helpful. It seems quite easy for me to reproduce the bug consistently.
The LDIF (comments removed in original):
########
# BEGIN
dn: dc=example,dc=com
description: Example.Com, your trusted non-existent corporation.
dc: example
o: Example.Com
objectClass: top
objectClass: dcObject
objectClass: organization

dn: ou=Users,dc=example,dc=com
ou: Users
description: Example.Com Users
objectClass: organizationalUnit

dn: uid=matt,ou=Users,dc=example,dc=com
ou: Users
uid: matt
cn: Matt Butcher
sn: Butcher
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
userPassword: secret

dn: uid=barbara,ou=Users,dc=example,dc=com
ou: Users
uid: barbara
sn: Jensen
cn: Barbara Jensen
userPassword: secret
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
# END
########
SLAPD.CONF
########
# BEGIN
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/inetorgperson.schema
pidfile /usr/local/var/run/slapd.pid
argsfile /usr/local/var/run/slapd.args
loglevel none
modulepath /usr/local/libexec/openldap
moduleload back_hdb
access to attrs=userPassword
by anonymous auth
by self write
by * none
access to attrs=cn
by users =x
by self write
by * none
access to *
by self write
by users read
by * none
database hdb
suffix "dc=example,dc=com"
rootdn "cn=Manager,dc=example,dc=com"
rootpw secret
directory /usr/local/var/openldap-data
index objectClass eq
index cn eq,sub,pres,approx
# END
########
RUNNING SLAPACL
# slapacl -D 'uid=matt,ou=Users,dc=example,dc=com' -b 'uid=barbara,ou=Users,dc=example,dc=com' -d acl 'cn/read'
Backend ACL: access to attrs=userPassword
by anonymous auth
by self write
by * none
Backend ACL: access to attrs=cn
by users =x
by self write
by * none
Backend ACL: access to *
by self write
by users read
by * none
authcDN: "uid=matt,ou=users,dc=example,dc=com"
=> access_allowed: read access to "" "cn" requested
=> access_allowed: backend default read access granted to "uid=matt,ou=users,dc=example,dc=com"
read access to cn: ALLOWED
# slapacl -D 'uid=matt,ou=Users,dc=example,dc=com' -b 'uid=barbara,ou=Users,dc=example,dc=com' -d acl 'userPassword/read'
Backend ACL: access to attrs=userPassword
by anonymous auth
by self write
by * none
Backend ACL: access to attrs=cn
by users =x
by self write
by * none
Backend ACL: access to *
by self write
by users read
by * none
authcDN: "uid=matt,ou=users,dc=example,dc=com"
=> access_allowed: read access to "" "userPassword" requested
=> access_allowed: backend default read access granted to "uid=matt,ou=users,dc=example,dc=com"
read access to userPassword: ALLOWED
Same thing without debugging (if this is what Pierangelo wants...):
# slapacl -D 'uid=matt,ou=Users,dc=example,dc=com' -b 'uid=barbara,ou=Users,dc=example,dc=com' 'cn/read'
authcDN: "uid=matt,ou=users,dc=example,dc=com"
read access to cn: ALLOWED
# slapacl -D 'uid=matt,ou=Users,dc=example,dc=com' -b 'uid=barbara,ou=Users,dc=example,dc=com' 'userPassword/read'
authcDN: "uid=matt,ou=users,dc=example,dc=com"
read access to userPassword: ALLOWED
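An added example, not part of this ITS report or of OpenLDAP's code: a small model of how slapd.access(5) is documented to evaluate the slapd.conf above (first matching "access to" directive, first matching "by" clause within it, "=x" granting only the auth privilege, no matching directive falling through to the backend default, which is assumed here to be "read" as the debug output suggests). Run against the same bind DN and target entry as the slapacl commands it yields DENIED for both cn/read and userPassword/read, and it also goes beyond the two commands shown to illustrate that "by users =x" placed before "by self write" shadows the self clause for cn.

```python
# Added example (not OpenLDAP code): a minimal model of how slapd.access(5) evaluates the
# report's slapd.conf. Assumption: with no matching directive the backend default is "read".
from typing import List, Optional, Set, Tuple

# Privilege letters in ascending order; a named level grants itself and everything below it.
ORDER = "dxcsrwm"  # disclose, auth, compare, search, read, write, manage
NAMED = {"none": "", "disclose": "d", "auth": "x", "compare": "c",
         "search": "s", "read": "r", "write": "w", "manage": "m"}

def privileges(level: str) -> Set[str]:
    """'read' -> {d,x,c,s,r}; '=x' -> {x}: the '=' form grants exactly the letters listed."""
    if level.startswith("="):
        return set(level[1:])
    top = NAMED[level]
    return set(ORDER[:ORDER.index(top) + 1]) if top else set()

def who_matches(who: str, bind_dn: Optional[str], target_dn: str) -> bool:
    """<who> forms used in the report's config; bind_dn None means an anonymous bind."""
    return {"*": True,
            "anonymous": bind_dn is None,
            "users": bind_dn is not None,
            "self": bind_dn is not None and bind_dn.lower() == target_dn.lower()}[who]

# One directive: (attribute name, or None for "access to *", [(who, level), ...]).
Directive = Tuple[Optional[str], List[Tuple[str, str]]]

def access_allowed(acls: List[Directive], bind_dn: Optional[str], target_dn: str,
                   attr: str, priv: str, backend_default: str = "read") -> bool:
    """True if the first <who> of the first matching 'access to' grants privilege letter priv."""
    for attrs, clauses in acls:
        if attrs is not None and attrs.lower() != attr.lower():
            continue                      # directive does not cover this attribute
        for who, level in clauses:
            if who_matches(who, bind_dn, target_dn):
                return priv in privileges(level)   # first matching <who> decides
        return False                      # no <who> matched: implicit "by * none"
    return priv in privileges(backend_default)     # no directive matched at all

# The three directives from the slapd.conf above, in file order.
ACLS: List[Directive] = [
    ("userPassword", [("anonymous", "auth"), ("self", "write"), ("*", "none")]),
    ("cn",           [("users", "=x"), ("self", "write"), ("*", "none")]),
    (None,           [("self", "write"), ("users", "read"), ("*", "none")]),
]
MATT = "uid=matt,ou=Users,dc=example,dc=com"
BARBARA = "uid=barbara,ou=Users,dc=example,dc=com"

def verdict(bind_dn: Optional[str], target_dn: str, attr: str, priv: str = "r") -> str:
    ok = access_allowed(ACLS, bind_dn, target_dn, attr, priv)   # same wording slapacl prints
    name = {"r": "read", "w": "write", "x": "auth"}[priv]
    return f"{name} access to {attr}: {'ALLOWED' if ok else 'DENIED'}"
```

Calling `verdict(MATT, BARBARA, "cn")` and `verdict(MATT, BARBARA, "userPassword")` gives the DENIED results the reporter expected, while `verdict(MATT, BARBARA, "sn")` is ALLOWED through the "access to *" directive.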