Re: (ITS#6513) dynacl/aci fails on searches with attributes

>> Full_Name: Peter Marschall
>> Version: 2.4.21
>> OS: Linux
>> URL: ftp://ftp.openldap.org/incoming/Peter-Marschall-100411.patch
>> Submission from: (NULL) (94.217.135.20)
>>
>>
>> Hi,
>>
>> Playing around with dynacl/aci a bit I came across the following issue:
>>
>> Searches that do not contain the attribute OpenLDAPaci in the list of
>> attributes queried, omit objects.
>
> dynacl/aci (as the original aci code it's based on) relies on the fact
> that the entry is complete.  This is the case when the entry is stored
> locally, e.g. in back-bdb/hdb.  Otherwise, no mechanism is in place to
> retrieve operational attributes.  Please note that in the latter case,
> even ACL rules based on, say, createTimestamp or so would operate
> incorrectly.
>
> My guess is that you're trying to use ACIs with a non-local storage.  In
> that case your analysis is correct.  Can you provide your (sanitized)
> configuration?
>
> The "right" solution is much more general, not only related to dynacl.
> Slapd needs to know in advance what (operational) attributes are required
> for policy enforcing, and they need to be added to requested attrs when
> entries are collected from remote storage.  Your patch seems to fix your
> specific need, but it is clearly inefficient.

Automatically detecting what attributes need to be added to requests for
proxying sounds like an overkill.  Probably, a reasonable workaround could
be to add a configuration directive that lists what attributes need to be
added to requests.  This directive should be honored by proxy backends and
in general by all those backends that do not pass back complete entries to
the frontend.  In the case of proxy backends its use would be
straightforward, since requested attrs need to be mapped anyway in the
request.  Adding some more would not be a big deal.  Things might be a bit
more complicated in case of, say, special configurations like proxycache,
where ACIs would need to be added to all attribute templates, and so.  Yet
another reason to avoid ACIs :)

p.
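The failure mode discussed in this thread and the proposed workaround, as an added example in Python (not OpenLDAP code): a proxy that forwards only the attributes a client asked for never fetches the operational OpenLDAPaci attribute, so an ACI check that depends on it denies every entry; a configured list of policy attributes that the proxy always adds to the remote request restores correct behaviour. The store, the directive name and the simplified ACI syntax are constructed.

```python
# Added example (not OpenLDAP code): toy model of the ITS#6513 failure mode.
# A remote backend returns only the attributes a search requests, so the
# OpenLDAPaci operational attribute is absent unless explicitly requested and
# an ACI check that needs it denies every entry. The fix modelled is the
# directive proposed in the reply: a configured list of policy attributes the
# proxy always adds to the remote request. ACI syntax below is simplified.

# Constructed remote store; OpenLDAPaci is an operational attribute.
REMOTE_STORE = {
    "cn=alice,dc=example,dc=com": {
        "mail": ["alice@example.com"],
        "OpenLDAPaci": ["1#entry#grant;r,s,c;[all]#group#cn=readers,dc=example,dc=com"],
    },
    "cn=bob,dc=example,dc=com": {
        "mail": ["bob@example.com"],   # no ACI at all: nobody is granted read
    },
}

POLICY_ATTRS = ["OpenLDAPaci"]  # hypothetical directive value, e.g. "acl-attrs"


def remote_search(requested_attrs):
    """Proxy behaviour: the remote server returns only the requested attributes."""
    return {dn: {a: v for a, v in e.items() if a in requested_attrs}
            for dn, e in REMOTE_STORE.items()}


def aci_grants_read(entry, subject_groups):
    """Grant read if an entry-scope ACI names one of the subject's groups with
    'r' among its rights.  No OpenLDAPaci present means deny, which is exactly
    why entries vanish when the attribute was never fetched."""
    for aci in entry.get("OpenLDAPaci", []):
        _oid, scope, rights, kind, who = aci.split("#")
        if scope == "entry" and kind == "group" and who in subject_groups \
                and "r" in rights.split(";")[1].split(","):
            return True
    return False


def search(requested_attrs, subject_groups, policy_attrs=()):
    """Frontend: fetch from the remote, then enforce the ACI.  With policy_attrs
    the ACL-bearing attributes are added to the remote request and stripped
    again before the result reaches the client."""
    fetch = list(requested_attrs) + [a for a in policy_attrs if a not in requested_attrs]
    visible = {dn: e for dn, e in remote_search(fetch).items()
               if aci_grants_read(e, subject_groups)}
    return {dn: {a: v for a, v in e.items() if a in requested_attrs}
            for dn, e in visible.items()}
```

Without the policy attributes a search for `mail` returns nothing even for a reader who is granted access; with them, alice's entry is returned and the ACI attribute is not leaked to the client.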