
possible small bug in acl.c

First of all, let me say thanks for all the work that has been
put in to get openldap to this level.

I'm posting this to the developers list as I need help interpreting the
intentions of the coders as expressed in servers/slapd/acl.c.

Depending on whether or not I understand the acl_mask code correctly, there
may be a bug/typo in the peername ACL code.

specifically in 2.0.18/servers/slapd/acl.c
(some whitespace removed/line numbers added)

522 if ( b->a_peername_pat != NULL ) {
523         Debug( LDAP_DEBUG_ACL, "<= check a_peername_path: %s\n",
524                 b->a_peername_pat, 0, 0 );
525 
526         if ( strcmp( b->a_peername_pat, "*" ) != 0) {
527                 if ( b->a_peername_style == ACL_STYLE_REGEX) {
528                         if (!regex_matches( b->a_peername_pat, conn->c_peer_name,
529                                         e->e_ndn, matches ) ) 
530                         {
531                                 continue;
532                         }
533                 } else {
534                         if ( strcasecmp( b->a_peername_pat, conn->c_peer_name ) == 0 )
535                                 continue;
536                 }
537         }
538 }

I believe that the "continue" control statement is called on ACL match
**failure**, but the strcasecmp comparison (corresponding to a peername.exact)
on line 534 goes to "continue" when there **is** a match (strcasecmp==0)
between the <who> clause and the peername. This same form occurs in a few
other places as well (line 498,516,552).

Either this is a typo/bug or I'm not interpreting this code properly. In any
case, it appears to do the wrong thing, as I always get an apparent peername match on
the first peername when it's a non-match.

I'm just asking if this is intentional logic or a typo?

As a final note, I find it rather unexpected that conn->c_peer_name appears to be
of the form "IP=xxx.xxx.xxx.xxx:yyy" rather than just "xxx.xxx.xxx.xxx".
Ideally this would be documented in the OpenLDAP administrators guide either
as an example or as an explicit requirement.

I'm ignoring the ACL_REGEX forms because my regex engine seems to be a bit
slow (FreeBSD), which is why I've noticed these effects.

Thanks
Mark Blackman
Senior Systems Administrator		Tel: +44 (0)870 887 8896
Netscalibur UK Limited			Fax: +44 (0)870 887 8868
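As an added illustration of the comparison questioned above (this is not code from the OpenLDAP tree), the peername.exact branch is reduced to two small functions: one with the condition exactly as quoted at line 534, and one with the inverted condition the post expects. The pattern and peer strings are constructed sample values in the "IP=addr:port" form the post reports for conn->c_peer_name.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strcasecmp */

/* Condition as quoted from acl.c line 534: the access clause is skipped
 * ("continue") when strcasecmp() reports a MATCH. Returns 1 if skipped. */
int clause_skipped_as_written(const char *pat, const char *peer)
{
    if (strcmp(pat, "*") == 0)
        return 0;                        /* "*" applies to every peer */
    return strcasecmp(pat, peer) == 0;   /* skip on match: the suspected typo */
}

/* The reading the post argues for: the clause is skipped on a NON-match,
 * so a matching peer falls through to the rest of the ACL evaluation. */
int clause_skipped_expected(const char *pat, const char *peer)
{
    if (strcmp(pat, "*") == 0)
        return 0;
    return strcasecmp(pat, peer) != 0;   /* skip only when the peer differs */
}

int main(void)
{
    /* Constructed sample values; peer names use the "IP=addr:port" form. */
    const char *pat      = "IP=192.0.2.10:39122";
    const char *same     = "IP=192.0.2.10:39122";
    const char *other    = "IP=198.51.100.7:5000";
    const char *bare_ip  = "192.0.2.10";   /* what an admin might write */

    printf("as written, matching peer skipped:   %d\n",
           clause_skipped_as_written(pat, same));      /* 1: clause never applies */
    printf("as written, other peer skipped:      %d\n",
           clause_skipped_as_written(pat, other));     /* 0: wrong peer "matches" */
    printf("expected, matching peer skipped:     %d\n",
           clause_skipped_expected(pat, same));        /* 0 */
    printf("expected, other peer skipped:        %d\n",
           clause_skipped_expected(pat, other));       /* 1 */
    /* A bare address never equals the "IP=addr:port" string, so an exact
     * pattern written without the prefix and port cannot match anyone. */
    printf("expected, bare-IP pattern skipped:   %d\n",
           clause_skipped_expected(bare_ip, same));    /* 1 */
    return 0;
}
```

The two inverted results in the "as written" lines are the symptom the post describes: the clause is skipped for the peer it names and applied to every other peer.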