[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Duplicate Attributes

To: OpenLDAP Software List <openldap-software@OpenLDAP.org>
Subject: Re: Duplicate Attributes
From: Dave Horsfall <daveh@ci.com.au>
Date: Wed, 7 May 2003 14:28:22 +1000 (EST)
Archive: No
In-reply-to: <200305070319.ABA15886@dommail.onthenet.com.au>
References: <200305070319.ABA15886@dommail.onthenet.com.au>

On Wed, 7 May 2003 gshumway@cityextreme.com wrote:

> Thanks but now you got me worried about the cisco-avpairs.

Good :-)

> I am using them to store acl's. I am getting my radiator
> radius server to get crab them and send them back to the NAS
> which seems to work fine. If i simply add multiple avpairs
> into the one attribute the NAS only gets the last one..

What I'm saying is that multi-valued attributes are not guaranteed
to be returned in any particular order by the LDAP server, but
Cisco ACLs are order-dependant.

Say you have:

cisco-avpair: deny evil-subnet
cisco-avpair: permit friendly-net

(where evil-subnet is a subnet of friendly-net) then they are likely to
be returned in the opposite order, thereby granting access to evil-subnet.

And if you want to add a new ACL, you have to add all of them in one
go (and you'll still have the above problem).

-- 
Dave Horsfall  DTM  VK2KFU  daveh@ci.com.au  Ph: +61 2 9906-7866  Fx: 9906-1556
Corinthian Engineering, Level 1, 401 Pacific Hwy, Artarmon, NSW 2064, Australia

References:
- Re: Duplicate Attributes
  - From: <gshumway@cityextreme.com>

Prev by Date: Re: Duplicate Attributes
Next by Date: add new entry question
Index(es):
- Chronological
- Thread