RE: ACI syntax changes in 2.3 / OpenLDAPaci does not like multiple attributes

>> The third case has never been valid,
> But we use it in production for about 2 years with OpenLDAP 2.1 and it
> works
> :-)

You see, since there has never been an agreed specification of ACIs
everyone has their own ideas on it.  I took (don't remember where)

                oid # scope # action;rights;attr;rights;attr
                        $ action;rights;attr;rights;attr # type # subject

           [NOTE: the following comment is very outdated,
           as the draft version it refers to (Ando, 2004-11-20)].

           See draft-ietf-ldapext-aci-model-04.txt section 9.1 for

It likely comes from the above draft.  It says "attr", not "attrs" or
"attrlist".  There might be portions of code that take it differently...

>> AFAIR; you should rather use
>> OpenLDAPaci:
>> 1#entry#grant;r,s,c;cn;r,s,c;dc#access-id#cn=xxx,dc=testuml,dc=test
>> i.e. you must use sequences of
>> "{grant|deny};(<access>;<attr>)*" where "<attr>" is a single
>> attribute, or "[all]".
> If you look at aci.c in function aci_list_has_attr it splits the attribute
> list at ',', so it seems to me that it would still work, if the syntax
> validator accepts it.
> If this is true, I could create a patch to make it work again.

Sure.  Submit it via the ITS.  I suggest you take this as a chance to
look at the code and write down a specification that essentially states
what the code is doing now; it will serve as documentation and guideline
for software development (if any) and mostly for software maintenance. 
You should also revitalize test041 (HEAD only, right now) so that the
syntax is checked consistently (e.g. try to add ACIs that selectively
violate rules and note if the parser fails or not).


Ing. Pierangelo Masarati
Responsabile Open Solution
OpenLDAP Core Team

SysNet s.n.c.
Via Dossi, 8 - 27100 Pavia - ITALIA
Office:   +39.02.23998309          
Mobile:   +39.333.4963172
Email:    pierangelo.masarati@sys-net.it
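
The kind of consistency check suggested above, as an added example that is not part of the original message and is not OpenLDAP's aci.c: a small Python validator for the `oid#scope#action;rights;attr...#type#subject` layout quoted in the mail, with a switch between the single-attribute reading and the comma-separated reading. The rights alphabet `rwscx`, the attribute-name pattern and all sample values except the first are assumptions.

```python
import re

RIGHTS = set("rwscx")  # assumption: the message itself only shows r, s and c
ATTR = re.compile(r"^(\[all\]|[A-Za-z][A-Za-z0-9-]*)$")  # assumption: no options

def check_perms(perms, allow_attr_list=False):
    """Return the problems found in the action;rights;attr... field."""
    problems = []
    for group in perms.split("$"):
        action, *pairs = group.split(";")
        if action not in ("grant", "deny"):
            problems.append(f"bad action {action!r}")
        if not pairs or len(pairs) % 2:
            problems.append(f"{group!r}: expected rights;attr pairs")
            continue
        for rights, attr in zip(pairs[0::2], pairs[1::2]):
            if any(r not in RIGHTS for r in rights.split(",")):
                problems.append(f"bad rights {rights!r}")
            # Strict reading: one attribute (or "[all]") per pair.
            attrs = attr.split(",") if allow_attr_list else [attr]
            if not all(ATTR.match(a) for a in attrs):
                problems.append(f"bad attr {attr!r}")
    return problems

def check_aci(value, allow_attr_list=False):
    # Split at most four times so a '#' inside the subject is preserved.
    fields = value.split("#", 4)
    if len(fields) != 5 or not all(fields):
        return ["expected oid#scope#perms#type#subject"]
    return check_perms(fields[2], allow_attr_list)

SUBJ = "access-id#cn=xxx,dc=testuml,dc=test"
SAMPLES = [  # first value is from the message, the rest are constructed
    "1#entry#grant;r,s,c;cn;r,s,c;dc#" + SUBJ,
    "1#entry#grant;r,s,c;cn,dc#" + SUBJ,
    "1#entry#grant;r,s,c;[all]$deny;w;[all]#" + SUBJ,
    "1#entry#grant;r,s,c#" + SUBJ,
    "1#entry#allow;r;cn#" + SUBJ,
]

def matrix():
    """For each sample: (value, accepted strictly, accepted with lists)."""
    return [(s, not check_aci(s), not check_aci(s, True)) for s in SAMPLES]

if __name__ == "__main__":
    for value, strict, lenient in matrix():
        print(f"strict={strict!s:5} lists={lenient!s:5} {value}")
```

Only the second sample changes verdict between the two readings, which is the disagreement discussed in this thread.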