(ITS#6804) 'self' access modifier only works for first entry
Full_Name: Devin J. Pohly
Version: 2.4.23
OS: Linux
URL: http://openldap.pastebin.com/gvswpxLX
Submission from: (NULL) (98.235.33.55)
Description:
I have set up an LDAP directory which contains users and flat groups
(groupOfNames/member style). I want to use the access controls to only allow
users to see their own groups and membership, so I defined the following
controls:
access to dn.onelevel="ou=group,o=org" attrs=entry
by dnattr=member read
access to dn.onelevel="ou=group,o=org" attrs=member
by dnattr=member selfread
Steps to reproduce:
1. Start a new instance of OpenLDAP with the slapd.conf file provided at
<http://openldap.pastebin.com/gvswpxLX> and an empty database.
2. Get grouptest.ldif from <http://openldap.pastebin.com/X1DUyGmf> and add it to
the directory:
ldapadd -x -H $LDAPURI -D uid=admin,o=org -w admin -f grouptest.ldif
This creates two users, foo and bar, and two groups, g1 and g2. Each user is in
both groups.
3. Compare the outputs of:
ldapsearch -x -H $LDAPURI -D uid=foo,ou=user,o=org -w foo -b ou=group,o=org
ldapsearch -x -H $LDAPURI -D uid=bar,ou=user,o=org -w bar -b ou=group,o=org
Expected results:
Foo's query shows "member: foo" for both g1 and g2. Bar's query shows "member:
bar" for both g1 and g2.
Actual results:
Foo's query shows "member: foo" for both g1 and g2. Bar's query does not show
any member attributes.
Note: Changing the order in which the users are listed changes the behavior;
only the first user listed matches 'self'. Changing the 'selfread' privilege to
'read' behaves correctly: both queries display both users' memberships in the
groups. So the problem lies somewhere in the way the 'self' modifier is
implemented.
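A check that automates step 3 of the report, added here as an example; it is not code from the ITS submission or from OpenLDAP. Under a "by dnattr=member selfread" rule, a bound user should see exactly one member value per group they belong to, their own DN, so the check parses the LDIF that ldapsearch prints for one user and verifies that per group. The two sample outputs are constructed from the report's description, and the full DNs (uid=foo,ou=user,o=org, cn=g1,ou=group,o=org) are assumptions, since the report's LDIF is only reachable via the pastebin links and uses the shorthand "member: foo".

```python
"""Verify that a 'dnattr=member ... selfread' group ACL exposes exactly
one member value per group to the searching user: its own DN.

Added example for ITS#6804, not code from the report or from OpenLDAP.
The ldapsearch outputs below are constructed; member and group DNs are
assumptions (the report writes "member: foo" as shorthand).
"""
import base64


def parse_ldif(text):
    """Parse ldapsearch-style LDIF into {dn.lower(): {attr.lower(): [values]}}.

    Handles '#' comments, folded lines (continuations start with a space)
    and base64 values ('attr:: ...').  Trailer lines such as 'search: 2'
    or 'result: 0 Success' follow a blank line without a 'dn:' and are
    therefore ignored.
    """
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(' ') and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)

    entries = {}
    dn, attrs = None, None
    for line in unfolded + ['']:          # trailing '' flushes the last entry
        if line.startswith('#'):
            continue
        if line == '':
            if dn is not None:
                entries[dn.lower()] = attrs
            dn, attrs = None, None
            continue
        name, _, rest = line.partition(':')
        if rest.startswith(':'):          # 'attr:: <base64>'
            value = base64.b64decode(rest[1:].strip()).decode('utf-8')
        else:
            value = rest.strip()
        if name.lower() == 'dn':
            dn, attrs = value, {}
        elif attrs is not None:
            attrs.setdefault(name.lower(), []).append(value)
    return entries


def check_selfread(ldif_text, self_dn, group_dns):
    """Return (ok, problems) for one user's search over the group subtree.

    Each listed group must show exactly one member value, the user's own
    DN.  Extra values mean the ACL is wider than intended; no values is
    the symptom the report describes for the second user.  DNs are
    compared case-insensitively, which is sufficient for these DNs.
    """
    entries = parse_ldif(ldif_text)
    problems = []
    for group in group_dns:
        entry = entries.get(group.lower())
        if entry is None:
            problems.append(f"{group}: entry not visible to {self_dn}")
            continue
        members = [m.lower() for m in entry.get('member', [])]
        if members != [self_dn.lower()]:
            problems.append(f"{group}: member values {members}, "
                            f"expected only {self_dn}")
    return (not problems, problems)


GROUPS = ["cn=g1,ou=group,o=org", "cn=g2,ou=group,o=org"]

# Constructed: the expected behaviour, as the report describes it for foo.
FOO_OUTPUT = """\
# extended LDIF
# base <ou=group,o=org> with scope subtree

# g1, group, org
dn: cn=g1,ou=group,o=org
member: uid=foo,ou=user,o=org

# g2, group, org
dn: cn=g2,ou=group,o=org
member: uid=foo,ou=user,o=org

# search result
search: 2
result: 0 Success
"""

# Constructed: the reported bug, as the report describes it for bar.
BAR_OUTPUT = """\
# g1, group, org
dn: cn=g1,ou=group,o=org

# g2, group, org
dn: cn=g2,ou=group,o=org

# search result
search: 2
result: 0 Success
"""

if __name__ == "__main__":
    for who, output in (("foo", FOO_OUTPUT), ("bar", BAR_OUTPUT)):
        ok, problems = check_selfread(output, f"uid={who},ou=user,o=org", GROUPS)
        print(f"{who}: {'OK' if ok else 'FAIL'}")
        for problem in problems:
            print("  " + problem)
```

In practice the two samples would be replaced by the captured output of the two ldapsearch commands from step 3 (one run per bound user); the check is also useful as a regression test when changing the selfread rule, because it fails both when a user sees nothing and when a user sees another member's DN.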