access control "set=" problem (ITS#3140)
Full_Name: HAGER Herve
Version: 2.2.x
OS: Red Hat 8 and Fedora Core 1
URL:
Submission from: (NULL) (212.103.10.226)
Hello,
OpenLDAP crashes when I perform an unbind ldapsearch on it. I found out that it
is the "set=" directive from an access clause in the slapd.conf which is the
cause, when the group specified contains another group which is in the "what"
part of the access clause. Because I know this is hard to explain with my
low-level English, I made a small example LDIF:

dn: o=myorg,c=fr
objectclass: top
objectclass: organization
o: myorg

dn: ou=people,o=myorg,c=fr
objectclass: top
objectclass: organizationalunit
ou: people

dn: cn=toto,ou=people,o=myorg,c=fr
objectclass: top
objectclass: person
sn: toto
cn: toto

dn: cn=admins,o=myorg,c=fr
objectclass: top
objectclass: groupofnames
cn: admins
member: cn=group,ou=people,o=myorg,c=fr

dn: cn=group,ou=people,o=myorg,c=fr
objectclass: top
objectclass: groupofnames
cn: group
member: cn=toto,ou=people,o=myorg,c=fr

With the following access clause in the slapd.conf file:
access to *
by set="[cn=admins,o=myorg,c=fr]/member* & user" write
by * read
an unbind ldapsearch on the directory crashes, such as:
ldapsearch -b "o=myorg,c=fr"
The bug is verified on OpenLDAP 2.2.4, 2.2.10 and 2.2.11, so I assume all the
2.2.x versions are involved. The bug is not present on the 2.1.30 version.
There's no problem with a bind ldapsearch.
The bug happens on Red Hat 8 and Fedora Core 1, with OpenLDAP compiled from
source. Here is my configure command line:
./configure --prefix=/usr/local/openldap --enable-crypt --enable-lmpasswd
--without-cyrus-sasl --with-threads --with-tls --disable-bdb --enable-ldbm
--with-ldbm-gdbm --enable-slurpd --disable-ipv6 --enable-syslog
I hope I have given all relevant information to help fix this problem.
Thanks for your help.
Best regards,
Herve
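
Added example, not part of the original report and not slapd code: a simplified Python model of how the set expression `[cn=admins,o=myorg,c=fr]/member* & user` from the access clause above resolves against the nested groups in the sample LDIF, for a bound user and for an anonymous one. It assumes `member*` means "follow `member` recursively and collect every DN reached" and that an anonymous client contributes an empty `user` set; the function names and the naive DN normalization are hypothetical.

```python
# Simplified model of the set ACL from this report; not OpenLDAP's implementation.
# SAMPLE_LDIF is the group part of the reporter's LDIF, trimmed to the needed attributes.
SAMPLE_LDIF = """\
dn: cn=toto,ou=people,o=myorg,c=fr
cn: toto

dn: cn=admins,o=myorg,c=fr
objectclass: groupofnames
member: cn=group,ou=people,o=myorg,c=fr

dn: cn=group,ou=people,o=myorg,c=fr
objectclass: groupofnames
member: cn=toto,ou=people,o=myorg,c=fr
"""

def norm(dn):
    """Naive DN normalization (assumption): lowercase, trim around commas."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def parse_ldif(text):
    """Return {normalized dn: {attr: [values]}} for simple, unwrapped LDIF."""
    entries = {}
    for block in text.strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            name, _, value = line.partition(":")
            attrs.setdefault(name.strip().lower(), []).append(value.strip())
        entries[norm(attrs["dn"][0])] = attrs
    return entries

def expand(entries, start_dn, attr):
    """Model of '[start_dn]/attr*': every DN reached by following attr."""
    reached, todo = set(), [norm(start_dn)]
    while todo:
        dn = todo.pop()
        for value in entries.get(dn, {}).get(attr, []):
            v = norm(value)
            if v not in reached:  # guard so a group loop cannot recurse forever
                reached.add(v)
                todo.append(v)
    return reached

def set_grants_write(entries, group_dn, user_dn):
    """Model of '[group_dn]/member* & user': write if the intersection is non-empty."""
    user = {norm(user_dn)} if user_dn else set()  # anonymous: empty set (assumption)
    return bool(expand(entries, group_dn, "member") & user)
```

In this model `cn=toto` gets write access through the nested group, while an anonymous search falls through to the `by * read` clause.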