
Re: access control 'set=' problem (ITS#3140)



I'm not quite familiar with sets in ACLs, but don't you get
exactly the same result by using group ACLs rules?  Why don't
you try

access to *
        by group.exact="cn=admins,o=myorg,c=fr" write
        by * read

Of course the crash is a bug...

p.

> Full_Name: HAGER Herve
> Version: 2.2.x
> OS: Red Hat 8 and Fedora Core 1
> URL:
> Submission from: (NULL) (212.103.10.226)
>
>
> Hello,
>
> OpenLDAP crashes when I perform an unbind ldapsearch on it. I found out
> that it is the "set=" directive from an access clause in the slapd.conf
> which is the cause, when the group specified contains another group which
> is in the "what" part of the access clause. Because I know this is hard
> to explain with my low-level English, I realised a small example LDIF:
>
> dn: o=myorg,c=fr
> objectclass: top
> objectclass: organization
> o: myorg
>
> dn: ou=people,o=myorg,c=fr
> objectclass: top
> objectclass: organizationalunit
> ou: people
>
> dn: cn=toto,ou=people,o=myorg,c=fr
> objectclass: top
> objectclass: person
> sn: toto
> cn: toto
>
> dn: cn=admins,o=myorg,c=fr
> objectclass: top
> objectclass: groupofnames
> cn: admins
> member: cn=group,ou=people,o=myorg,c=fr
>
> dn: cn=group,ou=people,o=myorg,c=fr
> objectclass: top
> objectclass: groupofnames
> cn: group
> member: cn=toto,ou=people,o=myorg,c=fr
>
> With the following access clause in the slapd.conf file:
> access to *
>         by set="[cn=admins,o=myorg,c=fr]/member* & user" write
>         by * read
> an unbind ldapsearch on the directory crashes, such as:
> ldapsearch -b "o=myorg,c=fr"
>
> The bug is verified on openldap 2.2.4, 2.2.10 and 2.2.11, so I assume
> all the 2.2.x versions are involved. The bug is not present on the
> 2.1.30 version. There's no problem with a bind ldapsearch.
>
> The bug happens on Red Hat 8 and Fedora Core 1, with openldap compiled
> from source. Here is my configure command line:
> ./configure --prefix=/usr/local/openldap --enable-crypt
> --enable-lmpasswd --without-cyrus-sasl --with-threads --with-tls
> --disable-bdb --enable-ldbm --with-ldbm-gdbm --enable-slurpd
> --disable-ipv6 --enable-syslog
>
> I hope I have given all relevant information to help fixing this
> problem. Thanks for your help.
>
> Best regards,
> Herve


-- 
Pierangelo Masarati
mailto:pierangelo.masarati@sys-net.it




    SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497
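To make the ACL semantics under discussion concrete, here is an added example (editor's code, not OpenLDAP's and not from either poster) that evaluates the reporter's set expression `[cn=admins,o=myorg,c=fr]/member* & user` over the LDIF from the report, using the documented meaning of `attr*` (transitive closure) and, for comparison, the direct-membership test a `group.exact` rule performs. The helper names (`parse_ldif`, `closure`, `set_acl_matches`, `group_exact_matches`) are assumptions of this example; the embedded LDIF is the subset of the reporter's entries that the ACL actually touches.

```python
# Added example (not OpenLDAP code): evaluates the report's set ACL
# "[cn=admins,o=myorg,c=fr]/member* & user" over the thread's LDIF, modelling
# the documented "attr*" closure semantics next to a flat group.exact test.

LDIF = """\
dn: cn=admins,o=myorg,c=fr
objectclass: groupofnames
member: cn=group,ou=people,o=myorg,c=fr

dn: cn=group,ou=people,o=myorg,c=fr
objectclass: groupofnames
member: cn=toto,ou=people,o=myorg,c=fr
"""

def parse_ldif(text):
    """Minimal LDIF parser: DN -> {attr: [values]} with lower-cased attrs."""
    entries, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            current = None
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            current = entries.setdefault(value, {})
        elif current is not None:
            current.setdefault(attr, []).append(value)
    return entries

def closure(entries, start_dn, attr):
    """Set semantics of '[dn]/attr*': follow attr transitively from start_dn."""
    seen, todo = set(), [start_dn]
    while todo:
        dn = todo.pop()
        for value in entries.get(dn, {}).get(attr, []):
            if value not in seen:          # guard against membership cycles
                seen.add(value)
                todo.append(value)
    return seen

def set_acl_matches(entries, group_dn, user_dn):
    """'[g]/member* & user': a non-empty intersection grants; unbound => empty user set."""
    user = {user_dn} if user_dn else set()
    return bool(closure(entries, group_dn, "member") & user)

def group_exact_matches(entries, group_dn, user_dn):
    """Flat 'by group.exact=<group_dn>' test: direct member values only."""
    return user_dn in entries.get(group_dn, {}).get("member", [])

ENTRIES = parse_ldif(LDIF)
```

Run against the entries above, `cn=toto` satisfies the set expression through the nested `cn=group`, while the flat group test sees only `cn=group` itself; an anonymous (unbound) client has an empty `user` set and never matches.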