
Re: access control 'set=' problem (ITS#3140)



> This problem is not platform or back-end dependent, I agree with you.
> However, I do not see the endless loop you are talking about

Run slapd with ACL debug level, and you'll notice it ;) !

> : as I
> understand it, the set clause access control
>
> access to *
>         by set="[cn=admins,o=myorg,c=fr]/member* & user" write
>         by * read
>
> builds a set which contains all the DNs in the member attribute of
> "cn=admins,o=myorg,c=fr", and proceeds recursively until the DNs in the
> member attribute do not have a member attribute. I do not see any
> relation with the DN that access is currently checked for; or the crash
> depends on that. This may loop if a group contains a second group which
> contains the first group (or with more intermediate groups), but this is
> not the case. Moreover, this access control worked fine with openldap
> 2.0.x and 2.1.x.

I'm not questioning it.  I simply applied your ACL to the database
resulting from test003, and found slapd crashing after what appears to be
an endless loop.

>
> Maybe the signification of the set has changed with openldap 2.2.x,

I don't know for sure, but if it did, then I think it was unintentional.

> because when I set loglevel to -1 and perform a tail -f on the log file,
> I do see the output of the ldapsearch stopping while the log file keeps
> increasing for a few seconds before the server crashes.
>
> By the way, is there another way of performing such a recursive check
> without using sets?

Not to my knowledge.

p.

-- 
Pierangelo Masarati
mailto:pierangelo.masarati@sys-net.it

    SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497
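Added illustration, not part of the ITS thread or of slapd's own code: a small Python model of how a set clause like `[cn=admins,o=myorg,c=fr]/member* & user` is evaluated as described above (collect the member values of the group, recurse into each of them, then intersect with the bound user), with a visited set so that a pair of groups that list each other as members terminates instead of recursing forever. The directory contents are constructed for the example, and it assumes the starting group DN only enters the result if some member attribute points back at it.

```python
from typing import Dict, List, Set

# Constructed toy directory: DN -> values of that entry's "member" attribute.
DIRECTORY: Dict[str, List[str]] = {
    "cn=admins,o=myorg,c=fr": [
        "cn=ops,o=myorg,c=fr",
        "uid=alice,ou=people,o=myorg,c=fr",
    ],
    "cn=ops,o=myorg,c=fr": [
        "uid=bob,ou=people,o=myorg,c=fr",
        "cn=admins,o=myorg,c=fr",  # cycle: ops -> admins -> ops -> ...
    ],
}


def expand_member_star(dn: str, directory: Dict[str, List[str]]) -> Set[str]:
    """Transitive closure of "member*" starting at dn.

    Follows the semantics described in the thread: take the DNs in the member
    attribute of dn, then do the same for each of those DNs. The visited set is
    what guarantees termination when groups reference each other.
    """
    result: Set[str] = set()
    visited: Set[str] = set()
    stack = [dn]
    while stack:
        current = stack.pop()
        if current in visited:
            continue  # already expanded: this is what breaks the loop
        visited.add(current)
        for member in directory.get(current, []):
            result.add(member)
            stack.append(member)  # recurse: the member may itself be a group
    return result


def set_grants_access(user_dn: str, group_dn: str,
                      directory: Dict[str, List[str]]) -> bool:
    """Evaluate "[group_dn]/member* & user".

    The "& user" part intersects the expanded set with the bound DN; the set
    clause matches (and the ACL line applies) when that intersection is
    non-empty, i.e. when the user is a direct or nested member.
    """
    return user_dn in expand_member_star(group_dn, directory)
```

With the constructed directory, bob is reached only through the nested `cn=ops` group, and the admins/ops cycle is expanded exactly once.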