Re: access control 'set=' problem (ITS#3140)
> This problem is not platform or back-end dependent, I agree with you.
> However, I do not see the endless loop you are talking about
Run slapd with ACL debug level, and you'll notice it ;) !
> : as I
> understand it, the set clause access control
>
> access to *
> by set="[cn=admins,o=myorg,c=fr]/member* & user" write
> by * read
>
> builds a set which contains all the DNs in the member attribute of
> "cn=admins,o=myorg,c=fr", and proceeds recursively until the DNs in the
> member attribute do not have a member attribute. I do not see any
> relation with the DN that access is currently checked for; or the crash
> depends on that. This may loop if a group contains a second group which
> contains the first group (or with more intermediate groups), but this is
> not the case. Moreover, this access control worked fine with openldap
> 2.0.x and 2.1.x.
I'm not questioning it. I simply applied your ACL to the database
resulting from test003, and found slapd crashing after what appears to be
an endless loop.
>
> Maybe the signification of the set has changed with openldap 2.2.x,
I don't know for sure, but if it did, then I think it was unintentional.
> because when I set loglevel to -1 and perform a tail -f on the log file,
> I do see the output of the ldapsearch stopping while the log file keeps
> increasing for a few seconds before the server crashes.
>
> By the way, is there another way of performing such a recursive check
> without using sets?
Not to my knowledge.
p.
--
Pierangelo Masarati
mailto:pierangelo.masarati@sys-net.it
SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497
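The quoted ACL, `set="[cn=admins,o=myorg,c=fr]/member* & user"`, asks slapd to take the closure of the `member` attribute starting at the admins group and test whether the bound user's DN is in it. The thread's own observation is that a membership cycle (group A lists group B, which lists group A) is the classic way such an expansion fails to terminate. The following simulation is an added example, not OpenLDAP code and not a statement of how slapd's C set evaluator is implemented: it models the `member*` walk over a small constructed directory that deliberately contains a cycle, once with a visited set (always terminates) and once without (only a step budget stops it). The `DIRECTORY` data, the `normalize_dn` helper and all function names are assumptions made for the example; real DN normalization is considerably more involved than lower-casing.

```python
"""Simulate evaluation of a slapd set ACL clause of the form

    by set="[cn=admins,o=myorg,c=fr]/member* & user" write

'member*' is the transitive closure of the member attribute starting at the
group entry; the '& user' intersection succeeds when the bound user's DN is
in that closure.  Example code, not OpenLDAP's own implementation.
"""

# Constructed sample directory: DN -> attribute dict.  Keys are already in
# the normalized (lower-case) form that normalize_dn() produces.
# cn=ops lists cn=admins back, so the membership graph contains a cycle.
DIRECTORY = {
    "cn=admins,o=myorg,c=fr": {
        "objectclass": ["groupOfNames"],
        "member": ["cn=ops,o=myorg,c=fr", "uid=alice,ou=people,o=myorg,c=fr"],
    },
    "cn=ops,o=myorg,c=fr": {
        "objectclass": ["groupOfNames"],
        "member": ["cn=admins,o=myorg,c=fr", "uid=bob,ou=people,o=myorg,c=fr"],
    },
    "uid=alice,ou=people,o=myorg,c=fr": {"objectclass": ["person"]},
    "uid=bob,ou=people,o=myorg,c=fr": {"objectclass": ["person"]},
    "uid=carol,ou=people,o=myorg,c=fr": {"objectclass": ["person"]},
}


def normalize_dn(dn: str) -> str:
    """Assumed, simplistic DN normalization: trim and lower-case.
    Real LDAP DN matching must handle escaping, spacing and attribute syntax."""
    return dn.strip().lower()


def member_closure(directory: dict, start_dn: str, attr: str = "member") -> set:
    """Return every DN reachable by following `attr` repeatedly ('member*').

    A visited set guarantees termination even when groups form a cycle or
    a diamond; each DN is expanded at most once."""
    seen = set()
    stack = [normalize_dn(start_dn)]
    while stack:
        dn = stack.pop()
        for value in directory.get(dn, {}).get(attr, []):
            value = normalize_dn(value)
            if value in seen:
                continue  # already expanded: cycle or diamond in the graph
            seen.add(value)
            stack.append(value)
    return seen


def set_acl_grants(directory: dict, user_dn: str,
                   group_dn: str = "cn=admins,o=myorg,c=fr") -> bool:
    """Evaluate '[group_dn]/member* & user': non-empty intersection => match."""
    return bool(member_closure(directory, group_dn) & {normalize_dn(user_dn)})


def member_closure_naive(directory: dict, start_dn: str,
                         attr: str = "member", budget: int = 200) -> set:
    """Same expansion without a visited set.  On cyclic data it never
    converges; the step budget is the only thing that stops it."""
    result = set()

    def expand(dn: str) -> None:
        nonlocal budget
        budget -= 1
        if budget < 0:
            raise RuntimeError("member* expansion did not terminate (cycle?)")
        for value in directory.get(normalize_dn(dn), {}).get(attr, []):
            result.add(normalize_dn(value))
            expand(value)

    expand(start_dn)
    return result


def naive_terminates(directory: dict, start_dn: str) -> bool:
    """True if the unguarded expansion finishes within its step budget."""
    try:
        member_closure_naive(directory, start_dn)
    except RuntimeError:
        return False
    return True


if __name__ == "__main__":
    for user in ("uid=alice,ou=people,o=myorg,c=fr",
                 "uid=bob,ou=people,o=myorg,c=fr",
                 "uid=carol,ou=people,o=myorg,c=fr"):
        print(f"{user}: write={set_acl_grants(DIRECTORY, user)}")
    print("guarded closure:", sorted(member_closure(DIRECTORY, "cn=admins,o=myorg,c=fr")))
    print("unguarded expansion terminates:",
          naive_terminates(DIRECTORY, "cn=admins,o=myorg,c=fr"))
```

Running it shows alice and bob (the latter only through the nested cn=ops group) matching the set clause while carol does not, and that the unguarded walk on the same data exhausts its budget. The point for anyone reproducing the ITS report is that the guarded walk visits each group once regardless of how the groups reference each other, so any non-termination observed in slapd is something to look for in the set evaluator rather than in the ACL syntax itself.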