[Date Prev][Date Next] [Chronological] [Thread] [Top]

ACL Evaluation bug (ITS#3173)

To: openldap-its@OpenLDAP.org
Subject: ACL Evaluation bug (ITS#3173)
From: quanah@stanford.edu
Date: Thu, 3 Jun 2004 16:45:48 GMT

Full_Name: Quanah Gibson-Mount
Version: 2.2.11
OS: Solaris 8
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (171.66.182.82)


I was working on ITS#3114, when I found that if I simply changed my ACL's,
everything worked.

Originally, I had:

access to *
        by dn.base="cn=replicator,cn=service,cn=Applications,dc=stanford,dc=edu"
sasl_ssf=56 write
        by group.base="cn=Supervisor,cn=Applications,dc=stanford,dc=edu"
sasl_ssf=56 write
        by group.base="cn=ldapAdmin,cn=Applications,dc=stanford,dc=edu"
sasl_ssf=56 read
        by dn.base="cn=RegistryDataAuditor,cn=service,cn=Applications,dc=stanford,dc=edu"
sasl_ssf=5
6 read
        by group.base="cn=ldapReplica,cn=Applications,dc=stanford,dc=edu"
sasl_ssf=56 read
        by * break


This caused the ADD's I did to block.  I changed the ACL order after looking at
the debug output at -d -1 level, which showed taht the ldapReplica group was not
being iterated through.

This ACL worked:
access to *
        by dn.base="cn=replicator,cn=service,cn=Applications,dc=stanford,dc=edu"
sasl_ssf=56 write
        by group.base="cn=ldapReplica,cn=Applications,dc=stanford,dc=edu"
sasl_ssf=56 read
        by group.base="cn=Supervisor,cn=Applications,dc=stanford,dc=edu"
sasl_ssf=56 write
        by group.base="cn=ldapAdmin,cn=Applications,dc=stanford,dc=edu"
sasl_ssf=56 read
        by dn.base="cn=RegistryDataAuditor,cn=service,cn=Applications,dc=stanford,dc=edu"
sasl_ssf=5
6 read
        by * break


However, I'm now blocked by ITS#3172, so I can't give the more detailed output,
as I inadverdently blew away my initial -d -1 output file that had the iteration
information in it.

Prev by Date: SASL causes segmentation fault (ITS#3172)
Next by Date: Re: ACL Evaluation bug (ITS#3173)
Index(es):
- Chronological
- Thread