ACL Evaluation bug (ITS#3173)
Full_Name: Quanah Gibson-Mount
Version: 2.2.11
OS: Solaris 8
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (171.66.182.82)
I was working on ITS#3114, when I found that if I simply changed my ACLs,
everything worked.
Originally, I had:
access to *
    by dn.base="cn=replicator,cn=service,cn=Applications,dc=stanford,dc=edu" sasl_ssf=56 write
    by group.base="cn=Supervisor,cn=Applications,dc=stanford,dc=edu" sasl_ssf=56 write
    by group.base="cn=ldapAdmin,cn=Applications,dc=stanford,dc=edu" sasl_ssf=56 read
    by dn.base="cn=RegistryDataAuditor,cn=service,cn=Applications,dc=stanford,dc=edu" sasl_ssf=56 read
    by group.base="cn=ldapReplica,cn=Applications,dc=stanford,dc=edu" sasl_ssf=56 read
    by * break
This caused the ADDs I did to block. I changed the ACL order after looking at
the debug output at -d -1 level, which showed that the ldapReplica group was not
being iterated through.
This ACL worked:
access to *
    by dn.base="cn=replicator,cn=service,cn=Applications,dc=stanford,dc=edu" sasl_ssf=56 write
    by group.base="cn=ldapReplica,cn=Applications,dc=stanford,dc=edu" sasl_ssf=56 read
    by group.base="cn=Supervisor,cn=Applications,dc=stanford,dc=edu" sasl_ssf=56 write
    by group.base="cn=ldapAdmin,cn=Applications,dc=stanford,dc=edu" sasl_ssf=56 read
    by dn.base="cn=RegistryDataAuditor,cn=service,cn=Applications,dc=stanford,dc=edu" sasl_ssf=56 read
    by * break
However, I'm now blocked by ITS#3172, so I can't give the more detailed output,
as I inadvertently blew away my initial -d -1 output file that had the iteration
information in it.