[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: Problems resolving multi-valued attributes with acl directives (ITS#3269)
bill_woody@symantec.com wrote:
> Full_Name: William Edward Woody
> Version: 2.2.8
> OS: Win32
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (198.6.50.155)
>
>
> I encountered a problem with entries with multi-valued attributes, where not all
> of the values were being returned in v2.2.8 of OpenLDAP slapd.
>
> When an entry is marked as having read access only to a group, reading the
> objectClass attribute with 'cn=root' (full root privileges) will return all
> objectClass attribute values. However, if one logs in using the access
> privileges of a member in the group, only the first objectClass attribute is
> returned.
>
> I narrowed down the problem to the state caching used while resolving ACL
> instructions. In servers/slapd/acl.c, the AccessControlState object appears to
> store the last resolved ACL item in the slapd.conf block access control list,
> and stores nothing with respect to the openLDAPaci attribute. Now we've defined
> our access control block to rely on openLDAPaci:
There was a recent change to ACL caching and OpenLDAPaci, does this
problem still occur for you in the current release (2.2.25)?
--
-- Howard Chu
Chief Architect, Symas Corp. Director, Highland Sun
http://www.symas.com http://highlandsun.com/hyc
Symas: Premier OpenSource Development and Support