
Re: Problems resolving multi-valued attributes with acl directives (ITS#3269)



bill_woody@symantec.com wrote:

> Full_Name: William Edward Woody
> Version: 2.2.8
> OS: Win32
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (198.6.50.155)
> 
> 
> I encountered a problem with entries with multi-valued attributes, where not all
> of the values were being returned in v2.2.8 of OpenLDAP slapd.
> 
> When an entry is marked as having read access only to a group, reading the
> objectClass attribute with 'cn=root' (full root privileges) will return all
> objectClass attribute values. However, if one logs in using the access
> privileges of a member in the group, only the first objectClass attribute is
> returned.
> 
> I narrowed down the problem to the state caching used while resolving ACL
> instructions. In servers/slapd/acl.c, the AccessControlState object appears to
> store the last resolved ACL item in the slapd.conf block access control list,
> and stores nothing with respect to the openLDAPaci attribute. Now we've defined
> our access control block to rely on openLDAPaci:

There was a recent change to ACL caching and OpenLDAPaci. Does this 
problem still occur for you in the current release (2.2.25)?

-- 
   -- Howard Chu
   Chief Architect, Symas Corp.       Director, Highland Sun
   http://www.symas.com               http://highlandsun.com/hyc
   Symas: Premier OpenSource Development and Support