[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Problems resolving multi-valued attributes with acl directives (ITS#3269)



I haven't tried; we're building the OpenLDAP slapd daemon for Windows 
ourselves and I haen't had the time to try building with the latest and 
greatest.


 
Bill Woody

Principle Software Developer
Symantec Corporation
Office:
310-449-5424
Interoffice: 
6 [310] 5424
Email:
bill_woody@symantec.com




owner-openldap-bugs@OpenLDAP.org wrote on 08/05/2004 10:20:38 PM:

> bill_woody@symantec.com wrote:
> 
> > Full_Name: William Edward Woody
> > Version: 2.2.8
> > OS: Win32
> > URL: ftp://ftp.openldap.org/incoming/
> > Submission from: (NULL) (198.6.50.155)
> > 
> > 
> > I encountered a problem with entries with multi-valued attributes,
> where not all
> > of the values were being returned in v2.2.8 of OpenLDAP slapd.
> > 
> > When an entry is marked as having read access only to a group, reading 
the
> > objectClass attribute with 'cn=root' (full root privileges) will 
return all
> > objectClass attribute values. However, if one logs in using the access
> > privileges of a member in the group, only the first objectClass 
attribute is
> > returned.
> > 
> > I narrowed down the problem to the state caching used while resolving 
ACL
> > instructions. In servers/slapd/acl.c, the AccessControlState 
> object appears to
> > store the last resolved ACL item in the slapd.conf block access 
> control list,
> > and stores nothing with respect to the openLDAPaci attribute. Now 
> we've defined
> > our access control block to rely on openLDAPaci:
> 
> There was a recent change to ACL caching and OpenLDAPaci, does this 
> problem still occur for you in the current release (2.2.25)?
> 
> -- 
>    -- Howard Chu
>    Chief Architect, Symas Corp.       Director, Highland Sun
>    http://www.symas.com               http://highlandsun.com/hyc
>    Symas: Premier OpenSource Development and Support
> 
>