[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: Problems resolving multi-valued attributes with acl directives (ITS#3269)
As a followup--I tried rebuilding using v2.2.15--the latest version that
is on the OpenLDAP front page. (I had to recompile for Windows to test, so
it took a little time.) The problem seemed to be cleared up with
2.2.15--but I got a hang which I don't have time now to debug. (We are
attempting to port a rather mature product from IBM SecureWay to OpenLDAP,
so there are about a million things that could be going wrong. I do know
it is OpenLDAP that is hanging, though--though I can't be certain it isn't
something I did to recompile OpenLDAP with MSVC v6.)
I tried with v2.2.13--and while I'm not experiencing a hang, the problem
appears to manifest itself there.
Bill Woody
Principle Software Developer
Symantec Corporation
Office:
310-449-5424
Interoffice:
6 [310] 5424
Email:
bill_woody@symantec.com
hyc@symas.com
Sent by: owner-openldap-bugs@OpenLDAP.org
08/05/2004 10:20 PM
To
openldap-its@OpenLDAP.org
cc
Subject
Re: Problems resolving multi-valued attributes with acl directives
(ITS#3269)
bill_woody@symantec.com wrote:
> Full_Name: William Edward Woody
> Version: 2.2.8
> OS: Win32
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (198.6.50.155)
>
>
> I encountered a problem with entries with multi-valued attributes, where
not all
> of the values were being returned in v2.2.8 of OpenLDAP slapd.
>
> When an entry is marked as having read access only to a group, reading
the
> objectClass attribute with 'cn=root' (full root privileges) will return
all
> objectClass attribute values. However, if one logs in using the access
> privileges of a member in the group, only the first objectClass
attribute is
> returned.
>
> I narrowed down the problem to the state caching used while resolving
ACL
> instructions. In servers/slapd/acl.c, the AccessControlState object
appears to
> store the last resolved ACL item in the slapd.conf block access control
list,
> and stores nothing with respect to the openLDAPaci attribute. Now we've
defined
> our access control block to rely on openLDAPaci:
There was a recent change to ACL caching and OpenLDAPaci, does this
problem still occur for you in the current release (2.2.25)?
--
-- Howard Chu
Chief Architect, Symas Corp. Director, Highland Sun
http://www.symas.com http://highlandsun.com/hyc
Symas: Premier OpenSource Development and Support