(ITS#3446) ACL val clause ineffective with bind
Full_Name: Aaron Richton
Version: 2.2.19
OS: Solaris 9
URL:
Submission from: (NULL) (67.85.190.119)
Start with test010-passwd, altered to halt the test after Pass 1. Note

    ldapsearch -x -H "ldap://localhost:9011/" \
        -D "cn=md5,o=University of Michigan,c=US" -LLL \
        -b "o=University of Michigan,c=US" -w newsecret '(cn=md5)' \
        userPassword

returns

    dn: cn=md5,o=University of Michigan,c=US
    userPassword:: e1NNRDV9TXZ0cWdGV2s3d0JTbm1xK3dlcmNQNFZ4UCtnPQ==

Edit the slapd config file. Replace the first "access" stanza with

    access to attr=userpassword
        by * none

restart slapd, rerun ldapsearch as above, and note "Invalid credentials." Since
no "auth," we've observed expected behavior.

Replace the first "access" stanza with

    access to attr=userpassword val.regex=^[{]SMD5[}].*
        by * none

Rerun ldapsearch as above. The read is prohibited, but the bind is not.

    dn: cn=md5,o=University of Michigan,c=US

is output. I would expect "Invalid credentials." I'd claim this to be an ACL
processing bug.
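
The following is an added example, not part of the original submission or of OpenLDAP: it decodes the userPassword value from the ldapsearch output above and checks it against the val.regex from the second ACL, confirming that the stored value is one the clause selects. The helper names are hypothetical, and Python's `re` is assumed to treat this pattern the same way slapd's POSIX regex does.

```python
import base64
import hashlib
import hmac
import re

# Both values are copied from the report above.
LDIF_VALUE = "e1NNRDV9TXZ0cWdGV2s3d0JTbm1xK3dlcmNQNFZ4UCtnPQ=="
ACL_VAL_REGEX = r"^[{]SMD5[}].*"

def stored_value(ldif_b64):
    """Undo the base64 wrapper that LDIF 'attr::' puts around the value."""
    return base64.b64decode(ldif_b64).decode("ascii")

def acl_val_matches(value, pattern=ACL_VAL_REGEX):
    """True when the stored value is selected by the ACL's val.regex clause."""
    return re.search(pattern, value) is not None

def split_smd5(value):
    """Split '{SMD5}' + base64(md5(password + salt) + salt) into (digest, salt)."""
    if not value.startswith("{SMD5}"):
        raise ValueError("not an {SMD5} value")
    raw = base64.b64decode(value[len("{SMD5}"):])
    if len(raw) <= 16:
        raise ValueError("no salt after the 16-byte MD5 digest")
    return raw[:16], raw[16:]

def make_smd5(password, salt):
    """Build an {SMD5} value; used here only to exercise verify_smd5."""
    digest = hashlib.md5(password.encode() + salt).digest()
    return "{SMD5}" + base64.b64encode(digest + salt).decode("ascii")

def verify_smd5(value, password):
    """The comparison a simple bind has to perform against the stored value."""
    digest, salt = split_smd5(value)
    candidate = hashlib.md5(password.encode() + salt).digest()
    return hmac.compare_digest(candidate, digest)

if __name__ == "__main__":
    value = stored_value(LDIF_VALUE)
    digest, salt = split_smd5(value)
    print("stored value:", value)
    print("selected by val.regex:", acl_val_matches(value))
    print("digest bytes:", len(digest), "salt bytes:", len(salt))
```

Because the bind has to compare against this same stored value, the value the ACL denies for read is the one being used for authentication.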