(ITS#4573) @pwdPolicy expansion seems to include objectClass?
Full_Name: Andreas Hasenack
Version: 2.3.24
OS: linux
URL:
Submission from: (NULL) (200.140.247.99)
While testing some forms of restricting access to attributes of the pwdPolicy
object class (like pwdHistory, for example), I came across a behaviour which
doesn't seem correct.
If I have an ACL set like this, for example:
    access to dn.subtree="dc=example,dc=com"
        attrs=@pwdPolicy
        by dn="uid=supervisor,ou=people,dc=example,dc=com" read
        by * none
    access to dn.subtree="dc=example,dc=com"
        by * read
Then this search (and many others) stops working:

    $ ldapsearch -x -LLL -s base -b dc=example,dc=com
    $
slapd -d 128 shows:
    => access_allowed: search access to "dc=example,dc=com" "objectClass" requested
    => dn: [1] dc=example,dc=com
    => acl_get: [1] matched
    => acl_get: [1] attr objectClass
    => acl_mask: access to entry "dc=example,dc=com", attr "objectClass" requested
    => acl_mask: to all values by "", (=0)
    <= check a_dn_pat: uid=supervisor,ou=people,dc=example,dc=com
    <= check a_dn_pat: *
    <= acl_mask: [2] applying none(=0) (stop)
    <= acl_mask: [2] mask: none(=0)
    => access_allowed: search access denied by none(=0)
    connection_read(12): no connection!
So, for some reason access to objectClass was denied as if it was included in
the @pwdPolicy expanded form.
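The following is an added example, not code from the ITS submission or from OpenLDAP. It models the rule documented in slapd.access(5) for the `attrs=@<objectClass>` form, which covers every attribute the object class requires (MUST) or allows (MAY), superclasses included, and then replays the two ACL clauses from the report against it. Because every structural and auxiliary class, pwdPolicy included, descends from `top`, and `top` has `MUST objectClass`, the expansion of `@pwdPolicy` contains `objectClass`, which is why the first clause matches and the anonymous search hits `by * none`. The schema excerpt is constructed and abbreviated by hand, and the first-match ACL evaluation is a simplified model of slapd's, not its implementation.

```python
"""Model of slapd's ``attrs=@objectClass`` attribute-set expansion.

Added example (not from the ITS report or from OpenLDAP). The schema
below is a constructed, abbreviated excerpt: class -> (SUP, MUST, MAY).
"""

# Constructed schema excerpt. Real pwdPolicy has many more MAY attributes.
SCHEMA = {
    "top": ((), ("objectClass",), ()),
    "pwdPolicy": (("top",), ("pwdAttribute",),
                  ("pwdMinAge", "pwdMaxAge", "pwdMinLength", "pwdLockout")),
    "person": (("top",), ("sn", "cn"), ("userPassword", "description")),
}


def expand_objectclass(name, schema=SCHEMA):
    """Attribute types covered by ``@name``: MUST and MAY of the class and of
    every superclass reached through SUP. LDAP attribute names are
    case-insensitive, so the result is lower-cased for comparison."""
    seen, attrs, stack = set(), set(), [name]
    while stack:
        oc = stack.pop()
        if oc in seen:
            continue
        seen.add(oc)
        sups, must, may = schema[oc]
        attrs.update(a.lower() for a in must)
        attrs.update(a.lower() for a in may)
        stack.extend(sups)
    return attrs


# The two <access> clauses from the report. attrs=None means the clause
# carries no attrs= selector and applies to the entry and all attributes.
ACLS = [
    {"attrs": expand_objectclass("pwdPolicy"),
     "by": [("uid=supervisor,ou=people,dc=example,dc=com", "read"),
            ("*", "none")]},
    {"attrs": None,
     "by": [("*", "read")]},
]


def access_for(attr, bind_dn, acls=ACLS):
    """Simplified first-match evaluation: the first <access> clause whose
    attribute set covers ``attr`` is selected; within it the first <by>
    clause matching the requester decides and evaluation stops. An
    anonymous requester binds as the empty DN, as in the debug trace."""
    for acl in acls:
        if acl["attrs"] is not None and attr.lower() not in acl["attrs"]:
            continue
        for who, level in acl["by"]:
            if who == "*" or who == bind_dn:
                return level
        return "none"  # implicit 'by * none' when no <by> clause matched
    return "none"


if __name__ == "__main__":
    print(sorted(expand_objectclass("pwdPolicy")))
    print("anonymous objectClass:", access_for("objectClass", ""))
    print("supervisor objectClass:",
          access_for("objectClass",
                     "uid=supervisor,ou=people,dc=example,dc=com"))
    print("anonymous cn:", access_for("cn", ""))
```

Running it shows `objectclass` in the expansion of `@pwdPolicy`, `none` for the anonymous requester on `objectClass` (matching the `acl_mask: [2] applying none(=0) (stop)` line of the trace) and `read` for the supervisor DN; an attribute outside the expansion, such as `cn`, falls through to the second clause and gets `read`. Any class listed with `@` will pull in `objectClass` the same way through `top`, so an attribute-set ACL meant to restrict only a class's own attributes has to be checked for this side effect.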