
(ITS#5601) set-acl failure under back-ldap+rwm



Full_Name: Matthew Backes
Version: 2.3, 2.4
OS: all
URL: 
Submission from: (NULL) (76.88.99.93)


Set-acl who-clauses fail to match when accessing data through back-ldap
and slapo-rwm.

Given a local server with only the object:

dn: cn=data,dc=local
objectClass: organizationalPerson
cn: data
sn: sn data
description: user

where sn is an example attribute that we will protect:

database bdb
suffix "cn=data,dc=local"
directory ./local
checkpoint 1024 1
cachesize 10
index objectClass,dc,entryCSN,entryUUID eq
index cn,sn,ou,title,description eq,sub

access to dn.subtree="cn=data,dc=local" attrs=sn
       by set="user/title & this/description" write
       by * none
access to dn.subtree="cn=data,dc=local"
       by * read

The intent is that any bound entry whose title attribute matches the description
attribute of the target entry should be able to see sn.

Remote data:

dn: dc=remote
objectClass: organization
objectClass: dcObject
o: remote
dc: remote

dn: cn=user,dc=remote
objectClass: organizationalPerson
cn: user
sn: user
title: user
userPassword: secret

If we have the local slapd's back-ldap configured as:

database ldap
suffix "dc=remote"
uri "ldap://127.0.0.1:2389"
acl-bind bindmethod=simple
        binddn="cn=user,dc=remote"
        credentials=secret

then everything works correctly.

But if we remap the DN using slapo-rwm instead:

database ldap
suffix "dc=remote,dc=local"
uri "ldap://127.0.0.1:2389"
acl-bind bindmethod=simple
        binddn="cn=user,dc=remote"
        credentials=secret
overlay rwm
rwm-suffixmassage "dc=remote,dc=local" "dc=remote"

then the ACL evaluation fails:

=> access_allowed: read access to "cn=data,dc=local" "sn" requested
=> dn: [1] cn=data,dc=local
=> acl_get: [1] matched
=> acl_get: [1] attr sn
access_allowed: no res from state (sn)
=> acl_mask: access to entry "cn=data,dc=local", attr "sn" requested
=> acl_mask: to value by "cn=user,dc=remote", (=0) 
<= check a_set_pat: user/title & this/description
<= check a_dn_pat: *
<= acl_mask: [2] applying none(=0) (stop)
<= acl_mask: [2] mask: none(=0)
=> access_allowed: read access denied by none(=0)
send_search_entry: conn 1 access to attribute sn, value #0 not allowed

And the remote server was never queried for the title attribute.
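The following is an added example, not code from the report or from OpenLDAP: a
small Python model of how the set clause "user/title & this/description" from
the ACL above is evaluated, using the entries and suffixes given in the report.
The assumption it makes is that the bound user's entry is only looked up when
some configured database suffix covers the bound DN as-is (no rwm rewrite); under
that assumption the second configuration yields an empty set, matching the
"applying none" outcome in the log.

```python
# Added example (not from the ITS report or OpenLDAP): a minimal model of how
# slapd evaluates a set ACL such as  set="user/title & this/description".
# Entries and suffixes come from the report. The suffix-based resolver below is
# an assumption made for this model, not a description of the slapd code path.

def dn_under(dn, suffix):
    """True if dn equals suffix or ends with ',' + suffix (case-insensitive)."""
    dn, suffix = dn.lower(), suffix.lower()
    return dn == suffix or dn.endswith("," + suffix)

# Target entry ("this") and remote entries, as in the report.
LOCAL_ENTRY = {"description": {"user"}, "sn": {"sn data"}}
REMOTE_ENTRIES = {"cn=user,dc=remote": {"title": {"user"}}}

def lookup(dn, suffixes):
    """Return the entry for dn only if a configured database suffix covers it.
    Assumption: the bound DN is matched against the suffixes unrewritten, so a
    DN that is not under any suffix resolves to nothing (no remote query)."""
    if not any(dn_under(dn, s) for s in suffixes):
        return None
    return REMOTE_ENTRIES.get(dn.lower())

def eval_set_clause(clause, bound_dn, this_entry, suffixes):
    """Evaluate 'src/attr & src/attr': each term is a value set, '&' intersects.
    A non-empty result means the who-clause matches."""
    sets = []
    for term in clause.split("&"):
        src, attr = term.strip().split("/")
        if src == "this":
            entry = this_entry
        elif src == "user":
            entry = lookup(bound_dn, suffixes) or {}
        else:
            raise ValueError("unsupported set source: " + src)
        sets.append(set(entry.get(attr, ())))
    return set.intersection(*sets)

def sn_access(bound_dn, suffixes):
    """Access granted to sn: 'write' if the set clause matches, else the
    'by * none' fallback from the report's ACL."""
    clause = "user/title & this/description"
    if eval_set_clause(clause, bound_dn, LOCAL_ENTRY, suffixes):
        return "write"
    return "none"

if __name__ == "__main__":
    # Plain back-ldap suffix "dc=remote" covers the bound DN; rwm-massaged
    # suffix "dc=remote,dc=local" does not, under this model.
    print(sn_access("cn=user,dc=remote", ["cn=data,dc=local", "dc=remote"]))
    print(sn_access("cn=user,dc=remote", ["cn=data,dc=local", "dc=remote,dc=local"]))
```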