(ITS#6520) ACL bug with various .expand styles
Full_Name: Kean Johnston
Version: 2.4.21
OS: Linux (Debian Lenny)
URL: ftp://ftp.openldap.org/incoming/kean-johnston-100413.patch
Submission from: (NULL) (41.133.19.25)
Assumption: the following ACL should result in $0 being expanded for the set:

    access to dn.one="ou=hosts,dc=example,dc=com" attrs=authorizedService
        by set.expand="[cn=access,$0]/member* & user" compare
        by * =rsdx break
Reason for assumption: man slapd.access states:

    Forms of the <what> clause other than regex may provide submatches as
    well. The base(object), the sub(tree), the one(level), and the
    children forms provide $0 as the match of the entire string. The
    sub(tree), the one(level), and the children forms also provide $1 as
    the match of the rightmost part of the DN as defined in the <what>
    clause.
Bug: does not work as expected. The reason is that in slap.h slap_style_t starts
with ACL_STYLE_REGEX = 0, so any structure that uses slap_style_t and uses
memset to null out the structure will have its default style be ACL_STYLE_REGEX.
In acl.c there are 4 places where you test for ACL_STYLE_REGEX on
a->acl_attrval_style without checking if an actual attribute value was supplied.
The patch below fixes those cases. The better (arguably) fix would be to change
slap_style_t to start with ACL_STYLE_NONE = 0, and then explicitly set the style
when it is encountered in aclparse.c. However, I did not want to change slap.h
in case it changes some ABI and the change to aclparse.c is larger.
As things currently stand, dn.expand, set.expand and group.expand will not
expand $0 and $1 as documented if you use dn.{base,one,sub,children} in the what
clause.
I have attached a patch, and as per instruction:
I, James Kean Johnston, hereby place the following modifications to OpenLDAP
Software (and only these modifications) into the public domain. Hence, these
modifications may be freely used and/or redistributed for any purpose with or
without attribution and/or other notice.
ftp://ftp.openldap.org/incoming/kean-johnston-100413.patch
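The failure mode in the report, as an added illustration that is not OpenLDAP code and not the submitter's patch: an enum whose first member is 0 cannot be told apart from a field that a memset() never set. The type and field names (style_t, access_rule, attrval_style, and the nstyle_t variant) are hypothetical stand-ins for slap_style_t and acl_attrval_style, and the rule built below mirrors the dn.one="ou=hosts,dc=example,dc=com" <what> clause from the report, which carries no val= part.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for slap_style_t: first member is 0, so a
 * zeroed struct reads as "regex" even though no style was parsed. */
typedef enum {
    STYLE_REGEX = 0,
    STYLE_BASE,
    STYLE_ONE,
    STYLE_SUBTREE,
    STYLE_CHILDREN
} style_t;

/* Hypothetical subset of an access rule (constructed, not slapd's struct). */
typedef struct {
    style_t     dn_style;       /* dn.<style>= in the <what> clause */
    const char *attrval;        /* val=... from the <what> clause, or NULL */
    style_t     attrval_style;  /* only meaningful when attrval != NULL */
} access_rule;

/* Build the report's rule the way a memset-then-fill parser would:
 * dn.one is set, nothing is said about an attribute value. */
access_rule make_rule_dn_one(void)
{
    access_rule a;
    memset(&a, 0, sizeof a);   /* attrval_style silently becomes STYLE_REGEX */
    a.dn_style = STYLE_ONE;
    return a;
}

/* Buggy check: a zeroed attrval_style is mistaken for a regex-valued rule. */
int on_regex_path_buggy(const access_rule *a)
{
    return a->attrval_style == STYLE_REGEX;
}

/* Fix 1 (the patch's approach): consult attrval_style only if val= was given. */
int on_regex_path_fixed(const access_rule *a)
{
    return a->attrval != NULL && a->attrval_style == STYLE_REGEX;
}

/* Per slapd.access, base/one/sub/children forms provide $0 ... */
static int dn_style_gives_dollar0(style_t s)
{
    return s == STYLE_BASE || s == STYLE_ONE ||
           s == STYLE_SUBTREE || s == STYLE_CHILDREN;
}

/* ... but only when the rule is not (mis)routed down the regex path. */
int expands_dollar0_buggy(const access_rule *a)
{
    return !on_regex_path_buggy(a) && dn_style_gives_dollar0(a->dn_style);
}

int expands_dollar0_fixed(const access_rule *a)
{
    return !on_regex_path_fixed(a) && dn_style_gives_dollar0(a->dn_style);
}

/* Fix 2 (the alternative the report mentions): give the enum an explicit
 * "not set" zero, so a zeroed struct no longer means "regex". */
typedef enum {
    NSTYLE_NONE = 0,
    NSTYLE_REGEX,
    NSTYLE_BASE,
    NSTYLE_ONE,
    NSTYLE_SUBTREE,
    NSTYLE_CHILDREN
} nstyle_t;

typedef struct {
    nstyle_t    dn_style;
    const char *attrval;
    nstyle_t    attrval_style;
} access_rule2;

access_rule2 make_rule2_dn_one(void)
{
    access_rule2 a;
    memset(&a, 0, sizeof a);   /* attrval_style == NSTYLE_NONE, not REGEX */
    a.dn_style = NSTYLE_ONE;
    return a;
}

int on_regex_path_renumbered(const access_rule2 *a)
{
    return a->attrval_style == NSTYLE_REGEX;  /* no extra NULL check needed */
}

int main(void)
{
    access_rule  r  = make_rule_dn_one();
    access_rule2 r2 = make_rule2_dn_one();
    printf("buggy: regex path=%d $0 expanded=%d\n",
           on_regex_path_buggy(&r), expands_dollar0_buggy(&r));
    printf("fixed: regex path=%d $0 expanded=%d\n",
           on_regex_path_fixed(&r), expands_dollar0_fixed(&r));
    printf("renumbered enum: regex path=%d\n", on_regex_path_renumbered(&r2));
    return 0;
}
```

The second fix is the more robust one because every future reader of the style field gets the right answer without remembering to pair it with a presence check, which is exactly the check the four sites in acl.c forgot; the cost is that anything depending on the enum's numeric values must be rebuilt, which is the ABI concern the report raises.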