Re: possible small bug in acl.c
Looks like a bug. I suggest you file an issue report.
Patch welcomed. http://www.openldap.org/its/
Kurt
At 05:35 AM 2002-01-07, Mark Blackman wrote:
>First of all, let me say thanks for all the work that has been
>put in to get openldap to this level.
>
>I'm posting this to the developers list as I need help interpreting the
>intentions of the coders as expressed in servers/slapd/acl.c.
>
>Depending on whether or not I understand the acl_mask code correctly, there
>may be a bug/typo in the peername ACL code.
>
>specifically in 2.0.18/servers/slapd/acl.c
>(some whitespace removed/line numbers added)
>
>522 if ( b->a_peername_pat != NULL ) {
>523 Debug( LDAP_DEBUG_ACL, "<= check a_peername_path: %s\n",
>524 b->a_peername_pat, 0, 0 );
>525
>526 if ( strcmp( b->a_peername_pat, "*" ) != 0) {
>527 if ( b->a_peername_style == ACL_STYLE_REGEX) {
>528 if (!regex_matches( b->a_peername_pat, conn->c_peer_name,
>529 e->e_ndn, matches ) )
>530 {
>531 continue;
>532 }
>533 } else {
>534 if ( strcasecmp( b->a_peername_pat, conn->c_peer_name ) == 0 )
>535 continue;
>536 }
>537 }
>538 }
>
>I believe that the "continue" control statement is called on ACL match
>**failure**, but the strcasecmp comparison (corresponding to a peername.exact)
>on line 534 goes to "continue" when there **is** a match (strcasecmp==0)
>between the <who> clause and the peername. This same form occurs in a few
>other places as well (lines 498, 516, 552).
>
>Either this is a typo/bug or I'm not interpreting this code properly. In any
>case, it appears to do the wrong thing as I always get an apparent peername match on
>the first peername when it's a non-match.
>
>I'm just asking if this is intentional logic or a typo?
>
>As a final note, I find it rather unexpected that conn->c_peer_name appears to be
>of the form "IP=xxx.xxx.xxx.xxx:yyy" rather than just "xxx.xxx.xxx.xxx".
>Ideally this would be documented in the OpenLDAP administrators guide either
>as an example or as an explicit requirement.
>
>I'm ignoring the ACL_REGEX forms because my regex engine seems to be a bit
>slow (FreeBSD), which is why I've noticed these effects.
>
>Thanks
>Mark Blackman
>Senior Systems Administrator Tel: +44 (0)870 887 8896
>Netscalibur UK Limited Fax: +44 (0)870 887 8868
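
An added example, not part of the original thread and not OpenLDAP code: a simplified model of the `continue`-on-skip loop quoted above, showing which clause is selected for an exact-style peername with the comparison as quoted at line 534 versus a skip on mismatch. The names `who_clause`, `first_applicable` and `sample_acl` are hypothetical, and the peer strings are constructed in the "IP=addr:port" form the message describes.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Simplified stand-in for one <who> clause; not slapd's real structure. */
struct who_clause {
    const char *peername_pat;  /* exact-style pattern, "*" means any peer */
    const char *grants;        /* label for the access this clause gives */
};

/* Return the label of the first clause that applies to peer, or "none".
 * skip_on_match=1 reproduces the comparison quoted at line 534
 * (continue when strcasecmp() == 0); 0 continues on mismatch instead. */
const char *first_applicable(const struct who_clause *acl, size_t n,
                             const char *peer, int skip_on_match)
{
    for (size_t i = 0; i < n; i++) {
        const char *pat = acl[i].peername_pat;
        if (pat != NULL && strcmp(pat, "*") != 0) {
            int equal = (strcasecmp(pat, peer) == 0);
            if (skip_on_match ? equal : !equal)
                continue;      /* clause skipped, try the next one */
        }
        return acl[i].grants;
    }
    return "none";
}

/* Constructed sample ACL; addresses come from documentation ranges. */
static const struct who_clause sample_acl[] = {
    { "IP=192.0.2.10:51234", "write" },
    { "*",                   "read"  },
};

int main(void)
{
    const char *peers[] = { "IP=192.0.2.10:51234", "IP=198.51.100.7:40000" };
    for (size_t i = 0; i < 2; i++)
        printf("%-24s as quoted: %-5s  skip on mismatch: %s\n", peers[i],
               first_applicable(sample_acl, 2, peers[i], 1),
               first_applicable(sample_acl, 2, peers[i], 0));
    return 0;
}
```

With the comparison as quoted, the peer that does not match the first pattern is the one that receives that clause's access, which is the behaviour the message reports.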