[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
AW: "break" broken?
> -----Ursprüngliche Nachricht-----
> Von: David Olivier [mailto:David.Olivier@univ-lyon2.fr]
>
> I'm on openldap 2.0.7. I have come upon some strange behaviour in the
>
> <control> ::= [ stop | continue | break ]
>
> clause, that doesn't seem to conform to what is said in that
> FAQ. I think
> it is a bug.
>
> In my tests, I attempt to bind as some entry I will call myBindDn;
> specifically:
>
> myBindDn = "uid=testAdm,ou=people,dc=univ-lyon2,dc=fr"
>
> For this, it appears from the FAQ and from my own tests that I need:
>
> privilege: "auth" ("x")
>
> to be granted on: myBindDn, attribute userPassword
>
> to: "anonymous".
>
> My first test is with the following ACLs:
>
> ============== slapd.acl.conf: ======= (1)
> defaultaccess none
>
> # First and only access clause:
> access to dn.base="uid=testAdm,ou=people,dc=univ-lyon2,dc=fr"
> attrs=userPassword
> by anonymous
> auth
> =========== End of slapd.acl.conf. === (1)
>
> Bind is successful, as expected.
>
> In my second test I just add a "break" clause:
>
> ============== slapd.acl.conf: ======= (2)
> defaultaccess none
>
> # First and only access clause:
> access to dn.base="uid=testAdm,ou=people,dc=univ-lyon2,dc=fr"
> attrs=userPassword
> by anonymous
> auth break
> =========== End of slapd.acl.conf. === (2)
>
> This time, bind fails! Error code 50, "Insufficient Access
> Rights". Note
> that these are all my ACLs; i.e. there is no other access
> clause after this
> one.
>
> In other words, the only difference between test (1) and (2)
> is that after
> granting "anonymous" the "auth" privileges to myBindDn, the
> server should
> go on and analyze any further access clauses, to add or
> remove privileges.
> But here there are no more access clauses, so the "break"
> should have no
> effect! Instead, does have an effect: it cancels the
> privileges already
> granted.
>
> What makes me feel its a bug is that if I add to (2) another
> access clause:
>
> ============== slapd.acl.conf: ======= (3)
> defaultaccess none
>
> # First access clause:
> access to dn.base="uid=testAdm,ou=people,dc=univ-lyon2,dc=fr"
> attrs=userPassword
> by anonymous
> auth break
>
> # Second access clause:
> access to dn.base="uid=testAdm,ou=people,dc=univ-lyon2,dc=fr"
> attrs=userPassword
> by dn.base="uid=smurgle,ou=people,dc=univ-lyon2,dc=fr"
> none
> =========== End of slapd.acl.conf. === (3)
>
> bind becomes successful again!
the debug output of the server might be of interest here. what does it say
when granting access to the entry? i.e. which of the acl's grants access..?
(i know, access 'none' shouldn't allow anything, but i think this all looks
weird enough for everything..)
> ============== workaround: =======
> # Last access clause:
> access to *
> by dn.base="cn=No-One, o=no-org, c=Utopia"
> write
> ======= End of workaround. =======
and here.. if access 'none' in stead of 'write' has the "same" effect, it
might be the better choice..
daniel
_________________________________________
Tiefnig Daniel
Server-Technology
INFONOVA IT GesmbH
Seering 6, A-8141 Unterpremstätten
AUSTRIA
E-Mail: mailto:daniel.tiefnig@infonova.at
Web: http://www.infonova.at