Re: ACI syntax changes in 2.3 / OpenLDAPaci does not like multiple attributes
On Thu, 2006-02-09 at 21:03 +0100, Gerald Richter wrote:
> Hi,
>
> I currently try to move from 2.1 to 2.3 and noticed that I get syntax errors
> during slapadd, for the OpenLDAPaci Attribute. The new syntax validation for
> ACIs doesn't like [entry] and [children] as attributes. Aren't they
> necessary anymore?

I'm not sure they were allowed ever. I think "entry" and "children" are
recognized, since they're valid built-in attributes in slapd. The point
is that before being cast into a syntax, (almost) everything was
accepted, and errors were delayed until access control actually
occurred; however, errors were not much apparent, since invalid (read:
unrecognized) values were kind of ignored.

> Additionally it doesn't accept more than one attribute, although while looking
> through the source in aci.c it seems that the ACI code itself still
> supports multiple attributes. Here is an example:
>
> OpenLDAPaci: 1#entry#grant;r,s,c;cn#access-id#cn=admin,dc=testuml,dc=test
> OpenLDAPaci: 1#entry#grant;r,s,c;dc#access-id#cn=aaa,dc=testuml,dc=test
> OpenLDAPaci: 1#entry#grant;r,s,c;cn,dc#access-id#cn=xxx,dc=testuml,dc=test
>
> The first two entries are ok, while the third one fails. This seems a bug to
> me or do I oversee something?

The third case has never been valid, AFAIR; you should rather use

OpenLDAPaci: 1#entry#grant;r,s,c;cn;r,s,c;dc#access-id#cn=xxx,dc=testuml,dc=test

i.e. you must use sequences of "{grant|deny};(<access>;<attr>)*" where
"<attr>" is a single attribute, or "[all]".

> P.S. Is there any description about ACI syntax other than outdated in the
> FAQ?

None that I know of. Essentially, the original syntax should be
(almost) entirely supported; few new features are allowed, but
apparently no one ever felt the need to document it. I'd expect that
someone that actually uses ACI spends few cycles in preparing a doc
about them. I don't use ACIs and I think I already spent enough time in
factoring them out of slapd while (hopefully) preserving their
functionality...

p.

Ing. Pierangelo Masarati
Responsabile Open Solution
OpenLDAP Core Team
SysNet s.n.c.
Via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
------------------------------------------
Office: +39.02.23998309
Mobile: +39.333.4963172
Email: pierangelo.masarati@sys-net.it
------------------------------------------
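
The rule given in the reply, "{grant|deny};(<access>;<attr>)*" with a single attribute or "[all]" per pair, can be checked before running slapadd. The following is an added example, not part of the original message and not slapd's validation code; the function names, the five '#'-separated fields (inferred from the values in the thread) and the access letters other than r, s, c are assumptions.

```python
import re

# r, s, c appear in the thread; w and x are assumed here for illustration.
ACCESS_LETTERS = set("rwscx")
# A single attribute name, or the literal "[all]" named in the reply.
ATTR_RE = re.compile(r"^(\[all\]|[A-Za-z][A-Za-z0-9-]*)$")


def check_rights(rights):
    """Return a list of problems in the rights field (empty list = valid)."""
    parts = rights.split(";")
    action, pairs = parts[0], parts[1:]
    problems = []
    if action not in ("grant", "deny"):
        problems.append("action must be 'grant' or 'deny', got %r" % action)
    if len(pairs) % 2:
        problems.append("access/attr items must come in pairs")
        pairs = pairs[:-1]
    for access, attr in zip(pairs[0::2], pairs[1::2]):
        bad = [a for a in access.split(",") if a not in ACCESS_LETTERS]
        if bad:
            problems.append("unknown access %r" % ",".join(bad))
        if not ATTR_RE.match(attr):
            problems.append("attr %r is not a single attribute or [all]" % attr)
    return problems


def check_aci(value):
    """Split an OpenLDAPaci value on '#' and validate its rights field."""
    fields = value.split("#", 4)  # the subject DN is the last field
    if len(fields) != 5:
        return ["expected 5 '#'-separated fields, got %d" % len(fields)]
    return check_rights(fields[2])


if __name__ == "__main__":
    # Values taken from the thread: the rejected one, then the corrected one.
    samples = [
        "1#entry#grant;r,s,c;cn,dc#access-id#cn=xxx,dc=testuml,dc=test",
        "1#entry#grant;r,s,c;cn;r,s,c;dc#access-id#cn=xxx,dc=testuml,dc=test",
    ]
    for value in samples:
        print(value, "->", check_aci(value) or "ok")
```

Running it over an LDIF's OpenLDAPaci values before the 2.1 to 2.3 migration flags entries such as the comma-joined "cn,dc" form that the new syntax validation rejects.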