RE: ACI syntax changes in 2.3 / OpenLDAPaci does not like multiple attributes
Hi,
>
> > Additionally it doesn't accept more than one attribute, also while
> > looking through the source in aci.c it seems that the ACI code
> > itself still supports multiple attributes. Here is an example:
> >
> > OpenLDAPaci: 1#entry#grant;r,s,c;cn#access-id#cn=admin,dc=testuml,dc=test
> > OpenLDAPaci: 1#entry#grant;r,s,c;dc#access-id#cn=aaa,dc=testuml,dc=test
> > OpenLDAPaci: 1#entry#grant;r,s,c;cn,dc#access-id#cn=xxx,dc=testuml,dc=test
> >
> > The first two entries are ok, while the third one fails. This seems a
> > bug to me or do I overlook something?
>
> The third case has never been valid,
But we have used it in production for about 2 years with OpenLDAP 2.1 and it works :-)
> AFAIR; you should rather use
>
> OpenLDAPaci:
> 1#entry#grant;r,s,c;cn;r,s,c;dc#access-id#cn=xxx,dc=testuml,dc=test
>
> i.e. you must use sequences of
> "{grant|deny};(<access>;<attr>)*" where "<attr>" is a single
> attribute, or "[all]".
>
If you look at aci.c in function aci_list_has_attr it splits the attribute
list at ',', so it seems to me that it would still work, if the syntax
validator accepts it.
If this is true, I could create a patch to make it work again.
Gerald
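
A small checker for the grammar quoted in the reply, as an added example that is not part of the original thread and is not OpenLDAP's code: it tests the three sample values against "{grant|deny};(<access>;<attr>)*" and rewrites the comma-separated attribute form into the per-attribute form the reply recommends. The five-field '#' split, the access-letter pattern and the attribute-name pattern are assumptions drawn from the samples above.

```python
import re

# Assumptions drawn from the samples in the thread, not from aci.c:
ACCESS = re.compile(r"[a-z](,[a-z])*")               # e.g. "r,s,c"
ATTR = re.compile(r"\[all\]|[A-Za-z][A-Za-z0-9-]*")  # one attribute or "[all]"

def expand(value):
    """Rewrite each "access;a,b" pair as "access;a;access;b"; raise on bad input."""
    fields = value.split("#")
    if len(fields) != 5:
        raise ValueError("expected five '#'-separated fields")
    action, *rest = fields[2].split(";")
    if action not in ("grant", "deny"):
        raise ValueError(f"action must be grant or deny: {action!r}")
    if len(rest) % 2:
        raise ValueError("access and attribute fields must come in pairs")
    out = [action]
    for access, attrs in zip(rest[0::2], rest[1::2]):
        if not ACCESS.fullmatch(access):
            raise ValueError(f"bad access list: {access!r}")
        for attr in attrs.split(","):
            if not ATTR.fullmatch(attr):
                raise ValueError(f"bad attribute: {attr!r}")
            out += [access, attr]
    fields[2] = ";".join(out)
    return "#".join(fields)

def is_strict(value):
    """True if the rights field already matches "{grant|deny};(<access>;<attr>)*"."""
    try:
        return expand(value) == value
    except ValueError:
        return False

# The three values from the original message.
SAMPLES = [
    "1#entry#grant;r,s,c;cn#access-id#cn=admin,dc=testuml,dc=test",
    "1#entry#grant;r,s,c;dc#access-id#cn=aaa,dc=testuml,dc=test",
    "1#entry#grant;r,s,c;cn,dc#access-id#cn=xxx,dc=testuml,dc=test",
]

if __name__ == "__main__":
    for v in SAMPLES:
        print(is_strict(v), expand(v))
```

Running `expand` over existing OpenLDAPaci values before an upgrade shows which ACIs would be rejected by a validator that enforces the single-attribute grammar, and gives the equivalent value to store instead.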