[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: ACL processing: additive privs (using control continue)

To: Dora Paula <deepee@gmx.net>
Subject: Re: ACL processing: additive privs (using control continue)
From: Howard Chu <hyc@symas.com>
Date: Sat, 04 Aug 2012 09:08:22 -0700
Cc: devzero2000 <pinto.elia@gmail.com>, openldap-technical@openldap.org
In-reply-to: <501D221B.40105@gmx.net>
References: <501CDC55.4050104@gmx.net> <CAH5b-BWmH=d+Lyw7Cbfrncm-2e1scQ_NH1seo414OzypnnPxeQ@mail.gmail.com> <501D221B.40105@gmx.net>
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:16.0) Gecko/16.0 Firefox/16.0 SeaMonkey/2.13a1

Dora Paula wrote:
> 
>> Iiuc, your acl permit search ( There are any entries of question type
>> in term of search filter) to any authenticated user. If the user is
>> also member of the group grant also read privilege ( give me the
>> entries question type) .
> 
> That's what I've expected, too, and what is the standard behavior if you 
> use "users" continued by "self" for example.
> 
> In case of a continued groupdn evaluation the behavior changes:
> 
> If the current bindDn is not a member of the group or the group's entry 
> does not exist the previously granted search privilege (=s) is reset: 
> The aclmask gets reset to =0 which means "none". Please have a look into 
> the attached details (file "acl.txt" in my previous posting).
> 
> My question was: Is this the intended behavior? I would have expected 
> the search privileges to stay untouched, even in case the group's entry 
> does not exist.

I haven't looked at the code yet but it's possible this is a bug. Please
submit an ITS with your explanation and sample config/ldif.
> 
> Thanks again.
> 
> 
>> Regards
>>
>> 2012/8/4, Dora Paula<deepee@gmx.net>:
>>> Hi list,
>>>
>>> just a short question about "continue" and additive privileges, given
>>> the following acl statement:
>>>
>>> access to dn.subtree="o=test" attrs=sn
>>>    by users =s continue
>>>    by group/groupOfNames/member="cn=readers,ou=groups,o=test" +r
>>>
>>> If the current user's bindDn isn't a member of the group
>>> "cn=readers,..." or the group's entry does not exist, the previously set
>>> privilege "=s" will be reset to "none"?
>>>
>>> As the slapd.access man page just gives a "silly" and an "even more
>>> silly" example regarding "continue" I'm not sure this is the intended
>>> behavior.
>>>
>>> Attached you'll find my minimalistic testbed:
>>>     slapd.conf
>>>     sample ldif data
>>>     two ldapsearch commands (including their slapd.log level 128)
>>>
>>> I'm using openldap MASTER.
>>>
>>> Thank you very much.
>>>
>>> Cheers
>>> Dora
>>>
>>>
> 
> 


-- 
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/

Follow-Ups:
- Re: ACL processing: additive privs (using control continue)
  - From: Kurt Zeilenga <kurt@OpenLDAP.org>

References:
- ACL processing: additive privs (using control continue)
  - From: Dora Paula <deepee@gmx.net>
- Re: ACL processing: additive privs (using control continue)
  - From: devzero2000 <pinto.elia@gmail.com>
- Re: ACL processing: additive privs (using control continue)
  - From: Dora Paula <deepee@gmx.net>

Prev by Date: Re: ACL processing: additive privs (using control continue)
Next by Date: Re: ACL processing: additive privs (using control continue)
Index(es):
- Chronological
- Thread