[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: ACL processing: additive privs (using control continue)
On Aug 4, 2012, at 9:08 AM, Howard Chu <hyc@symas.com> wrote:
> Dora Paula wrote:
>>
>>> Iiuc, your acl permit search ( There are any entries of question type
>>> in term of search filter) to any authenticated user. If the user is
>>> also member of the group grant also read privilege ( give me the
>>> entries question type) .
>>
>> That's what I've expected, too, and what is the standard behavior if you
>> use "users" continued by "self" for example.
>>
>> In case of a continued groupdn evaluation the behavior changes:
>>
>> If the current bindDn is not a member of the group or the group's entry
>> does not exist the previously granted search privilege (=s) is reset:
>> The aclmask gets reset to =0 which means "none". Please have a look into
>> the attached details (file "acl.txt" in my previous posting).
>>
>> My question was: Is this the intended behavior? I would have expected
>> the search privileges to stay untouched, even in case the group's entry
>> does not exist.
>
> I haven't looked at the code yet but it's possible this is a bug.
Not a bug. As documented, every access statement ends implicitly with a "by * none" clause.
-- Kurt
> Please
> submit an ITS with your explanation and sample config/ldif.
>>
>> Thanks again.
>>
>>
>>> Regards
>>>
>>> 2012/8/4, Dora Paula<deepee@gmx.net>:
>>>> Hi list,
>>>>
>>>> just a short question about "continue" and additive privileges, given
>>>> the following acl statement:
>>>>
>>>> access to dn.subtree="o=test" attrs=sn
>>>> by users =s continue
>>>> by group/groupOfNames/member="cn=readers,ou=groups,o=test" +r
>>>>
>>>> If the current user's bindDn isn't a member of the group
>>>> "cn=readers,..." or the group's entry does not exist, the previously set
>>>> privilege "=s" will be reset to "none"?
>>>>
>>>> As the slapd.access man page just gives a "silly" and an "even more
>>>> silly" example regarding "continue" I'm not sure this is the intended
>>>> behavior.
>>>>
>>>> Attached you'll find my minimalistic testbed:
>>>> slapd.conf
>>>> sample ldif data
>>>> two ldapsearch commands (including their slapd.log level 128)
>>>>
>>>> I'm using openldap MASTER.
>>>>
>>>> Thank you very much.
>>>>
>>>> Cheers
>>>> Dora
>>>>
>>>>
>>
>>
>
>
> --
> -- Howard Chu
> CTO, Symas Corp. http://www.symas.com
> Director, Highland Sun http://highlandsun.com/hyc/
> Chief Architect, OpenLDAP http://www.openldap.org/project/
>