Konovalov Andrey wrote:
Hi4All! :)
I notice that an active RWM/Remap overlay affects the ACL subsystem when ACL
checks access to the pseudo-attribute "entry", and this strange situation
occurs even if I do not use any rules for rewrite/remap. Herewith, without
the loaded RWM overlay, everything works correctly...

In debug mode, slapd with active RWM (no rewrite rules!) denies all access
to the attribute entry except for the "root" user:
=> access_allowed: search access to "uid=akkerman,cn=Directory Server
Admins,ou=Groups,dc=r2,dc=money,dc=ge,dc=com" "objectClass" requested
<= test_filter 5
=> acl_get: [13] attr entry
=> slap_access_allowed: result not in cache (entry)
=> acl_mask: access to entry "uid=akkerman,cn=Directory Server
Admins,ou=Groups,dc=r2,dc=money,dc=ge,dc=com", attr "entry" requested
=> acl_mask: to all values by "", (none(=0))
<= check a_dn_pat: *
<= acl_mask: [1] applying none(=0) (stop)
<= acl_mask: [1] mask: none(=0)
=> slap_access_allowed: read access denied by none(=0)

This problem may be solved by adding a radically liberal rule to the
beginning of the olcAccess sequence in cn=config:

olcAccess: {1}to * attrs=entry by * read

Is it a bug?

If you believe you spotted a bug you should file an ITS
<http://www.openldap.org/its>. See instructions here about how to
report a bug and what information you should provide
<http://www.openldap.org/faq/data/cache/56.html>.
Otherwise you should discuss software usage on the openldap-software list.
With respect to the issue you report, right now I don't have a clue.
However, you provide very little information. I didn't check yet if
it's enough to reproduce the issue you mention, but likely it isn't (no
version information, for example, and no detailed slapd.conf).
p.
Ing. Pierangelo Masarati
OpenLDAP Core Team
SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
-----------------------------------
Office: +39 02 23998309
Mobile: +39 333 4963172
Fax: +39 0382 476497
Email: [email protected]
-----------------------------------
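
Added example, not part of either message: a small Python parser for the ACL trace quoted above that rejoins mail-wrapped records and reports which ACL and which `by` clause produced the denial. It assumes the bracketed number after `acl_get` is the index of the matched ACL, the one after `acl_mask` is the index of the `by` clause, and the quoted string after `by` is the requester's DN; the function names are the example's own.

```python
import re

# Trace copied from the message above, mail line wrapping included.
TRACE = '''\
=> access_allowed: search access to "uid=akkerman,cn=Directory Server
Admins,ou=Groups,dc=r2,dc=money,dc=ge,dc=com" "objectClass" requested
<= test_filter 5
=> acl_get: [13] attr entry
=> slap_access_allowed: result not in cache (entry)
=> acl_mask: access to entry "uid=akkerman,cn=Directory Server
Admins,ou=Groups,dc=r2,dc=money,dc=ge,dc=com", attr "entry" requested
=> acl_mask: to all values by "", (none(=0))
<= check a_dn_pat: *
<= acl_mask: [1] applying none(=0) (stop)
<= acl_mask: [1] mask: none(=0)
=> slap_access_allowed: read access denied by none(=0)
'''

ACL_GET = re.compile(r'^=> acl_get: \[(\d+)\] attr (\S+)')
BOUND_AS = re.compile(r'^=> acl_mask: to .* by "([^"]*)"')
DN_PAT = re.compile(r'^<= check a_dn_pat: (.+)')
APPLY = re.compile(r'^<= acl_mask: \[(\d+)\] applying (\S+) \((\w+)\)')
DENIED = re.compile(r'^=> slap_access_allowed: (\w+) access denied by (\S+)')

def unwrap(text):
    """Rejoin records that a mail client wrapped: a record starts with => or <=."""
    records = []
    for line in text.splitlines():
        if line.startswith(('=>', '<=')) or not records:
            records.append(line.strip())
        elif line.strip():
            records[-1] += ' ' + line.strip()
    return records

def denials(text):
    """Return one dict per 'access denied' record, with the ACL context before it."""
    found, ctx = [], {}
    for rec in unwrap(text):
        if m := ACL_GET.match(rec):
            ctx = {'acl': int(m[1]), 'attr': m[2]}   # new ACL selected, reset context
        elif m := BOUND_AS.match(rec):
            ctx['bound_dn'] = m[1]                   # empty string: no DN on the request
        elif m := DN_PAT.match(rec):
            ctx['dn_pattern'] = m[1]
        elif m := APPLY.match(rec):
            ctx.update(clause=int(m[1]), control=m[3])
        elif m := DENIED.match(rec):
            found.append({**ctx, 'access': m[1], 'mask': m[2]})
    return found
```

Under those assumptions, `denials(TRACE)` attributes the denial on `entry` to ACL 13, whose first `by` clause matches `*` and grants `none`, evaluated for a request carrying an empty DN.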