https://bugs.openldap.org/show_bug.cgi?id=9810

          Issue ID: 9810
           Summary: slapacl peername
           Product: OpenLDAP
           Version: 2.4.59
          Hardware: All
                OS: All
            Status: UNCONFIRMED
          Keywords: needs_review
          Severity: normal
          Priority: ---
         Component: slapd
          Assignee: [email protected]
          Reporter: [email protected]
  Target Milestone: ---

Found in 2.4.59 on a $WORK system, replicated in 2.6.1:

[root@centos-s-1vcpu-1gb-ams3-01 ~]# rpm -qf /opt/symas/sbin/slapacl
symas-openldap-servers-2.6.1-2.el7.x86_64

This is a box where I don't even have slapd running, but that's okay because my
point is visible without it:

[root@centos-s-1vcpu-1gb-ams3-01 ~]# /opt/symas/sbin/slapacl -F
/etc/openldap/slapd.d -D 'someuser' -b 'somewhere' -o peername.ip=127.0.0.1
entry/read
usage: slapacl [-v] [-d debuglevel] [-f configfile] [-F configdir] [-o
<name>[=<value>]]
        [-U authcID | -D authcDN] [-X authzID | -o authzDN=<DN>]
        -b DN [-u] [attr[/access][:value]] [...]

When I ask for `-o peername.ip=127.0.0.1` the `slapacl` command bails out with
usage, indicating a parse failure.


If I then run `slapacl` with `-o peername=ip=127.0.0.1`, I get:

[root@centos-s-1vcpu-1gb-ams3-01 ~]# /opt/symas/sbin/slapacl -F
/etc/openldap/slapd.d -D 'someuser' -b 'somewhere' -o peername=ip=127.0.0.1
entry/read
invalid config directory /etc/openldap/slapd.d, error 2
slapacl: bad configuration directory!

(which I would expect here since I have no server running)


Demo on 2.4.59 at work:
$ /usr/sbin/slapacl -F /etc/openldap/slapd.d -D
uid=replicator,ou=logins,dc=example -b '[email protected],o=com,dc=mozilla'
-o peername=ip=127.0.0.1 entry/read
authcDN: "uid=replicator,ou=logins,dc=example"
read access to entry: ALLOWED
$ /usr/sbin/slapacl -F /etc/openldap/slapd.d -D
uid=replicator,ou=logins,dc=example -b '[email protected],o=com,dc=mozilla'
-o peername=ip=127.0.0.2 entry/read
authcDN: "uid=replicator,ou=logins,dc=example"
read access to entry: DENIED


slapacl(8) mentions peername, but also aims us at slapd.access(5), which lists
peername[.<peernamestyle>].

It's possible I'm dense and this isn't a bug, but minimally the equals-sign
repetition is really awkward to my eye.  I'd suggest at least an example in
slapacl(8) so it's easier to figure out.
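As an added illustration (not part of this report or of OpenLDAP itself), the following POSIX shell script turns the manual check shown above into a repeatable ACL audit: it runs slapacl(8) once per candidate source address using the `-o peername=ip=ADDR` spelling that the report shows working, and reduces each run's output to ALLOWED, DENIED or UNKNOWN. It assumes slapacl prints a verdict line of the form `<access> access to <what>: ALLOWED|DENIED`, as in the transcript above; the binary path, config directory and DNs are placeholders to be replaced with the local values.

```shell
#!/bin/sh
# Added example, not code from the bug report or from OpenLDAP.
# Exercises slapacl(8) for several peer IPs and summarises the verdict per address.

SLAPACL=${SLAPACL:-/usr/sbin/slapacl}          # placeholder path; adjust locally
CONFDIR=${CONFDIR:-/etc/openldap/slapd.d}      # placeholder config dir (slapd.d)

# Reduce slapacl's output text to a single verdict word.
# Matches lines shaped like "read access to entry: ALLOWED"; anything else
# (usage text, "bad configuration directory!", ...) yields UNKNOWN.
acl_verdict() {
    printf '%s\n' "$1" | awk '
        / access to .*: (ALLOWED|DENIED)$/ { found = 1; print $NF; exit }
        END { if (!found) print "UNKNOWN" }'
}

# Run one slapacl query.
#   $1 = authcDN (identity being tested)   $2 = target entry DN
#   $3 = peer IP address                   $4 = attr/access spec, e.g. entry/read
# The peername is passed as "-o peername=ip=ADDR", the form seen to work above.
check_peer() {
    out=$("$SLAPACL" -F "$CONFDIR" -D "$1" -b "$2" \
          -o "peername=ip=$3" "$4" 2>&1) || true
    acl_verdict "$out"
}

# Report one line per source address read from stdin.
#   $1 = authcDN   $2 = target DN   $3 = attr/access spec
peer_report() {
    while read -r ip; do
        [ -n "$ip" ] || continue
        printf '%s %s\n' "$ip" "$(check_peer "$1" "$2" "$ip" "$3")"
    done
}

# Stand-alone run, only if slapacl is actually installed. The DNs below are
# placeholders modelled on the report, not real directory data.
if [ -x "$SLAPACL" ]; then
    printf '127.0.0.1\n127.0.0.2\n' |
        peer_report 'uid=replicator,ou=logins,dc=example' 'dc=example' 'entry/read'
fi
```

Feeding the script the set of addresses an ACL is meant to admit (replication peers, admin hosts) plus a few that it should reject gives a quick regression check after any olcAccess change; a verdict of UNKNOWN on every address usually means slapacl could not load the configuration at all, which is the failure mode seen in the second transcript above.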
