I wouldn't say that it is harmless. To sum up, the problem is that when I modify frontend access control and then config access control (olcAccess attribute in both cases), I cannot bind anymore (neither with rootdn nor with any other dn). Concerning further releases, I will try later. Maybe I will wait for 2.4.13...
> -----Original message-----
> From: Pierangelo Masarati [mailto:[EMAIL PROTECTED]]
> Sent: Sunday, 16 November 2008 22:01
> To: [EMAIL PROTECTED]
> Cc: [email protected]
> Subject: Re: (ITS#5805) Problem when modifying access control
>
> [EMAIL PROTECTED] wrote:
> > Full_Name: Emmanuel Duru
> > Version: 2.4.11
> > OS: Windows
> > URL: ftp://ftp.openldap.org/incoming/
> > Submission from: (NULL) (80.78.0.137)
> >
> >
> > I have a single BDB database directory with root DN as a physical entry. My
> > access control is defined as follows in olcDatabase={-1}frontend:
> > olcAccess: {0}to attrs=userPassword by self write by anonymous auth by * none
> > olcAccess: {1}to dn=cn=manager,c=fr by self write by * none
> > olcAccess: {2}to * by self write by users read by anonymous read by * none
> >
> > I perform a modify operation as follows:
> > dn: olcDatabase={-1}frontend,cn=config
> > changetype: modify
> > replace: olcAccess
> > olcAccess: {0}to attrs=userPassword by self write by anonymous auth by * none
> > olcAccess: {1}to dn=cn=manager,c=fr by self write by * none
> > olcAccess: {2}to * by self write by users read by anonymous read by * none
> >
> > dn: olcDatabase={0}config,cn=config
> > changetype: modify
> > replace: olcAccess
> > olcAccess: {0}to * by * none
> > -
> > replace: olcRootDN
> > olcRootDN: cn=manager,c=fr
> >
> > then I cannot bind anymore to the directory (invalid credentials).
> > The log says (do notice the line dn: [1]... with non-printable characters):
> > do_bind: version=3 dn="cn=manager,c=fr" method=128
> > ==> bdb_bind: dn: cn=manager,c=fr
> > bdb_dn2entry("cn=manager,c=fr")
> > => access_allowed: auth access to "cn=manager,c=fr" "userPassword" requested
> > => dn: [1] <some non printable characters>anager,c=fr
> > => acl_get: [2] attr userPassword
> > => slap_access_allowed: result not in cache (userPassword)
> > => acl_mask: access to entry "cn=manager,c=fr", attr "userPassword" requested
> > => acl_mask: to value by "", (=0)
> > <= check a_dn_pat: *
> > <= acl_mask: [1] applying none(=0) (stop)
> > <= acl_mask: [1] mask: none(=0)
> > => slap_access_allowed: auth access denied by none(=0)
> > => access_allowed: no more rules
> >
> > When I stop the directory, the log says (filter_free lines may vary):
> > bdb_db_close: database "c=fr": alock_close failed
> > filter_free: unknown filter type=20224
> > filter_free: unknown filter type=496
> > slapd stopped.
> > filter_free: unknown filter type=29776
> > filter_free: unknown filter type=13944
> > filter_free: unknown filter type=29496
> >
> > When I restart slapd, all is fine: the access control is OK and I can bind.
>
> I can't confirm your report with HEAD code. I suggest you retry with
> either 2.4.12 or (better) re24, which is about to be released as 2.4.13.
> I note that by performing the operations you indicate, the cn=config
> database (dn: olcDatabase={0}config,cn=config) ends up in an
> inconsistent state, because the rootdn does not belong to its naming
> context, but the rootpw is set, which should not be allowed. A check
> for this does not exist, while it should. In any case, this is harmless.
>
> p.
>
>
> Ing. Pierangelo Masarati
> OpenLDAP Core Team
>
> SysNet s.r.l.
> via Dossi, 8 - 27100 Pavia - ITALIA
> http://www.sys-net.it
> -----------------------------------
> Office: +39 02 23998309
> Mobile: +39 333 4963172
> Fax: +39 0382 476497
> Email: [EMAIL PROTECTED]
> -----------------------------------
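The missing check Pierangelo describes (an olcRootDN outside the config database's naming context while a rootpw is set), written as a pre-flight lint over the LDIF from the report. This is an added example, not part of the thread or of OpenLDAP; it assumes the naming context cn=config and takes the current rootpw state as an input, since the LDIF on the page does not set olcRootPW itself.

```python
"""Pre-flight lint for LDIF modify records aimed at cn=config (added example, not
from the ITS report or OpenLDAP).  It flags the state the reply describes: an
olcRootDN outside the database naming context while a rootpw is configured."""

# Constructed copy of the second modify record from the report.
CONFIG_MOD = """dn: olcDatabase={0}config,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by * none
-
replace: olcRootDN
olcRootDN: cn=manager,c=fr
"""

def parse_ldif_modify(text):
    """Return (dn, {attr: [values]}); base64 ('::') and folded lines not handled."""
    dn, attrs = None, {}
    for line in text.splitlines():
        if not line or line == "-" or line.startswith(("changetype:", "replace:", "add:", "delete:")):
            continue  # separators and change-operation lines carry no values
        name, _, value = line.partition(":")
        if name == "dn":
            dn = value.strip()
        else:
            attrs.setdefault(name, []).append(value.strip())
    return dn, attrs

def normalize_dn(dn):
    """Case-fold and trim RDNs; adequate for a lint, not full RFC 4514 matching."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def dn_within(dn, suffix):
    """True if dn equals suffix or is subordinate to it."""
    dn, suffix = normalize_dn(dn), normalize_dn(suffix)
    return dn == suffix or dn.endswith("," + suffix)

def check_rootdn(record, suffix, rootpw_set):
    """Return problems for a modify record against the database with naming context
    suffix; rootpw_set reflects the current olcRootPW (assumed input).  A rootdn in
    another database is fine unless rootpw is set: slapd honours rootpw only under suffix."""
    dn, attrs = parse_ldif_modify(record)
    rootpw_set = rootpw_set or "olcRootPW" in attrs  # the record may set it too
    problems = []
    for rootdn in attrs.get("olcRootDN", []):
        if rootpw_set and not dn_within(rootdn, suffix):
            problems.append(f"{dn}: olcRootDN {rootdn!r} lies outside {suffix!r} "
                            "while olcRootPW is set; the rootpw is ignored and binds "
                            "as that DN are routed to the database holding the entry")
    return problems
```

Running check_rootdn(CONFIG_MOD, "cn=config", rootpw_set=True) returns one warning for the report's record; the same record with olcRootDN under cn=config, or with no rootpw configured, returns none.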
