[email protected] wrote:
> Full_Name: Devin J. Pohly
> Version: 2.4.23
> OS: Linux
> URL: http://openldap.pastebin.com/gvswpxLX
> Submission from: (NULL) (98.235.33.55)

Thanks for the detailed report. This is now fixed in HEAD.

> Description:
> I have set up an LDAP directory which contains users and flat groups
> (groupOfNames/member style). I want to use the access controls to only allow
> users to see their own groups and membership, so I defined the following
> controls:
>
> access to dn.onelevel="ou=group,o=org" attrs=entry
>     by dnattr=member read
> access to dn.onelevel="ou=group,o=org" attrs=member
>     by dnattr=member selfread
>
> Steps to reproduce:
> 1. Start a new instance of OpenLDAP with the slapd.conf file provided at
>    <http://openldap.pastebin.com/gvswpxLX> and an empty database.
> 2. Get grouptest.ldif from <http://openldap.pastebin.com/X1DUyGmf> and add it to
>    the directory:
>    ldapadd -x -H $LDAPURI -D uid=admin,o=org -w admin -f grouptest.ldif
>    This creates two users, foo and bar, and two groups, g1 and g2. Each user is
>    in both groups.
> 3. Compare the outputs of:
>    ldapsearch -x -H $LDAPURI -D uid=foo,ou=user,o=org -w foo -b ou=group,o=org
>    ldapsearch -x -H $LDAPURI -D uid=bar,ou=user,o=org -w bar -b ou=group,o=org
>
> Expected results:
> Foo's query shows "member: foo" for both g1 and g2. Bar's query shows
> "member: bar" for both g1 and g2.
>
> Actual results:
> Foo's query shows "member: foo" for both g1 and g2. Bar's query does not show
> any member attributes.
>
> Note: Changing the order in which the users are listed changes the behavior;
> only the first user listed matches 'self'. Changing the 'selfread' privilege to
> 'read' behaves correctly: both queries display both users' memberships in the
> groups. So the problem lies somewhere in the way the 'self' modifier is
> implemented.

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
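Added example (not part of the ITS thread, and not OpenLDAP's own ACL code): a small Python model of the two ACLs in the report, plus a checker that parses ldapsearch output and reports where a running slapd deviates from what the rules should yield. The group and user DNs, the directory contents and the sample ldapsearch output are constructed to match the report's description, since the pastebin LDIF is not on the page; the model encodes the semantics the reporter expects (`selfread` exposes only the `member` value equal to the bound DN, `read` exposes all of them), not slapd's implementation. Useful as a regression check after upgrading past the fix, or when validating a similar self-only group ACL on your own directory.

```python
"""Model the report's ACLs and diff them against real ldapsearch output.

ACLs being modelled (from the report):
    access to dn.onelevel="ou=group,o=org" attrs=entry  by dnattr=member read
    access to dn.onelevel="ou=group,o=org" attrs=member by dnattr=member <priv>
"""

GROUP_BASE = "ou=group,o=org"
FOO = "uid=foo,ou=user,o=org"   # assumed DN; the report only shows the bind DNs
BAR = "uid=bar,ou=user,o=org"

# Constructed directory in the shape the report describes: two groups, each
# listing both users.  Order matters for reproducing the reported bug.
DIRECTORY = {
    "cn=g1,ou=group,o=org": {"member": [FOO, BAR]},
    "cn=g2,ou=group,o=org": {"member": [FOO, BAR]},
}


def normalize(dn):
    """Crude DN normalization (case and whitespace only) for comparisons."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def search_as(bound_dn, member_priv="selfread", directory=DIRECTORY):
    """Return {group_dn: [visible member values]} for a bound user.

    An entry is returned only if the bound DN is one of its members
    (attrs=entry ... by dnattr=member read); the member values shown depend
    on the privilege granted on attrs=member.
    """
    who = normalize(bound_dn)
    visible = {}
    for dn, attrs in directory.items():
        ndn = normalize(dn)
        if ndn.split(",", 1)[1] != GROUP_BASE:
            continue                      # dn.onelevel scope: direct children only
        members = [normalize(m) for m in attrs.get("member", [])]
        if who not in members:
            continue                      # no entry access -> entry not returned
        if member_priv == "read":
            visible[ndn] = members
        elif member_priv == "selfread":
            visible[ndn] = [m for m in members if m == who]
        else:
            visible[ndn] = []             # no read access to the attribute
    return visible


def parse_ldapsearch(text):
    """Minimal parser for ldapsearch LDIF output: {dn: [member values]}.

    Ignores '#' comments and the trailing 'search:'/'result:' lines; does not
    handle base64 ('member::') or folded continuation lines.
    """
    entries, dn, members = {}, None, []
    for line in text.splitlines():
        if line.startswith(("#", "search:", "result:")):
            continue
        if not line.strip():
            if dn is not None:
                entries[dn] = members
            dn, members = None, []
        elif line.startswith("dn: "):
            dn = normalize(line[4:])
        elif line.startswith("member: ") and dn is not None:
            members.append(normalize(line[8:]))
    if dn is not None:
        entries[dn] = members
    return entries


def check(bound_dn, actual_text, member_priv="selfread"):
    """Diff real ldapsearch output against the model; return mismatch strings."""
    expected = search_as(bound_dn, member_priv)
    actual = parse_ldapsearch(actual_text)
    problems = []
    for dn, exp in expected.items():
        got = actual.get(dn)
        if got is None:
            problems.append(f"{dn}: entry missing from output")
        elif sorted(got) != sorted(exp):
            problems.append(f"{dn}: expected member {exp}, got {got}")
    for dn in actual:
        if dn not in expected:
            problems.append(f"{dn}: entry visible but the ACL should hide it")
    return problems


# Constructed ldapsearch output reproducing what the report observed.
FOO_OUTPUT = "dn: cn=g1,ou=group,o=org\nmember: uid=foo,ou=user,o=org\n\n" \
             "dn: cn=g2,ou=group,o=org\nmember: uid=foo,ou=user,o=org\n\n"
BAR_OUTPUT_BUGGY = "dn: cn=g1,ou=group,o=org\n\ndn: cn=g2,ou=group,o=org\n\n"

if __name__ == "__main__":
    print("foo:", check(FOO, FOO_OUTPUT))            # []
    print("bar:", check(BAR, BAR_OUTPUT_BUGGY))      # two mismatches
```

Run the real `ldapsearch` commands from the report, feed each user's output to `check()` with that user's bind DN, and an empty list means the directory behaves as the ACLs intend; the buggy sample for bar produces one mismatch per group, which is exactly the symptom in the report.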
