Hi,

I am about to set up an ACI that allows anonymous users only to filter for the mail attribute (with any value) and retrieve the userCertificate attribute of the matched entry.

The directory structure is as follows (simplified): dc=example,dc=com is configured as an AAA and ou=protected-resources,dc=example,dc=com contains the user entries that are protected by the ACI. cn=example-aci,dc=example,dc=com describes the ACI itself:

dn: dc=example,dc=com
administrativeRole: accessControlSpecificArea
...

dn: ou=protected-resources,dc=example,dc=com

dn: cn=foo,ou=protected-resources,dc=example,dc=com
mail: f...@example.com
telephoneNumber: 12345
userCertificate: MIIHHjC...
...

dn: cn=bar,ou=protected-resources,dc=example,dc=com
mail: b...@example.com
telephoneNumber: 12345
userCertificate: MIIHHjC...
...

dn: cn=example-aci,dc=example,dc=com
subTreeSpecification: { base: "ou=protected-resources" }
prescriptiveACI: {
    identificationTag "anonymous-aci",
    precedence 100,
    authenticationLevel none,
    itemOrUserFirst userFirst: 
    {
        userClasses { allUsers },
        userPermissions 
        {
            {
                protectedItems { entry },
                grantsAndDenials { grantReturnDN, grantBrowse } 
            }
            ,
            {
                protectedItems 
                {
                    allAttributeValues { userCertificate },
                    attributeType { userCertificate } 
                }
                ,
                grantsAndDenials { grantRead } 
            }
            ,
            {
                protectedItems 
                {
                    allAttributeValues { mail },
                    attributeType { mail } 
                }
                ,
                grantsAndDenials { grantFilterMatch } 
            }
        }
    }
}

I was assuming that the grantFilterMatch on the mail attributeType (and all possible values) enforces that only the mail attribute can be used within an LDAP search filter. So if someone is filtering, e.g., for telephoneNumber=12345, those results are skipped and not considered within the response. However, I am able to apply every search filter and the results are not stripped. Even explicitly denying filter on an attributeType does not change the behaviour.

Example:
ldapsearch -b dc=example,dc=com -LLL -s sub -H 'ldap://localhost:10389' -x telephoneNumber=12345

dn: cn=foo,ou=protected-resources,dc=example,dc=com
userCertificate:: MIIHHjC...

dn: cn=bar,ou=protected-resources,dc=example,dc=com
userCertificate:: MIIHHjC...


Any ideas?

--Sebastian
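The behaviour Sebastian expects follows the X.501 Basic Access Control rules: a filter item on an attribute without FilterMatch permission evaluates as undefined, so the entry does not match, and an entry that does match is returned only with the attributes the requester may Read. The model below is an added example, not ApacheDS code or part of the original post; the ACI and the two entries are transcribed from the post, the mail values are constructed placeholders, and the evaluation functions are an assumption about the standard's semantics rather than what this server actually does.

```python
# Model of X.501 Basic Access Control for the anonymous-aci in this post.
# ACI: permissions per protected item, as granted in prescriptiveACI above.
ACI = {
    "entry": {"grantReturnDN", "grantBrowse"},
    "userCertificate": {"grantRead"},
    "mail": {"grantFilterMatch"},
    # telephoneNumber is not listed, so no permission at all is granted on it
}

# Constructed sample entries mirroring the two protected-resources entries.
ENTRIES = {
    "cn=foo,ou=protected-resources,dc=example,dc=com": {
        "mail": ["foo@example.com"],           # constructed value
        "telephoneNumber": ["12345"],
        "userCertificate": ["MIIHHjC..."],
    },
    "cn=bar,ou=protected-resources,dc=example,dc=com": {
        "mail": ["bar@example.com"],           # constructed value
        "telephoneNumber": ["12345"],
        "userCertificate": ["MIIHHjC..."],
    },
}


def filter_item(entry, attr, value, aci=ACI):
    """Evaluate an equality filter item (attr=value) against one entry.

    Returns True/False when FilterMatch is granted on attr; returns None
    (the X.501 'undefined' result) when it is not, so the item never matches.
    """
    if "grantFilterMatch" not in aci.get(attr, set()):
        return None
    return value in entry.get(attr, [])


def search(attr, value, entries=ENTRIES, aci=ACI):
    """Anonymous subtree search with a single equality filter item.

    An entry is returned only if the filter item is TRUE (not FALSE or
    undefined) and Browse + ReturnDN are granted on the entry; the returned
    attributes are restricted to those with Read permission.
    """
    results = {}
    for dn, entry in entries.items():
        if filter_item(entry, attr, value, aci) is not True:
            continue  # skipped: FALSE or undefined filter item
        if not {"grantBrowse", "grantReturnDN"} <= aci.get("entry", set()):
            continue  # entry itself may not be browsed or its DN returned
        results[dn] = {a: v for a, v in entry.items()
                       if "grantRead" in aci.get(a, set())}
    return results
```

Under these rules `search("telephoneNumber", "12345")` is empty, while `search("mail", "foo@example.com")` returns cn=foo with only its userCertificate.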
