Yes, this is a known issue (and quite an old one...):
https://issues.apache.org/jira/browse/DIRSERVER-955

On 17/08/2017 at 11:29, Sebastian Roland wrote:
> Hi,
>
> I am about to set up an ACI that allows anonymous users only to filter for the
> mail attribute (with any value) and retrieve the userCertificate attribute of
> the matched entry.
>
> The directory structure is as follows (simplified):
> dc=example,dc=com is configured as an AAA and
> ou=protected-resources,dc=example,dc=com contains the user entries that are
> protected by the ACI. cn=example-aci,dc=example,dc=com describes the ACI itself:
>
> dn: dc=example,dc=com
> administrativeRole: accessControlSpecificArea
> ...
>
> dn: ou=protected-resources,dc=example,dc=com
>
> dn: cn=foo,ou=protected-resources,dc=example,dc=com
> mail: f...@example.com
> telephoneNumber: 12345
> userCertificate: MIIHHjC...
> ...
>
> dn: cn=bar,ou=protected-resources,dc=example,dc=com
> mail: b...@example.com
> telephoneNumber: 12345
> userCertificate: MIIHHjC...
> ...
>
> dn: cn=example-aci,dc=example,dc=com
> subTreeSpecification: { base: "ou=protected-resources" }
> prescriptiveACI: {
>     identificationTag "anonymous-aci",
>     precedence 100,
>     authenticationLevel none,
>     itemOrUserFirst userFirst: 
>     {
>         userClasses { allUsers },
>         userPermissions 
>         {
>             {
>                 protectedItems { entry },
>                 grantsAndDenials { grantReturnDN, grantBrowse } 
>             }
>             ,
>             {
>                 protectedItems 
>                 {
>                     allAttributeValues { userCertificate },
>                     attributeType { userCertificate } 
>                 }
>                 ,
>                 grantsAndDenials { grantRead } 
>             }
>             ,
>             {
>                 protectedItems 
>                 {
>                     allAttributeValues { mail },
>                     attributeType { mail } 
>                 }
>                 ,
>                 grantsAndDenials { grantFilterMatch } 
>             }
>         }
>     }
> }
>
> I was assuming that the grantFilterMatch on the mail attributeType (and all
> possible values) enforces that only the mail attribute can be used within an
> LDAP search filter. So if someone is filtering e.g. for telephoneNumber=12345,
> those results are skipped and not considered within the response. However, I
> am able to apply every search filter and results are not stripped. Even
> explicitly denying filter on an attributeType does not change the behaviour.
>
> Example:
> ldapsearch -b dc=example,dc=com -LLL -s sub -H 'ldap://localhost:10389' -x telephoneNumber=12345
>
> dn: cn=foo,ou=protected-resources,dc=example,dc=com
> userCertificate:: MIIHHjC...
>
> dn: cn=bar,ou=protected-resources,dc=example,dc=com
> userCertificate:: MIIHHjC...
>
>
> Any ideas?
>
> --Sebastian

-- 
Emmanuel Lecharny

Symas.com
directory.apache.org
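The restriction Sebastian expected the server to apply (an anonymous filter may test `mail` and nothing else) can be enforced in front of the directory while DIRSERVER-955 is open. The following is an added example, not code from this thread or from the Apache Directory project: a small RFC 4515 filter parser that collects every attribute type a filter tests and compares it against the FilterMatch grants taken from the ACI above. The allowlist, the idea of a proxy or gateway applying it, and the sample filters are all assumptions for the purpose of the example.

```python
"""Client-side check for the FilterMatch restriction from the thread.

The ACI in the thread grants FilterMatch on `mail` only, so an anonymous
search is supposed to be able to test nothing but `mail`. This module
parses an RFC 4515 filter, collects every attribute type the filter
tests and decides whether the filter stays within that grant. It is an
added example (not Apache Directory code) that a hypothetical proxy in
front of the server could use; it does not change what ApacheDS does.
"""
import re

# FilterMatch grants for anonymous users, taken from the ACI in the thread.
ANONYMOUS_FILTER_MATCH = frozenset({"mail"})

# Attribute description: descr or numeric OID, optionally with ;options.
_ATTR_RE = re.compile(r"(?:[A-Za-z][A-Za-z0-9-]*|\d+(?:\.\d+)+)(?:;[A-Za-z0-9-]+)*")

# Marker for an extensible match that names no attribute, e.g.
# (:caseIgnoreMatch:=12345): the server tries the assertion against
# every attribute of the entry, so such a filter tests "all attributes".
ANY_ATTRIBUTE = "*"


class FilterError(ValueError):
    """Raised for a filter that does not follow RFC 4515 syntax."""


def filter_attributes(filter_str):
    """Return the set of attribute types (lower-cased, options stripped) an
    RFC 4515 filter tests. The bare `attr=value` form ldapsearch accepts is
    wrapped in parentheses first, as ldapsearch itself does."""
    if not filter_str.startswith("("):
        filter_str = f"({filter_str})"
    attrs = set()
    end = _parse(filter_str, 0, attrs)
    if end != len(filter_str):
        raise FilterError(f"trailing data at offset {end}")
    return attrs


def _parse(s, i, attrs):
    """Parse one parenthesised filter starting at s[i]; return the index
    just past its closing ')'. Attribute types are added to `attrs`."""
    if i >= len(s) or s[i] != "(":
        raise FilterError(f"expected '(' at offset {i}")
    i += 1
    if i >= len(s):
        raise FilterError("unexpected end of filter")
    if s[i] in "&|":                       # and / or: zero or more sub-filters
        i += 1
        while i < len(s) and s[i] == "(":
            i = _parse(s, i, attrs)
    elif s[i] == "!":                      # not: exactly one sub-filter
        i = _parse(s, i + 1, attrs)
    else:                                  # simple or extensible item
        j = i
        while j < len(s) and s[j] not in "=~<>:()":
            j += 1
        if j >= len(s) or s[j] in "()":
            raise FilterError(f"missing operator at offset {j}")
        attr = s[i:j]
        if attr == "":
            if s[j] != ":":
                raise FilterError(f"missing attribute at offset {i}")
            attrs.add(ANY_ATTRIBUTE)
        elif _ATTR_RE.fullmatch(attr):
            attrs.add(attr.split(";")[0].lower())
        else:
            raise FilterError(f"bad attribute description {attr!r}")
        # RFC 4515 requires '(' and ')' inside values to be escaped as \28 / \29,
        # so the first literal ')' closes this item.
        k = s.find(")", j)
        if k == -1:
            raise FilterError("unterminated filter item")
        if "(" in s[j:k]:
            raise FilterError(f"unescaped '(' in value at offset {j}")
        i = k
    if i >= len(s) or s[i] != ")":
        raise FilterError(f"expected ')' at offset {i}")
    return i + 1


def filter_allowed(filter_str, granted=ANONYMOUS_FILTER_MATCH):
    """True when every attribute the filter tests carries a FilterMatch grant.
    ANY_ATTRIBUTE is never granted, so attribute-less extensible matches fail."""
    granted = {a.lower() for a in granted}
    return filter_attributes(filter_str) <= granted


if __name__ == "__main__":
    # Constructed filters, including the one from the ldapsearch in the thread.
    for f in ["(mail=foo@example.com)", "telephoneNumber=12345",
              "(&(mail=*)(telephoneNumber=12345))", "(:caseIgnoreMatch:=12345)",
              "(|(mail=a)(mail;lang-en=b))"]:
        print(f"{f:40} allowed={filter_allowed(f)} tests={sorted(filter_attributes(f))}")
```

With the grants from the thread's ACI, `(mail=...)` passes while the `telephoneNumber=12345` search from the example is rejected, as is any and/or/not combination that touches a non-granted attribute. The attribute-less extensible match is handled separately because it tests every attribute of the entry and would slip past a naive allowlist. This is a stopgap at the gateway; it does not replace a server-side fix for DIRSERVER-955.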
