[Issue 9810] New: slapacl peername
by openldap-its@openldap.org
https://bugs.openldap.org/show_bug.cgi?id=9810
Issue ID: 9810
Summary: slapacl peername
Product: OpenLDAP
Version: 2.4.59
Hardware: All
OS: All
Status: UNCONFIRMED
Keywords: needs_review
Severity: normal
Priority: ---
Component: slapd
Assignee: bugs@openldap.org
Reporter: ratness@gmail.com
Target Milestone: ---
Found in 2.4.59 on a $WORK system, replicated in 2.6.1:
[root@centos-s-1vcpu-1gb-ams3-01 ~]# rpm -qf /opt/symas/sbin/slapacl
symas-openldap-servers-2.6.1-2.el7.x86_64
This is a box where I don't even have slapd running, but that's okay because my
point is visible without it:
[root@centos-s-1vcpu-1gb-ams3-01 ~]# /opt/symas/sbin/slapacl -F /etc/openldap/slapd.d -D 'someuser' -b 'somewhere' -o peername.ip=127.0.0.1 entry/read
usage: slapacl [-v] [-d debuglevel] [-f configfile] [-F configdir] [-o <name>[=<value>]]
        [-U authcID | -D authcDN] [-X authzID | -o authzDN=<DN>]
        -b DN [-u] [attr[/access][:value]] [...]
When I ask for `-o peername.ip=127.0.0.1` the `slapacl` command bails out with
usage, indicating a parse failure.
If I then run `slapacl` with `-o peername=ip=127.0.0.1`, I get:
[root@centos-s-1vcpu-1gb-ams3-01 ~]# /opt/symas/sbin/slapacl -F /etc/openldap/slapd.d -D 'someuser' -b 'somewhere' -o peername=ip=127.0.0.1 entry/read
invalid config directory /etc/openldap/slapd.d, error 2
slapacl: bad configuration directory!
(which I would expect here since I have no server running)
Demo on 2.4.59 at work:
$ /usr/sbin/slapacl -F /etc/openldap/slapd.d -D uid=replicator,ou=logins,dc=example -b 'mail=me@example.com,o=com,dc=mozilla' -o peername=ip=127.0.0.1 entry/read
authcDN: "uid=replicator,ou=logins,dc=example"
read access to entry: ALLOWED
$ /usr/sbin/slapacl -F /etc/openldap/slapd.d -D uid=replicator,ou=logins,dc=example -b 'mail=me@example.com,o=com,dc=mozilla' -o peername=ip=127.0.0.2 entry/read
authcDN: "uid=replicator,ou=logins,dc=example"
read access to entry: DENIED
slapacl(8) mentions peername, but also aims us at slapd.access(5), which lists
peername[.<peernamestyle>].
It's possible I'm dense and this isn't a bug, but minimally the equalsign
repetition is really awkward to my eye. I'd suggest at least an example in
slapacl(8) so it's easier to figure out.
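A scripted way to exercise an ACL against several candidate peer addresses, using the "-o peername=ip=<addr>" spelling that the report found to work. This is an added example, not code from the ITS report or from OpenLDAP. The slapacl path, config directory, bind DN, target DN and attr/access are hypothetical placeholders; the comment that the option value mirrors the "IP=addr:port" form slapd uses for a connection's peer name is the editor's reading of why the second "=" is needed, not something the report states.

```shell
#!/bin/sh
# Added example (not from the OpenLDAP ITS report): run slapacl once per
# candidate peer address and reduce each run to ALLOWED / DENIED / ERROR.
# Assumptions: slapacl lives at $SLAPACL (default /usr/sbin/slapacl) and the
# config directory is $CONFDIR; DNs and attr/access passed in are hypothetical.

SLAPACL="${SLAPACL:-/usr/sbin/slapacl}"
CONFDIR="${CONFDIR:-/etc/openldap/slapd.d}"

# peer_verdict AUTHCDN TARGETDN ATTR/ACCESS IP
# Prints ALLOWED or DENIED; prints ERROR and returns 1 if slapacl fails
# (e.g. bad config directory) or its output is not recognised.
peer_verdict() {
    authc="$1"; target="$2"; what="$3"; ip="$4"
    # The first '=' separates the -o option name from its value; the value
    # "ip=<addr>" is assumed here to mimic slapd's "IP=addr:port" peer-name
    # form, which is what a "peername.ip=" ACL clause matches against.
    # "-o peername.ip=<addr>" is not an option name slapacl knows and yields usage.
    out=$("$SLAPACL" -F "$CONFDIR" -D "$authc" -b "$target" \
          -o "peername=ip=$ip" "$what" 2>&1) || { echo ERROR; return 1; }
    case "$out" in
        *"access to"*ALLOWED*) echo ALLOWED ;;
        *"access to"*DENIED*)  echo DENIED ;;
        *)                     echo ERROR; return 1 ;;
    esac
}

# peer_matrix AUTHCDN TARGETDN ATTR/ACCESS IP...
# One line per address: "<ip> <verdict>". Returns 1 if any run errored,
# so it can gate a CI job that checks ACLs after a slapd.d change.
peer_matrix() {
    authc="$1"; target="$2"; what="$3"; shift 3
    rc=0
    for ip in "$@"; do
        v=$(peer_verdict "$authc" "$target" "$what" "$ip") || rc=1
        printf '%s %s\n' "$ip" "$v"
    done
    return $rc
}

# Example invocation against a real slapd.d (hypothetical DNs):
#   peer_matrix 'uid=replicator,ou=logins,dc=example' \
#       'mail=me@example.com,o=com,dc=mozilla' entry/read \
#       127.0.0.1 127.0.0.2 10.0.0.5
```

Run it with slapd stopped or running; slapacl reads the configuration directly and does not need a listening server. Set SLAPACL and CONFDIR in the environment to point at a Symas build (/opt/symas/sbin/slapacl) or a non-default config directory.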