Full_Name: Ralf Haferkamp
Version: 2.4.23, HEAD
OS:
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (92.252.54.248)
Submitted by: ralf
It seems that if the first ACL on a server is a value dependent ACL it is not evaluated correctly.
Steps to reproduce:
1. Set this global ACL on the server:
   access to dn.base="" attrs=supportedControl val/objectIdentifierMatch=1.3.6.1.4.1.4203.666.5.14
       by * none
   access to dn.base=""
       by * read
Now, when "1.3.6.1.4.1.4203.666.5.14" would be the first value of the supportedControl Attribute that the server would return, slapd will return no value of that attribute at all. OTOH when "1.3.6.1.4.1.4203.666.5.14" is not the first value, slapd will return all values of the "supportedControl" Attribute, including "1.3.6.1.4.1.4203.666.5.14". The expected result would be to return all values but "1.3.6.1.4.1.4203.666.5.14".
This problem only seems to be present if there are no other ACLs present before the first value dependent ACL.
This patch seems to fix the problem, it would be nice however if somebody with more insight into the acl code could review it before we commit it to HEAD. ------------------------------------------------------------- --- a/servers/slapd/acl.c +++ b/servers/slapd/acl.c @@ -405,7 +405,8 @@ access_allowed_mask( if ( state->as_desc == desc && state->as_access == access && state->as_result != -1 && - state->as_vd_acl == NULL ) + state->as_vd_acl == NULL && + state->as_vd_acl_count > 0 ) { Debug( LDAP_DEBUG_ACL, "=> access_allowed: result was in cache (%s)\n", -------------------------------------------------------------
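Review bot: the new `state->as_vd_acl_count > 0` term in the cache-hit condition of access_allowed_mask() carries no comment explaining the invariant it enforces, so a reader of this hunk cannot tell why a cached result is only trusted when the value-dependent ACL count is positive. Add a one-line comment above the condition stating what as_vd_acl_count counts and why a zero count (the report's case of a value-dependent ACL being the very first ACL, where as_vd_acl stays NULL) must not satisfy the cache check, and confirm that as_vd_acl_count is reset wherever as_vd_acl and as_result are reset, so the extra term cannot match on stale state from a previous evaluation.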
thanks, Ralf