Full_Name:
Version: 2.4.32
OS: Ubuntu 10, Debian Squeeze
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (130.233.152.136)
olcExtraAttrs does not seem to work with the rwm overlay (like in ITS#6513). With the rwm overlay present, ACIs are not evaluated when requesting a specific attribute, regardless of whether olcExtraAttrs is specified or not. In order to apply the ACI, you can pass the ACI attribute name in the search. I'm providing a configuration file that can be used to reproduce the problem as well as some search examples to demonstrate the issue.
----Configuration file----
dn: cn=config
objectClass: olcGlobal
cn: config
olcPidFile: /usr/local/var/run/slapd.pid
olcArgsFile: /usr/local/var/run/slapd.args
#olcLogLevel: -1
olcToolThreads: 1

dn: olcDatabase={-1}frontend,cn=config
objectClass: olcDatabaseConfig
objectClass: olcFrontendConfig
olcDatabase: {-1}frontend
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to dn.base="cn=subschema" by * read
olcRequires: authc

dn: olcDatabase=config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: config
olcAccess: to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break

dn: cn=schema,cn=config
objectClass: olcSchemaConfig
cn: schema

include: file:///usr/local/etc/openldap/schema/core.ldif

dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModuleload: back_hdb
olcModuleLoad: rwm

dn: olcOverlay=rwm,olcDatabase={-1}frontend,cn=config
objectClass: olcOverlayConfig
objectClass: olcRwmConfig
olcOverlay: rwm

dn: olcDatabase={1}hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: hdb
olcSuffix: dc=example,dc=com
olcDbDirectory: /var/lib/ldap
olcRootDN: cn=admin,dc=example,dc=com
olcRootPW: pass
olcDbConfig: set_cachesize 0 2097152 0
olcDbConfig: set_lk_max_objects 1500
olcDbConfig: set_lk_max_locks 1500
olcDbConfig: set_lk_max_lockers 1500
olcExtraAttrs: OpenLDAPaci
olcAccess: to attrs=userpassword by anonymous auth
olcAccess: to dn.base="dc=example,dc=com" by * search
olcAccess: to * by self manage by dynacl/aci=OpenLDAPaci manage
----Note----
To disable the rwm overlay, comment out the following 4 lines in the config:

dn: olcOverlay=rwm,olcDatabase={-1}frontend,cn=config
objectClass: olcOverlayConfig
objectClass: olcRwmConfig
olcOverlay: rwm
----Test data----
dn: dc=example,dc=com
objectClass: dcObject
objectClass: top
objectClass: organization
dc: example
o: example

dn: cn=a,dc=example,dc=com
objectClass: top
objectClass: person
cn: a
sn: a
userPassword: pass

dn: cn=b,dc=example,dc=com
objectClass: top
objectClass: person
cn: b
sn: b
userPassword: pass
OpenLDAPaci: 1#entry#grant;r,s,c;[all]#access-id#cn=a,dc=example,dc=com
----Search examples----
Without rwm, requesting the whole object (works as expected):
ldapsearch -x -D cn=a,dc=example,dc=com -w pass -b cn=b,dc=example,dc=com

# b, example.com
dn: cn=b,dc=example,dc=com
objectClass: top
objectClass: person
cn: b
sn: b

# numResponses: 2
# numEntries: 1

Without rwm, requesting an attribute (works as expected):
ldapsearch -x -D cn=a,dc=example,dc=com -w pass -b cn=b,dc=example,dc=com sn

# b, example.com
dn: cn=b,dc=example,dc=com
sn: b

# numResponses: 2
# numEntries: 1

With rwm, requesting the whole object (works as expected):
ldapsearch -x -D cn=a,dc=example,dc=com -w pass -b cn=b,dc=example,dc=com

# b, example.com
dn: cn=b,dc=example,dc=com
objectClass: top
objectClass: person
cn: b
sn: b

# numResponses: 2
# numEntries: 1

With rwm, requesting an attribute (notice the object is not returned here):
ldapsearch -x -D cn=a,dc=example,dc=com -w pass -b cn=b,dc=example,dc=com sn

# numResponses: 1

With rwm, requesting an attribute and openldapaci (works as expected):
ldapsearch -x -D cn=a,dc=example,dc=com -w pass -b cn=b,dc=example,dc=com sn openldapaci

# b, example.com
dn: cn=b,dc=example,dc=com
sn: b
OpenLDAPaci: 1#entry#grant;r,s,c;[all]#access-id#cn=a,dc=example,dc=com

# numResponses: 2
# numEntries: 1
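To make the mechanism behind these five results concrete, the following Python model is added here; it is not part of the report and not slapd code. It parses the OpenLDAPaci value from the test data and evaluates the "by dynacl/aci=OpenLDAPaci manage" check against whichever attributes were actually loaded with cn=b, so the entry is only returned when the ACI attribute was loaded (whole-entry request, olcExtraAttrs honoured, or the attribute requested explicitly). The stored entry, the bind DN and the ACI value come from the test data; the loading rule (requested attributes plus olcExtraAttrs, or the whole entry when nothing specific is requested), the simplified DN normalisation and the restriction to access-id subjects are assumptions of the model.

```python
"""Constructed model (not slapd source) of why an entry-embedded OpenLDAPaci
value only takes effect when that attribute is actually loaded with the entry.

The 'by dynacl/aci=OpenLDAPaci manage' clause makes the ACL engine look for
ACIs inside the entry being checked.  An entry that reaches the engine without
its OpenLDAPaci attribute carries no grant, so the search drops it.
olcExtraAttrs is supposed to force-load such attributes even when the client
did not request them; the report above is that rwm defeats that."""
from dataclasses import dataclass

ACI_ATTR = "OpenLDAPaci"

# cn=b from the test data (constructed copy for this model).
STORED_B = {
    "objectClass": ["top", "person"],
    "cn": ["b"],
    "sn": ["b"],
    "userPassword": ["pass"],
    "OpenLDAPaci": ["1#entry#grant;r,s,c;[all]#access-id#cn=a,dc=example,dc=com"],
}


@dataclass
class Aci:
    oid: str
    scope: str          # "entry" in the test data
    action: str         # "grant" or "deny"
    perms: set          # permission letters, e.g. {"r", "s", "c"}
    attrs: list         # ["[all]"] or attribute names
    subject_type: str   # "access-id" in the test data
    subject: str        # DN the ACI applies to


def parse_aci(value: str) -> Aci:
    """Parse the single-clause form used on this page:
    oid#scope#action;perms;attrs#subject-type#subject."""
    parts = value.split("#")
    if len(parts) != 5:
        raise ValueError(f"malformed ACI: {value!r}")
    oid, scope, rights, subject_type, subject = parts
    action, perms, attrs = rights.split(";")
    return Aci(oid, scope, action, set(perms.split(",")),
               attrs.split(","), subject_type, subject)


def norm_dn(dn: str) -> str:
    """Simplified DN normalisation (assumed): lower-case, trim each RDN."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def aci_grants(aci: Aci, bound_dn: str, perm: str, attr: str) -> bool:
    """True if `aci` grants permission letter `perm` on `attr` to `bound_dn`.
    Only access-id subjects (an explicit DN) are modelled."""
    if aci.action != "grant" or perm not in aci.perms:
        return False
    if aci.subject_type != "access-id" or norm_dn(aci.subject) != norm_dn(bound_dn):
        return False
    return "[all]" in aci.attrs or attr.lower() in {a.lower() for a in aci.attrs}


def loaded_attrs(stored: dict, requested: list, extra_attrs: list) -> dict:
    """Attributes that reach the ACL engine (assumed loading rule): the whole
    entry when nothing specific is requested, otherwise the requested ones plus
    whatever olcExtraAttrs forces in."""
    if not requested:
        return dict(stored)
    wanted = {a.lower() for a in requested} | {a.lower() for a in extra_attrs}
    return {k: v for k, v in stored.items() if k.lower() in wanted}


def entry_returned(loaded: dict, bound_dn: str) -> bool:
    """Mimic the search-time check for 'to * by dynacl/aci=OpenLDAPaci manage':
    search access on the entry and read access on every attribute to be sent,
    every grant coming from an ACI found in the *loaded* entry.  The 'by self
    manage' clause is left out: the bind DN here is never the target entry."""
    acis = [parse_aci(v) for v in loaded.get(ACI_ATTR, [])]
    if not any(aci_grants(a, bound_dn, "s", "entry") for a in acis):
        return False
    return all(any(aci_grants(a, bound_dn, "r", attr) for a in acis)
               for attr in loaded)


def simulate(requested, extra_attrs, bound_dn="cn=a,dc=example,dc=com") -> bool:
    """One ldapsearch against cn=b bound as `bound_dn`: does the entry come back?"""
    return entry_returned(loaded_attrs(STORED_B, requested, extra_attrs), bound_dn)


if __name__ == "__main__":
    # The five searches from the page, in order.
    cases = [
        ("without rwm, whole object", [], ["OpenLDAPaci"]),
        ("without rwm, sn only (olcExtraAttrs honoured)", ["sn"], ["OpenLDAPaci"]),
        ("with rwm, whole object", [], []),
        ("with rwm, sn only (olcExtraAttrs ignored)", ["sn"], []),
        ("with rwm, sn + openldapaci requested", ["sn", "openldapaci"], []),
    ]
    for label, req, extra in cases:
        print(f"{label}: {'returned' if simulate(req, extra) else 'NOT returned'}")
```

The rwm cases are modelled by passing an empty olcExtraAttrs list, which is what the report says the overlay amounts to: the only run that comes back empty is the one where sn alone is requested and nothing forces OpenLDAPaci into the loaded entry.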
( Taken from my post on the openldap-technical mailing list: http://www.openldap.org/lists/openldap-technical/201210/msg00104.html )