https://bugs.openldap.org/show_bug.cgi?id=9253
Bug ID: 9253
Summary: Access not retained when last examined olcAccess has a "break" control
Product: OpenLDAP
Version: unspecified
Hardware: All
OS: All
Status: UNCONFIRMED
Severity: normal
Priority: ---
Component: slapd
Assignee: bugs@openldap.org
Reporter: kop@karlpinc.com
Target Milestone: ---
When the last examined olcAccess control is "break" then it does not matter what access rights have been granted by the rules, access is denied.
Reproduce by having a database with a single access rule:
to attrs=userPassword by anonymous =x
Note that ldapwhoami successfully does a simple bind.
Then, modify so that the single existing access rule is:
to attrs=userPassword by anonymous =x break
Users can no longer do a simple bind.
You will see similar behavior with SASL binds, or any number of access rules. Access is denied when the last examined access control is "break".
The problem is at line 309 of: servers/slapd/acl.c (In master/HEAD, and probably all versions)
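As an added example (not OpenLDAP's own code), a small Python model of the directive walk this report exercises: "stop" (the default) ends evaluation with the level just granted, "break" moves on to the next directive that matches the same target, and running out of directives after a "break" falls through to the implicit final "access to * by * none". Only those two controls are modelled; the level ordering, the tuple layout and the helper names are assumptions made for this example.

```python
# Constructed model of slapd's olcAccess walk for "stop" and "break" only;
# not OpenLDAP code. Level list is a subset of slapd's ordering ("=x" is "auth").
LEVELS = ["none", "auth", "read"]
AUTH = "auth"

def who_matches(who, identity):
    # identity is "anonymous" or a bound DN; "users" means any bound identity
    if who == "*":
        return True
    if who == "users":
        return identity != "anonymous"
    return who == identity

def evaluate(directives, identity, attr):
    """Return the level granted to identity on attr, or "none".

    directives: list of (target_attr, [(who, level, control), ...]) tuples
    in olcAccess order; control is "stop" or "break".
    """
    for target_attr, by_clauses in directives:
        if target_attr not in ("*", attr):
            continue                      # directive does not apply to this target
        for who, level, control in by_clauses:
            if who_matches(who, identity):
                break
        else:
            return "none"                 # implicit "by * none" closes every directive
        if control == "stop":
            return level                  # default: evaluation ends here
        # "break": keep walking; the level granted so far is not retained
    # No further directive matched: implicit final "access to * by * none"
    return "none"

def can_simple_bind(directives, identity="anonymous"):
    """A simple bind needs at least "auth" (=x) on userPassword."""
    granted = evaluate(directives, identity, "userPassword")
    return LEVELS.index(granted) >= LEVELS.index(AUTH)

# The report's two configurations, as constructed data.
WITHOUT_BREAK = [("userPassword", [("anonymous", "auth", "stop")])]
WITH_BREAK = [("userPassword", [("anonymous", "auth", "break")])]
# Keeping "break" while still allowing the bind requires a later directive
# that matches the same target and grants the level itself.
WITH_BREAK_THEN_GRANT = WITH_BREAK + [("userPassword", [("anonymous", "auth", "stop")])]
```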
--- Comment #1 from Karl O. Pinc kop@karlpinc.com --- Created attachment 726 --> https://bugs.openldap.org/attachment.cgi?id=726&action=edit Improve olcAccess <control> docs
--- Comment #2 from Karl O. Pinc kop@karlpinc.com --- The initial bug report is bad. The behavior is documented.
Attached is a patch that improves documentation on <control>s.
I, Karl O. Pinc, hereby place the following modifications to OpenLDAP Software (and only these modifications) into the public domain. Hence, these modifications may be freely used and/or redistributed for any purpose with or without attribution and/or other notice.
--- Comment #3 from Howard Chu hyc@openldap.org --- I don't really see the patch as an improvement. The doc is already correct, and as you've noted the bug report is invalid. Should just close this and move on.
--- Comment #4 from Karl O. Pinc kop@karlpinc.com --- IMO the patch improves the sentence structure and paragraph organization of the existing docs. It gives "stop", "continue", and "break" each their own paragraphs. I think it would be helpful to have those changes even if you don't want to mention the implicit final access rule in the context of the "break" control.
Of course, I don't want to presume to say what's best, just that you might look at the patch in a different way.
--- Comment #5 from Howard Chu hyc@openldap.org --- (In reply to Karl O. Pinc from comment #4)
> IMO the patch improves the sentence structure and paragraph organization of the existing docs. It gives "stop", "continue", and "break" each their own paragraphs. I think it would be helpful to have those changes even if you don't want to mention the implicit final access rule in the context of the "break" control.
> Of course, I don't want to presume to say what's best, just that you might look at the patch in a different way.
Other folks can chime in with opinions as well. I think it's useless to say "you must be careful using break" - obviously you must be careful using *everything* in this document. And you must read the document carefully, and no amount of us saying "do this carefully" will fix that problem for careless readers.
--- Comment #6 from Karl O. Pinc kop@karlpinc.com --- Sure. My thoughts when writing the "carefully" part was that if you tell the reader why they need to be careful they might remember to be careful, even if they don't remember the reason. Maybe that's bloat, which is always hard to avoid.