https://bugs.openldap.org/show_bug.cgi?id=9810
Issue ID: 9810
Summary: slapacl peername
Product: OpenLDAP
Version: 2.4.59
Hardware: All
OS: All
Status: UNCONFIRMED
Keywords: needs_review
Severity: normal
Priority: ---
Component: slapd
Assignee: bugs@openldap.org
Reporter: ratness@gmail.com
Target Milestone: ---
Found in 2.4.59 on a $WORK system, replicated in 2.6.1:
    [root@centos-s-1vcpu-1gb-ams3-01 ~]# rpm -qf /opt/symas/sbin/slapacl
    symas-openldap-servers-2.6.1-2.el7.x86_64
This is a box where I don't even have slapd running, but that's okay because my point is visible without it:
    [root@centos-s-1vcpu-1gb-ams3-01 ~]# /opt/symas/sbin/slapacl -F /etc/openldap/slapd.d -D 'someuser' -b 'somewhere' -o peername.ip=127.0.0.1 entry/read
    usage: slapacl [-v] [-d debuglevel] [-f configfile] [-F configdir] [-o <name>[=<value>]] [-U authcID | -D authcDN] [-X authzID | -o authzDN=<DN>] -b DN [-u] [attr[/access][:value]] [...]
When I ask for `-o peername.ip=127.0.0.1` the `slapacl` command bails out with usage, indicating a parse failure.
If I then run `slapacl` with `-o peername=ip=127.0.0.1`, I get:
    [root@centos-s-1vcpu-1gb-ams3-01 ~]# /opt/symas/sbin/slapacl -F /etc/openldap/slapd.d -D 'someuser' -b 'somewhere' -o peername=ip=127.0.0.1 entry/read
    invalid config directory /etc/openldap/slapd.d, error 2
    slapacl: bad configuration directory!
(which I would expect here since I have no server running)
Demo on 2.4.59 at work:

    $ /usr/sbin/slapacl -F /etc/openldap/slapd.d -D uid=replicator,ou=logins,dc=example -b 'mail=me@example.com,o=com,dc=mozilla' -o peername=ip=127.0.0.1 entry/read
    authcDN: "uid=replicator,ou=logins,dc=example"
    read access to entry: ALLOWED
    $ /usr/sbin/slapacl -F /etc/openldap/slapd.d -D uid=replicator,ou=logins,dc=example -b 'mail=me@example.com,o=com,dc=mozilla' -o peername=ip=127.0.0.2 entry/read
    authcDN: "uid=replicator,ou=logins,dc=example"
    read access to entry: DENIED
slapacl(8) mentions peername, but also aims us at slapd.access(5), which lists peername[.<peernamestyle>].
It's possible I'm dense and this isn't a bug, but minimally the equals-sign repetition is really awkward to my eye. I'd suggest at least an example in slapacl(8) so it's easier to figure out.
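As an added example (not part of the bug report or of OpenLDAP itself), the following shell script turns the report's manual checks into a repeatable ACL regression test: it calls slapacl with the `-o peername=ip=<addr>` form that the report shows working, parses the `... access to entry: ALLOWED|DENIED` verdict from the output, and compares it against an expected-verdict table. The slapacl path, the config directory, the DNs and the expected verdicts are assumptions for illustration; only the option syntax and the output format come from the report.

```shell
#!/bin/sh
# Added example, not OpenLDAP project code: regression-check slapacl(8) verdicts
# for a set of peer addresses using the "-o peername=ip=<addr>" syntax.
set -u

SLAPACL=${SLAPACL:-/usr/sbin/slapacl}        # assumed location of slapacl(8)
CONFDIR=${CONFDIR:-/etc/openldap/slapd.d}    # assumed slapd.d config directory
AUTHC_DN='uid=replicator,ou=logins,dc=example'   # identity under test (from the report)
TARGET='mail=me@example.com,o=com,dc=mozilla'    # entry under test (from the report)

# Build the -o value for a peer IP. Note the form: slapacl takes "-o peername=<value>"
# where <value> uses the peername syntax of slapd.access(5) ("ip=<addr>"); the ACL
# style spelling "peername.ip=<addr>" is rejected by slapacl with a usage message.
peername_opt() {
    printf 'peername=ip=%s' "$1"
}

# Run slapacl for one peer IP and print everything it says. slapacl reports on
# stderr, so merge it into stdout for parsing.
run_slapacl() {
    "$SLAPACL" -F "$CONFDIR" -D "$AUTHC_DN" -b "$TARGET" \
        -o "$(peername_opt "$1")" entry/read 2>&1
}

# Extract the verdict from slapacl output such as:
#   authcDN: "uid=replicator,ou=logins,dc=example"
#   read access to entry: ALLOWED
# Prints ALLOWED or DENIED, or nothing if slapacl did not reach a verdict
# (e.g. "slapacl: bad configuration directory!").
verdict_of() {
    awk '/ access to entry: /{ print $NF; exit }'
}

# Expected outcomes (assumed for this example): only the loopback peer may read.
expected_verdict() {
    case $1 in
        127.0.0.1) echo ALLOWED ;;
        *)         echo DENIED ;;
    esac
}

# Check every peer address in the list; exit status 1 on any mismatch.
main() {
    if [ ! -x "$SLAPACL" ]; then
        echo "slapacl not found at $SLAPACL" >&2
        return 2
    fi
    rc=0
    for ip in 127.0.0.1 127.0.0.2 10.0.0.5; do
        want=$(expected_verdict "$ip")
        got=$(run_slapacl "$ip" | verdict_of)
        if [ "$got" = "$want" ]; then
            printf 'peer %-10s %-8s ok\n' "$ip" "$got"
        else
            printf 'peer %-10s got %s want %s MISMATCH\n' "$ip" "${got:-<no verdict>}" "$want"
            rc=1
        fi
    done
    return $rc
}

# Invoke as "sh slapacl-check.sh --run" on a host where slapacl and slapd.d exist.
if [ "${1:-}" = "--run" ]; then
    main
fi
```

Because slapacl reads the ACLs straight from slapd.d, the check works on a host where slapd is not running, as the report notes; a missing or unreadable config directory shows up as an empty verdict rather than a false ALLOWED.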
Greg ratness@gmail.com changed:
What | Removed | Added
Summary | slapacl peername | slapacl peername syntax different from slapd.access
Howard Chu hyc@openldap.org changed:
What | Removed | Added
Status | UNCONFIRMED | RESOLVED
Resolution | --- | INVALID
Keywords | needs_review | (none)
--- Comment #1 from Howard Chu hyc@openldap.org ---
(In reply to Greg from comment #0)
> slapacl(8) mentions peername, but also aims us at slapd.access(5), which lists peername[.<peernamestyle>].
peername[.peernamestyle] is irrelevant for slapacl. The keywords listed in slapacl(8) are the only supported options, in the exact form listed.
The reference to slapd.access(5) explains the required syntax of peername (without any style attached, in addition to with other styles).
Quanah Gibson-Mount quanah@openldap.org changed:
What | Removed | Added
Status | RESOLVED | VERIFIED