emmanuel.duru@atosorigin.com wrote:
Full_Name: Emmanuel Duru
Version: 2.4.11
OS: Windows
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (80.78.0.137)
I have a single BDB database directory with root DN as a physical entry. My access control is defined as follows in olcDatabase={-1}frontend:

olcAccess: {0}to attrs=userPassword by self write by anonymous auth by * none
olcAccess: {1}to dn=cn=manager,c=fr by self write by * none
olcAccess: {2}to * by self write by users read by anonymous read by * none
I perform a modify operation as follows:

dn: olcDatabase={-1}frontend,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword by self write by anonymous auth by * none
olcAccess: {1}to dn=cn=manager,c=fr by self write by * none
olcAccess: {2}to * by self write by users read by anonymous read by * none

dn: olcDatabase={0}config,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by * none
-
replace: olcRootDN
olcRootDN: cn=manager,c=fr
Then I cannot bind to the directory any more (invalid credentials). The log says (do notice the line "dn: [1]..." with non-printable characters):

do_bind: version=3 dn="cn=manager,c=fr" method=128
==> bdb_bind: dn: cn=manager,c=fr
bdb_dn2entry("cn=manager,c=fr")
=> access_allowed: auth access to "cn=manager,c=fr" "userPassword" requested
=> dn: [1] <some non printable characters>anager,c=fr
=> acl_get: [2] attr userPassword
=> slap_access_allowed: result not in cache (userPassword)
=> acl_mask: access to entry "cn=manager,c=fr", attr "userPassword" requested
=> acl_mask: to value by "", (=0)
<= check a_dn_pat: *
<= acl_mask: [1] applying none(=0) (stop)
<= acl_mask: [1] mask: none(=0)
=> slap_access_allowed: auth access denied by none(=0)
=> access_allowed: no more rules
When I stop the directory, the log says (filter_free lines may vary):

bdb_db_close: database "c=fr": alock_close failed
filter_free: unknown filter type=20224
filter_free: unknown filter type=496
slapd stopped.
filter_free: unknown filter type=29776
filter_free: unknown filter type=13944
filter_free: unknown filter type=29496
When I restart slapd, all is fine: the access control is OK and I can bind.
I can't confirm your report with HEAD code. I suggest you retry with either 2.4.12 or (better) re24, which is about to be released as 2.4.13. I note that by performing the operations you indicate, the cn=config database (dn: olcDatabase={0}config,cn=config) ends up in an inconsistent state, because the rootdn does not belong to its naming context, but the rootpw is set, which should not be allowed. A check for this does not exist, while it should. In any case, this is harmless.
p.
Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
-----------------------------------
Office: +39 02 23998309
Mobile: +39 333 4963172
Fax: +39 0382 476497
Email: ando@sys-net.it
-----------------------------------
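The reply above points out the inconsistency the modify leaves behind: the config database (naming context cn=config) ends up with a rootdn under c=fr, outside its own naming context, while a rootpw is set, and slapd has no check for that. The script below is an added example, not part of this ITS thread and not OpenLDAP code; it performs that check offline over a cn=config LDIF dump (such as slapcat -n 0 output). The sample LDIF embedded in it is constructed to reproduce the state described in the report, and the olcRootPW values are placeholders. The parser, DN handling and the rule that the config backend's naming context is always cn=config are this example's own assumptions.

```python
"""Flag cn=config database entries whose olcRootDN lies outside the database's
naming context while olcRootPW is set (the inconsistency noted in the reply)."""
import base64

# Constructed sample cn=config dump (not from the report). It reproduces the
# state the reported modify produces: the config database gets a rootdn under
# c=fr, outside its own naming context cn=config, and has a rootpw set.
SAMPLE_CONFIG_LDIF = """\
dn: olcDatabase={-1}frontend,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {-1}frontend

dn: olcDatabase={0}config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcRootDN: cn=manager,c=fr
olcRootPW: {SSHA}CONSTRUCTED-PLACEHOLDER-HASH
olcAccess: {0}to * by * none

dn: olcDatabase={1}bdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcBdbConfig
olcDatabase: {1}bdb
olcSuffix: c=fr
olcRootDN: cn=manager,c=fr
olcRootPW: {SSHA}CONSTRUCTED-PLACEHOLDER-HASH
"""


def parse_ldif(text):
    """Minimal LDIF reader: entries separated by blank lines, continuation
    lines (leading space) folded, '::' values base64-decoded. Returns a list
    of dicts mapping lowercase attribute names to lists of string values."""
    entries, current, pending = [], {}, None

    def flush():
        nonlocal pending
        if pending is None:
            return
        name, value, is_b64 = pending
        if is_b64:
            value = base64.b64decode(value).decode("utf-8", "replace")
        current.setdefault(name, []).append(value)
        pending = None

    for raw in text.splitlines():
        if raw.startswith(" ") and pending is not None:
            pending = (pending[0], pending[1] + raw[1:], pending[2])
            continue
        flush()
        if not raw.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if raw.startswith("#"):
            continue
        name, _, value = raw.partition(":")
        is_b64 = value.startswith(":")
        if is_b64:
            value = value[1:]
        pending = (name.strip().lower(), value.lstrip(" "), is_b64)
    flush()
    if current:
        entries.append(current)
    return entries


def split_dn(dn):
    """Split a DN into RDNs normalised for comparison: case folded, whitespace
    around separators dropped, escaped commas kept inside their RDN."""
    rdns, buf, i = [], "", 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf += dn[i:i + 2]
            i += 2
            continue
        if ch == ",":
            rdns.append(buf.strip().lower())
            buf = ""
        else:
            buf += ch
        i += 1
    rdns.append(buf.strip().lower())
    return rdns


def dn_within(dn, suffix):
    """True when dn is the suffix itself or subordinate to it."""
    d, s = split_dn(dn), split_dn(suffix)
    return len(d) >= len(s) and d[-len(s):] == s


def naming_context(entry):
    """The database's suffix, or None if it has none (e.g. the frontend).
    The config backend carries no olcSuffix; its naming context is cn=config."""
    if "olcsuffix" in entry:
        return entry["olcsuffix"][0]
    if entry.get("olcdatabase", [""])[0].endswith("config"):
        return "cn=config"
    return None


def find_rootdn_inconsistencies(ldif_text):
    """Return (database dn, rootdn, suffix) for each database whose rootdn is
    outside its naming context while a rootpw is configured."""
    findings = []
    for entry in parse_ldif(ldif_text):
        dn = entry.get("dn", [""])[0]
        if not dn.lower().startswith("olcdatabase="):
            continue
        suffix = naming_context(entry)
        rootdn = entry.get("olcrootdn", [None])[0]
        if suffix is None or rootdn is None or "olcrootpw" not in entry:
            continue
        if not dn_within(rootdn, suffix):
            findings.append((dn, rootdn, suffix))
    return findings


if __name__ == "__main__":
    for db, rootdn, suffix in find_rootdn_inconsistencies(SAMPLE_CONFIG_LDIF):
        print(f"{db}: olcRootDN {rootdn} is outside naming context {suffix} "
              f"but olcRootPW is set")
```

Run against the constructed dump, the script reports only olcDatabase={0}config,cn=config; the bdb database with olcSuffix c=fr and the same rootdn is consistent and is not reported. A rootdn outside the naming context with no rootpw is deliberately left alone, since that form is legitimate (the rootdn then authenticates as an ordinary entry in whichever database holds it).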