Full_Name: Matthew Backes
Version: 2.3, 2.4
OS: all
URL:
Submission from: (NULL) (76.88.99.93)
Set-acl who-clauses fail to match when accessing data through back-ldap and slapo-rwm.
Given a local server with only the object:
dn: cn=data,dc=local
objectClass: organizationalPerson
cn: data
sn: sn data
description: user
where sn is an example attribute that we will protect:
database bdb
suffix "cn=data,dc=local"
directory ./local
checkpoint 1024 1
cachesize 10
index objectClass,dc,entryCSN,entryUUID eq
index cn,sn,ou,title,description eq,sub

access to dn.subtree="cn=data,dc=local" attrs=sn
    by set="user/title & this/description" write
    by * none
access to dn.subtree="cn=data,dc=local"
    by * read
So any bound object whose title attribute matches the description attribute of the target should be able to see sn.
Remote data:
dn: dc=remote
objectClass: organization
objectClass: dcObject
o: remote
dc: remote

dn: cn=user,dc=remote
objectClass: organizationalPerson
cn: user
sn: user
title: user
userPassword: secret
If we have the local slapd's back-ldap configured as:
database ldap
suffix "dc=remote"
uri "ldap://127.0.0.1:2389"
acl-bind bindmethod=simple binddn="cn=user,dc=remote" credentials=secret
then everything works correctly.
But if we remap the DN using slapo-rwm instead:
database ldap
suffix "dc=remote,dc=local"
uri "ldap://127.0.0.1:2389"
acl-bind bindmethod=simple binddn="cn=user,dc=remote" credentials=secret
overlay rwm
rwm-suffixmassage "dc=remote,dc=local" "dc=remote"

then the ACL step fails:
=> access_allowed: read access to "cn=data,dc=local" "sn" requested
=> dn: [1] cn=data,dc=local
=> acl_get: [1] matched
=> acl_get: [1] attr sn
access_allowed: no res from state (sn)
=> acl_mask: access to entry "cn=data,dc=local", attr "sn" requested
=> acl_mask: to value by "cn=user,dc=remote", (=0)
<= check a_set_pat: user/title & this/description
<= check a_dn_pat: *
<= acl_mask: [2] applying none(=0) (stop)
<= acl_mask: [2] mask: none(=0)
=> access_allowed: read access denied by none(=0)
send_search_entry: conn 1 access to attribute sn, value #0 not allowed
And the remote server was never queried for the title attribute.
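The following is an added illustration, not code from the report or from OpenLDAP, and not a diagnosis of the ITS: a deliberately simplified Python model of how a set-ACL who-clause such as set="user/title & this/description" is resolved across the configured databases. It assumes that a "user/<attr>" reference is answered by the database whose suffix contains the bound DN, that a bound DN under no configured suffix yields the empty set (so the intersection is empty and "by * none" applies), and that rwm-suffixmassage rewrites the virtual suffix to the real one before the proxied lookup. The entries, the RemoteServer/Database classes and the query counter are constructed for the example. It goes slightly beyond the report by also evaluating the virtual DN cn=user,dc=remote,dc=local under the rwm configuration, to show the difference between a bound identity expressed in the virtual namespace and one expressed in the real one, as the trace above reports it.

```python
"""Simplified model of set-ACL resolution across slapd databases.

Added example, not slapd's own code.  Assumptions: "user/<attr>" is
resolved through the database whose suffix contains the bound DN; a DN
under no configured suffix resolves to the empty set; suffixmassage maps
a virtual suffix to the real one before the remote lookup.
"""


def _rdns(dn):
    """Split a DN into lowercased RDNs (sample DNs have no escaped commas)."""
    return [c.strip().lower() for c in dn.split(",")]


def dn_under_suffix(dn, suffix):
    """True if dn equals suffix or lies beneath it."""
    d, s = _rdns(dn), _rdns(suffix)
    return len(d) >= len(s) and d[-len(s):] == s


def massage_dn(dn, virtual, real):
    """rwm-suffixmassage: replace the virtual suffix with the real one."""
    if not dn_under_suffix(dn, virtual):
        return dn
    head = _rdns(dn)[: len(_rdns(dn)) - len(_rdns(virtual))]
    return ",".join(head + _rdns(real))


class RemoteServer:
    """The server back-ldap proxies to; counts lookups so a caller can
    tell whether it was queried at all."""

    def __init__(self, entries):
        self.entries = entries  # constructed sample data, lowercase DN keys
        self.queries = 0

    def read(self, dn, attr):
        self.queries += 1
        return set(self.entries.get(dn.lower(), {}).get(attr, []))


class Database:
    """A slapd database: a local store, or a back-ldap proxy with an
    optional (virtual, real) suffix massage."""

    def __init__(self, suffix, entries=None, remote=None, massage=None):
        self.suffix = suffix
        self.entries = entries or {}
        self.remote = remote
        self.massage = massage

    def read(self, dn, attr):
        if self.remote is None:
            return set(self.entries.get(dn.lower(), {}).get(attr, []))
        real = massage_dn(dn, *self.massage) if self.massage else dn
        return self.remote.read(real, attr)


def select_database(databases, dn):
    """Longest-suffix match: the database that would serve this DN."""
    best = None
    for db in databases:
        if dn_under_suffix(dn, db.suffix):
            if best is None or len(_rdns(db.suffix)) > len(_rdns(best.suffix)):
                best = db
    return best


def set_clause_matches(databases, bound_dn, target_dn):
    """Evaluate set="user/title & this/description": the clause matches
    when the bound entry's title values and the target's description
    values intersect."""
    user_db = select_database(databases, bound_dn)
    user_title = user_db.read(bound_dn, "title") if user_db else set()
    this_db = select_database(databases, target_dn)
    this_desc = this_db.read(target_dn, "description") if this_db else set()
    return bool(user_title & this_desc)


def sn_visible(databases, bound_dn, target_dn="cn=data,dc=local"):
    """The ACL from the report: the set clause grants write (hence read)
    on sn; everything else falls through to 'by * none'."""
    return set_clause_matches(databases, bound_dn, target_dn)


# Constructed sample entries mirroring the report's local and remote data.
LOCAL_ENTRIES = {"cn=data,dc=local": {"sn": ["sn data"], "description": ["user"]}}
REMOTE_ENTRIES = {"cn=user,dc=remote": {"title": ["user"], "sn": ["user"]}}


def scenario(use_rwm):
    """Build the plain back-ldap or the back-ldap+rwm configuration and
    return (databases, remote) so the remote query count can be inspected."""
    remote = RemoteServer(REMOTE_ENTRIES)
    local = Database("cn=data,dc=local", entries=LOCAL_ENTRIES)
    if use_rwm:
        proxy = Database("dc=remote,dc=local", remote=remote,
                         massage=("dc=remote,dc=local", "dc=remote"))
    else:
        proxy = Database("dc=remote", remote=remote)
    return [local, proxy], remote


if __name__ == "__main__":
    for use_rwm in (False, True):
        dbs, remote = scenario(use_rwm)
        ok = sn_visible(dbs, "cn=user,dc=remote")
        print(f"rwm={use_rwm}: sn visible={ok}, remote queries={remote.queries}")
```

In this model, the bound DN cn=user,dc=remote lies under the proxy suffix only in the plain back-ldap configuration; under the rwm configuration no database suffix contains it, the user/title set is empty without any remote lookup, and the "by * none" clause applies, which is the shape of the trace above. The same model grants access when the bound identity is the virtual cn=user,dc=remote,dc=local, because that DN selects the proxy and is massaged to the real DN before the lookup.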