Hi4All! :)
I notice that the active RWM/Remap overlay affects the ACL subsystem when the ACL checks access to the pseudo-attribute "entry", and this strange situation occurs even if I do not use any rules for rewrite/remap. Herewith, without the RWM overlay loaded, all works correctly... In debug mode, slapd with active RWM (no rewrite rules!) denies all access to the attribute entry except for the "root" user:
=> access_allowed: search access to "uid=akkerman,cn=Directory Server Admins,ou=Groups,dc=r2,dc=money,dc=ge,dc=com" "objectClass" requested
<= test_filter 5
=> acl_get: [13] attr entry
=> slap_access_allowed: result not in cache (entry)
=> acl_mask: access to entry "uid=akkerman,cn=Directory Server Admins,ou=Groups,dc=r2,dc=money,dc=ge,dc=com", attr "entry" requested
=> acl_mask: to all values by "", (none(=0))
<= check a_dn_pat: *
<= acl_mask: [1] applying none(=0) (stop)
<= acl_mask: [1] mask: none(=0)
=> slap_access_allowed: read access denied by none(=0)
This problem may be solved by adding a radically liberal rule at the beginning of the olcAccess sequence in cn=config:
olcAccess: {1}to * attrs=entry by * read
Is it a bug?
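When slapd is run with the acl debug level, the trace above tells you exactly which access clause produced the denial: `acl_get: [13]` is the ordinal of the olcAccess rule that was selected for the "entry" pseudo-attribute, and `acl_mask: [1] applying none(=0) (stop)` is the `by` clause inside that rule that matched. The following Python script is an added example (not code from the post or from the OpenLDAP project) that parses such a trace and reports, per decision, the rule number, the `by` clause, its DN pattern and the resulting mask, so that the misrouted "entry" check can be located without reading the raw log. The sample trace is the one quoted in the post, split into one record per line; the regular expressions assume the line formats shown there.

```python
import re

# Constructed sample input: the slapd ACL debug trace quoted in the post,
# one record per line as slapd prints it at the acl log level.
SAMPLE_TRACE = """\
=> access_allowed: search access to "uid=akkerman,cn=Directory Server Admins,ou=Groups,dc=r2,dc=money,dc=ge,dc=com" "objectClass" requested
<= test_filter 5
=> acl_get: [13] attr entry
=> slap_access_allowed: result not in cache (entry)
=> acl_mask: access to entry "uid=akkerman,cn=Directory Server Admins,ou=Groups,dc=r2,dc=money,dc=ge,dc=com", attr "entry" requested
=> acl_mask: to all values by "", (none(=0))
<= check a_dn_pat: *
<= acl_mask: [1] applying none(=0) (stop)
<= acl_mask: [1] mask: none(=0)
=> slap_access_allowed: read access denied by none(=0)
"""

# Line shapes taken from the trace above (assumed to be stable for this log level).
RE_REQUEST = re.compile(r'^=> access_allowed: (\w+) access to "(.*?)" "(.*?)" requested$')
RE_ACL_GET = re.compile(r'^=> acl_get: \[(\d+)\] attr (\S+)$')
RE_MASK_REQ = re.compile(r'^=> acl_mask: access to entry "(.*?)", attr "(.*?)" requested$')
RE_DN_PAT = re.compile(r'^<= check a_dn_pat: (\S+)$')
RE_APPLY = re.compile(r'^<= acl_mask: \[(\d+)\] applying (\S+) \((\w+)\)$')
RE_RESULT = re.compile(r'^=> slap_access_allowed: (\w+) access (granted|denied) by (\S+)$')


def parse_acl_trace(text):
    """Return one dict per completed ACL decision found in the trace.

    A decision starts at an "acl_get" line (rule ordinal + attribute) and is
    closed by the "slap_access_allowed ... granted/denied" line.
    """
    decisions = []
    request = None   # the operation-level request that triggered the checks
    cur = None       # decision currently being assembled
    for raw in text.splitlines():
        line = raw.strip()
        if m := RE_REQUEST.match(line):
            request = {"op_access": m.group(1), "dn": m.group(2), "attr": m.group(3)}
            continue
        if m := RE_ACL_GET.match(line):
            cur = {"acl_index": int(m.group(1)), "attr": m.group(2), "request": request}
            continue
        if cur is None:
            continue
        if m := RE_MASK_REQ.match(line):
            cur["dn"] = m.group(1)
        elif m := RE_DN_PAT.match(line):
            cur["by_dn_pattern"] = m.group(1)
        elif m := RE_APPLY.match(line):
            cur["by_index"] = int(m.group(1))
            cur["mask"] = m.group(2)
            cur["control"] = m.group(3)      # "stop", "continue" or "break"
        elif m := RE_RESULT.match(line):
            cur["access"] = m.group(1)
            cur["outcome"] = m.group(2)
            decisions.append(cur)
            cur = None
    return decisions


def entry_denials(decisions):
    """Only the decisions that denied access to the 'entry' pseudo-attribute."""
    return [d for d in decisions if d["attr"] == "entry" and d.get("outcome") == "denied"]


def describe(d):
    """One-line, human-readable summary of a parsed decision."""
    return (f'{d.get("access", "?")} access to "{d["attr"]}" of {d.get("dn", "?")} '
            f'{d.get("outcome", "?")}: ACL #{d["acl_index"]}, by-clause #{d.get("by_index", "?")} '
            f'(dn pattern {d.get("by_dn_pattern", "?")}) applied {d.get("mask", "?")}')


if __name__ == "__main__":
    for decision in entry_denials(parse_acl_trace(SAMPLE_TRACE)):
        print(describe(decision))
```

Run against the sample it prints that ACL #13, by-clause #1 (pattern `*`) applied `none(=0)` and denied read access to "entry". Knowing the ordinal lets you inspect that specific olcAccess value rather than prepending a catch-all rule: `to * attrs=entry by * read` placed first grants every client, anonymous binds included, read access to the entry pseudo-attribute for every entry, which is wider than most deployments need; a rule scoped to the affected subtree, or using `by users read` instead of `by *`, restores the same functionality with a smaller grant.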
Konovalov Andrey wrote:
Hi4All! :)
I notice that the active RWM/Remap overlay affects the ACL subsystem when the ACL checks access to the pseudo-attribute "entry", and this strange situation occurs even if I do not use any rules for rewrite/remap. Herewith, without the RWM overlay loaded, all works correctly... In debug mode, slapd with active RWM (no rewrite rules!) denies all access to the attribute entry except for the "root" user:
=> access_allowed: search access to "uid=akkerman,cn=Directory Server Admins,ou=Groups,dc=r2,dc=money,dc=ge,dc=com" "objectClass" requested
<= test_filter 5
=> acl_get: [13] attr entry
=> slap_access_allowed: result not in cache (entry)
=> acl_mask: access to entry "uid=akkerman,cn=Directory Server Admins,ou=Groups,dc=r2,dc=money,dc=ge,dc=com", attr "entry" requested
=> acl_mask: to all values by "", (none(=0))
<= check a_dn_pat: *
<= acl_mask: [1] applying none(=0) (stop)
<= acl_mask: [1] mask: none(=0)
=> slap_access_allowed: read access denied by none(=0)
This problem may be solved by adding a radically liberal rule at the beginning of the olcAccess sequence in cn=config:
olcAccess: {1}to * attrs=entry by * read
Is it a bug?
If you believe you spotted a bug you should file an ITS http://www.openldap.org/its. See instructions here about how to report a bug and what information you should provide http://www.openldap.org/faq/data/cache/56.html.
Otherwise you should discuss software usage on the openldap-software list.
With respect to the issue you report, right now I don't have a clue. However, you provide very little information. I haven't checked yet whether it's enough to reproduce the issue you mention, but likely it isn't (no version information, for example, and no detailed slapd.conf).
p.
Ing. Pierangelo Masarati OpenLDAP Core Team
SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
-----------------------------------
Office: +39 02 23998309
Mobile: +39 333 4963172
Fax: +39 0382 476497
Email: ando@sys-net.it
-----------------------------------