[Resending this as the first one didn't seem to appear on the mailing list, I apologize if this creates a duplicate.]

Hi,

I believe I have found 3 issues related to the rwm overlay and the extra_attrs (or olcExtraAttrs) setting written to fix the issues described in ITS#6513 ( http://www.openldap.org/its/index.cgi/Software%20Bugs?id=6513;selectid=6513;...). The description is long but I tried to provide as much information as possible. I am hoping someone can test and confirm the issues or tell me what I'm doing wrong if there in fact is no issue.

I'm running version 2.4.32 on Ubuntu 10 and Debian Squeeze.

1) The documentation in the slapd-config manpage is incorrect. The olcExtraAttrs setting is said to be a global configuration setting when in reality it seems to be database specific. In the slapd.conf manpage, the corresponding setting (extra_attrs) is listed as being database-specific. I believe that is correct although I have not checked it.

2) olcExtraAttrs does not seem to work with the rwm overlay (like in ITS#6513). With the rwm overlay present, ACIs are not evaluated when requesting a specific attribute, regardless of whether olcExtraAttrs is specified or not. In order to apply the ACI, you can pass the ACI attribute name in the search. I'm providing a configuration file that can be used to reproduce the problem as well as some search examples to demonstrate the issue.

----Configuration file----

dn: cn=config objectClass: olcGlobal cn: config olcPidFile: /usr/local/var/run/slapd.pid olcArgsFile: /usr/local/var/run/slapd.args #olcLogLevel: -1 olcToolThreads: 1

dn: olcDatabase={-1}frontend,cn=config objectClass: olcDatabaseConfig objectClass: olcFrontendConfig olcDatabase: {-1}frontend olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break olcAccess: {1}to dn.base="" by * read olcAccess: {2}to dn.base="cn=subschema" by * read olcRequires: authc

dn: olcDatabase=config,cn=config objectClass: olcDatabaseConfig olcDatabase: config olcAccess: to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break

dn: cn=schema,cn=config objectClass: olcSchemaConfig cn: schema

include: file:///usr/local/etc/openldap/schema/core.ldif

dn: cn=module,cn=config objectClass: olcModuleList cn: module olcModuleload: back_hdb olcModuleLoad: rwm

dn: olcOverlay=rwm,olcDatabase={-1}frontend,cn=config objectClass: olcOverlayConfig objectClass: olcRwmConfig olcOverlay: rwm

dn: olcDatabase={1}hdb,cn=config objectClass: olcDatabaseConfig objectClass: olcHdbConfig olcDatabase: hdb olcSuffix: dc=example,dc=com olcDbDirectory: /var/lib/ldap olcRootDN: cn=admin,dc=example,dc=com olcRootPW: pass olcDbConfig: set_cachesize 0 2097152 0 olcDbConfig: set_lk_max_objects 1500 olcDbConfig: set_lk_max_locks 1500 olcDbConfig: set_lk_max_lockers 1500 olcExtraAttrs: OpenLDAPaci olcAccess: to attrs=userpassword by anonymous auth olcAccess: to dn.base="dc=example,dc=com" by * search olcAccess: to * by self manage by dynacl/aci=OpenLDAPaci manage

----Note----

To disable the rwm overlay, comment the following 4 lines in the config:

dn: olcOverlay=rwm,olcDatabase={-1}frontend,cn=config objectClass: olcOverlayConfig objectClass: olcRwmConfig olcOverlay: rwm

----Test data----

dn: dc=example,dc=com objectClass: dcObject objectClass: top objectClass: organization dc: example o: example

dn: cn=a,dc=example,dc=com objectClass: top objectClass: person cn: a sn: a userPassword: pass

dn: cn=b,dc=example,dc=com objectClass: top objectClass: person cn: b sn: b userPassword: pass OpenLDAPaci: 1#entry#grant;r,s,c;[all]#access-id#cn=a,dc=example,dc=com

----Search examples----

Without rwm, requesting the whole object (works as expected): ldapsearch -x -D cn=a,dc=example,dc=com -w pass -b cn=b,dc=example,dc=com

# b, example.com dn: cn=b,dc=example,dc=com objectClass: top objectClass: person cn: b sn: b

# numResponses: 2 # numEntries: 1

Without rwm, requesting an attribute (works as expected): ldapsearch -x -D cn=a,dc=example,dc=com -w pass -b cn=b,dc=example,dc=com sn

# b, example.com dn: cn=b,dc=example,dc=com sn: b

# numResponses: 2 # numEntries: 1

With rwm, requesting the whole object (works as expected): ldapsearch -x -D cn=a,dc=example,dc=com -w pass -b cn=b,dc=example,dc=com

# b, example.com dn: cn=b,dc=example,dc=com objectClass: top objectClass: person cn: b sn: b

# numResponses: 2 # numEntries: 1

With rwm, requesting an attribute (notice the object is not returned here): ldapsearch -x -D cn=a,dc=example,dc=com -w pass -b cn=b,dc=example,dc=com sn

# numResponses: 1

With rwm, requesting an attribute and openldapaci (works as expected): ldapsearch -x -D cn=a,dc=example,dc=com -w pass -b cn=b,dc=example,dc=com sn openldapaci

# b, example.com dn: cn=b,dc=example,dc=com sn: b OpenLDAPaci: 1#entry#grant;r,s,c;[all]#access-id#cn=a,dc=example,dc=com

# numResponses: 2 # numEntries: 1

3) The last issue came up when I was attempting to set up a certain kind of access control logic. It is highly similar to the previous problem but it doesn't involve ACIs. The issue is caused by the rwm overlay somehow blocking the ACL from accessing unrequested attributes just like in the previous case. olcExtraAttrs was created to fix this issue but I assume it would not fully solve the problem in my case. I have naturally not been able to test it due to the fact that I haven't gotten olcExtraAttrs to work.

The access control logic I was attempting to set up was such that objects could contain 2 new attributes: 'rights' and 'requiredRights', both being multivalued strings. 'requiredRights' tells what rights are required to access the object in question, and 'rights' tells what rights each object has. If the user's 'rights' and the target objects 'requiredRights' have at least one common string, access is granted. Fairly simple. The ACL used to evaluate access is as follows:

to * by set="this/requiredRights & user/rights" read

This method works unless I use the rwm overlay. I'm guessing the attributes required to evaluate the ACLs are somehow dropped and cannot be used. olcExtraAttrs would (if it worked) automatically add the needed attributes to the target object but, to my understanding, not to the user object. The user's attributes would however be needed to evaluate the set shown earlier.

The trick used in the last of the previously shown search examples does not work in this case. I can provide requiredRights and rights as additional attributes in the search and I assume requiredRights is returned for access control to use but rights isn't as it is an attribute of the user object. I don't have a cleaned-up version of the config at this time but one could be created if needed.