Project: Directory Studio
Issue: DIRSTUDIO-744

The strategy used when deleting the last attribute value causes issues in the case when ACLs/ACIs hide and forbid access to other values



    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 1.5.3
    • Fix Version/s: 2.0.0-M16, 2.0.0
    • Component/s: studio-ldapbrowser
    • Labels: None


      This issue has been reported to me by Daniel Pluta, whom I met at LDAPCon 2011.

      Here's a copy of the bug he described to me and which I've been able to reproduce with OpenLDAP.

      ADS causes a problem when I want to delete a value from a multi-value attribute (here e.g. member) in case the following ACLs are active:

      access to dn.base="ou=groups,dc=foo,dc=bar" attrs=children
      by users read
      by * none

      access to dn.onelevel="ou=groups,dc=foo,dc=bar" attrs=entry,cn,description
      by users read
      by * none break

      access to dn.onelevel="ou=groups,dc=foo,dc=bar" attrs=entry,member
      by dnattr=member selfwrite
      by * none

      Based on these ACLs, each user that is a member of a group entry seems to be the only member of that group (from the user's point of view, in case the user accesses the group's member attribute by read). When using Apache Directory Studio to delete this only/single/last group member ("right click --> delete value"), this results in a "to all values" operation instead of a "to value memberDN" operation.

      => acl_mask: access to entry "cn=test,groups,dc=foo,dc=bar", attr
      "member" requested
      => acl_mask: to all values by "cn=user,ou=users,dc=foo,dc=bar", (=0)

      It seems to me that this "to all values ..." is a bug in ADS, where the client (ADS) tries to be more clever than needed.
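As an added illustration (not code from Directory Studio or from the reporter), the following Python models the two client strategies the report contrasts, with a toy server that applies the quoted selfwrite rule: deleting the whole attribute needs write access to every stored value, including the ones the ACL hides, while deleting the named value only needs access to that one value. The DNs, the Group class and the ACL model are constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed sample DNs matching the ACL rules quoted in the report.
GROUP_DN = "cn=test,ou=groups,dc=foo,dc=bar"
USER_DN = "cn=user,ou=users,dc=foo,dc=bar"
OTHER_DN = "cn=other,ou=users,dc=foo,dc=bar"


@dataclass
class Group:
    """Toy server-side entry holding the full member set, which the ACL hides."""
    dn: str
    members: set = field(default_factory=set)

    def visible_members(self, requester: str) -> set:
        # dnattr=member selfwrite: the requester only sees the value equal to its own DN
        return {m for m in self.members if m == requester}

    def modify_delete(self, requester: str, values) -> bool:
        # values=None is a delete of the whole attribute ("to all values");
        # every targeted value must be individually writable by the requester
        targets = set(self.members) if values is None else set(values)
        if any(v != requester for v in targets):
            return False  # denied, like "acl_mask: to all values ... (=0)"
        self.members -= targets
        return True


def naive_delete_value(visible: set, value: str):
    """Client strategy the report describes: when the value is the last one
    visible, send a delete of the whole attribute instead of the value."""
    return ("member", None) if visible == {value} else ("member", [value])


def precise_delete_value(visible: set, value: str):
    """Always name the value being removed; the server decides per value."""
    return ("member", [value])


def to_ldif(dn: str, attr: str, values) -> str:
    """Render the change as an LDIF modify record (no value lines = all values)."""
    lines = [f"dn: {dn}", "changetype: modify", f"delete: {attr}"]
    lines += [f"{attr}: {v}" for v in values or []]
    return "\n".join(lines + ["-"])


def run(strategy):
    """Apply a strategy as USER_DN; return (accepted, USER_DN still a member)."""
    group = Group(GROUP_DN, {USER_DN, OTHER_DN})
    _, values = strategy(group.visible_members(USER_DN), USER_DN)
    return group.modify_delete(USER_DN, values), USER_DN in group.members
```

Running `run(naive_delete_value)` reproduces the denial (the user stays a member), while `run(precise_delete_value)` removes only the user's own value.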




            Assignee: pamarcelot (Pierre-Arnaud Marcelot)
            Reporter: pamarcelot (Pierre-Arnaud Marcelot)