Details
- Bug
- Status: Closed
- Major
- Resolution: Fixed
- 1.5.3
- None
Description
This issue has been reported to me by Daniel Pluta, whom I met at LDAPCon 2011.
Here's a copy of the bug he described to me and which I've been able to reproduce with OpenLDAP.
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
ADS causes a problem when I want to delete a value from a multi-value attribute (here e.g. member) in case the following ACLs are active:
access to dn.base="ou=groups,dc=foo,dc=bar" attrs=children
by users read
by * none
access to dn.onelevel="ou=groups,dc=foo,dc=bar" attrs=entry,cn,description
by users read
by * none break
access to dn.onelevel="ou=groups,dc=foo,dc=bar" attrs=entry,member
by dnattr=member selfwrite
by * none
Based on these ACLs, each user that is a member of a group entry seems to be just the only member of that group (from the user's point of view, in case the user accesses the group's member attribute by read). When using Apache Directory Studio to delete this only/single/last group member ("right click --> delete value"), this results in a "to all values" operation, instead of a "to value memberDN" operation.
=> acl_mask: access to entry "cn=test,groups,dc=foo,dc=bar", attr "member" requested
=> acl_mask: to all values by "cn=user,ou=users,dc=foo,dc=bar", (=0)
It seems to me that this "to all values ..." appears to be a bug in ADS, where the client (ADS) tries to be more clever than needed.
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
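The distinction the report turns on is the shape of the LDAP modify request: a delete with no values asks the server to remove every value of the attribute ("to all values"), while a delete that names the member DN asks only for that one value. Under "by dnattr=member selfwrite" the bound user is only ever granted write access to values equal to its own DN, so the first form is denied even when the user is the last remaining member. The following is an added example, not code from Apache Directory Studio, OpenLDAP or the reporter; it models that ACL decision in plain Python and renders both LDIF forms. DN comparison is simplified to case-insensitive string equality (a real server normalizes DNs), and the entry, user and group DNs are constructed for illustration.

```python
"""Model of the "selfwrite on a multi-valued DN attribute" check described
in the bug report.  Constructed example: not ADS or OpenLDAP code."""

from dataclasses import dataclass
from typing import List, Optional

# Constructed sample data (not taken from a real directory).
GROUP_DN = "cn=test,ou=groups,dc=foo,dc=bar"
USER_DN = "cn=user,ou=users,dc=foo,dc=bar"
OTHER_DN = "cn=other,ou=users,dc=foo,dc=bar"


@dataclass
class DeleteMod:
    """One 'delete' modification of an LDAP ModifyRequest (RFC 4511).

    values=None means the attribute is removed with all its values, which
    is what the 'to all values' line in the slapd ACL trace refers to."""
    attr: str
    values: Optional[List[str]]


def _same_dn(a: str, b: str) -> bool:
    # Simplified DN comparison (assumption: a real server normalizes DNs).
    return a.strip().lower() == b.strip().lower()


def selfwrite_allows(user_dn: str, mod: DeleteMod, dnattr: str = "member") -> bool:
    """Decide 'by dnattr=member selfwrite' for a delete modification.

    selfwrite grants the bound user write access only to those values of
    the dnattr attribute that equal its own DN.  A delete naming no values
    requests access to every value at once, which dnattr cannot grant, so
    it is denied regardless of how many members the group actually has."""
    if mod.attr.lower() != dnattr.lower():
        return False
    if mod.values is None:          # "to all values": no per-value match possible
        return False
    return bool(mod.values) and all(_same_dn(v, user_dn) for v in mod.values)


def apply_delete(members: List[str], user_dn: str, mod: DeleteMod) -> List[str]:
    """Apply the modification as the server would after the ACL check.

    Returns the remaining member values, or raises PermissionError when the
    selfwrite rule does not cover the request."""
    if not selfwrite_allows(user_dn, mod):
        raise PermissionError("insufficient access (selfwrite does not cover request)")
    return [m for m in members if not any(_same_dn(m, v) for v in mod.values)]


def to_ldif(entry_dn: str, mod: DeleteMod) -> str:
    """Render the modification as LDIF so the two request shapes are visible."""
    lines = [f"dn: {entry_dn}", "changetype: modify", f"delete: {mod.attr}"]
    if mod.values:
        lines += [f"{mod.attr}: {v}" for v in mod.values]
    lines.append("-")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # What the client sent in the report: remove the attribute outright.
    all_values = DeleteMod("member", None)
    # What it should have sent: remove exactly the user's own value.
    one_value = DeleteMod("member", [USER_DN])
    for label, mod in (("delete attribute", all_values), ("delete value", one_value)):
        print(f"--- {label} ---")
        print(to_ldif(GROUP_DN, mod), end="")
        try:
            print("remaining:", apply_delete([USER_DN], USER_DN, mod))
        except PermissionError as exc:
            print("denied:", exc)
```

Running the block prints both LDIF forms and shows the attribute-level delete being refused while the value-level delete succeeds, which is the behaviour the reporter saw from the server side. The same model also rejects a delete that names another user's DN alongside the bound user's own, since selfwrite is evaluated per value.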