OpenDJ / OPENDJ-5419

ACI: no attributes returned when using targetattr to deny one attribute


    Description

      Found using OpenDJ 6.5.0-SNAPSHOT rev 561453327e4fd926201f7393d2e30d957be0039d

      Scenario
      1. install a server with some data
      2. remove the following global aci

      global-aci:(targetattr!=\"userPassword||authPassword||debugsearchindex||changes||changeNumber||changeType||changeTime||targetDN||newRDN||newSuperior||deleteOldRDN\")(version 3.0; acl \"Anonymous read access\"; allow (read,search,compare) userdn=\"ldap:///anyone\";)
      

      3. add the following acis

      $ ./opendj/bin/ldapmodify -h localhost -p 1390 -D 'cn=Directory Manager' -w password 
      dn: ou=People,ou=aci branch,o=Search Tests,o=ACI Tests,dc=example,dc=com
      changetype: modify
      add: aci
      aci: (targetattr="*")(targetfilter="(roomnumber=4135)")(version 3.0; acl "add_aci10"; allow (search,read) userdn="ldap:///all";)
      
      $ ./opendj/bin/ldapmodify -h localhost -p 1390 -D 'cn=Directory Manager' -w password 
      dn: ou=aci branch,o=Search Tests,o=ACI Tests,dc=example,dc=com
      changetype: modify
      add: aci
      aci: (targetattr="*")(targetfilter="(!(telephone=*99))")(version 3.0; acl "add_aci10"; allow (search,read) userdn="ldap:///all";)
      
      $ ./opendj/bin/ldapmodify -h localhost -p 1390 -D 'cn=Directory Manager' -w password  
      dn: o=Search Tests, o=ACI Tests,dc=example,dc=com
      changetype: modify
      add: aci
      aci: (targetattr="cn || sn || telephonenumber")(version 3.0; acl "add_aci10"; deny (search,read) userdn="ldap:///all";)
      

      4. search for a first user 'dmiller'

      dn: uid=dmiller, ou=People, ou=aci branch, o=Search Tests, o=ACI Tests, dc=example,dc=com
      cn: David Miller
      sn: Miller
      givenname: David
      objectclass: top
      objectclass: person
      objectclass: organizationalPerson
      objectclass: inetOrgPerson
      ou: Accounting
      ou: People
      l: Sunnyvale
      uid: dmiller
      mail: dmiller@example.com
      telephonenumber: +1 408 555 9423
      facsimiletelephonenumber: +1 408 555 0111
      roomnumber: 4135
      userpassword: gosling
      title: engineer
      title: architect
      title: sweeper
      carlicense: ABC 123

      $ ./opendj/bin/ldapsearch -h localhost -p 1390 -D 'uid=auser,ou=People,o=ACI Tests,dc=example,dc=com' -w ACIRules -b 'uid=dmiller,ou=people,ou=aci branch,o=search tests,o=aci tests,dc=example,dc=com' 'objectclass=*' cn sn uid roomnumber
      roomnumber: 4135
      uid: dmiller
      

      => here we get the 'dn', 'roomnumber' and 'uid' attributes as expected
      5. now search another user 'scarter'

      dn: uid=scarter, ou=People, ou=aci branch, o=Search Tests, o=ACI Tests, dc=example,dc=com
      cn: Sam Carter
      sn: Carter
      givenname: Sam
      objectclass: top
      objectclass: person
      objectclass: organizationalPerson
      objectclass: inetOrgPerson
      ou: Accounting
      ou: People
      l: Sunnyvale
      uid: scarter
      mail: scarter@example.com
      telephonenumber: +1 408 555 4798
      facsimiletelephonenumber: +1 408 555 9751
      roomnumber: 4612
      userpassword: sprain
      title: engineer
      title: architect
      title: sweeper
      carlicense: ABC 123

      $./opendj/bin/ldapsearch -h localhost -p 1390 -D 'uid=auser,ou=People,o=ACI Tests,dc=example,dc=com' -w ACIRules -b 'uid=scarter,ou=people,ou=aci branch,o=search tests,o=aci tests,dc=example,dc=com' 'objectclass=*' cn sn uid roomnumber
      $
      

      => no attributes are returned, but we should get the same attributes as in step 4

      To reproduce the issue:

      $ ./run-pybot.py -s aci_group -t Different_Targetfilters_And_Targetattr_Deny_One_Attr -v DJ
      

      or by running the script in the attachment
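The per-attribute evaluation the reporter expects, as an added example that is not part of this issue or of OpenDJ's code: a small Python model of the ACI semantics the scenario exercises (an aci applies to the subtree of the entry holding it, targetattr and targetfilter select what it covers, and an applicable deny wins over any allow while an attribute with no applicable allow is not returned), fed the three ACIs and the two entries from the steps above. The entry uid=nobody, the `entry` helper and the filter-attribute visibility check are constructed for the example; bind rules such as userdn are treated as always matching, and the global ACIs, targetscope and proxy rights are not modelled at all.

```python
"""Toy model of OpenDJ-style ACI evaluation (added example, not OpenDJ's code).
Covers only what OPENDJ-5419 exercises: subtree scope of the aci attribute,
targetattr (list, negated list or "*"), a tiny targetfilter subset, allow/deny
of read and search, deny taking precedence, no allow meaning no access."""
import fnmatch
import re
from dataclasses import dataclass
from typing import Optional, Set


@dataclass
class Aci:
    scope_dn: str              # entry holding the aci; it applies to that subtree
    attrs: Optional[Set[str]]  # None means targetattr="*"
    negated: bool              # True for targetattr!="..."
    targetfilter: Optional[str]
    permission: str            # "allow" or "deny"
    rights: Set[str]


def norm_dn(dn):
    """Lower-case a DN and drop the spaces after commas (the issue mixes both)."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def parse_aci(scope_dn, text):
    """Parse the subset of ACI syntax used in the issue; bind rules are ignored."""
    ta = re.search(r'\(targetattr\s*(!?=)\s*"([^"]*)"\)', text)
    tf = re.search(r'\(targetfilter\s*=\s*"([^"]*)"\)', text)
    perm = re.search(r'\b(allow|deny)\s*\(([^)]*)\)', text)
    if perm is None:
        raise ValueError("no allow/deny clause in aci: " + text)
    attrs, negated = None, False
    if ta is not None and ta.group(2).strip() != "*":
        attrs = {a.strip().lower() for a in ta.group(2).split("||")}
        negated = ta.group(1) == "!="
    rights = {r.strip().lower() for r in perm.group(2).split(",")}
    return Aci(scope_dn, attrs, negated, tf.group(1) if tf else None, perm.group(1), rights)


def matches_filter(entry, flt):
    """Evaluate (attr=value) with * wildcards and (!(...)); enough for the issue."""
    flt = flt.strip()
    if flt.startswith("(!"):
        return not matches_filter(entry, flt[2:-1])
    m = re.fullmatch(r"\((\w+)=([^)]*)\)", flt)
    if m is None:
        raise ValueError("unsupported filter: " + flt)
    attr, pattern = m.group(1).lower(), m.group(2).lower()
    return any(fnmatch.fnmatchcase(v.lower(), pattern) for v in entry.get(attr, []))


def attribute_allowed(entry, attr, right, acis):
    """Per-attribute decision: any applicable deny wins, else at least one allow is needed."""
    decisions = set()
    entry_dn = norm_dn(entry["dn"])
    for aci in acis:
        scope = norm_dn(aci.scope_dn)
        if entry_dn != scope and not entry_dn.endswith("," + scope):
            continue  # entry is outside this aci's subtree
        if right not in aci.rights:
            continue
        if aci.attrs is not None and (attr.lower() in aci.attrs) == aci.negated:
            continue  # attribute not targeted by this aci
        if aci.targetfilter and not matches_filter(entry, aci.targetfilter):
            continue
        decisions.add(aci.permission)
    return "deny" not in decisions and "allow" in decisions


def search_result(entry, requested, acis, filter_attrs=("objectclass",)):
    """Attributes the bound user sees, or None when the entry is not returned at all.
    The entry is returned only with search rights on every attribute the search
    filter uses (objectclass for the issue's '(objectclass=*)')."""
    if not all(attribute_allowed(entry, a, "search", acis) for a in filter_attrs):
        return None
    return [a for a in requested if attribute_allowed(entry, a, "read", acis)]


def entry(dn, **attrs):
    """Helper (constructed): entry as {lower-case attribute: [values]} plus its dn."""
    e = {"dn": dn}
    for k, v in attrs.items():
        e[k.lower()] = [v] if isinstance(v, str) else list(v)
    return e


# The three ACIs added in step 3, keyed by the entry each was added to.
ACIS = [
    parse_aci("ou=People,ou=aci branch,o=Search Tests,o=ACI Tests,dc=example,dc=com",
              '(targetattr="*")(targetfilter="(roomnumber=4135)")'
              '(version 3.0; acl "add_aci10"; allow (search,read) userdn="ldap:///all";)'),
    parse_aci("ou=aci branch,o=Search Tests,o=ACI Tests,dc=example,dc=com",
              '(targetattr="*")(targetfilter="(!(telephone=*99))")'
              '(version 3.0; acl "add_aci10"; allow (search,read) userdn="ldap:///all";)'),
    parse_aci("o=Search Tests, o=ACI Tests,dc=example,dc=com",
              '(targetattr="cn || sn || telephonenumber")'
              '(version 3.0; acl "add_aci10"; deny (search,read) userdn="ldap:///all";)'),
]
# Entries from steps 4 and 5, trimmed to the attributes that matter here.
DMILLER = entry("uid=dmiller, ou=People, ou=aci branch, o=Search Tests, o=ACI Tests, dc=example,dc=com",
                objectclass=["top", "person", "inetOrgPerson"], cn="David Miller", sn="Miller",
                uid="dmiller", telephonenumber="+1 408 555 9423", roomnumber="4135")
SCARTER = entry("uid=scarter, ou=People, ou=aci branch, o=Search Tests, o=ACI Tests, dc=example,dc=com",
                objectclass=["top", "person", "inetOrgPerson"], cn="Sam Carter", sn="Carter",
                uid="scarter", telephonenumber="+1 408 555 4798", roomnumber="4612")
# Constructed (not in the issue): outside ou=People and with a 'telephone' value
# ending in 99, so neither allow aci matches it and nothing may be returned.
NOBODY = entry("uid=nobody, ou=Other, ou=aci branch, o=Search Tests, o=ACI Tests, dc=example,dc=com",
               objectclass=["top", "person"], uid="nobody", telephone="555 0199", roomnumber="1")
REQUESTED = ["cn", "sn", "uid", "roomnumber"]

if __name__ == "__main__":
    for e in (DMILLER, SCARTER, NOBODY):
        print(e["dn"].split(",")[0], "->", search_result(e, REQUESTED, ACIS))
```

Under these rules dmiller is allowed by the ou=People aci (roomnumber=4135) and scarter by the ou=aci branch aci (no telephone value ending in 99), and in both cases the deny at o=Search Tests removes only cn and sn, leaving uid and roomnumber; that is the step 4 result the reporter expects for step 5 as well. The constructed uid=nobody entry shows the other side: with no applicable allow at all, the entry itself is not returned.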

People: Matthew Swift (matthew), Christophe Sovant (csovant)