mirror of https://github.com/OpenIdentityPlatform/OpenDJ.git

Jean-Noel Rouvignac
26.24.2013 36b59d045aa7ef553d0704a637d00e46e4050254
author Jean-Noel Rouvignac <jean-noel.rouvignac@forgerock.com>
Friday, July 26, 2013 17:24 +0200
committer Jean-Noel Rouvignac <jean-noel.rouvignac@forgerock.com>
Friday, July 26, 2013 17:24 +0200
commit 36b59d045aa7ef553d0704a637d00e46e4050254
tree 4f296ded162707d17ee68bf53ba33371c38bc216
parent 98b65b5da5b0962b7faa47d869947f48246fbbd4
A global ACI allows querying data.
Added the following to restrict anonymous users' access to "dc=example,dc=com":

(target ="ldap:///dc=example,dc=com")(version 3.0;acl "Deny anonymous access";
deny (all)(userdn = "ldap:///anyone");)

This ACI stops all anonymous processing for all the operations, but comparison operations.
This is due to a bug in the ACI checks.
It is because the code for compare only checks ACIs which have the same targetattrs, but the added ACI has no targetattrs at all: it is broader.

AciHandler.java:
In isAllowed(LocalBackendCompareOperation) also check whether the operation without targetattr would be allowed (Broader scoped ACI).
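The scoping bug the message describes, modeled as an added example in Python (this is not OpenDJ's code: the Aci class, the selector functions, the sample ACIs and the DSEE-style "explicit deny wins" precedence are all assumptions of this toy model). It shows why selecting ACIs by matching targetattrs silently skips an ACI that has no targetattrs clause, so a broader deny never gets a vote on a compare operation, and how widening the selection restores the deny.

```python
"""Toy model of ACI selection for a compare operation (added example, not OpenDJ code).

An ACI with no targetattrs clause applies to every attribute, so it is broader
than an ACI that lists attributes. A selector that only keeps ACIs whose
targetattrs name the compared attribute drops the broader one entirely.
"""
from dataclasses import dataclass
from typing import Callable, FrozenSet, List, Optional


@dataclass(frozen=True)
class Aci:
    name: str
    target_dn: str                         # DN suffix the ACI applies to ("" = whole DIT)
    target_attrs: Optional[FrozenSet[str]] # None = no targetattrs clause = all attributes
    rights: FrozenSet[str]                 # e.g. {"read", "compare"} or {"all"}
    allow: bool                            # True = allow(...), False = deny(...)
    # userdn = "ldap:///anyone" is assumed for every ACI in this model


def attrs(*names: str) -> FrozenSet[str]:
    """Normalise attribute names to lower case, as LDAP attribute types are case-insensitive."""
    return frozenset(n.lower() for n in names)


def dn_in_scope(entry_dn: str, target_dn: str) -> bool:
    # Simplified: suffix match on the normalised DN string.
    return entry_dn.lower().endswith(target_dn.lower())


def attr_in_scope(aci: Aci, attr: str) -> bool:
    if aci.target_attrs is None:      # no targetattrs clause: every attribute is in scope
        return True
    return "*" in aci.target_attrs or attr.lower() in aci.target_attrs


def grants(aci: Aci, right: str) -> bool:
    return "all" in aci.rights or right in aci.rights


Selector = Callable[[List[Aci], str, str], List[Aci]]


def select_buggy(acis: List[Aci], entry_dn: str, attr: str) -> List[Aci]:
    """Mirrors the defect described in the commit message: only ACIs that carry a
    targetattrs clause covering the attribute are considered, so an ACI with no
    targetattrs at all is never looked at."""
    return [a for a in acis
            if dn_in_scope(entry_dn, a.target_dn)
            and a.target_attrs is not None
            and attr_in_scope(a, attr)]


def select_fixed(acis: List[Aci], entry_dn: str, attr: str) -> List[Aci]:
    """Also keeps ACIs without targetattrs (the broader-scoped ones)."""
    return [a for a in acis
            if dn_in_scope(entry_dn, a.target_dn)
            and attr_in_scope(a, attr)]


def compare_allowed(acis: List[Aci], entry_dn: str, attr: str, selector: Selector) -> bool:
    """Decide a compare on (entry_dn, attr) for an anonymous bind.

    Precedence assumed by this model (DSEE style): any applicable explicit deny
    wins; otherwise at least one applicable allow is needed; default is deny.
    """
    applicable = [a for a in selector(acis, entry_dn, attr) if grants(a, "compare")]
    if any(not a.allow for a in applicable):
        return False
    return any(a.allow for a in applicable)


# Constructed sample ACIs (simplified stand-ins, not the server's real defaults).
GLOBAL_ALLOW = Aci("Anonymous read", "", attrs("*"),
                   attrs("read", "search", "compare"), allow=True)
DENY_ANON = Aci("Deny anonymous access", "dc=example,dc=com", None,
                attrs("all"), allow=False)
POLICY = [GLOBAL_ALLOW, DENY_ANON]

ENTRY = "uid=bjensen,ou=People,dc=example,dc=com"
OTHER = "uid=someone,dc=other"


def demo() -> dict:
    """Returns the decision each selector reaches for the same compare request."""
    return {
        "buggy_inside_suffix": compare_allowed(POLICY, ENTRY, "uid", select_buggy),
        "fixed_inside_suffix": compare_allowed(POLICY, ENTRY, "uid", select_fixed),
        "fixed_outside_suffix": compare_allowed(POLICY, OTHER, "uid", select_fixed),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {'ALLOW' if v else 'DENY'}")
```

With the buggy selector the compare under "dc=example,dc=com" is allowed, because the only ACI it ever sees is the global allow; the fixed selector also picks up the deny ACI with no targetattrs, and the deny wins. Entries outside the denied subtree are still readable under the global ACI, so the fix narrows nothing beyond what the added ACI asks for.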
1 file modified
opends/src/server/org/opends/server/authorization/dseecompat/AciHandler.java (6 lines changed)