mirror of https://github.com/OpenIdentityPlatform/OpenDJ.git

commit e9958df630e307d1d3d0eb3493fed952436ac196
author Jean-Noel Rouvignac <jean-noel.rouvignac@forgerock.com>
Friday, July 26, 2013 17:24 +0200
committer Jean-Noel Rouvignac <jean-noel.rouvignac@forgerock.com>
Friday, July 26, 2013 17:24 +0200
tree 6a76631308ea6676abccdb5ef399af4e3e3de354
parent 4cbebe02b711786bf13a4a6c86848b86550f1ca6

A global ACI allows querying data.
Added the following to restrict anonymous users' access to "dc=example,dc=com":

(target ="ldap:///dc=example,dc=com")(version 3.0;acl "Deny anonymous access";
deny (all)(userdn = "ldap:///anyone");)

This ACI stops all anonymous processing for all operations except comparison operations.
This is due to a bug in the ACI checks.
It is because the code for compare only checks ACIs which have the same targetattrs, but the added ACI has no targetattrs at all: it is broader.

AciHandler.java:
In isAllowed(LocalBackendCompareOperation) also check whether the operation without targetattr would be allowed (Broader scoped ACI).
1 file modified, 6 lines changed:
opendj-sdk/opends/src/server/org/opends/server/authorization/dseecompat/AciHandler.java (6)
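The compare-path bug described in the commit message, modelled in a small Python evaluator. This is an added example written for this page, not OpenDJ's AciHandler or any of its APIs: the `Aci` class, the two constructed ACIs, the subtree and rights matching, and the `fixed` switch are all assumptions that reduce dseecompat-style evaluation to the one behaviour the commit fixes. It follows the commit message's reading that an ACI with no targetattrs clause is broader than one with targetattrs, so the buggy compare path (which only consults ACIs naming the compared attribute) skips the deny and lets anonymous compares through, while every other operation is correctly denied.

```python
"""Simplified model of the compare-operation ACI bug from the commit message.

Added example for this page, not OpenDJ's AciHandler. Precedence is reduced
to what the bug needs: an applicable deny always wins, otherwise the
operation needs at least one applicable allow.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

ANYONE = "ldap:///anyone"  # models userdn = "ldap:///anyone"


@dataclass(frozen=True)
class Aci:
    name: str
    target: str                            # subtree DN the ACI covers ("" = whole DIT)
    targetattrs: Optional[FrozenSet[str]]  # None = no targetattrs clause at all
    allow: bool                            # True = allow, False = deny
    rights: FrozenSet[str]                 # e.g. {"read", "search", "compare"} or {"all"}
    userdn: str                            # ANYONE or a specific bind DN


def _norm(dn: str) -> str:
    """Case-fold and strip whitespace around RDN components (string DNs only)."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def in_subtree(dn: str, base: str) -> bool:
    d, b = _norm(dn), _norm(base)
    return b == "" or d == b or d.endswith("," + b)


def grants_right(aci: Aci, right: str) -> bool:
    return "all" in aci.rights or right in aci.rights


def matches_user(aci: Aci, bind_dn: Optional[str]) -> bool:
    # bind_dn None models an anonymous bind; ANYONE matches everyone.
    return aci.userdn == ANYONE or (bind_dn is not None and aci.userdn == bind_dn)


def applicable_acis(acis: List[Aci], entry_dn: str, attr: str,
                    bind_dn: Optional[str], right: str,
                    same_targetattrs_only: bool) -> List[Aci]:
    """Select the ACIs consulted for one operation on one attribute.

    same_targetattrs_only=True reproduces the buggy compare path: only ACIs
    whose targetattrs name the compared attribute are considered, so an ACI
    with no targetattrs clause is silently skipped.  False is the fixed
    behaviour: an ACI without targetattrs is broader and is consulted too.
    """
    chosen = []
    for aci in acis:
        if not in_subtree(entry_dn, aci.target):
            continue
        if not grants_right(aci, right) or not matches_user(aci, bind_dn):
            continue
        if aci.targetattrs is None:
            if same_targetattrs_only:
                continue  # the bug: broader ACI dropped for compare
        elif "*" not in aci.targetattrs and attr.lower() not in aci.targetattrs:
            continue
        chosen.append(aci)
    return chosen


def is_allowed(acis: List[Aci], entry_dn: str, attr: str,
               bind_dn: Optional[str], right: str, fixed: bool = True) -> bool:
    """Evaluate one operation; `fixed=False` uses the buggy compare selection."""
    buggy_compare = (right == "compare" and not fixed)
    chosen = applicable_acis(acis, entry_dn, attr, bind_dn, right, buggy_compare)
    if any(not a.allow for a in chosen):  # an explicit deny always wins
        return False
    return any(a.allow for a in chosen)


# Constructed ACIs mirroring the two in the commit message (not a real
# server configuration): a global allow for anonymous read/search/compare on
# every attribute, and the deny on dc=example,dc=com with no targetattrs.
GLOBAL_ALLOW = Aci("Anonymous read-search-compare", "", frozenset({"*"}),
                   True, frozenset({"read", "search", "compare"}), ANYONE)
DENY_ANON = Aci("Deny anonymous access", "dc=example,dc=com", None,
                False, frozenset({"all"}), ANYONE)
ACIS = [GLOBAL_ALLOW, DENY_ANON]

ENTRY = "uid=bjensen,ou=People,dc=example,dc=com"  # constructed entry DN


def demo() -> dict:
    """Anonymous operations against the constructed ACIs, buggy vs. fixed."""
    return {
        "search_anon": is_allowed(ACIS, ENTRY, "cn", None, "search"),
        "compare_anon_buggy": is_allowed(ACIS, ENTRY, "cn", None, "compare", fixed=False),
        "compare_anon_fixed": is_allowed(ACIS, ENTRY, "cn", None, "compare", fixed=True),
        "compare_anon_outside": is_allowed(ACIS, "uid=x,dc=other,dc=com", "cn",
                                           None, "compare", fixed=False),
    }


if __name__ == "__main__":
    for op, ok in demo().items():
        print(f"{op}: {'allowed' if ok else 'denied'}")
```

Running the block shows the asymmetry the commit message reports: the anonymous search is denied, the anonymous compare is allowed only on the buggy path, and the fixed path denies it. The compare against an entry outside the denied subtree stays allowed in both modes, which is the check worth keeping when verifying such a fix: the broader ACI must be consulted, not applied unconditionally.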