A global ACI allows querying data.
Added the following ACI to restrict anonymous users' access to "dc=example,dc=com":
(target ="ldap:///dc=example,dc=com")(version 3.0;acl "Deny anonymous access";
deny (all)(userdn = "ldap:///anyone");)
This ACI blocks anonymous access for all operations except compare operations.
This is due to a bug in the ACI checks: the compare code only evaluates ACIs that carry matching targetattrs, but the added ACI has no targetattrs at all. Its scope is broader, so it is skipped.
Proposed fix in AciHandler.java:
In isAllowed(LocalBackendCompareOperation), also check whether the operation would be allowed without a targetattr, i.e. against the broader-scoped ACIs.
```java
{
  AciContainer container =
      new AciLDAPOperationContainer(operation, ACI_COMPARE);
  // first check more global ACIs without targetattrs defined on them
  if (!isAllowed(container, operation))
  {
    return false;
  }

  String baseName;
  String rawAttributeType = operation.getRawAttributeType();
  // ... intermediate lines (computing baseName, attributeType and
  // attributeValue) are not captured on the page ...
      .getAssertionValue());
  container.setCurrentAttributeType(attributeType);
  container.setCurrentAttributeValue(attributeValue);
  // then check more precise ACIs with targetattrs defined on them
  return isAllowed(container, operation);
}
```
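As an added example (not OpenDJ's code), the following Python model shows the two-pass evaluation the fix introduces: ACIs without targetattrs are evaluated first and can veto the compare, and only then are the attribute-specific ACIs consulted. The Aci class, the "anyone"/"all" bind rules and the sample ACI list are simplified assumptions, not OpenDJ's ACI syntax or API.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Aci:
    """Simplified model of one ACI (assumption: only target, rights, userdn, targetattrs)."""
    name: str
    target: str                    # DN suffix the ACI applies to
    allow: bool                    # True for "allow (...)", False for "deny (...)"
    userdn: str                    # "anyone" (incl. anonymous) or "all" (authenticated only)
    targetattrs: frozenset = None  # None: no targetattrs clause, so the ACI is broader

def bind_matches(aci, bound_dn):
    return aci.userdn == "anyone" or (aci.userdn == "all" and bound_dn is not None)

def decide(acis, entry_dn, bound_dn, attr):
    """One evaluation pass. attr=None selects only ACIs without targetattrs (broader
    scope); otherwise only ACIs whose targetattrs cover attr. Returns True (allow),
    False (an explicit deny matched) or None (no applicable ACI). Deny beats allow."""
    applicable = []
    for aci in acis:
        if not entry_dn.endswith(aci.target) or not bind_matches(aci, bound_dn):
            continue
        if attr is None:
            if aci.targetattrs is None:
                applicable.append(aci)
        elif aci.targetattrs is not None and ("*" in aci.targetattrs or attr in aci.targetattrs):
            applicable.append(aci)
    if not applicable:
        return None
    return all(aci.allow for aci in applicable)

def compare_allowed(acis, entry_dn, bound_dn, attr, fixed=True):
    """Compare on one attribute. fixed=False reproduces the reported behaviour (only the
    attribute-specific pass); fixed=True runs the broader pass first, as the patch does."""
    if fixed and decide(acis, entry_dn, bound_dn, None) is False:
        return False
    return decide(acis, entry_dn, bound_dn, attr) is True

# Constructed sample: a global anonymous read ACI plus the deny ACI from the report.
ACIS = [
    Aci("Anonymous read access", "dc=example,dc=com", True, "anyone", frozenset({"*"})),
    Aci("Deny anonymous access", "dc=example,dc=com", False, "anyone"),
]
ENTRY = "uid=bob,ou=people,dc=example,dc=com"

if __name__ == "__main__":
    print("buggy:", compare_allowed(ACIS, ENTRY, None, "uid", fixed=False))  # True
    print("fixed:", compare_allowed(ACIS, ENTRY, None, "uid", fixed=True))   # False
```

Without the deny ACI the broader pass finds nothing applicable and does not veto, so the fix does not change the result for deployments that only use attribute-scoped ACIs.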