
acls with identical access definitions are not implemented correctly

Open WimRooseUG opened this issue 1 year ago • 3 comments

How to reproduce (e.g Puppet code you use)

Adding an acl before another with identical 'what' doesn't update olcaccess 'to', and results in duplicate ACLs

Example (openldap::server::access_wrapper)

Altering

ldapserver::access:
  - to attrs=ugentPostalAddress:
      - by * read

to

ldapserver::access:
  - to filter=(objectClass=ugentEntitlement):
      - by * read
  - to attrs=ugentPostalAddress:
      - by * read

What are you seeing

puppet logs

Notice: /Stage[main]/Ldapserver/Openldap::Server::Access_wrapper[dc=UGent,dc=be]/Openldap::Server::Iterate_access[0 on dc=UGent,dc=be]/Openldap::Server::Access[0 on dc=UGent,dc=be]/Openldap_access[0 on dc=UGent,dc=be]/what: what changed 'attrs=ugentPostalAddress' to 'filter=(objectClass=ugentEntitlement)'
Notice: /Stage[main]/Ldapserver/Openldap::Server::Access_wrapper[dc=UGent,dc=be]/Openldap::Server::Iterate_access[1 on dc=UGent,dc=be]/Openldap::Server::Access[1 on dc=UGent,dc=be]/Openldap_access[1 on dc=UGent,dc=be]/ensure: created
Notice: Applied catalog in 0.55 seconds

slapcat

createTimestamp: 20240502203156Z
olcAccess: {0}to attrs=ugentPostalAddress by * read
olcAccess: {1}to attrs=ugentPostalAddress by * read
entryCSN: 20240503143152.471790Z#000000#000#000000
modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
modifyTimestamp: 20240503143152Z

Any additional information you'd like to impart

As far as I understand, this behaviour is caused by the @property_flush variable only being set by the access method, which doesn't happen when the access directive is identical with the existing acl on that position.

I've noticed this while setting up a new ldap server for a database with 100+ ACLs, where not all ACLs with identical access directives (by * read, e.g.) are defined in a single olcaccess directive.

WimRooseUG, May 03 '24 15:05
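To make the failure mode in the report concrete, the following is an added example and not code from puppet-openldap or from the reporter: it models the per-position walk over olcAccess values, once with a flush that only the 'access' setter triggers (the behaviour described above) and once with a flush triggered by any changed property, and adds a check that flags duplicate olcAccess values in slapcat output. The Acl struct, the helper names and the sample lists are constructed for this illustration; with the issue's input the first variant reproduces the two identical `attrs=ugentPostalAddress` entries from the slapcat output, and the `filter=(objectClass=ugentEntitlement)` ACL never reaches the server at all.

```ruby
# Added example, not puppet-openldap provider code: a model of the
# per-position olcAccess update path described in the issue. The Acl struct,
# the helper names and the sample data are constructed for this illustration.

Acl = Struct.new(:what, :access)

# Parse one slapcat/ldapsearch line such as
#   "olcAccess: {0}to attrs=ugentPostalAddress by * read"
# into its index and an Acl; the part after the 'what' clause is split at each
# "by " so that 'access' is a list of "by ..." strings.
def parse_olc_access(line)
  m = line.match(/\Aolc[Aa]ccess:\s*\{(\d+)\}to\s+(.+?)\s+(by\s.*)\z/)
  raise ArgumentError, "not an olcAccess line: #{line.inspect}" unless m
  [m[1].to_i, Acl.new(m[2], m[3].split(/\s+(?=by\s)/))]
end

# Render an ordered list of Acl back into olcAccess values with {n} prefixes.
def render_olc_access(acls)
  acls.each_with_index.map { |a, i| "{#{i}}to #{a.what} #{a.access.join(' ')}" }
end

# The behaviour reported in the issue, modelled: 'what=' only updates the
# in-memory resource, 'access=' is the one setter that marks the entry for
# flushing, and a missing position is always created. 'server' stands for the
# olcAccess values slapd currently holds.
def apply_flush_on_access_only(server, desired)
  server = server.map(&:dup)
  desired.each_with_index do |want, i|
    if i < server.size
      dirty = server[i].access != want.access  # a changed 'what' never sets the flag
      server[i] = want if dirty
    else
      server << want                           # ensure => present always writes
    end
  end
  server
end

# Same walk, but any property difference marks the entry dirty, so a changed
# 'what' with identical 'access' is written out as well.
def apply_flush_on_any_change(server, desired)
  server = server.map(&:dup)
  desired.each_with_index do |want, i|
    if i < server.size
      server[i] = want unless server[i] == want
    else
      server << want
    end
  end
  server
end

# Sanity check to run over slapcat output after a Puppet run: returns the
# ACLs whose 'what' and 'access' both occur more than once.
def duplicate_acls(lines)
  acls = lines.grep(/\Aolc[Aa]ccess:/).map { |l| parse_olc_access(l).last }
  acls.group_by(&:itself).select { |_, v| v.size > 1 }.keys
end

# Constructed sample: the server state before the change from the issue, and
# the desired state after inserting the filter ACL in front of it.
SERVER_BEFORE = [Acl.new('attrs=ugentPostalAddress', ['by * read'])]
DESIRED = [
  Acl.new('filter=(objectClass=ugentEntitlement)', ['by * read']),
  Acl.new('attrs=ugentPostalAddress', ['by * read']),
]

if __FILE__ == $0
  puts 'flush only on access change:'
  puts render_olc_access(apply_flush_on_access_only(SERVER_BEFORE, DESIRED))
  puts 'flush on any change:'
  puts render_olc_access(apply_flush_on_any_change(SERVER_BEFORE, DESIRED))
end
```

Feeding `slapcat -n 0` output through `duplicate_acls` after a run is a cheap way to catch this class of drift: because slapd applies the first `to` clause that matches, an entry left at {0} with the old 'what' silently changes which rule wins, and the rule that was meant to sit there is not on the server at all.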

@WimRooseUG @JonasVerhofste added a fix for this problem. Is it possible to create a PR for this?

cbergmann, Feb 23 '25 21:02

@cbergmann I've actually been meaning to overhaul all the provider code in the same way as I did to openldap_access, removing the weird "custom flushing on top of native flushing" logic. I am gonna make the PR after those changes have been tested on our various ldap clusters, but time has not been on my side. Though it is planned for somewhere in the coming two weeks.

JonasVerhofste, Feb 23 '25 21:02

hi @JonasVerhofste thanks for the heads up. I will watch this issue about the progress. In the meantime I will use the UGent-DICT ldiff_flushing branch. If you need someone to test something don't hesitate to ask.

Kind regards, Clemens

cbergmann, Feb 24 '25 09:02