Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

acls with identical access definitions are not implemented correctly #420

Open
WimRooseUG opened this issue May 3, 2024 · 3 comments
Open

acls with identical access definitions are not implemented correctly #420

WimRooseUG opened this issue May 3, 2024 · 3 comments

Comments

@WimRooseUG
Copy link

How to reproduce (e.g Puppet code you use)

Adding an acl before another with identical 'what' doesn't update olcaccess 'to', and results in duplicate acl's

Example (openldap::server::acces_wrapper)

Altering

ldapserver::access:
 - to attrs=ugentPostalAddress:
    - by * read

to

  - to filter=(objectClass=ugentEntitlement):
    - by * read
  - to attrs=ugentPostalAddress:
    - by * read

What are you seeing

puppet logs

Notice: /Stage[main]/Ldapserver/Openldap::Server::Access_wrapper[dc=UGent,dc=be]/Openldap::Server::Iterate_access[0 on dc=UGent,dc=be]/Openldap::Server::Access[0 on dc=UGent,dc=be]/Openldap_access[0 on dc=UGent,dc=be]/what: what changed 'attrs=ugentPostalAddress' to 'filter=(objectClass=ugentEntitlement)'
Notice: /Stage[main]/Ldapserver/Openldap::Server::Access_wrapper[dc=UGent,dc=be]/Openldap::Server::Iterate_access[1 on dc=UGent,dc=be]/Openldap::Server::Access[1 on dc=UGent,dc=be]/Openldap_access[1 on dc=UGent,dc=be]/ensure: created
Notice: Applied catalog in 0.55 seconds

slapcat

createTimestamp: 20240502203156Z
olcAccess: {0}to attrs=ugentPostalAddress by * read
olcAccess: {1}to attrs=ugentPostalAddress by * read
entryCSN: 20240503143152.471790Z#000000#000#000000
modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
modifyTimestamp: 20240503143152Z

Any additional information you'd like to impart

As far as I understand, this behaviour is caused by the @property_flush variabele only being set by the access method, which doesn't happen when the access directive is identical with the existing acl on that position.

I've noticed this while setting up a new ldap server for a database with 100+ acl's, where not all acl's with identical access directives (by * read f.i.) are defined in a single olcaccess directive.
@WimRooseUG WimRooseUG changed the title acl's with identical access definitions are not implemented correctly acls with identical access definitions are not implemented correctly May 6, 2024
JonasVerhofste added a commit to UGent-DICT/puppet-openldap that referenced this issue Oct 24, 2024
@JonasVerhofste
Use flush for all ldiff changes to an openldap_access resource
815a4f6 
Flushes happen every time a resource changes, whether it is creation,
destroy or modify. Ensure we do not needlesly copy-paste the ldapmodify
code in those three separate instances.

This also ensures that if a new property is ever added, we do not need
create a separate setter.

This commit thus also fixes a bug where if a `what` of an
openldap_access resource changed, it would not trigger an update.
The setter for that property was lost in the refactor of commit
91e9723. -> Fixes voxpupuli#420.
@cbergmann
Copy link

@WimRooseUG @JonasVerhofste added a fix for this problem. Is it possible to create a PR for this?

@JonasVerhofste
Copy link

@cbergmann I've actually been meaning to overhaul all the provider code in the same way as I did to openldap_access, removing the weird "custom flushing on top of native flushing" logic.
I am gonna make the PR after those changes have been tested on our various ldap clusters, but time has not been on my side. Though it is planned for somewhere in the coming two weeks.

@cbergmann
Copy link

hi @JonasVerhofste thanks for the heads up. I will watch this issue about the progress. In the meantime I will use the UGent-DICT ldiff_flushing branch. If you need someone to test something don't hesitate to ask.

Kind gards
Clemens

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@cbergmann @JonasVerhofste @WimRooseUG