
Re: ACL's using group access do not work (ITS#2118)



I also note that your fourth ACL should never be reached
as the third is "by *".

At 09:11 AM 2002-09-30, quanah@stanford.edu wrote:
>Full_Name: Quanah Gibson-Mount
>Version: HEAD
>OS: Solaris 8
>URL: ftp://ftp.openldap.org/incoming/
>Submission from: (NULL) (171.64.19.82)
>
>
>Using Openldap-head from September 24th, on a Solaris 8 system, with Berkeley DB
>backend.  Cyrus sasl & kerberos 5 installed.
>
>Running the command "ldapsearch sukrb5name=quanah@stanford.edu" fails, even
>though I am a member of a group with * read access into the openldap directory.
>
>Given the following ACL file:
>
># ACL include file for slapd
>#
># this is for testing
>
>access to dn=""
>        by * read
>
>access to attrs=krb5PrincipalName,suKrb5Name,member
>        by * read
>
>access to *
>        by dn="cn=replicator,cn=Applications,dc=stanford,dc=edu" write
>        by group="cn=Supervisor,cn=Applications,dc=stanford,dc=edu" read
>        by group="cn=ldapAdmin,cn=Applications,dc=stanford,dc=edu" read
>        by anonymous auth
>
>access to dn=".*,cn=Accounts,dc=stanford,dc=edu" attrs=suSeasSunetID,suMaildrop
>        by dn="cn=StanfordMailRouter,cn=Applications,dc=stanford,dc=edu" read
>
>
>With the group supervisor defined as:
>
># supervisor, Applications, stanford.edu
>dn: cn=supervisor,cn=Applications,dc=stanford,dc=edu
>objectClass: groupOfNames
>cn: supervisor
>member: suRegID=87faaba8f61311d2ae662436000baa77,cn=People,dc=stanford,dc=edu
>member: suRegID=85e49978f61311d2ae662436000baa77,cn=People,dc=stanford,dc=edu
>
>When I bind using K5 with GSSAPI, the SASL-Regexp converts me to:
>
><==slap_sasl2dn: Converted
> SASL name to suRegID=85e49978f61311d2ae662436000baa77,cn=people,dc=stanford,dc=edu
>getdn: dn:id converted to
>suRegID=85e49978f61311d2ae662436000baa77,cn=people,dc=stanford,dc=edu
>SASL Canonicalize [conn=1]
>: authcDN="suRegID=85e49978f61311d2ae662436000baa77,cn=people,dc=stanford,dc=edu"
>do_bind: SASL/GSSAPI bind:
> dn="suRegID=85e49978f61311d2ae662436000baa77,cn=people,dc=stanford,dc=edu"
>ssf=56
>
>As you can clearly see, the DN I have been converted to is a member of the
>supervisor group.  However, when slapd goes to check my access:
>
>[ID 806586 local4.debug] => string_expand: pattern:
>  cn=Supervisor,cn=Applications,dc=stanford,dc=edu
>[ID 489063 local4.debug] => string_expand: expanded
>: cn=Supervisor,cn=Applications,dc=stanford,dc=edu
>[ID 114958 local4.debug] >>> dnNormalize: <cn=Super
>visor,cn=Applications,dc=stanford,dc=edu>
>[ID 532571 local4.debug] <<< dnNormalize: <cn=super
>visor,cn=applications,dc=stanford,dc=edu>
>[ID 248973 local4.debug] => bdb_group: gr dn: "cn=s
>upervisor,cn=applications,dc=stanford,dc=edu"
>[ID 231450 local4.debug] => bdb_group: op dn: "suRe
>gID=85e49978f61311d2ae662436000baa77,cn=people,dc=stanford,dc=edu"
>[ID 529798 local4.debug] => bdb_group: oc: "groupOf
>Names" at: "member"
>[ID 461965 local4.debug] => bdb_group: tr dn: "suRe
>gID=85e49978f61311d2ae662436000baa77,cn=people,dc=stanford,dc=edu"
>[ID 749508 local4.debug] bdb_dn2entry_rw("cn=superv
>isor,cn=applications,dc=stanford,dc=edu")
>[ID 157115 local4.debug] => bdb_dn2id( "cn=supervis
>or,cn=applications,dc=stanford,dc=edu" )
>[ID 108501 local4.debug] ====> bdb_cache_find_entry
>_dn2id("cn=supervisor,cn=applications,dc=stanford,dc=edu"): 5 (1 tries)
>[ID 472485 local4.debug] ====> bdb_cache_find_entry
>_id( 5 ) "cn=supervisor,cn=Applications,dc=stanford,dc=edu" (found) (1 tries)
>[ID 257784 local4.debug] => bdb_group: found group:
> "cn=supervisor,cn=applications,dc=stanford,dc=edu"
>[ID 721865 local4.debug] <= bdb_group: found object
>Class groupOfNames and member
>[ID 114958 local4.debug] >>> dnNormalize: <suRegID=
>85e49978f61311d2ae662436000baa77,cn=people,dc=stanford,dc=edu>
>[ID 631365 local4.debug] <= bdb_group: "suRegID=85e
>49978f61311d2ae662436000baa77,cn=people,dc=stanford,dc=edu" not in
>"cn=supervisor,cn=applications,dc
>=stanford,dc=edu": member
>[ID 241745 local4.debug] ====> bdb_cache_return_ent
>ry_r( 5 ): returned (0)
>[ID 340953 local4.debug] bdb_group: rc=1
>
>
>Clearly, I am in supervisor, yet slapd continues to mark me as not being a
>member.  Going back through my logs, it appears that the last time slapd
>actually would authenticate me correctly to a group was with Openldap-2.1.3.
>
>
>--Quanah
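The first-match rule behind the remark about the fourth ACL, shown as an added illustration that is neither code from this report nor from OpenLDAP itself: a small Python model of how slapd picks an `access to` clause and then a `by` selector, run over the four ACLs quoted above. The account entry DN and the in-memory group table are assumptions constructed from the report; the group-membership result is what the ACL semantics call for, not a reproduction of the failure the report describes.

```python
"""Simplified model of slapd ACL evaluation (added illustration, not slapd code).

Rules modelled, as documented in slapd.access(5):
  * 'access to' clauses are tried in order; the FIRST clause whose target
    matches the entry and attribute being accessed is used, and later
    clauses are never consulted for that request.
  * Within that clause, 'by' selectors are tried in order; the first one
    matching the requester decides the access level.
  * If no 'by' selector matches, access is denied (implicit 'by * none').
DNs are compared case-insensitively after normalization, which is what the
dnNormalize lines in the report show slapd doing.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


def norm(dn: str) -> str:
    # Crude DN normalization: lowercase, drop whitespace around ',' and '='.
    return re.sub(r"\s*([,=])\s*", r"\1", dn.strip()).lower()


@dataclass
class By:
    who: str      # "*", "anonymous", 'dn="<regex>"', 'group="<dn>"'
    level: str    # none, auth, compare, search, read, write


@dataclass
class Access:
    dn_pattern: Optional[str]   # regex over the target DN; None means any
    attrs: Optional[Set[str]]   # attribute names; None means any attribute
    by: List[By]


def target_matches(acl: Access, target_dn: str, attr: Optional[str]) -> bool:
    # dn="" (empty pattern) only matches the empty DN; ".*,cn=Accounts,..." is a regex.
    if acl.dn_pattern is not None and not re.fullmatch(acl.dn_pattern, target_dn, re.IGNORECASE):
        return False
    if acl.attrs is not None:
        if attr is None or attr.lower() not in {a.lower() for a in acl.attrs}:
            return False
    return True


def who_matches(by: By, requester: Optional[str], groups: Dict[str, Set[str]]) -> bool:
    if by.who == "*":
        return True
    if by.who == "anonymous":
        return requester is None
    if requester is None:
        return False
    kind, _, value = by.who.partition("=")
    value = value.strip('"')
    if kind == "dn":
        return re.fullmatch(value, requester, re.IGNORECASE) is not None
    if kind == "group":
        # Membership lookup against a constructed group table (stands in for bdb_group).
        return norm(requester) in groups.get(norm(value), set())
    raise ValueError("unsupported selector: " + by.who)


def evaluate(acls: List[Access], target_dn: str, attr: Optional[str],
             requester: Optional[str], groups: Dict[str, Set[str]]) -> Tuple[Optional[int], str]:
    """Return (index of the clause that decided, granted level)."""
    for i, acl in enumerate(acls):
        if not target_matches(acl, target_dn, attr):
            continue
        for by in acl.by:
            if who_matches(by, requester, groups):
                return i, by.level
        return i, "none"          # clause matched but no 'by' did: implicit deny
    return None, "none"


# The four ACLs from the report, in the order given there.
ACLS = [
    Access("", None, [By("*", "read")]),
    Access(None, {"krb5PrincipalName", "suKrb5Name", "member"}, [By("*", "read")]),
    Access(None, None, [
        By('dn="cn=replicator,cn=Applications,dc=stanford,dc=edu"', "write"),
        By('group="cn=Supervisor,cn=Applications,dc=stanford,dc=edu"', "read"),
        By('group="cn=ldapAdmin,cn=Applications,dc=stanford,dc=edu"', "read"),
        By("anonymous", "auth"),
    ]),
    Access(r".*,cn=Accounts,dc=stanford,dc=edu", {"suSeasSunetID", "suMaildrop"}, [
        By('dn="cn=StanfordMailRouter,cn=Applications,dc=stanford,dc=edu"', "read"),
    ]),
]

# Constructed group table built from the supervisor entry in the report.
GROUPS = {
    norm("cn=supervisor,cn=Applications,dc=stanford,dc=edu"): {
        norm("suRegID=87faaba8f61311d2ae662436000baa77,cn=People,dc=stanford,dc=edu"),
        norm("suRegID=85e49978f61311d2ae662436000baa77,cn=People,dc=stanford,dc=edu"),
    }
}

MAILROUTER = "cn=StanfordMailRouter,cn=Applications,dc=stanford,dc=edu"
REPORTER = "suRegID=85e49978f61311d2ae662436000baa77,cn=people,dc=stanford,dc=edu"
ACCOUNT = "uid=example,cn=Accounts,dc=stanford,dc=edu"   # assumed entry under cn=Accounts


def mailrouter_as_configured() -> Tuple[Optional[int], str]:
    # 'access to *' (index 2) wins first; the mail router matches none of its 'by' lines.
    return evaluate(ACLS, ACCOUNT, "suSeasSunetID", MAILROUTER, GROUPS)


def mailrouter_reordered() -> Tuple[Optional[int], str]:
    # Moving the specific clause above 'access to *' lets it be reached.
    fixed = [ACLS[0], ACLS[1], ACLS[3], ACLS[2]]
    return evaluate(fixed, ACCOUNT, "suSeasSunetID", MAILROUTER, GROUPS)


def supervisor_member() -> Tuple[Optional[int], str]:
    # What the group= selector should yield for the reporter's canonicalized DN.
    return evaluate(ACLS, ACCOUNT, "cn", REPORTER, GROUPS)


if __name__ == "__main__":
    print("mail router, as configured:", mailrouter_as_configured())
    print("mail router, clause moved up:", mailrouter_reordered())
    print("supervisor member:", supervisor_member())
```

Because `access to *` matches every entry and attribute, the mail router clause after it is dead configuration and the router is silently denied rather than granted; the cheap check is to keep narrow `access to` targets above the catch-all and to verify each principal's effective access against a test entry after every ACL change. The same evaluator applied to the reporter's DN grants read through the `group=` selector, which is the outcome the log above shows slapd failing to produce.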