(ITS#4019) access control broken
Full_Name: Dr Stuart Midgley
Version: 2.3.7
OS: RHEL3
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (202.45.119.39)
I have been setting up an ldap server with access control lists to allow certain
users access to certain user fields. Following are the relevant access
controls.
access to dn.regex="uid=[^,]+,cn=users,dc=beer,dc=ivec,dc=org"
        filter="(|(ou=beer)(ou=cider))"
        by * none break
access to dn.regex="uid=[^,]+,cn=users,dc=beer,dc=ivec,dc=org"
        filter="(ou=beer)"
        by dn="uid=beer,cn=users,dc=beer,dc=ivec,dc=org" write break
access to dn.regex="uid=[^,]+,cn=users,dc=beer,dc=ivec,dc=org"
        filter="(ou=cider)"
        by dn="uid=cider,cn=users,dc=beer,dc=ivec,dc=org" write
the relevant entries from my database (yes, I am using the apple schema to
allow a macosx server to connect up correctly)
dn: uid=cider,cn=users,dc=beer,dc=ivec,dc=org
uid: cider
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: apple-user
objectClass: extensibleObject
objectClass: organizationalPerson
objectClass: top
objectClass: person
sn: 99
gidNumber: 1001
uidNumber: 1001
userPassword: cider
loginShell: /bin/bash
homeDirectory: /home/cider
cn: Cider admin user
dn: uid=beer,cn=users,dc=beer,dc=ivec,dc=org
uid: beer
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: apple-user
objectClass: extensibleObject
objectClass: organizationalPerson
objectClass: top
objectClass: person
sn: 99
gidNumber: 1002
uidNumber: 1002
userPassword: beer
loginShell: /bin/bash
homeDirectory: /home/beer
cn: Beer admin user
dn: uid=testa,cn=users,dc=beer,dc=ivec,dc=org
uid: testa
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: apple-user
objectClass: extensibleObject
objectClass: organizationalPerson
objectClass: top
objectClass: person
sn: 99
gidNumber: 1003
uidNumber: 1003
userPassword: testa
loginShell: /bin/bash
homeDirectory: /home/testa
cn: Test User A
ou: beer
ou: cider
dn: uid=testb,cn=users,dc=beer,dc=ivec,dc=org
uid: testb
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: apple-user
objectClass: extensibleObject
objectClass: organizationalPerson
objectClass: top
objectClass: person
sn: 99
gidNumber: 1004
uidNumber: 1004
userPassword: testb
loginShell: /bin/bash
homeDirectory: /home/testb
cn: Test User B
ou: cider
Now, I test the filters I have in my access control lists (cn=Manager is the
rootdn)
> ldapsearch -x -W -D 'cn=Manager,dc=beer,dc=ivec,dc=org' -b cn=users,dc=beer,dc=ivec,dc=org '(ou=beer)'
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <cn=users,dc=beer,dc=ivec,dc=org> with scope subtree
# filter: (ou=beer)
# requesting: ALL
#
# testa, users, beer.ivec.org
dn: uid=testa,cn=users,dc=beer,dc=ivec,dc=org
uid: testa
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: apple-user
objectClass: extensibleObject
objectClass: organizationalPerson
objectClass: top
objectClass: person
sn: 99
gidNumber: 1003
uidNumber: 1003
userPassword:: dGVzdGE=
loginShell: /bin/bash
homeDirectory: /home/testa
cn: Test User A
ou: beer
ou: cider
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
I get the correct response. Then I do
> ldapsearch -x -W -D 'cn=Manager,dc=beer,dc=ivec,dc=org' -b cn=users,dc=beer,dc=ivec,dc=org '(ou=cider)'
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <cn=users,dc=beer,dc=ivec,dc=org> with scope subtree
# filter: (ou=cider)
# requesting: ALL
#
# testa, users, beer.ivec.org
dn: uid=testa,cn=users,dc=beer,dc=ivec,dc=org
uid: testa
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: apple-user
objectClass: extensibleObject
objectClass: organizationalPerson
objectClass: top
objectClass: person
sn: 99
gidNumber: 1003
uidNumber: 1003
userPassword:: dGVzdGE=
loginShell: /bin/bash
homeDirectory: /home/testa
cn: Test User A
ou: beer
ou: cider
# testb, users, beer.ivec.org
dn: uid=testb,cn=users,dc=beer,dc=ivec,dc=org
uid: testb
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: apple-user
objectClass: extensibleObject
objectClass: organizationalPerson
objectClass: top
objectClass: person
sn: 99
gidNumber: 1004
uidNumber: 1004
userPassword:: dGVzdGI=
loginShell: /bin/bash
homeDirectory: /home/testb
cn: Test User B
ou: cider
# search result
search: 2
result: 0 Success
# numResponses: 3
# numEntries: 2
and again, the correct response. Finally
> ldapsearch -x -W -D 'cn=Manager,dc=beer,dc=ivec,dc=org' -b cn=users,dc=beer,dc=ivec,dc=org '(|(ou=cider)(ou=beer))'
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <cn=users,dc=beer,dc=ivec,dc=org> with scope subtree
# filter: (|(ou=cider)(ou=beer))
# requesting: ALL
#
# testa, users, beer.ivec.org
dn: uid=testa,cn=users,dc=beer,dc=ivec,dc=org
uid: testa
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: apple-user
objectClass: extensibleObject
objectClass: organizationalPerson
objectClass: top
objectClass: person
sn: 99
gidNumber: 1003
uidNumber: 1003
userPassword:: dGVzdGE=
loginShell: /bin/bash
homeDirectory: /home/testa
cn: Test User A
ou: beer
ou: cider
# testb, users, beer.ivec.org
dn: uid=testb,cn=users,dc=beer,dc=ivec,dc=org
uid: testb
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: apple-user
objectClass: extensibleObject
objectClass: organizationalPerson
objectClass: top
objectClass: person
sn: 99
gidNumber: 1004
uidNumber: 1004
userPassword:: dGVzdGI=
loginShell: /bin/bash
homeDirectory: /home/testb
cn: Test User B
ou: cider
# search result
search: 2
result: 0 Success
# numResponses: 3
# numEntries: 2
so I think my filter syntax is correct.
Now, when I bind as uid=beer or uid=cider, I don't get the right response....
> ldapsearch -x -W -D 'uid=cider,cn=users,dc=beer,dc=ivec,dc=org' -b cn=users,dc=beer,dc=ivec,dc=org
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <cn=users,dc=beer,dc=ivec,dc=org> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# users, beer.ivec.org
dn: cn=users,dc=beer,dc=ivec,dc=org
cn: users
objectClass: container
# cider, users, beer.ivec.org
dn: uid=cider,cn=users,dc=beer,dc=ivec,dc=org
uid: cider
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: apple-user
objectClass: extensibleObject
objectClass: organizationalPerson
objectClass: top
objectClass: person
sn: 99
gidNumber: 1001
uidNumber: 1001
loginShell: /bin/bash
homeDirectory: /home/cider
cn: Cider admin user
# beer, users, beer.ivec.org
dn: uid=beer,cn=users,dc=beer,dc=ivec,dc=org
uid: beer
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: apple-user
objectClass: extensibleObject
objectClass: organizationalPerson
objectClass: top
objectClass: person
sn: 99
gidNumber: 1002
uidNumber: 1002
loginShell: /bin/bash
homeDirectory: /home/beer
cn: Beer admin user
# testb, users, beer.ivec.org
dn: uid=testb,cn=users,dc=beer,dc=ivec,dc=org
uid: testb
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: apple-user
objectClass: extensibleObject
objectClass: organizationalPerson
objectClass: top
objectClass: person
sn: 99
gidNumber: 1004
uidNumber: 1004
loginShell: /bin/bash
homeDirectory: /home/testb
cn: Test User B
ou: cider
# search result
search: 2
result: 0 Success
# numResponses: 5
# numEntries: 4
I should also get uid=testa here...
> ldapsearch -x -W -D 'uid=beer,cn=users,dc=beer,dc=ivec,dc=org' -b cn=users,dc=beer,dc=ivec,dc=org
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <cn=users,dc=beer,dc=ivec,dc=org> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# users, beer.ivec.org
dn: cn=users,dc=beer,dc=ivec,dc=org
cn: users
objectClass: container
# cider, users, beer.ivec.org
dn: uid=cider,cn=users,dc=beer,dc=ivec,dc=org
uid: cider
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: apple-user
objectClass: extensibleObject
objectClass: organizationalPerson
objectClass: top
objectClass: person
sn: 99
gidNumber: 1001
uidNumber: 1001
loginShell: /bin/bash
homeDirectory: /home/cider
cn: Cider admin user
# beer, users, beer.ivec.org
dn: uid=beer,cn=users,dc=beer,dc=ivec,dc=org
uid: beer
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: apple-user
objectClass: extensibleObject
objectClass: organizationalPerson
objectClass: top
objectClass: person
sn: 99
gidNumber: 1002
uidNumber: 1002
loginShell: /bin/bash
homeDirectory: /home/beer
cn: Beer admin user
# search result
search: 2
result: 0 Success
# numResponses: 4
# numEntries: 3
and I should get uid=testa here as well... When I change the 2nd ACL to
access to dn.regex="uid=[^,]+,cn=users,dc=beer,dc=ivec,dc=org"
        filter="(ou=beer)"
        by dn="uid=beer,cn=users,dc=beer,dc=ivec,dc=org" write
and run my searches again
> ldapsearch -x -W -D 'uid=cider,cn=users,dc=beer,dc=ivec,dc=org' -b cn=users,dc=beer,dc=ivec,dc=org
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <cn=users,dc=beer,dc=ivec,dc=org> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# users, beer.ivec.org
dn: cn=users,dc=beer,dc=ivec,dc=org
cn: users
objectClass: container
# cider, users, beer.ivec.org
dn: uid=cider,cn=users,dc=beer,dc=ivec,dc=org
uid: cider
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: apple-user
objectClass: extensibleObject
objectClass: organizationalPerson
objectClass: top
objectClass: person
sn: 99
gidNumber: 1001
uidNumber: 1001
loginShell: /bin/bash
homeDirectory: /home/cider
cn: Cider admin user
# beer, users, beer.ivec.org
dn: uid=beer,cn=users,dc=beer,dc=ivec,dc=org
uid: beer
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: apple-user
objectClass: extensibleObject
objectClass: organizationalPerson
objectClass: top
objectClass: person
sn: 99
gidNumber: 1002
uidNumber: 1002
loginShell: /bin/bash
homeDirectory: /home/beer
cn: Beer admin user
# testb, users, beer.ivec.org
dn: uid=testb,cn=users,dc=beer,dc=ivec,dc=org
uid: testb
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: apple-user
objectClass: extensibleObject
objectClass: organizationalPerson
objectClass: top
objectClass: person
sn: 99
gidNumber: 1004
uidNumber: 1004
loginShell: /bin/bash
homeDirectory: /home/testb
cn: Test User B
ou: cider
# search result
search: 2
result: 0 Success
# numResponses: 5
# numEntries: 4
again, this is incorrect... but now at least I am getting the next one correct
> ldapsearch -x -W -D 'uid=beer,cn=users,dc=beer,dc=ivec,dc=org' -b cn=users,dc=beer,dc=ivec,dc=org
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <cn=users,dc=beer,dc=ivec,dc=org> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# users, beer.ivec.org
dn: cn=users,dc=beer,dc=ivec,dc=org
cn: users
objectClass: container
# cider, users, beer.ivec.org
dn: uid=cider,cn=users,dc=beer,dc=ivec,dc=org
uid: cider
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: apple-user
objectClass: extensibleObject
objectClass: organizationalPerson
objectClass: top
objectClass: person
sn: 99
gidNumber: 1001
uidNumber: 1001
loginShell: /bin/bash
homeDirectory: /home/cider
cn: Cider admin user
# beer, users, beer.ivec.org
dn: uid=beer,cn=users,dc=beer,dc=ivec,dc=org
uid: beer
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: apple-user
objectClass: extensibleObject
objectClass: organizationalPerson
objectClass: top
objectClass: person
sn: 99
gidNumber: 1002
uidNumber: 1002
loginShell: /bin/bash
homeDirectory: /home/beer
cn: Beer admin user
# testa, users, beer.ivec.org
dn: uid=testa,cn=users,dc=beer,dc=ivec,dc=org
uid: testa
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: apple-user
objectClass: extensibleObject
objectClass: organizationalPerson
objectClass: top
objectClass: person
sn: 99
gidNumber: 1003
uidNumber: 1003
loginShell: /bin/bash
homeDirectory: /home/testa
cn: Test User A
ou: beer
ou: cider
# search result
search: 2
result: 0 Success
# numResponses: 5
# numEntries: 4
which is correct. It appears the concatenation of access control lists is not
correct (break is broken ;) ).
Thanks
Stu.
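As an added example (not part of the report above and not OpenLDAP's own code), the following Python script models the evaluation order that slapd.access(5) documents for access directives: the first `access to` clause whose `<what>` (dn.regex plus filter) matches the entry is selected; inside it the first `by` clause whose `<who>` matches the requester sets the access level; `stop` (the default) ends evaluation, `break` moves on to the next access directive; and a selected directive in which no `by` clause matches the requester applies the implicit `by * none` and stops. Two caveats worth keeping in mind when reading the report: the rootdn bypasses ACLs entirely, so the `cn=Manager` searches only validate the filters, not the access rules; and a trace of the non-root binds is the only way to see which directive actually ended evaluation. The model runs the three posted directives, the reporter's second variant (second directive without `break`), and a hypothetical fall-through variant against the `testa`/`testb` entries from the report. Assumptions, marked in the code: only `*` and exact `dn=` `<who>` selectors, equality/`&`/`|`/`!` filters, no `continue` control, the `cn=users` container left out, and a trailing catch-all `access to * by * read` standing in for the directives the report says it omits (something in the real configuration must let `uid=beer` and `uid=cider` read each other's entries, as the posted output shows).

```python
"""Model of slapd ACL evaluation order, run over the ACLs and entries in ITS#4019.

Added example: models the documented evaluation order, it is not OpenLDAP code.
"""
import re

# Access levels in increasing order (slapd.access(5)); "write" implies "read".
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write"]


def parse_filter(text):
    """Parse a minimal RFC 4515 filter: (attr=value), (&...), (|...), (!...)."""
    body = text.strip()[1:-1]
    if body[0] in "&|!":
        op = {"&": "and", "|": "or", "!": "not"}[body[0]]
        parts, depth, start = [], 0, 0
        for i, ch in enumerate(body):
            if ch == "(":
                if depth == 0:
                    start = i
                depth += 1
            elif ch == ")":
                depth -= 1
                if depth == 0:
                    parts.append(parse_filter(body[start:i + 1]))
        return (op, parts[0]) if op == "not" else (op, parts)
    attr, _, value = body.partition("=")
    return ("eq", attr.lower(), value.lower())


def entry_matches(entry, flt):
    """Evaluate a parsed filter against an entry (dict of attr -> list of values)."""
    kind = flt[0]
    if kind == "eq":
        return flt[2] in [v.lower() for v in entry.get(flt[1], [])]
    if kind == "and":
        return all(entry_matches(entry, f) for f in flt[1])
    if kind == "or":
        return any(entry_matches(entry, f) for f in flt[1])
    return not entry_matches(entry, flt[1])


def effective_access(acls, requester_dn, entry):
    """Access level requester_dn ends up with on entry under the documented order:
    first <what> that matches the entry; inside it, first <by> whose <who> matches;
    'stop' ends evaluation, 'break' goes on to the next directive; a selected
    directive with no matching <who> means the implicit 'by * none' and stop."""
    access = "none"
    for acl in acls:
        # dn.regex is unanchored in slapd, hence re.search rather than fullmatch
        if not re.search(acl["dn"], entry["dn"]):
            continue
        if "filter" in acl and not entry_matches(entry, parse_filter(acl["filter"])):
            continue
        control = None
        for who, level, ctl in acl["by"]:          # only "*" and exact dn= modelled
            if who == "*" or who == "dn=" + requester_dn:
                access, control = level, ctl
                break                              # "continue" is not modelled
        if control is None:                        # implicit "by * none", stop
            return "none"
        if control == "stop":
            return access
    return access                                  # last directive ended with "break"


USERS = r"uid=[^,]+,cn=users,dc=beer,dc=ivec,dc=org"
BEER = "uid=beer,cn=users,dc=beer,dc=ivec,dc=org"
CIDER = "uid=cider,cn=users,dc=beer,dc=ivec,dc=org"
# Assumed, not in the report: a trailing catch-all standing in for the omitted
# directives that let entries without an ou (beer, cider themselves) be read.
CATCH_ALL = {"dn": ".*", "by": [("*", "read", "stop")]}

# The three directives as posted in the report.
ACL_REPORTED = [
    {"dn": USERS, "filter": "(|(ou=beer)(ou=cider))", "by": [("*", "none", "break")]},
    {"dn": USERS, "filter": "(ou=beer)", "by": [("dn=" + BEER, "write", "break")]},
    {"dn": USERS, "filter": "(ou=cider)", "by": [("dn=" + CIDER, "write", "stop")]},
    CATCH_ALL,
]
# The reporter's second variant: "break" removed from the second directive.
ACL_SECOND_STOPS = [
    ACL_REPORTED[0],
    {"dn": USERS, "filter": "(ou=beer)", "by": [("dn=" + BEER, "write", "stop")]},
    ACL_REPORTED[2],
    CATCH_ALL,
]
# Hypothetical rewrite (not from the report): requesters other than uid=beer fall
# through the beer directive instead of hitting its implicit "by * none".
ACL_FALLTHROUGH = [
    {"dn": USERS, "filter": "(ou=beer)",
     "by": [("dn=" + BEER, "write", "stop"), ("*", "none", "break")]},
    {"dn": USERS, "filter": "(ou=cider)", "by": [("dn=" + CIDER, "write", "stop")]},
    CATCH_ALL,
]

# Constructed from the report's LDIF; only the attributes the model consults.
ENTRIES = {
    "testa": {"dn": "uid=testa,cn=users,dc=beer,dc=ivec,dc=org", "ou": ["beer", "cider"]},
    "testb": {"dn": "uid=testb,cn=users,dc=beer,dc=ivec,dc=org", "ou": ["cider"]},
    "beer": {"dn": BEER},
    "cider": {"dn": CIDER},
}


def visible(acls, requester_dn):
    """Entries the requester holds at least read on, i.e. what its search returns."""
    return sorted(name for name, e in ENTRIES.items()
                  if LEVELS.index(effective_access(acls, requester_dn, e))
                  >= LEVELS.index("read"))


if __name__ == "__main__":
    variants = [("reported", ACL_REPORTED), ("2nd directive stops", ACL_SECOND_STOPS),
                ("fall-through", ACL_FALLTHROUGH)]
    for label, acls in variants:
        for who in (BEER, CIDER):
            print(f"{label:20s} bound as {who.split(',')[0]:10s} -> {visible(acls, who)}")
```

Under these rules the model returns exactly the entry sets the report's non-root searches show for both posted variants: with the three directives as posted, neither `uid=beer` nor `uid=cider` reaches `testa`, because whichever directive is selected after the `break` has a single `by dn=...` clause for the other user and so ends in the implicit `by * none`; removing `break` from the second directive lets `uid=beer` stop there with `write`. The fall-through variant is what gives each admin its own entries. When a real server disagrees with such a model, `slapd -d acl` prints the directive and clause that ended evaluation, which is the evidence to attach to a report like this one.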