
(ITS#7673) rwm and bad ACL evaluation



Full_Name: Russell Mosemann
Version: 2.4.36
OS: Debian 6 and 7
URL: 
Submission from: (NULL) (192.160.64.50)


Including rwm directives causes ACL evaluation to be incorrectly performed. rwm
plays no role in rewriting any part of the incoming query or outgoing results.
Simply commenting the rwm lines without making any other configuration changes
permits the query to succeed. The query is coming from an authenticated entry
that is allowed to search the subtree.

# rwm configuration - Commenting the following lines allows the query to succeed.

overlay             rwm
rwm-rewriteEngine   on
rwm-rewriteMap      slapd flt2dn "ldap:///ou=accounts,o=cune?dn?sub";
rwm-rewriteContext  bindDN
rwm-rewriteRule     "^(mail=[a-z0-9-]+\\.[a-z0-9-]+@cune\\.org),ou=People,o=cune$"
                    "${flt2dn((\&($1)(accountStatus=active)(userClass=stu)))}"
                    ":@I"

# There are only 4 ACLs.

# Allow authentication
access to dn.subtree="ou=accounts,o=cune" attrs=userPassword
  by self write
  by peername.ip=127.0.0.0%255.255.255.0 search
  by peername.ip=10.0.0.0%255.255.192.0 search
  by anonymous auth

# Allow reading of certain attributes.
access to dn.subtree="ou=accounts,o=cune"
  filter=(&(userClass=stu)(accountStatus=active))
  attrs=cn,entry,mail,objectClass,sn,uid,userClass,accountStatus
  by dn="qmailGID=306,ou=accounts,o=cune" read
  by peername.ip=127.0.0.0%255.255.255.0 read
  by peername.ip=10.0.0.0%255.255.192.0 read
  by * none

# Search access to the base is required to search children.
access to dn.base="ou=accounts,o=cune"
  by dn="qmailGID=306,ou=accounts,o=cune" search
  by peername.ip=127.0.0.0%255.255.255.0 read
  by peername.ip=10.0.0.0%255.255.192.0 read
  by * none

# No access to other parts.
access to dn.subtree="o=cune"
  by dn="qmailGID=306,ou=accounts,o=cune" none
  by peername.ip=127.0.0.0%255.255.255.0 read
  by peername.ip=10.0.0.0%255.255.192.0 read
  by * none


The query is from the authenticated entry "qmailGID=306,ou=accounts,o=cune"
searching the base "ou=accounts,o=cune" with the filter "(uid=Test.Entry)". This
is the debugging output when the rwm lines above are commented. The query
succeeds.

521cdb75 => send_search_entry: conn 1001 dn="qmailUID=2,ou=accounts,o=cune"
521cdb75 => access_allowed: read access to "qmailUID=2,ou=accounts,o=cune" "entry" requested
521cdb75 => dn: [1] ou=accounts,o=cune
521cdb75 => acl_get: [1] matched
521cdb75 => dn: [2] ou=accounts,o=cune
521cdb75 => acl_get: [2] matched
521cdb75 => test_filter
521cdb75     AND
521cdb75 => test_filter_and
521cdb75 => test_filter
521cdb75     EQUALITY
521cdb75 => access_allowed: search access to "qmailUID=2,ou=accounts,o=cune" "userClass" requested
521cdb75 <= test_filter 6
521cdb75 => test_filter
521cdb75     EQUALITY
521cdb75 => access_allowed: search access to "qmailUID=2,ou=accounts,o=cune" "accountStatus" requested
521cdb75 <= test_filter 6
521cdb75 <= test_filter_and 6
521cdb75 <= test_filter 6
521cdb75 => acl_get: [2] attr entry
521cdb75 => acl_mask: access to entry "qmailUID=2,ou=accounts,o=cune", attr "entry" requested
521cdb75 => acl_mask: to all values by "qmailGID=306,ou=accounts,o=cune", (=0)
521cdb75 <= check a_dn_pat: qmailGID=306,ou=accounts,o=cune
521cdb75 <= acl_mask: [1] applying read(=rscxd) (stop)
521cdb75 <= acl_mask: [1] mask: read(=rscxd)
521cdb75 => slap_access_allowed: read access granted by read(=rscxd)
521cdb75 => access_allowed: read access granted by read(=rscxd)
ber_flush2: 40 bytes to sd 22
  0000:  30 26 02 01 02 64 21 04  1d 71 6d 61 69 6c 55 49   0&...d!..qmailUI
  0010:  44 3d 32 2c 6f 75 3d 61  63 63 6f 75 6e 74 73 2c   D=2,ou=accounts,
  0020:  6f 3d 63 75 6e 65 30 00                            o=cune0.
ldap_write: want=40, written=40
  0000:  30 26 02 01 02 64 21 04  1d 71 6d 61 69 6c 55 49   0&...d!..qmailUI
  0010:  44 3d 32 2c 6f 75 3d 61  63 63 6f 75 6e 74 73 2c   D=2,ou=accounts,
  0020:  6f 3d 63 75 6e 65 30 00                            o=cune0.
521cdb75 <= send_search_entry: conn 1001 exit.
521cdb75 send_ldap_result: conn=1001 op=1 p=3
521cdb75 send_ldap_result: err=0 matched="" text=""
521cdb75 send_ldap_response: msgid=2 tag=101 err=0


This is the debugging output after uncommenting the rwm lines and making no
other configuration changes. Search access allowed in the second ACL is not
found, and it proceeds to the fourth ACL where all access is denied.

521cdd96 => send_search_entry: conn 1004 dn="qmailUID=2,ou=accounts,o=cune"
521cdd96 => access_allowed: read access to "qmailUID=2,ou=accounts,o=cune" "entry" requested
521cdd96 => dn: [1] ou=accounts,o=cune
521cdd96 => acl_get: [1] matched
521cdd96 => dn: [2] ou=accounts,o=cune
521cdd96 => acl_get: [2] matched
521cdd96 => test_filter
521cdd96     AND
521cdd96 => test_filter_and
521cdd96 => test_filter
521cdd96     EQUALITY
521cdd96 => access_allowed: search access to "qmailUID=2,ou=accounts,o=cune" "userClass" requested
521cdd96 <= test_filter 5
521cdd96 <= test_filter_and 5
521cdd96 <= test_filter 5
521cdd96 => dn: [3] ou=accounts,o=cune
521cdd96 => dn: [4] o=cune
521cdd96 => acl_get: [4] matched
521cdd96 => acl_get: [4] attr entry
521cdd96 => acl_mask: access to entry "qmailUID=2,ou=accounts,o=cune", attr "entry" requested
521cdd96 => acl_mask: to all values by "qmailGID=306,ou=accounts,o=cune", (=0)
521cdd96 <= check a_dn_pat: qmailGID=306,ou=accounts,o=cune
521cdd96 <= acl_mask: [1] applying none(=0) (stop)
521cdd96 <= acl_mask: [1] mask: none(=0)
521cdd96 => slap_access_allowed: read access denied by none(=0)
521cdd96 => access_allowed: no more rules
521cdd96 send_search_entry: conn 1004 access to entry (qmailUID=2,ou=accounts,o=cune) not allowed
521cdd96 send_ldap_result: conn=1004 op=1 p=3
521cdd96 send_ldap_result: err=0 matched="" text=""
521cdd96 send_ldap_response: msgid=2 tag=101 err=0


There is nothing special about the LDAP entry for Test.Entry.

dn: qmailUID=2,ou=accounts,o=cune
objectClass: pilotPerson
objectClass: qmailUser
objectClass: PureFTPdUser
cn: Test Entry
sn: Entry
uid: Test.Entry
qmailUID: 2
accountStatus: active
mail: test.entry@cune.org
userClass: stu


Please let me know if you require any other information. Thank you.

Russell Mosemann
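As an added diagnostic aid (not part of the report or of OpenLDAP), the script below reduces a slapd ACL trace like the two above to the decision it records: which ACLs matched the entry, whether the filter= clause of the matching ACL evaluated to compareTrue (6) or compareFalse (5), the RFC 4511 result codes test_filter logs, and which ACL and privilege finally applied. The sample traces are trimmed copies of the report's own output; the field names in the returned dict are this example's.

```python
import re

# Result codes slapd's test_filter() logs (RFC 4511): compareFalse = 5, compareTrue = 6.
COMPARE_TRUE = 6

PATTERNS = {
    "matched": re.compile(r"acl_get: \[(\d+)\] matched"),           # ACL whose <what> matched
    "filter":  re.compile(r"<= test_filter (\d+)\s*$"),             # result of an ACL's filter= test
    "attr":    re.compile(r"acl_get: \[(\d+)\] attr \S+"),          # ACL whose <by> clauses are tried
    "apply":   re.compile(r"acl_mask: \[\d+\] applying (\w+)\("),   # privilege the <by> clause grants
    "verdict": re.compile(r"access_allowed: \w+ access (granted|denied) by"),
}

def parse_acl_trace(lines):
    """Reduce one access_allowed() trace to the ACL decision it records."""
    d = {"matched_acls": [], "filter_codes": [], "deciding_acl": None,
         "privilege": None, "granted": None}
    for line in lines:
        if m := PATTERNS["matched"].search(line):
            d["matched_acls"].append(int(m.group(1)))
        elif m := PATTERNS["filter"].search(line):
            d["filter_codes"].append(int(m.group(1)))
        elif m := PATTERNS["attr"].search(line):
            d["deciding_acl"] = int(m.group(1))
        elif m := PATTERNS["apply"].search(line):
            d["privilege"] = m.group(1)
        elif m := PATTERNS["verdict"].search(line):
            d["granted"] = m.group(1) == "granted"
    # slapd skips an ACL with filter= unless the outermost test_filter (logged last) is TRUE.
    d["filter_passed"] = bool(d["filter_codes"]) and d["filter_codes"][-1] == COMPARE_TRUE
    return d

# Sample input: the two traces from the report, trimmed to the lines the parser reads.
TRACE_OK = """\
521cdb75 => acl_get: [1] matched
521cdb75 => acl_get: [2] matched
521cdb75 <= test_filter 6
521cdb75 => acl_get: [2] attr entry
521cdb75 <= acl_mask: [1] applying read(=rscxd) (stop)
521cdb75 => access_allowed: read access granted by read(=rscxd)
""".splitlines()
TRACE_RWM = """\
521cdd96 => acl_get: [1] matched
521cdd96 => acl_get: [2] matched
521cdd96 <= test_filter 5
521cdd96 => acl_get: [4] matched
521cdd96 => acl_get: [4] attr entry
521cdd96 <= acl_mask: [1] applying none(=0) (stop)
521cdd96 => slap_access_allowed: read access denied by none(=0)
""".splitlines()
```

Running parse_acl_trace over TRACE_OK reports ACL [2] granting read after its filter returned 6; over TRACE_RWM it reports the filter returning 5, ACL [2] skipped, and ACL [4] applying none.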