(ITS#7673) rwm and bad ACL evaluation
Full_Name: Russell Mosemann
Version: 2.4.36
OS: Debian 6 and 7
URL:
Submission from: (NULL) (192.160.64.50)
Including rwm directives causes ACL evaluation to be incorrectly performed. rwm
plays no role in rewriting any part of the incoming query or outgoing results.
Simply commenting the rwm lines without making any other configuration changes
permits the query to succeed. The query is coming from an authenticated entry
that is allowed to search the subtree.
# rwm configuration - Commenting the following lines allows the query to succeed.
overlay rwm
rwm-rewriteEngine on
rwm-rewriteMap slapd flt2dn "ldap:///ou=accounts,o=cune?dn?sub"
rwm-rewriteContext bindDN
rwm-rewriteRule "^(mail=[a-z0-9-]+\\.[a-z0-9-]+@cune\\.org),ou=People,o=cune$"
    "${flt2dn((\&($1)(accountStatus=active)(userClass=stu)))}"
    ":@I"
# There are only 4 ACLs.
# Allow authentication
access to dn.subtree="ou=accounts,o=cune" attrs=userPassword
    by self write
    by peername.ip=127.0.0.0%255.255.255.0 search
    by peername.ip=10.0.0.0%255.255.192.0 search
    by anonymous auth
# Allow reading of certain attributes.
access to dn.subtree="ou=accounts,o=cune"
    filter=(&(userClass=stu)(accountStatus=active))
    attrs=cn,entry,mail,objectClass,sn,uid,userClass,accountStatus
    by dn="qmailGID=306,ou=accounts,o=cune" read
    by peername.ip=127.0.0.0%255.255.255.0 read
    by peername.ip=10.0.0.0%255.255.192.0 read
    by * none
# Search access to the base is required to search children.
access to dn.base="ou=accounts,o=cune"
    by dn="qmailGID=306,ou=accounts,o=cune" search
    by peername.ip=127.0.0.0%255.255.255.0 read
    by peername.ip=10.0.0.0%255.255.192.0 read
    by * none
# No access to other parts.
access to dn.subtree="o=cune"
    by dn="qmailGID=306,ou=accounts,o=cune" none
    by peername.ip=127.0.0.0%255.255.255.0 read
    by peername.ip=10.0.0.0%255.255.192.0 read
    by * none
The query is from the authenticated entry "qmailGID=306,ou=accounts,o=cune"
searching the base "ou=accounts,o=cune" with the filter "(uid=Test.Entry)". This
is the debugging output when the rwm lines above are commented. The query
succeeds.
521cdb75 => send_search_entry: conn 1001 dn="qmailUID=2,ou=accounts,o=cune"
521cdb75 => access_allowed: read access to "qmailUID=2,ou=accounts,o=cune"
"entry" requested
521cdb75 => dn: [1] ou=accounts,o=cune
521cdb75 => acl_get: [1] matched
521cdb75 => dn: [2] ou=accounts,o=cune
521cdb75 => acl_get: [2] matched
521cdb75 => test_filter
521cdb75 AND
521cdb75 => test_filter_and
521cdb75 => test_filter
521cdb75 EQUALITY
521cdb75 => access_allowed: search access to "qmailUID=2,ou=accounts,o=cune"
"userClass" requested
521cdb75 <= test_filter 6
521cdb75 => test_filter
521cdb75 EQUALITY
521cdb75 => access_allowed: search access to "qmailUID=2,ou=accounts,o=cune"
"accountStatus" requested
521cdb75 <= test_filter 6
521cdb75 <= test_filter_and 6
521cdb75 <= test_filter 6
521cdb75 => acl_get: [2] attr entry
521cdb75 => acl_mask: access to entry "qmailUID=2,ou=accounts,o=cune", attr
"entry" requested
521cdb75 => acl_mask: to all values by "qmailGID=306,ou=accounts,o=cune", (=0)
521cdb75 <= check a_dn_pat: qmailGID=306,ou=accounts,o=cune
521cdb75 <= acl_mask: [1] applying read(=rscxd) (stop)
521cdb75 <= acl_mask: [1] mask: read(=rscxd)
521cdb75 => slap_access_allowed: read access granted by read(=rscxd)
521cdb75 => access_allowed: read access granted by read(=rscxd)
ber_flush2: 40 bytes to sd 22
0000: 30 26 02 01 02 64 21 04 1d 71 6d 61 69 6c 55 49 0&...d!..qmailUI
0010: 44 3d 32 2c 6f 75 3d 61 63 63 6f 75 6e 74 73 2c D=2,ou=accounts,
0020: 6f 3d 63 75 6e 65 30 00 o=cune0.
ldap_write: want=40, written=40
0000: 30 26 02 01 02 64 21 04 1d 71 6d 61 69 6c 55 49 0&...d!..qmailUI
0010: 44 3d 32 2c 6f 75 3d 61 63 63 6f 75 6e 74 73 2c D=2,ou=accounts,
0020: 6f 3d 63 75 6e 65 30 00 o=cune0.
521cdb75 <= send_search_entry: conn 1001 exit.
521cdb75 send_ldap_result: conn=1001 op=1 p=3
521cdb75 send_ldap_result: err=0 matched="" text=""
521cdb75 send_ldap_response: msgid=2 tag=101 err=0
This is the debugging output after uncommenting the rwm lines and making no
other configuration changes. Search access allowed in the second ACL is not
found, and it proceeds to the fourth ACL where all access is denied.
521cdd96 => send_search_entry: conn 1004 dn="qmailUID=2,ou=accounts,o=cune"
521cdd96 => access_allowed: read access to "qmailUID=2,ou=accounts,o=cune"
"entry" requested
521cdd96 => dn: [1] ou=accounts,o=cune
521cdd96 => acl_get: [1] matched
521cdd96 => dn: [2] ou=accounts,o=cune
521cdd96 => acl_get: [2] matched
521cdd96 => test_filter
521cdd96 AND
521cdd96 => test_filter_and
521cdd96 => test_filter
521cdd96 EQUALITY
521cdd96 => access_allowed: search access to "qmailUID=2,ou=accounts,o=cune"
"userClass" requested
521cdd96 <= test_filter 5
521cdd96 <= test_filter_and 5
521cdd96 <= test_filter 5
521cdd96 => dn: [3] ou=accounts,o=cune
521cdd96 => dn: [4] o=cune
521cdd96 => acl_get: [4] matched
521cdd96 => acl_get: [4] attr entry
521cdd96 => acl_mask: access to entry "qmailUID=2,ou=accounts,o=cune", attr
"entry" requested
521cdd96 => acl_mask: to all values by "qmailGID=306,ou=accounts,o=cune", (=0)
521cdd96 <= check a_dn_pat: qmailGID=306,ou=accounts,o=cune
521cdd96 <= acl_mask: [1] applying none(=0) (stop)
521cdd96 <= acl_mask: [1] mask: none(=0)
521cdd96 => slap_access_allowed: read access denied by none(=0)
521cdd96 => access_allowed: no more rules
521cdd96 send_search_entry: conn 1004 access to entry
(qmailUID=2,ou=accounts,o=cune) not allowed
521cdd96 send_ldap_result: conn=1004 op=1 p=3
521cdd96 send_ldap_result: err=0 matched="" text=""
521cdd96 send_ldap_response: msgid=2 tag=101 err=0
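Added example, not part of the ITS report: a small Python parser that reduces each of the two slapd ACL debug traces above to the facts that decided access, which ACLs matched, whether the matched ACL's filter= clause evaluated TRUE (slapd logs test_filter's LDAP compare code: 6 is LDAP_COMPARE_TRUE, 5 is LDAP_COMPARE_FALSE), which ACL's by clauses were applied, and the final decision. The embedded traces are constructed excerpts of the report's own output; the class and function names are this example's.

```python
import re
from dataclasses import dataclass, field

# slapd's test_filter() logs its return value as an LDAP compare code (ldap.h).
LDAP_COMPARE_FALSE, LDAP_COMPARE_TRUE = 5, 6
# Constructed excerpts of the two traces quoted in the report, one entry each.
WITHOUT_RWM = """\
521cdb75 => acl_get: [1] matched
521cdb75 => acl_get: [2] matched
521cdb75 <= test_filter 6
521cdb75 => acl_get: [2] attr entry
521cdb75 <= acl_mask: [1] applying read(=rscxd) (stop)
521cdb75 => access_allowed: read access granted by read(=rscxd)
"""
WITH_RWM = """\
521cdd96 => acl_get: [1] matched
521cdd96 => acl_get: [2] matched
521cdd96 <= test_filter 5
521cdd96 => acl_get: [4] matched
521cdd96 => acl_get: [4] attr entry
521cdd96 <= acl_mask: [1] applying none(=0) (stop)
521cdd96 => slap_access_allowed: read access denied by none(=0)
"""

@dataclass
class AclTrace:
    matched: list = field(default_factory=list)  # ACLs whose <what> clause matched
    filter_ok: bool = None   # did the matched ACL's filter= evaluate TRUE?
    applied_acl: int = None  # ACL whose <by> clauses were finally applied
    decision: str = None     # granted / denied

RE_MATCHED = re.compile(r"acl_get: \[(\d+)\] matched")
RE_FILTER = re.compile(r"<= test_filter (\d+)\s*$")
RE_ATTR = re.compile(r"acl_get: \[(\d+)\] attr ")
RE_DECISION = re.compile(r"access_allowed: \w+ access (granted|denied)")

def summarize(trace):
    # Reduce one send_search_entry ACL trace to the facts that decided access.
    t = AclTrace()
    for line in trace.splitlines():
        if m := RE_MATCHED.search(line):
            t.matched.append(int(m.group(1)))
        elif (m := RE_FILTER.search(line)) and t.applied_acl is None:
            # nested test_filter results come first; the last one is the outermost
            t.filter_ok = int(m.group(1)) == LDAP_COMPARE_TRUE
        elif m := RE_ATTR.search(line):
            t.applied_acl = int(m.group(1))
        elif m := RE_DECISION.search(line):
            t.decision = m.group(1)
    return t
```

Running it over both traces shows the difference the report describes: without rwm the second ACL's filter is TRUE and its read clause applies, with rwm the same filter is FALSE, so evaluation falls through to the fourth ACL's none.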
There is nothing special about the LDAP entry for Test.Entry.
dn: qmailUID=2,ou=accounts,o=cune
objectClass: pilotPerson
objectClass: qmailUser
objectClass: PureFTPdUser
cn: Test Entry
sn: Entry
uid: Test.Entry
qmailUID: 2
accountStatus: active
mail: test.entry@cune.org
userClass: stu
Please let me know if you require any other information. Thank you.
Russell Mosemann