Re: slapo-dynlist design question(s)
--On Friday, January 12, 2007 8:49 PM +0100 Pierangelo Masarati <ando@sys-net.it> wrote:

> Quanah Gibson-Mount wrote:
>> My intention is to be able to do something like:
>> access to dn.exact="cn=groupa,cn=groups,dc=stanford,dc=edu"
>
> This should read:
>
> access to dn.exact="cn=groupa,cn=groups,dc=stanford,dc=edu" attrs=member
>
> Try this patch (to HEAD as of now).
No go... I have:
access to
dn.exact="cn=registry-consult,cn=groups,cn=applications,dc=stanford,dc=edu"
attrs=member
by dn.base="uid=cadabra,cn=accounts,dc=stanford,dc=edu" read
by * none
(cadabra is my test account)
I get nothing back.
If I change it to:
access to
dn.exact="cn=registry-consult,cn=groups,cn=applications,dc=stanford,dc=edu"
by dn.base="uid=cadabra,cn=accounts,dc=stanford,dc=edu" sasl_ssf=56
read
by * none
I can see:
dn: cn=registry-consult,cn=groups,cn=applications,dc=stanford,dc=edu
objectClass: groupOfURLs
cn: registry-consult
memberURL: ldap:///cn=people,dc=stanford,dc=edu??sub?(suprivilegegroup=registry:consult)
(notice no membership)
If I search this with my normal id (quanah) which has full access, I get
the listing + members.
debug level -1 shows:
[snip]
<==slap_sasl2dn: Converted SASL name to
uid=cadabra,cn=accounts,dc=stanford,dc=edu
slap_sasl_getdn: dn:id converted to
uid=cadabra,cn=accounts,dc=stanford,dc=edu
SASL Canonicalize [conn=0]:
slapAuthcDN="uid=cadabra,cn=accounts,dc=stanford,dc=edu"
SASL proxy authorize [conn=0]: authcid="cadabra@stanford.edu"
authzid="cadabra@stanford.edu"
conn=0 op=3 BIND authcid="cadabra@stanford.edu"
authzid="cadabra@stanford.edu"
SASL Authorize [conn=0]: proxy authorization allowed authzDN=""
send_ldap_sasl: err=0 len=-1
conn=0 op=3 BIND dn="uid=cadabra,cn=accounts,dc=stanford,dc=edu"
mech=GSSAPI ssf=56
conn=0 op=4 SRCH base="cn=groups,cn=applications,dc=stanford,dc=edu"
scope=2 deref=0 filter="(cn=registry-consult)"
=> access_allowed: search access to
"cn=registry-consult,cn=groups,cn=applications,dc=stanford,dc=edu" "cn"
requested
=> acl_mask: access to entry
"cn=registry-consult,cn=groups,cn=applications,dc=stanford,dc=edu", attr
"cn" requested
=> acl_mask: to value by "uid=cadabra,cn=accounts,dc=stanford,dc=edu", (=0)
<= check a_dn_pat: uid=cadabra,cn=accounts,dc=stanford,dc=edu
<= check a_authz.sai_sasl_ssf: ACL 56 > OP 56
<= acl_mask: [1] applying read(=rscxd) (stop)
<= acl_mask: [1] mask: read(=rscxd)
=> slap_access_allowed: search access granted by read(=rscxd)
=> access_allowed: search access granted by read(=rscxd)
<= test_filter 6
ldap_url_parse_ext(ldap:///cn=people,dc=stanford,dc=edu??sub?(suprivilegegroup=registry:consult))
dnPrettyNormal: <cn=people,dc=stanford,dc=edu>
=> ldap_bv2dn(cn=people,dc=stanford,dc=edu,0)
<= ldap_bv2dn(cn=people,dc=stanford,dc=edu)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(cn=people,dc=stanford,dc=edu)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(cn=people,dc=stanford,dc=edu)=0
<<< dnPrettyNormal: <cn=people,dc=stanford,dc=edu>,
<cn=people,dc=stanford,dc=edu>
str2filter
"(&(!(objectClass=groupOfURLs))(suprivilegegroup=registry:consult))"
put_filter:
"(&(!(objectClass=groupOfURLs))(suprivilegegroup=registry:consult))"
put_filter: AND
put_filter_list
"(!(objectClass=groupOfURLs))(suprivilegegroup=registry:consult)"
put_filter: "(!(objectClass=groupOfURLs))"
put_filter: NOT
put_filter_list "(objectClass=groupOfURLs)"
put_filter: "(objectClass=groupOfURLs)"
put_filter: simple
put_simple_filter: "objectClass=groupOfURLs"
put_filter: "(suprivilegegroup=registry:consult)"
put_filter: simple
put_simple_filter: "suprivilegegroup=registry:consult"
begin get_filter
AND
begin get_filter_list
begin get_filter
NOT
begin get_filter
EQUALITY
search_candidates: base="cn=people,dc=stanford,dc=edu" (0x00000006) scope=2
Most importantly, as you can see here:
=> acl_mask: access to entry
"suRegID=000648cb784048849a1573566ffe0ef8,cn=people,dc=stanford,dc=edu",
attr "objectClass" requested
=> acl_mask: to value by "uid=cadabra,cn=accounts,dc=stanford,dc=edu", (=0)
[snip]
<= acl_mask: no more <who> clauses, returning =0 (stop)
=> slap_access_allowed: search access denied by =0
=> access_allowed: no more rules
It is still using the "cadabra" credentials to find membership in the
group, and not the internal rootdn.
--Quanah
--
Quanah Gibson-Mount
Principal Software Developer
ITS/Shared Application Services
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
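The diagnosis above rests on reading the acl_mask trace: the check on the group entry is made "by uid=cadabra" and granted, while the checks on the entries under cn=people (the memberURL base the overlay searches to expand membership) are also made "by uid=cadabra" and denied. The script below is an added example, not code from the thread or from OpenLDAP; it parses a constructed slapd debug trace modelled on the lines quoted above (real slapd output is one line per message, the copy in the mail is wrapped), pairs each "access to entry" header with the identity line and the grant/deny result that follow it, and then reports which identity was used for the checks under the expansion base. The group DN, expansion base and client DN are passed in as parameters; the helper names are my own.

```python
"""Summarise slapd ACL debug traces: which entry/attribute was checked, under
which identity, and whether access was granted. Example code, not OpenLDAP's."""
import re
from collections import namedtuple

AclCheck = namedtuple("AclCheck", "entry attr identity granted")

# One regex per trace line we care about; everything else is ignored.
ENTRY_RE = re.compile(r'=> acl_mask: access to entry "([^"]+)", attr "([^"]+)" requested')
WHO_RE = re.compile(r'=> acl_mask: to value by "([^"]*)"')
GRANT_RE = re.compile(r'<= acl_mask: \[\d+\] applying (\w+)\(=[^)]*\) \(stop\)')
DENY_RE = re.compile(r'<= acl_mask: no more <who> clauses, returning =0 \(stop\)')

# Constructed sample, modelled on the trace quoted in the thread (unwrapped).
SAMPLE_LOG = """\
conn=0 op=4 SRCH base="cn=groups,cn=applications,dc=stanford,dc=edu" scope=2 deref=0 filter="(cn=registry-consult)"
=> acl_mask: access to entry "cn=registry-consult,cn=groups,cn=applications,dc=stanford,dc=edu", attr "cn" requested
=> acl_mask: to value by "uid=cadabra,cn=accounts,dc=stanford,dc=edu", (=0)
<= check a_dn_pat: uid=cadabra,cn=accounts,dc=stanford,dc=edu
<= check a_authz.sai_sasl_ssf: ACL 56 > OP 56
<= acl_mask: [1] applying read(=rscxd) (stop)
<= acl_mask: [1] mask: read(=rscxd)
search_candidates: base="cn=people,dc=stanford,dc=edu" (0x00000006) scope=2
=> acl_mask: access to entry "suRegID=000648cb784048849a1573566ffe0ef8,cn=people,dc=stanford,dc=edu", attr "objectClass" requested
=> acl_mask: to value by "uid=cadabra,cn=accounts,dc=stanford,dc=edu", (=0)
<= acl_mask: no more <who> clauses, returning =0 (stop)
"""


def parse_acl_checks(lines):
    """Pair each '=> acl_mask: access to entry' header with the identity line
    and the terminating grant/deny line that follow it."""
    checks = []
    entry = attr = identity = None
    for raw in lines:
        line = raw.strip()
        m = ENTRY_RE.search(line)
        if m:
            entry, attr, identity = m.group(1), m.group(2), None
            continue
        if entry is None:
            continue  # not inside an ACL check
        m = WHO_RE.search(line)
        if m:
            identity = m.group(1)
        elif GRANT_RE.search(line):
            checks.append(AclCheck(entry, attr, identity, True))
            entry = attr = identity = None
        elif DENY_RE.search(line):
            checks.append(AclCheck(entry, attr, identity, False))
            entry = attr = identity = None
    return checks


def expansion_checks(checks, group_dn, expansion_base):
    """Checks that belong to the overlay's internal search: entries under the
    memberURL base rather than the group entry the client asked for."""
    suffix = "," + expansion_base.lower()
    return [c for c in checks
            if c.entry.lower() != group_dn.lower() and c.entry.lower().endswith(suffix)]


def expansion_identities(checks, group_dn, expansion_base):
    """Map each identity used during expansion to its granted/denied counts."""
    summary = {}
    for c in expansion_checks(checks, group_dn, expansion_base):
        counts = summary.setdefault(c.identity, {"granted": 0, "denied": 0})
        counts["granted" if c.granted else "denied"] += 1
    return summary


def expansion_runs_as_client(checks, group_dn, expansion_base, client_dn):
    """True when membership expansion was evaluated under the client's own
    identity (the symptom described in the thread) rather than an internal one."""
    used = {i.lower() for i in expansion_identities(checks, group_dn, expansion_base)}
    return client_dn.lower() in used


if __name__ == "__main__":
    group = "cn=registry-consult,cn=groups,cn=applications,dc=stanford,dc=edu"
    base = "cn=people,dc=stanford,dc=edu"
    client = "uid=cadabra,cn=accounts,dc=stanford,dc=edu"
    found = parse_acl_checks(SAMPLE_LOG.splitlines())
    for c in found:
        print(f"{'GRANT' if c.granted else 'DENY ':5} {c.attr:12} on {c.entry} by {c.identity}")
    print("expansion identities:", expansion_identities(found, group, base))
    print("expansion runs as client:", expansion_runs_as_client(found, group, base, client))
```

The useful signal is the last line: when the only identity seen on entries under the memberURL base is the bound client DN, and those checks are denied, the missing members are an ACL outcome on the expansion search rather than a problem with the group entry or the URL itself. Point it at a real `-d -1` capture after joining any mail-wrapped lines back together.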