Re: ACL confusion
At 11:43 AM -0700 6/24/99, "Kurt D. Zeilenga" <Kurt@OpenLDAP.org> wrote:
Thanks very much for the help.
That's not a valid DN (per RFC1779) and will likely cause problems.
Namely, the "," in o='Invantage, Inc.' must be quoted using an
approved mechanism. "'" character is NOT a quote character.
I tried quoting by following the example at the end of chapter 5 of
the SLAPD and SLURPD Administrators Guide: "o=\"Invantage,
Inc.\",c=US". This did not work - it yielded error messages
everywhere. Using single quotes looked distinctly bad to me, but it
had worked everywhere so far. I see from RFC 1779 that "o=Invantage\,
Inc.,c=US" should be permitted. I'll try that later.
>>access to *
>> by dn="uid=root,ou=Staff,o='Invantage, Inc.',c=US" write
>> by dn="cn=Netscape Server ,o='Invantage, Inc.',c=US" write
^
typo: s/cn=Netscape Server /cn=Netscape Server Admin/
Sorry, that was an accidental deletion from the email - it was
specified correctly in the config file.
I rebuilt the database with o=Invantage, to make sure that the comma
in the DN does not contribute to the problem, and tried again. The
same problem still occurs, as best I can tell. Here is the LDIF file
I imported to begin with:
dn: o=Invantage,c=US
objectclass: organization

dn: ou=Staff,o=Invantage,c=US
objectclass: organizationalUnit

dn: cn=Nicholas Riley,ou=Staff,o=Invantage,c=US
cn: Nicholas Riley
sn: Riley
uid: nicholas
ou: Staff
mail: nicholas@invantage.com
objectclass: person
userpassword: {crypt}<stuff>

dn: uid=root,ou=Staff,o=Invantage,c=US
uid: root
ou: Staff
description: System Administrator account
seeAlso: cn=Nicholas Riley,ou=Staff,o=Invantage,c=US
objectclass: account

dn: Netscape Server Admin,o=Invantage,c=US
cn: Netscape Server Admin
o: Invantage
uid: admin
description: Netscape server administrator
objectclass: person
userpassword: {crypt}<other stuff>
and portions of slapd.conf again:
rootdn "uid=root,ou=Staff,o=Invantage,c=US"
defaultaccess read

access to attr=userpassword
        by self write
        by dn="uid=root,ou=Staff,o=Invantage,c=US" write
        by dn="cn=Netscape Server Admin,o=Invantage,c=US" write
        by * compare

access to *
        by dn="uid=root,ou=Staff,o=Invantage,c=US" write
        by dn="cn=Netscape Server Admin,o=Invantage,c=US" write
        by * read
If you have further problems,
be sure to provide log details with TRACE and ARGS enabled
in addition to ACLS, i.e. -d 1 -d 4 -d 128 OR -d 133.
OK, this is huge...
{nicholas#pts/0@hannibal:51} 3:15pm ~>sudo /usr/local/libexec/slapd -d 133
slapd 1.2.1-Release (Wed Jun 23 11:59:45 EDT 1999)
nicholas@hannibal:/home/nicholas/ldap/servers/slapd
ACL: access to
attrs=userpassword
by dn=self
by dn=UID=ROOT,OU=STAFF,O=INVANTAGE,C=US
by dn=CN=NETSCAPE SERVER ADMIN,O=INVANTAGE,C=US
by dn=.*
ACL: access to dn=.*
by dn=UID=ROOT,OU=STAFF,O=INVANTAGE,C=US
by dn=CN=NETSCAPE SERVER ADMIN,O=INVANTAGE,C=US
by dn=.*
slapd starting
do_bind
do_bind: version 2 dn (uid=root,ou=Staff,o=Invantage,c=US) method 128
==> ldbm_back_bind: dn: UID=ROOT,OU=STAFF,O=INVANTAGE,C=US
dn2entry_r: dn: "UID=ROOT,OU=STAFF,O=INVANTAGE,C=US"
=> dn2id( "UID=ROOT,OU=STAFF,O=INVANTAGE,C=US" )
=> ldbm_cache_open( "/var/ldap/ldbm-invantage/dn2id.gdbm", 2, 600 )
ldbm_cache_open (blksize 8192) (maxids 2046) (maxindirect 2)
<= ldbm_cache_open (opened 0)
<= dn2id 4
=> id2entry_r( 4 )
=> ldbm_cache_open( "/var/ldap/ldbm-invantage/id2entry.gdbm", 2, 600 )
ldbm_cache_open (blksize 8192) (maxids 2046) (maxindirect 2)
<= ldbm_cache_open (opened 1)
=> str2entry
<= str2entry 0x62138
entry_rdwr_rlock: ID: 4
<= id2entry_r( 4 ) (disk)
====> cache_return_entry_r
entry_rdwr_runlock: ID: 4
do_bind: bound "uid=root,ou=Staff,o=Invantage,c=US" to
"uid=root,ou=Staff,o=Invantage,c=US"
send_ldap_result 0::
do_search
SRCH "O=INVANTAGE,C=US" 2 0 0 0 -1
filter: (uid=ADMIN)
attrs: objectclass
=> ldbm_back_search
using base "O=INVANTAGE,C=US"
subtree_candidates: base: "O=INVANTAGE,C=US" lookupbase
dn2entry_r: dn: "O=INVANTAGE,C=US"
=> dn2id( "O=INVANTAGE,C=US" )
=> ldbm_cache_open( "/var/ldap/ldbm-invantage/dn2id.gdbm", 2, 600 )
<= ldbm_cache_open (cache 0)
<= dn2id 1
=> id2entry_r( 1 )
=> ldbm_cache_open( "/var/ldap/ldbm-invantage/id2entry.gdbm", 2, 600 )
<= ldbm_cache_open (cache 1)
=> str2entry
<= str2entry 0xa5778
entry_rdwr_rlock: ID: 1
<= id2entry_r( 1 ) (disk)
====> cache_return_entry_r
entry_rdwr_runlock: ID: 1
=> filter_candidates
=> list_candidates 0xa1
=> filter_candidates
=> ava_candidates 0xa3
=> index_read( "objectclass" "=" "REFERRAL" )
=> ldbm_cache_open( "/var/ldap/ldbm-invantage/objectclass.gdbm", 2, 600 )
ldbm_cache_open (blksize 8192) (maxids 2046) (maxindirect 2)
<= ldbm_cache_open (opened 2)
<= index_read 0 candidates
<= ava_candidates 0
<= filter_candidates 0
=> filter_candidates
=> ava_candidates 0xa3
=> index_read( "uid" "=" "ADMIN" )
=> ldbm_cache_open( "/var/ldap/ldbm-invantage/uid.gdbm", 2, 600 )
ldbm_cache_open (blksize 8192) (maxids 2046) (maxindirect 2)
<= ldbm_cache_open (opened 3)
<= index_read 1 candidates
<= ava_candidates 1
<= filter_candidates 1
<= list_candidates 1
<= filter_candidates 1
=> id2entry_r( 5 )
=> ldbm_cache_open( "/var/ldap/ldbm-invantage/id2entry.gdbm", 2, 600 )
<= ldbm_cache_open (cache 1)
=> str2entry
<= str2entry 0xde208
entry_rdwr_rlock: ID: 5
<= id2entry_r( 5 ) (disk)
=> access_allowed: entry (Netscape Server Admin,o=Invantage,c=US) attr (uid)
=> acl_get: entry (Netscape Server Admin,o=Invantage,c=US) attr (uid)
<= acl_get: no acl applicable to database root
=> acl_access_allowed: search access to entry "Netscape Server
Admin,o=Invantage,c=US"
=> acl_access_allowed: search access to value "ADMIN" by
"UID=ROOT,OU=STAFF,O=INVANTAGE,C=US"
<= acl_access_allowed: granted to database root
=> access_allowed: exit (Netscape Server Admin,o=Invantage,c=US) attr (uid)
=> send_search_entry (Netscape Server Admin,o=Invantage,c=US)
=> access_allowed: entry (Netscape Server Admin,o=Invantage,c=US) attr (entry)
=> acl_get: entry (Netscape Server Admin,o=Invantage,c=US) attr (entry)
<= acl_get: no acl applicable to database root
=> acl_access_allowed: read access to entry "Netscape Server
Admin,o=Invantage,c=US"
=> acl_access_allowed: read access to value "any" by
"UID=ROOT,OU=STAFF,O=INVANTAGE,C=US"
<= acl_access_allowed: granted to database root
=> access_allowed: exit (Netscape Server Admin,o=Invantage,c=US) attr (entry)
=> acl_get: entry (Netscape Server Admin,o=Invantage,c=US) attr (objectclass)
<= acl_get: no acl applicable to database root
=> acl_access_allowed: read access to entry "Netscape Server
Admin,o=Invantage,c=US"
=> acl_access_allowed: read access to value "any" by
"UID=ROOT,OU=STAFF,O=INVANTAGE,C=US"
<= acl_access_allowed: granted to database root
<= send_search_entry
====> cache_return_entry_r
entry_rdwr_runlock: ID: 5
send_ldap_result 0::
do_bind
do_bind: version 2 dn (Netscape Server Admin,o=Invantage,c=US) method 128
==> ldbm_back_bind: dn: NETSCAPESERVERADMIN,O=INVANTAGE,C=US
dn2entry_r: dn: "NETSCAPESERVERADMIN,O=INVANTAGE,C=US"
=> dn2id( "NETSCAPESERVERADMIN,O=INVANTAGE,C=US" )
====> cache_find_entry_dn2id: found dn: NETSCAPESERVERADMIN,O=INVANTAGE,C=US
<= dn2id 5 (in cache)
=> id2entry_r( 5 )
====> cache_find_entry_dn2id: found id: 5 rw: 0
entry_rdwr_rtrylock: ID: 5
<= id2entry_r 0xde208 (cache)
====> cache_return_entry_r
entry_rdwr_runlock: ID: 5
do_bind: bound "Netscape Server Admin,o=Invantage,c=US" to "Netscape
Server Admin,o=Invantage,c=US"
send_ldap_result 0::
do_search
SRCH "O=INVANTAGE,C=US" 2 0 0 0 -1
filter: (uid=WILL)
attrs: uid
=> ldbm_back_search
using base "O=INVANTAGE,C=US"
subtree_candidates: base: "O=INVANTAGE,C=US" lookupbase
dn2entry_r: dn: "O=INVANTAGE,C=US"
=> dn2id( "O=INVANTAGE,C=US" )
====> cache_find_entry_dn2id: found dn: O=INVANTAGE,C=US
<= dn2id 1 (in cache)
=> id2entry_r( 1 )
====> cache_find_entry_dn2id: found id: 1 rw: 0
entry_rdwr_rtrylock: ID: 1
<= id2entry_r 0xa5778 (cache)
====> cache_return_entry_r
entry_rdwr_runlock: ID: 1
=> filter_candidates
=> list_candidates 0xa1
=> filter_candidates
=> ava_candidates 0xa3
=> index_read( "objectclass" "=" "REFERRAL" )
=> ldbm_cache_open( "/var/ldap/ldbm-invantage/objectclass.gdbm", 2, 600 )
<= ldbm_cache_open (cache 2)
<= index_read 0 candidates
<= ava_candidates 0
<= filter_candidates 0
=> filter_candidates
=> ava_candidates 0xa3
=> index_read( "uid" "=" "WILL" )
=> ldbm_cache_open( "/var/ldap/ldbm-invantage/uid.gdbm", 2, 600 )
<= ldbm_cache_open (cache 3)
<= index_read 0 candidates
<= ava_candidates 0
<= filter_candidates 0
<= list_candidates 0
<= filter_candidates 0
send_ldap_result 0::
do_add
do_add: ndn (UID=WILL,O=INVANTAGE,C=US)
==> ldbm_back_add: uid=will,o=Invantage,c=US
=> dn2id( "UID=WILL,O=INVANTAGE,C=US" )
=> ldbm_cache_open( "/var/ldap/ldbm-invantage/dn2id.gdbm", 2, 600 )
<= ldbm_cache_open (cache 0)
<= dn2id NOID
dn2entry_w: dn: "O=INVANTAGE,C=US"
=> dn2id( "O=INVANTAGE,C=US" )
====> cache_find_entry_dn2id: found dn: O=INVANTAGE,C=US
<= dn2id 1 (in cache)
=> id2entry_w( 1 )
====> cache_find_entry_dn2id: found id: 1 rw: 1
entry_rdwr_wtrylock: ID: 1
<= id2entry_w 0xa5778 (cache)
=> access_allowed: entry (o=Invantage,c=US) attr (children)
=> acl_get: entry (o=Invantage,c=US) attr (children)
=> acl_get: edn O=INVANTAGE,C=US
=> acl_get: [1] check attr children
=> dnpat: [2] .* nsub: 0
=> acl_get:[2] backend ACL match
=> acl_get: [2] check attr children
<= acl_get: [2] backend acl o=Invantage,c=US attr: children
=> acl_access_allowed: write access to entry "o=Invantage,c=US"
=> acl_access_allowed: write access to value "any" by
"NETSCAPESERVERADMIN,O=INVANTAGE,C=US"
<= check a_dnpat: UID=ROOT,OU=STAFF,O=INVANTAGE,C=US
=> string_expand: pattern: UID=ROOT,OU=STAFF,O=INVANTAGE,C=US
=> string_expand: expanded: UID=ROOT,OU=STAFF,O=INVANTAGE,C=US
=> regex_matches: string: NETSCAPESERVERADMIN,O=INVANTAGE,C=US
=> regex_matches: rc: 1 no matches
<= check a_dnpat: CN=NETSCAPE SERVER ADMIN,O=INVANTAGE,C=US
=> string_expand: pattern: CN=NETSCAPE SERVER ADMIN,O=INVANTAGE,C=US
=> string_expand: expanded: CN=NETSCAPE SERVER ADMIN,O=INVANTAGE,C=US
=> regex_matches: string: NETSCAPESERVERADMIN,O=INVANTAGE,C=US
=> regex_matches: rc: 1 no matches
<= check a_dnpat: .*
=> string_expand: pattern: .*
=> string_expand: expanded: .*
=> regex_matches: string: NETSCAPESERVERADMIN,O=INVANTAGE,C=US
=> regex_matches: rc: 0 matches
<= acl_access_allowed: matched by clause #3 access denied
=> access_allowed: exit (o=Invantage,c=US) attr (children)
no access to parent
send_ldap_result 50::
====> cache_return_entry_w
entry_rdwr_wunlock: ID: 1
do_unbind
--
Nicholas Riley <nicholas@invantage.com>
Invantage, Inc. / 149 Sidney St. / Cambridge MA 02139 / +1 617 577 7844
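The two DN problems discussed in this thread (a comma inside an unquoted value, and an RDN that lacks its `cn=` attribute type so the ACL `by dn=` pattern never matches it) can both be caught before data or ACLs reach slapd. The following is an added example, not code from the thread or from OpenLDAP; it assumes slapd 1.x semantics as shown in the debug log above (DNs are upper-cased before comparison, and `by dn=` patterns are matched as regular expressions in clause order). The normalizer here only strips whitespace around `=` and `,`; slapd's own normalizer mangles a type-less RDN further, but the ACL outcome is the same.

```python
import re

def split_dn(dn):
    """Split a DN into RDN strings at commas that are neither backslash-escaped
    nor inside a double-quoted value (RFC 1779). Single quotes are not special."""
    rdns, cur, quoted, i = [], [], False, 0
    while i < len(dn):
        c = dn[i]
        if c == "\\" and i + 1 < len(dn):       # keep the escape pair intact
            cur.append(dn[i:i + 2]); i += 2; continue
        if c == '"':
            quoted = not quoted
        if c == "," and not quoted:
            rdns.append("".join(cur).strip()); cur = []
        else:
            cur.append(c)
        i += 1
    rdns.append("".join(cur).strip())
    return rdns

def dn_problems(dn):
    """Return human-readable problems with a DN (empty list if it looks valid)."""
    problems = []
    for rdn in split_dn(dn):
        if "=" not in rdn:
            problems.append(f"RDN {rdn!r} is not of the form type=value")
        elif not re.fullmatch(r"[A-Za-z][A-Za-z0-9-]*", rdn.split("=", 1)[0].strip()):
            problems.append(f"RDN {rdn!r} has an invalid attribute type")
    if re.sub(r"\\.", "", dn).count('"') % 2:   # ignore escaped quotes when counting
        problems.append("unbalanced double quotes")
    return problems

def normalize_dn(dn):
    """Upper-case and strip spaces around '=' and ',' so bind DNs and ACL
    patterns compare the way the slapd -d 128 output shows them."""
    return ",".join("=".join(p.strip() for p in rdn.split("=", 1))
                    for rdn in split_dn(dn)).upper()

def matching_clause(by_dn_patterns, bind_dn):
    """Return the 1-based number of the first 'by dn=' clause whose (normalized)
    regex pattern fully matches the normalized bind DN, or None."""
    ndn = normalize_dn(bind_dn)
    for i, pat in enumerate(by_dn_patterns):
        if re.fullmatch(normalize_dn(pat), ndn):
            return i + 1
    return None

# Clauses of the "access to *" directive from the slapd.conf in this thread.
ACL = ["uid=root,ou=Staff,o=Invantage,c=US",
       "cn=Netscape Server Admin,o=Invantage,c=US", ".*"]
```

Run `dn_problems()` over every `dn:` line of an LDIF and every `rootdn`/`by dn=` value before loading them; an RDN without `type=value` form, as in the fifth entry above, is what makes the bind fall through to the `by *` clause (#3) and be denied write access.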