[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: Re: attribute search help
So,
If I understand what you are telling me correctly, then I should not have to do
anything to get the server to read the attributes for the filtering to occur.
Perhaps, then, there is a flaw in my filtering? Here is what I have:
access to attr=userPassword
by * auth
access to attr=cn
by * read
# testing2...
access to attr=Security
by * read
access to filter=Security=PRIVATE attrs=*
by users read
by * search
access to filter=Security=PUBLIC attrs=*
by * read
(Note: I have also tried reversing the filter and attrs for the access lines:
access to * filter=blah as was shown in my original e-mail.)
I have slapd -d -160 running....
I do a basic search and notice the logs. Here is a sampling from an entry that
does not match my search:
=> test_filter
SUBSTRINGS
begin test_substrings_filter
=> access_allowed: search access to "cn=rogersrr" "cn" requested
=> acl_get: [1] check attr cn
=> acl_get: [2] check attr cn
<= acl_get: [2] acl cn=rogersrr attr: cn
=> acl_mask: access to entry "cn=rogersrr", attr "cn" requested
=> acl_mask: to all values by "CN=PITTSDS", (=n)
<= check a_dn_pat: *
<= acl_mask: [1] applying read (=rscx) (stop)
<= acl_mask: [1] mask: read (=rscx)
=> access_allowed: search access granted by read (=rscx)
end test_substrings_filter 1
<= test_filter 5
As I understand it, this tells me that I have access search the cn for this
record. It then finds that the entry does not pass the search string.
Here is a sampling from an entry that does match my search and the Security is
set to "Public":
=> test_filter
SUBSTRINGS
begin test_substrings_filter
=> access_allowed: search access to "cn=pittsdsp" "cn" requested
=> acl_get: [1] check attr cn
=> acl_get: [2] check attr cn
<= acl_get: [2] acl cn=pittsdsp attr: cn
=> acl_mask: access to entry "cn=pittsdsp", attr "cn" requested
=> acl_mask: to all values by "CN=PITTSDS", (=n)
<= check a_dn_pat: *
<= acl_mask: [1] applying read (=rscx) (stop)
<= acl_mask: [1] mask: read (=rscx)
=> access_allowed: search access granted by read (=rscx)
<= test_filter 6
=> access_allowed: read access to "cn=pittsdsp" "entry" requested
=> acl_get: [1] check attr entry
=> acl_get: [2] check attr entry
=> acl_get: [3] check attr entry
=> test_filter
EQUALITY
=> access_allowed: search access to "cn=pittsdsp" "Security" requested
<= test_filter 5
=> test_filter
EQUALITY
=> access_allowed: search access to "cn=pittsdsp" "Security" requested
<= test_filter 5
<= acl_get: done.
=> access_allowed: no more rules
=> access_allowed: read access denied by =n
acl: access to entry not allowed
Finally, here is an entry which matches my search criteria and has security set
to "Private""
=> test_filter
SUBSTRINGS
begin test_substrings_filter
=> access_allowed: search access to "cn=pittsde" "cn" requested
=> acl_get: [1] check attr cn
=> acl_get: [2] check attr cn
<= acl_get: [2] acl cn=pittsde attr: cn
=> acl_mask: access to entry "cn=pittsde", attr "cn" requested
=> acl_mask: to all values by "CN=PITTSDS", (=n)
<= check a_dn_pat: *
<= acl_mask: [1] applying read (=rscx) (stop)
<= acl_mask: [1] mask: read (=rscx)
=> access_allowed: search access granted by read (=rscx)
<= test_filter 6
=> access_allowed: read access to "cn=pittsde" "entry" requested
=> acl_get: [1] check attr entry
=> acl_get: [2] check attr entry
=> acl_get: [3] check attr entry
=> test_filter
EQUALITY
=> access_allowed: search access to "cn=pittsde" "Security" requested
<= test_filter 5
=> test_filter
EQUALITY
=> access_allowed: search access to "cn=pittsde" "Security" requested
<= test_filter 5
<= acl_get: done.
=> access_allowed: no more rules
=> access_allowed: read access denied by =n
acl: access to entry not allowed
>
> From: Julio Sanchez Fernandez <j_sanchez@stl.es>
> Date: 2001/11/14 Wed PM 07:26:49 EST
> To: "Pitts, David S" <dsp6855@qx.net>
> CC: openldap-software@OpenLDAP.org
> Subject: Re: attribute search help
>
> "Pitts, David S" <dsp6855@qx.net> writes:
>
> > access to * filter="(Security=PRIVATE)"
> > by users read
> > access to * filter="(Security=PUBLIC)"
> > by * read
> >
> > of course, this won't work if the client does not request the "security"
> > attribute. The question becomes (assuming everything I have said above is
> > true), "How do I force the attribute "security" to be returned (and, thus,
> > filtered upon) every time the server is accessed?
>
> Uhmmmm...
>
> Does not work like that? It should. I think your understanding of
> access control in slapd is wrong, I don't think this case is
> influenced by what filter was used in the search.
>
> Slapd retrieves the complete entry from disk or cache and has it at
> hand as a whole while evaluating the access control lists to decide
> what data, if any, to return to the client.
>
> I'd be surprised if it the filter used in the search would make any
> difference.
>
> Julio
>