
ACLs problem



Hi everybody,

I have an ACL problem with OpenLDAP 2.0.23, and I don't understand where
the error is.

All my users are at the same level (ou=personne,dc=univ-savoie,dc=fr), and
I want to authorize someone (uid=xxx,ou=people,dc=univ-savoie,dc=fr) to
access the attribute aglnPassword of all the users who have the attribute
mailGroup=dut-geii.

I include the data of interest below. If you need more information, I will
be glad to give it.

Sorry for my English, but it's not my primary language. Any help will be
much appreciated.

I use these ACLs:

#----------------------------------------
# ACLs
defaultaccess	none
access to attr=userPassword
		by self write
		by anonymous auth
		by * none

access to dn="uid=.*,ou=personne,dc=univ-savoie,dc=fr" filter=(mailGroup=dut-geii) attr=aglnPassword
		by self write
		by dn="uid=xxx,ou=personne,dc=univ-savoie,dc=fr" read
		by * none

access to attr=aglnPassword
		by self write
		by dn="uid=yyy,ou=personne,dc=univ-savoie,dc=fr" read
		by * none

access to *
		by * read
#----------------------------------------


I can't read the aglnPassword attribute as the uid=xxx user. Why?


You will find below the slapd log file (slapd -d 128) resulting from this
query: ldapsearch -D "uid=xxx,ou=personne,dc=univ-savoie,dc=fr" -W uid=zzz aglnPassword

Global ACL: access to attrs=userPassword
	by self write (=wrscx)
	by anonymous auth (=x)
	by * none (=n)

Global ACL: access to dn.regex=uid=.*,ou=personne,dc=univ-savoie,dc=fr
 filter=(mailGroup=dut-geii)
 attrs=aglnPassword
	by self write (=wrscx)
	by dn.regex=uid=xxx,ou=personne,dc=univ-savoie,dc=fr read
(=rscx)
	by * none (=n)

Global ACL: access to attrs=aglnPassword
	by self write (=wrscx)
	by dn.regex=uid=yyy, ou=personne, dc=univ-savoie, dc=fr read
(=rscx)
	by * none (=n)

Global ACL: access to *
	by * read (=rscx)

slapd starting
=> access_allowed: auth access to "uid=xxx, ou=personne, dc=univ-savoie,
dc=fr" "userPassword" requested
=> acl_get: [1] check attr userPassword
<= acl_get: [1] acl uid=xxx, ou=personne, dc=univ-savoie, dc=fr attr:
userPassword
=> acl_mask: access to entry "uid=xxx, ou=personne, dc=univ-savoie,
dc=fr", attr "userPassword" requested
=> acl_mask: to all values by "", (=n)
<= check a_dn_pat: self
<= check a_dn_pat: anonymous
<= acl_mask: [2] applying auth (=x) (stop)
<= acl_mask: [2] mask: auth (=x)
=> access_allowed: auth access granted by auth (=x)
ber_flush: 14 bytes to sd 9
=> access_allowed: search access to
"uid=zzz,ou=personne,dc=univ-savoie,dc=fr" "uid" requested
=> acl_get: [1] check attr uid
=> dnpat: [2] uid=.*,ou=personne,dc=univ-savoie,dc=fr nsub: 0
=> acl_get: [2] matched
=> access_allowed: search access to
"uid=zzz,ou=personne,dc=univ-savoie,dc=fr" "mailGroup" requested
=> acl_get: [2] check attr uid
=> acl_get: [3] check attr uid
=> acl_get: [4] check attr uid
=> acl_get: [5] check attr uid
=> acl_get: [6] check attr uid
=> acl_get: [7] check attr uid
=> acl_get: [8] check attr uid
=> acl_get: [9] check attr uid
<= acl_get: [9] acl uid=zzz,ou=personne,dc=univ-savoie,dc=fr attr: uid
=> acl_mask: access to entry "uid=zzz,ou=personne,dc=univ-savoie,dc=fr",
attr "uid" requested
=> acl_mask: to value by "UID=XXX,OU=PERSONNE,DC=UNIV-SAVOIE,DC=FR",
(=n)
<= check a_dn_pat: *
<= acl_mask: [1] applying read (=rscx) (stop)
<= acl_mask: [1] mask: read (=rscx)
=> access_allowed: search access granted by read (=rscx)
=> access_allowed: read access to
"uid=zzz,ou=personne,dc=univ-savoie,dc=fr" "entry" requested
=> acl_get: [1] check attr entry
=> dnpat: [2] uid=.*,ou=personne,dc=univ-savoie,dc=fr nsub: 0
=> acl_get: [2] matched
=> access_allowed: search access to
"uid=zzz,ou=personne,dc=univ-savoie,dc=fr" "mailGroup" requested
=> acl_get: [2] check attr entry
=> acl_get: [3] check attr entry
=> acl_get: [4] check attr entry
=> acl_get: [5] check attr entry
=> acl_get: [6] check attr entry
=> acl_get: [7] check attr entry
=> acl_get: [8] check attr entry
=> acl_get: [9] check attr entry
<= acl_get: [9] acl uid=zzz,ou=personne,dc=univ-savoie,dc=fr attr: entry
=> acl_mask: access to entry "uid=zzz,ou=personne,dc=univ-savoie,dc=fr",
attr "entry" requested
=> acl_mask: to all values by
"UID=XXX,OU=PERSONNE,DC=UNIV-SAVOIE,DC=FR", (=n)
<= check a_dn_pat: *
<= acl_mask: [1] applying read (=rscx) (stop)
<= acl_mask: [1] mask: read (=rscx)
=> access_allowed: read access granted by read (=rscx)
=> access_allowed: read access to
"uid=zzz,ou=personne,dc=univ-savoie,dc=fr" "aglnPassword" requested
=> acl_get: [1] check attr aglnPassword
<= acl_get: [1] acl uid=zzz,ou=personne,dc=univ-savoie,dc=fr attr:
aglnPassword
=> acl_mask: access to entry "uid=zzz,ou=personne,dc=univ-savoie,dc=fr",
attr "aglnPassword" requested
=> acl_mask: to all values by
"UID=XXX,OU=PERSONNE,DC=UNIV-SAVOIE,DC=FR", (=n)
<= check a_dn_pat: self
<= check a_dn_pat: anonymous
<= check a_dn_pat: *
<= acl_mask: [3] applying none (=n) (stop)
<= acl_mask: [3] mask: none (=n)
=> access_allowed: read access denied by none (=n)
acl: access to attribute aglnPassword not allowed
ber_flush: 53 bytes to sd 9
ber_flush: 14 bytes to sd 9



-- 

David Berard                                          |  Tel : 04.79.75.81.26
CRIR (Centre de Ressources Informatiques et Reseaux)  |  Fax : 04.79.75.87.23
Universite de Savoie                                  |
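An added illustration, not part of the original post or of OpenLDAP's code: a simplified Python model of slapd's first-match ACL evaluation, replaying the posted rules against the request in the trace (uid=xxx reading aglnPassword of uid=zzz). It assumes, as slapd does, that an attrs= list also covers subtypes of the listed attribute and that a dn="..." pattern in 2.0 is an unanchored, case-insensitive regex; the SUBTYPE table (aglnPassword defined with SUP userPassword, which is one assumption under which ACL [1] catches the request exactly as the trace shows), the uid=zzz entry and the demo function are constructed for the example.

```python
import re
# Constructed transcription of the posted slapd.conf rules, in the same order.
# In slapd 2.0 a dn="..." pattern is an unanchored, case-insensitive regex.
ACLS = [
    {"attrs": {"userpassword"},
     "by": [("self", "write"), ("anonymous", "auth"), ("*", "none")]},
    {"dn": r"uid=.*,ou=personne,dc=univ-savoie,dc=fr",
     "filter": lambda e: "dut-geii" in e.get("mailgroup", []),
     "attrs": {"aglnpassword"},
     "by": [("self", "write"),
            (r"uid=xxx,ou=personne,dc=univ-savoie,dc=fr", "read"), ("*", "none")]},
    {"attrs": {"aglnpassword"},
     "by": [("self", "write"),
            (r"uid=yyy,ou=personne,dc=univ-savoie,dc=fr", "read"), ("*", "none")]},
    {"by": [("*", "read")]},
]
def attr_matches(attr, acl_attrs, supertypes):
    # An attrs= list also covers subtypes; `supertypes` (assumed) maps attr -> its SUP.
    return attr in acl_attrs or supertypes.get(attr) in acl_attrs

def by_matches(pat, bind_dn, target_dn):
    if pat == "*": return True
    if pat == "anonymous": return bind_dn == ""
    if pat == "self": return bind_dn.lower() == target_dn.lower()
    return re.search(pat, bind_dn, re.IGNORECASE) is not None

def access_allowed(acls, bind_dn, entry, attr, supertypes=None):
    """First ACL whose target matches decides; inside it the first matching <who> wins."""
    supertypes = supertypes or {}
    for i, acl in enumerate(acls, 1):
        if ("dn" in acl and not re.search(acl["dn"], entry["dn"], re.IGNORECASE)
                or "filter" in acl and not acl["filter"](entry)
                or "attrs" in acl and not attr_matches(attr.lower(), acl["attrs"], supertypes)):
            continue  # target does not match, try the next ACL
        for pat, level in acl["by"]:
            if by_matches(pat, bind_dn, entry["dn"]):
                return i, level  # (1-based ACL index, access level)
        return i, "none"  # target matched but no <who> clause applied
    return None, "none"   # defaultaccess none

# Constructed request mirroring the trace: uid=xxx reads aglnPassword of uid=zzz.
XXX = "uid=xxx,ou=personne,dc=univ-savoie,dc=fr"
ZZZ = {"dn": "uid=zzz,ou=personne,dc=univ-savoie,dc=fr", "mailgroup": ["dut-geii"]}
SUBTYPE = {"aglnpassword": "userpassword"}  # assumption: aglnPassword SUP userPassword
def demo():
    return (access_allowed(ACLS, XXX, ZZZ, "aglnPassword"),           # (2, 'read')
            access_allowed(ACLS, XXX, ZZZ, "aglnPassword", SUBTYPE),  # (1, 'none')
            access_allowed(ACLS[1:3] + [ACLS[0], ACLS[3]], XXX, ZZZ,
                           "aglnPassword", SUBTYPE))                  # (1, 'read')
```

Whatever the cause of the match on ACL [1], slapd stops at the first "access to" clause whose target matches, so the rule meant to grant uid=xxx read access has to come before any rule that can match aglnPassword earlier, as the reordered run shows.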