[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: ACLs problem
Hello,
I reply to my message.
The problem was not the ACL, but the attribut aglnPassword.
This attribut inherit from the userPassword object including its right.
If I apply the ACLs on the userPassword attribut, the access on
aglnPassword atribut is modify.
Best regards.
--
On Wed, 5 Jun 2002, David Berard wrote:
>
> Hi everybody,
>
> I have an ACL problem with OpenLDAP 2.0.23, and I don't understand where
> is the error.
>
> All my users are at the same level (ou=personne,dc=univ-savoie,dc=fr), and
> I want to authorize someone (uid=xxx,ou=people,dc=univ-savoie,dc=fr) to
> access at the attribute aglnPassword of all the user who have the attribut
> mailGroup=dut-geii.
>
> I include the data of interest below. If you need more information, I will
> be glad to give them.
>
> Sorry for my english, but it-s not my primary langage. Any help will be
> much appreciated.
>
> I use these ACls :
>
> #----------------------------------------
> # ACLs
> defaultaccess none
> access to attr=userPassword
> by self write
> by anonymous auth
> by * none
>
> access to dn="uid=.*,ou=personne,dc=univ-savoie,dc=fr" filter=(mailGroup=dut-geii) attr=aglnPassword
> by self write
> by dn="uid=xxx,ou=personne,dc=univ-savoie,dc=fr" read
> by * none
>
> access to attr=aglnPassword
> by self write
> by dn="uid=yyy,ou=personne,dc=univ-savoie,dc=fr" read
> by * none
>
> access to *
> by * read
> #----------------------------------------
>
>
> I can't read the aglnPassword attribut as the uid=xxx user, why ?
>
>
> You will find below le logfile of slapd (slapd -d 128) resulting from this
> query : ldapsearch -D "uid=xxx,ou=personne,dc=univ-savoie,dc=fr" -W uid=zzz aglnPassword
>
> Global ACL: access to attrs=userPassword
> by self write (=wrscx)
> by anonymous auth (=x)
> by * none (=n)
>
> Global ACL: access to dn.regex=uid=.*,ou=personne,dc=univ-savoie,dc=fr
> filter=(mailGroup=dut-geii)
> attrs=aglnPassword
> by self write (=wrscx)
> by dn.regex=uid=xxx,ou=personne,dc=univ-savoie,dc=fr read
> (=rscx)
> by * none (=n)
>
> Global ACL: access to attrs=aglnPassword
> by self write (=wrscx)
> by dn.regex=uid=yyy, ou=personne, dc=univ-savoie, dc=fr read
> (=rscx)
> by * none (=n)
>
> Global ACL: access to *
> by * read (=rscx)
>
> slapd starting
> => access_allowed: auth access to "uid=xxx, ou=personne, dc=univ-savoie,
> dc=fr" "userPassword" requested
> => acl_get: [1] check attr userPassword
> <= acl_get: [1] acl uid=xxx, ou=personne, dc=univ-savoie, dc=fr attr:
> userPassword
> => acl_mask: access to entry "uid=xxx, ou=personne, dc=univ-savoie,
> dc=fr", attr "userPassword" requested
> => acl_mask: to all values by "", (=n)
> <= check a_dn_pat: self
> <= check a_dn_pat: anonymous
> <= acl_mask: [2] applying auth (=x) (stop)
> <= acl_mask: [2] mask: auth (=x)
> => access_allowed: auth access granted by auth (=x)
> ber_flush: 14 bytes to sd 9
> => access_allowed: search access to
> "uid=zzz,ou=personne,dc=univ-savoie,dc=fr" "uid" requested
> => acl_get: [1] check attr uid
> => dnpat: [2] uid=.*,ou=personne,dc=univ-savoie,dc=fr nsub: 0
> => acl_get: [2] matched
> => access_allowed: search access to
> "uid=zzz,ou=personne,dc=univ-savoie,dc=fr" "mailGroup" requested
> => acl_get: [2] check attr uid
> => acl_get: [3] check attr uid
> => acl_get: [4] check attr uid
> => acl_get: [5] check attr uid
> => acl_get: [6] check attr uid
> => acl_get: [7] check attr uid
> => acl_get: [8] check attr uid
> => acl_get: [9] check attr uid
> <= acl_get: [9] acl uid=zzz,ou=personne,dc=univ-savoie,dc=fr attr: uid
> => acl_mask: access to entry "uid=zzz,ou=personne,dc=univ-savoie,dc=fr",
> attr "uid" requested
> => acl_mask: to value by "UID=XXX,OU=PERSONNE,DC=UNIV-SAVOIE,DC=FR",
> (=n)
> <= check a_dn_pat: *
> <= acl_mask: [1] applying read (=rscx) (stop)
> <= acl_mask: [1] mask: read (=rscx)
> => access_allowed: search access granted by read (=rscx)
> => access_allowed: read access to
> "uid=zzz,ou=personne,dc=univ-savoie,dc=fr" "entry" requested
> => acl_get: [1] check attr entry
> => dnpat: [2] uid=.*,ou=personne,dc=univ-savoie,dc=fr nsub: 0
> => acl_get: [2] matched
> => access_allowed: search access to
> "uid=zzz,ou=personne,dc=univ-savoie,dc=fr" "mailGroup" requested
> => acl_get: [2] check attr entry
> => acl_get: [3] check attr entry
> => acl_get: [4] check attr entry
> => acl_get: [5] check attr entry
> => acl_get: [6] check attr entry
> => acl_get: [7] check attr entry
> => acl_get: [8] check attr entry
> => acl_get: [9] check attr entry
> <= acl_get: [9] acl uid=zzz,ou=personne,dc=univ-savoie,dc=fr attr: entry
> => acl_mask: access to entry "uid=zzz,ou=personne,dc=univ-savoie,dc=fr",
> attr "entry" requested
> => acl_mask: to all values by
> "UID=XXX,OU=PERSONNE,DC=UNIV-SAVOIE,DC=FR", (=n)
> <= check a_dn_pat: *
> <= acl_mask: [1] applying read (=rscx) (stop)
> <= acl_mask: [1] mask: read (=rscx)
> => access_allowed: read access granted by read (=rscx)
> => access_allowed: read access to
> "uid=zzz,ou=personne,dc=univ-savoie,dc=fr" "aglnPassword" requested
> => acl_get: [1] check attr aglnPassword
> <= acl_get: [1] acl uid=zzz,ou=personne,dc=univ-savoie,dc=fr attr:
> aglnPassword
> => acl_mask: access to entry "uid=zzz,ou=personne,dc=univ-savoie,dc=fr",
> attr "aglnPassword" requested
> => acl_mask: to all values by
> "UID=XXX,OU=PERSONNE,DC=UNIV-SAVOIE,DC=FR", (=n)
> <= check a_dn_pat: self
> <= check a_dn_pat: anonymous
> <= check a_dn_pat: *
> <= acl_mask: [3] applying none (=n) (stop)
> <= acl_mask: [3] mask: none (=n)
> => access_allowed: read access denied by none (=n)
> acl: access to attribute aglnPassword not allowed
> ber_flush: 53 bytes to sd 9
> ber_flush: 14 bytes to sd 9
>
>
>
>
--
David Berard | Tel : 04.79.75.81.26
CRIR (Centre de Ressources Informatiques et Reseaux) | Fax : 04.79.75.87.23
Universite de Savoie |
- References:
- ACLs problem
- From: David Berard <David.Berard@univ-savoie.fr>