
Re: ACL (dnattr) usage



> I'm trying to rewrite some ACLs to be more generic, so I've created an
> attribute called 'administrator' (I _could_ have used 'owner', but I've
> forgotten about that).
>
> My Base DN is 'dc=com'. Under that I have 'dc=bayour' (=>
> dc=bayour,dc=com).
>
> In the 'dc=bayour' object I have
>
>         dn: dc=bayour,dc=com
>         administrator: uid=frans,ou=People,dc=bayour,dc=com
>
> Trying to add a user object (with the DN
> uid=test,ou=People,dc=bayour,dc=com) doing a simple bind as
> 'uid=frans,ou=People,dc=bayour,dc=com' fails (see below)!
>
> The ACL looks like:
>         access to dn="ou=People,dc=bayour,dc=com"
>                 by dnattr=administrator write
>                 by * read
>
> The attribute looks like:
>         attributetype ( 1.3.6.1.4.1.8767.3.2.4.4 NAME 'administrator'
>                 DESC 'Administrator for branch'
>                 SUP owner)
>
> Running slapd in debug mode shows this:
>
> ------ s n i p -----
> => access_allowed: write access to "ou=People,dc=bayour,dc=com"
> "children" requested => dnpat: [1] ou=People,dc=bayour,dc=com nsub: 0
> => acl_get: [1] matched
> => acl_get: [1] check attr children
> <= acl_get: [1] acl ou=People,dc=bayour,dc=com attr: children
> => acl_mask: access to entry "ou=People,dc=bayour,dc=com", attr
> "children" requested => acl_mask: to all values by
> "UID=FRANS,OU=PEOPLE,DC=BAYOUR,DC=COM", (=n)  <= check a_dn_at:
> administrator
> <= check a_dn_pat: *
> <= acl_mask: [2] applying read (=rscx) (stop)
> <= acl_mask: [2] mask: read (=rscx)
> => access_allowed: write access denied by read (=rscx)
> ====> cache_return_entry_w( 248 ): returned (0)
> no write access to parent
> ------ s n i p -----
>
> What does '"children" requested' actually mean?

To add an entry you need write access to the meta-attr "children"
of the parent entry.

You have

access to dn="ou=People,dc=bayour,dc=com"
                 by dnattr=administrator write
                 by * read

So this should imply access to the "children" meta-attr
as well.  Try making it explicit, e.g.

access to dn.exact="ou=People,dc=bayour,dc=com" attrs=children
                 by dnattr=administrator write
                 by * read

access to dn.subtree="ou=People,dc=bayour,dc=com"
                 by dnattr=administrator write
                 by * read

Otherwise I need to dig into the code.
P.

-- 
Pierangelo Masarati
mailto:pierangelo.masarati@sys-net.it
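The point made in the reply above (an add needs write access to the parent's "children" meta-attr) and the dnattr lookup visible in the debug output, modelled as an added Python example. This is not OpenLDAP code: the evaluator re-states the slapd.access(5) rules, the entries are constructed from the post, and the post's bare dn= target is treated as an exact match.

```python
# Toy model of slapd ACL evaluation for the add case in this thread (not OpenLDAP
# code): first matching access directive wins, first matching <by> clause inside it
# decides, and dnattr=<attr> is looked up on the entry being accessed. Data is constructed.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]

def norm(dn):  # simplified DN normalisation: case- and space-insensitive
    return ",".join(p.strip().lower() for p in dn.split(","))

def target_matches(scope, acl_dn, target_dn):
    a, t = norm(acl_dn), norm(target_dn)
    if scope == "exact":
        return a == t
    if scope == "subtree":
        return t == a or t.endswith("," + a)
    raise ValueError(f"unsupported scope {scope!r}")

def who_matches(who, target_entry, bound_dn):
    """dnattr=<attr> matches only if the target entry itself lists the bound DN in <attr>."""
    if who == "*":
        return True
    if who.startswith("dnattr="):
        values = target_entry.get(who[len("dnattr="):], [])
        return norm(bound_dn) in {norm(v) for v in values}
    return norm(who) == norm(bound_dn)  # plain dn="..." <by> clause

def access_allowed(directory, acls, bound_dn, target_dn, attr, wanted):
    """Return (allowed, reason); reason mirrors slapd's 'denied by read' debug line."""
    entry = directory.get(norm(target_dn), {})
    for scope, acl_dn, acl_attrs, whos in acls:
        if not target_matches(scope, acl_dn, target_dn):
            continue
        if acl_attrs is not None and attr not in acl_attrs:
            continue
        for who, level in whos:
            if who_matches(who, entry, bound_dn):
                granted = LEVELS.index(level) >= LEVELS.index(wanted)
                return granted, f"{wanted} by {who} {level}"
        return False, "no <by> clause matched"  # slapd stops here and denies
    return False, "no access directive matched (default none)"

def can_add_child(directory, acls, bound_dn, parent_dn):
    """Adding an entry needs write access to the parent's 'children' pseudo-attribute."""
    return access_allowed(directory, acls, bound_dn, parent_dn, "children", "write")

# Constructed entries and the ACL from the post (its bare dn= is modelled as exact).
DIRECTORY = {norm("dc=bayour,dc=com"): {"administrator": ["uid=frans,ou=People,dc=bayour,dc=com"]},
             norm("ou=People,dc=bayour,dc=com"): {}}
ACL = [("exact", "ou=People,dc=bayour,dc=com", None,
        [("dnattr=administrator", "write"), ("*", "read")])]
FRANS = "uid=frans,ou=People,dc=bayour,dc=com"
```

With the post's data, `can_add_child(DIRECTORY, ACL, FRANS, "ou=People,dc=bayour,dc=com")` falls through to the `* read` clause, the same outcome as the "write access denied by read" debug line; placing the administrator value on the ou=People entry itself makes the dnattr clause match.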