Re: ACL question: is the topmost entry different ?
> I suggest you enable ACL logging. It will tell you exactly
> which to and by clauses are being applied (or not).
>
> Kurt
That's (in slapd.conf)
loglevel 128
isn't it ?
Here's an example:
Feb 23 17:46:27 curacao slapd[1056]: => acl_get: [4] check attr objectClass
Feb 23 17:46:27 curacao slapd[1056]: <= acl_get: [4] acl app=qwido attr:
objectClass
Feb 23 17:46:27 curacao slapd[1056]: => acl_mask: access to entry "app=qwido",
attr "objectClass" requested
Feb 23 17:46:27 curacao slapd[1056]: => acl_mask: to all values by
"MANAGER=MANAGER001,OC=ISP001,APP=QWIDO", (=n)
Feb 23 17:46:27 curacao slapd[1056]: <= check a_dn_pat: APP=QWIDO
Feb 23 17:46:27 curacao slapd[1056]: <= acl_mask: no more <who> clauses,
returning =n (stop)
Feb 23 17:46:27 curacao slapd[1056]: => access_allowed: search access denied
by =n
Feb 23 17:53:01 curacao /USR/SBIN/CRON[1060]: (mail) CMD ( if [ -x
/usr/sbin/exim -a -f /etc/exim/exim.conf ]; then /usr/sbin/exim -q ; fi)
Feb 23 18:06:22 curacao -- MARK --
Feb 23 18:08:01 curacao /USR/SBIN/CRON[1062]: (mail) CMD ( if [ -x
/usr/sbin/exim -a -f /etc/exim/exim.conf ]; then /usr/sbin/exim -q ; fi)
Feb 23 18:13:16 curacao slapd[1056]: => access_allowed: auth access to
"manager=manager001,oc=isp001,app=qwido" "userPassword" requested
Feb 23 18:13:16 curacao slapd[1056]: => acl_get: [1] check attr userPassword
Feb 23 18:13:16 curacao slapd[1056]: <= acl_get: [1] acl
manager=manager001,oc=isp001,app=qwido attr: userPassword
Feb 23 18:13:16 curacao slapd[1056]: => acl_mask: access to entry
"manager=manager001,oc=isp001,app=qwido", attr "userPassword" requested
Feb 23 18:13:16 curacao slapd[1056]: => acl_mask: to all values by "", (=n)
Feb 23 18:13:16 curacao slapd[1056]: <= check a_dn_pat: self
Feb 23 18:13:16 curacao slapd[1056]: => ldbm_back_group: cannot find group:
"GROUP=MANAGERS,APP=QWIDO"
Feb 23 18:13:16 curacao slapd[1056]: <= check a_dn_pat: anonymous
Feb 23 18:13:16 curacao slapd[1056]: <= acl_mask: [3] applying auth (=x)
(stop)
Feb 23 18:13:16 curacao slapd[1056]: <= acl_mask: [3] mask: auth (=x)
Feb 23 18:13:16 curacao slapd[1056]: => access_allowed: auth access granted by
auth (=x)
Feb 23 18:13:16 curacao slapd[1057]: => access_allowed: search access to ""
"objectClass" requested
Feb 23 18:13:16 curacao slapd[1057]: => acl_get: [1] check attr objectClass
Feb 23 18:13:16 curacao slapd[1057]: => dnpat: [2] oc=(.*),app=qwido nsub: 1
Feb 23 18:13:16 curacao slapd[1057]: => dnpat: [3] app=qwido nsub: 0
Feb 23 18:13:16 curacao slapd[1057]: => dnpat: [4] app=qwido nsub: 0
Feb 23 18:13:16 curacao slapd[1057]: <= acl_get: done.
Feb 23 18:13:16 curacao slapd[1057]: => access_allowed: no more rules
Feb 23 18:13:16 curacao slapd[1057]: => access_allowed: search access denied
by =n
Feb 23 18:13:17 curacao slapd[1056]: => access_allowed: auth access to
"manager=manager001,oc=isp001,app=qwido" "userPassword" requested
Feb 23 18:13:17 curacao slapd[1056]: => acl_get: [1] check attr userPassword
Feb 23 18:13:17 curacao slapd[1056]: <= acl_get: [1] acl
manager=manager001,oc=isp001,app=qwido attr: userPassword
Feb 23 18:13:17 curacao slapd[1056]: => acl_mask: access to entry
"manager=manager001,oc=isp001,app=qwido", attr "userPassword" requested
Feb 23 18:13:17 curacao slapd[1056]: => acl_mask: to all values by "", (=n)
Feb 23 18:13:17 curacao slapd[1056]: <= check a_dn_pat: self
Feb 23 18:13:17 curacao slapd[1056]: => ldbm_back_group: cannot find group:
"GROUP=MANAGERS,APP=QWIDO"
Feb 23 18:13:17 curacao slapd[1056]: <= check a_dn_pat: anonymous
Feb 23 18:13:17 curacao slapd[1056]: <= acl_mask: [3] applying auth (=x)
(stop)
Feb 23 18:13:17 curacao slapd[1056]: <= acl_mask: [3] mask: auth (=x)
Feb 23 18:13:17 curacao slapd[1056]: => access_allowed: auth access granted by
auth (=x)
Feb 23 18:13:17 curacao slapd[1057]: => access_allowed: search access to
"oc=isp001,app=qwido" "objectClass" requested
Feb 23 18:13:17 curacao slapd[1057]: => acl_get: [1] check attr objectClass
Feb 23 18:13:17 curacao slapd[1057]: => dnpat: [2] oc=(.*),app=qwido nsub: 1
Feb 23 18:13:17 curacao slapd[1057]: => acl_get: [2] matched
Feb 23 18:13:17 curacao slapd[1057]: => acl_get: [2] check attr objectClass
Feb 23 18:13:17 curacao slapd[1057]: <= acl_get: [2] acl oc=isp001,app=qwido
attr: objectClass
Feb 23 18:13:17 curacao slapd[1057]: => acl_mask: access to entry
"oc=isp001,app=qwido", attr "objectClass" requested
Feb 23 18:13:17 curacao slapd[1057]: => acl_mask: to all values by
"MANAGER=MANAGER001,OC=ISP001,APP=QWIDO", (=n)
Feb 23 18:13:17 curacao slapd[1057]: <= check a_dn_pat: OC=$1,APP=QWIDO
Feb 23 18:13:17 curacao slapd[1057]: <= check a_dn_pat: APP=QWIDO
Feb 23 18:13:17 curacao slapd[1057]: <= acl_mask: no more <who> clauses,
returning =n (stop)
Feb 23 18:13:17 curacao slapd[1057]: => access_allowed: search access denied
by =n
Feb 23 18:13:18 curacao slapd[1056]: => access_allowed: search access to
"app=qwido" "objectClass" requested
Feb 23 18:13:18 curacao slapd[1056]: => acl_get: [1] check attr objectClass
Feb 23 18:13:18 curacao slapd[1056]: => dnpat: [2] oc=(.*),app=qwido nsub: 1
Feb 23 18:13:18 curacao slapd[1056]: => dnpat: [3] app=qwido nsub: 0
Feb 23 18:13:18 curacao slapd[1056]: => acl_get: [3] matched
Feb 23 18:13:18 curacao slapd[1056]: => acl_get: [3] check attr objectClass
Feb 23 18:13:18 curacao slapd[1056]: => dnpat: [4] app=qwido nsub: 0
Feb 23 18:13:18 curacao slapd[1056]: => acl_get: [4] matched
Feb 23 18:13:18 curacao slapd[1056]: => acl_get: [4] check attr objectClass
Feb 23 18:13:18 curacao slapd[1056]: <= acl_get: [4] acl app=qwido attr:
objectClass
Feb 23 18:13:18 curacao slapd[1056]: => acl_mask: access to entry "app=qwido",
attr "objectClass" requested
Feb 23 18:13:18 curacao slapd[1056]: => acl_mask: to all values by
"MANAGER=MANAGER001,OC=ISP001,APP=QWIDO", (=n)
Feb 23 18:13:18 curacao slapd[1056]: <= check a_dn_pat: APP=QWIDO
Feb 23 18:13:18 curacao slapd[1056]: <= acl_mask: no more <who> clauses,
returning =n (stop)
Feb 23 18:13:18 curacao slapd[1056]: => access_allowed: search access denied
by =n
Feb 23 18:13:22 curacao slapd[1056]: => access_allowed: search access to
"app=qwido" "objectClass" requested
Feb 23 18:13:22 curacao slapd[1056]: => acl_get: [1] check attr objectClass
Feb 23 18:13:22 curacao slapd[1056]: => dnpat: [2] oc=(.*),app=qwido nsub: 1
Feb 23 18:13:22 curacao slapd[1056]: => dnpat: [3] app=qwido nsub: 0
Feb 23 18:13:22 curacao slapd[1056]: => acl_get: [3] matched
Feb 23 18:13:22 curacao slapd[1056]: => acl_get: [3] check attr objectClass
Feb 23 18:13:22 curacao slapd[1056]: => dnpat: [4] app=qwido nsub: 0
Feb 23 18:13:22 curacao slapd[1056]: => acl_get: [4] matched
Feb 23 18:13:22 curacao slapd[1056]: => acl_get: [4] check attr objectClass
Feb 23 18:13:22 curacao slapd[1056]: <= acl_get: [4] acl app=qwido attr:
objectClass
Feb 23 18:13:22 curacao slapd[1056]: => acl_mask: access to entry "app=qwido",
attr "objectClass" requested
Feb 23 18:13:22 curacao slapd[1056]: => acl_mask: to all values by
"OC=ISP001,APP=QWIDO", (=n)
Feb 23 18:13:22 curacao slapd[1056]: <= check a_dn_pat: APP=QWIDO
Feb 23 18:13:22 curacao slapd[1056]: <= acl_mask: no more <who> clauses,
returning =n (stop)
Feb 23 18:13:22 curacao slapd[1056]: => access_allowed: search access denied
by =n
Honestly, I can't make much of it.
_Ace
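
Added example (not part of the original post, and not OpenLDAP code): a small Python summarizer for a `loglevel 128` trace like the one above. It groups lines by slapd PID and reports, per request, the selected ACL, the requester, the `<who>` patterns tried and why access was granted or denied. The sample lines are constructed from the post's log; reading the bracketed numbers as ACL and by-clause positions is an assumption about this trace format.

```python
import re

# Constructed sample: adapted from the post's log, wrapping rejoined, PIDs interleaved.
SAMPLE = '''\
Feb 23 18:13:17 curacao slapd[1056]: => access_allowed: auth access to "manager=manager001,oc=isp001,app=qwido" "userPassword" requested
Feb 23 18:13:17 curacao slapd[1057]: => access_allowed: search access to "oc=isp001,app=qwido" "objectClass" requested
Feb 23 18:13:17 curacao slapd[1056]: <= acl_get: [1] acl manager=manager001,oc=isp001,app=qwido attr: userPassword
Feb 23 18:13:17 curacao slapd[1057]: <= acl_get: [2] acl oc=isp001,app=qwido attr: objectClass
Feb 23 18:13:17 curacao slapd[1056]: => acl_mask: to all values by "", (=n)
Feb 23 18:13:17 curacao slapd[1057]: => acl_mask: to all values by "MANAGER=MANAGER001,OC=ISP001,APP=QWIDO", (=n)
Feb 23 18:13:17 curacao slapd[1057]: <= check a_dn_pat: OC=$1,APP=QWIDO
Feb 23 18:13:17 curacao slapd[1057]: <= check a_dn_pat: APP=QWIDO
Feb 23 18:13:17 curacao slapd[1056]: <= acl_mask: [3] applying auth (=x) (stop)
Feb 23 18:13:17 curacao slapd[1057]: <= acl_mask: no more <who> clauses, returning =n (stop)
Feb 23 18:13:17 curacao slapd[1056]: => access_allowed: auth access granted by auth (=x)
Feb 23 18:13:17 curacao slapd[1057]: => access_allowed: search access denied by =n
Feb 23 18:13:18 curacao slapd[1057]: => access_allowed: search access to "" "objectClass" requested
Feb 23 18:13:18 curacao slapd[1057]: => access_allowed: no more rules
Feb 23 18:13:18 curacao slapd[1057]: => access_allowed: search access denied by =n
'''
LINE = re.compile(r'slapd\[(\d+)\]: (?:=>|<=) ([\w ]+?): (.*)')
REQ = re.compile(r'(\w+) access to "([^"]*)" "([^"]*)" requested')
END = re.compile(r'(\w+) access (granted|denied) by (.*)')

def summarize(text):
    """One dict per access decision; each slapd PID is tracked separately."""
    state, out = {}, []
    for m in filter(None, map(LINE.search, text.splitlines())):  # skips cron/MARK lines
        pid, func, rest = m.groups()
        cur = state.setdefault(pid, {"pid": pid, "tried": []})
        if func == "access_allowed" and (r := REQ.match(rest)):
            state[pid] = {"pid": pid, "tried": [], "entry": r[2], "attr": r[3]}
        elif func == "acl_get" and (r := re.match(r'\[(\d+)\] acl ', rest)):
            cur["acl"] = int(r[1])        # assumption: position of the selected ACL
        elif func == "acl_mask" and (r := re.match(r'to .* by "([^"]*)"', rest)):
            cur["who"] = r[1] or "(anonymous)"   # empty DN: unauthenticated requester
        elif func == "check a_dn_pat":
            cur["tried"].append(rest)     # <who> patterns compared with the requester
        elif func == "acl_mask" and (r := re.match(r'\[(\d+)\] applying', rest)):
            cur["by"] = int(r[1])         # assumption: position of the by clause that hit
        elif func == "access_allowed" and (r := END.match(rest)):
            cur.update(level=r[1], result=r[2])   # also covers excerpts cut mid-request
            cur["why"] = ("by clause matched" if "by" in cur else "no <who> clause matched"
                          if "acl" in cur else "no ACL matched the target")
            out.append(state.pop(pid))
    return out

if __name__ == "__main__":
    print(*summarize(SAMPLE), sep="\n")
```

The `why` field separates the two denial cases that look alike in the raw trace: an ACL whose target matched but whose `by` clauses did not fit the requester, and a request that no ACL's target matched at all.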