Re: Decyphering openldap ACL logs
At 11:54 PM 4/28/2004, rajkumars@asianetindia.com wrote:
>I am working on configuring qmail-ldap and facing some permission problems with my ldap configuration.
(Thank you for limiting your questions on this list to those specific
to OpenLDAP Software. Questions specific to qmail-ldap, of course,
should go to the qmail-ldap list.)
You didn't bother to say which version of OpenLDAP Software. I'll
assume you are using latest release (2.2.11), but the answers should
be fine for latest stable release as well (2.1.30). If you are using
some other release, I suggest you consider updating.
>My slapd.conf's acl section is some thing like
>
>access to attr=userPassword
> by anonymous auth
userPassword can be used for authentication, but cannot otherwise
be accessed (except, of course, by the rootdn).
>access to *
> by dn="cn=admin,dc=com" write
> by aci write
> by * read
The first clause likely should be dn.exact="cn=admin,dc=com".
>with aci's configured in my directory.
Okay. And I see you've allowed everyone (including anonymous) to read
everything (excepting userPassword).
>To debug the problem I enabled logging with level 128, and I am getting copious logs.
>I am somewhat able to make out what the logs mean, but in order to get the exact meaning I searched for some documentation about the log entries. But could not find any.
>
>One of my log fragments looks like this:
>=> access_allowed: write access to "dc=cse,dc=com" "entry" requested
Here it's checking for access to the entry itself (see slapd.access(5)
and the admin guide discussion regarding "entry" (and "children")).
>=> acl_get: [1] check attr entry
The first access statement didn't apply to "entry". Moving on.
>=> acl_get: [2] check attr entry
The second does.
><= acl_get: [2] acl dc=cse,dc=com attr: entry
>=> acl_mask: access to entry "dc=cse,dc=com", attr "entry" requested
>=> acl_mask: to all values by "uid=mailadmin, dc=com", (=n)
><= check a_dn_pat: cn=admin,dc=com
><= check a_dn_pat: *
This is from the first clause of the second access statement.
It doesn't match.
><= acl_mask: [3] applying read(=rscx) (stop)
><= acl_mask: [3] mask: read(=rscx)
Here it's saying that the third clause of the (second) access
statement applied.
>=> access_allowed: write access denied by read(=rscx)
This says that write access to entry was denied as subject
(uid=mailadmin,dc=com) was only authorized to read.
>(I have removed date/time etc)
>
>Can someone tell me (or point to some documentation) from where I can understand what these logs mean?
Well, understanding the access control model, as documented in slapd.access(5),
the admin guide, and the FAQ, is key to understanding the access control logs.
Kurt
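As an added example (not part of the thread, and not OpenLDAP's own code), a small Python parser for the shape of the access_allowed trace quoted above: the sample is constructed to mirror the quoted fragment, and the parser extracts which "access to" statement matched, which "by" clause applied, and the verdict, following the line-by-line reading given in the reply. It assumes slapd prints an empty subject DN for an anonymous bind.

```python
import re

# Constructed sample, modelled on the fragment quoted in the thread (date/time prefix already stripped).
SAMPLE_LOG = """\
=> access_allowed: write access to "dc=cse,dc=com" "entry" requested
=> acl_get: [1] check attr entry
=> acl_get: [2] check attr entry
<= acl_get: [2] acl dc=cse,dc=com attr: entry
=> acl_mask: access to entry "dc=cse,dc=com", attr "entry" requested
=> acl_mask: to all values by "uid=mailadmin, dc=com", (=n)
<= check a_dn_pat: cn=admin,dc=com
<= check a_dn_pat: *
<= acl_mask: [3] applying read(=rscx) (stop)
<= acl_mask: [3] mask: read(=rscx)
=> access_allowed: write access denied by read(=rscx)
"""

# One regex per log line shape that matters; every other line is ignored.
RE_REQUEST = re.compile(r'^=> access_allowed: (\w+) access to "([^"]+)" "([^"]+)" requested')
RE_ACL_GET = re.compile(r'^<= acl_get: \[(\d+)\] acl ')               # "access to" statement that matched
RE_SUBJECT = re.compile(r'^=> acl_mask: to all values by "([^"]*)"')  # bound DN; "" assumed to mean anonymous
RE_DN_PAT = re.compile(r'^<= check a_dn_pat: (.*)$')                  # each "by dn" pattern tried
RE_APPLY = re.compile(r'^<= acl_mask: \[(\d+)\] applying (\w+)\(')    # "by" clause that applied
RE_VERDICT = re.compile(r'^=> access_allowed: \w+ access (granted|denied) by')

def parse_acl_log(text):
    """Reduce one access_allowed trace to the statement/clause that decided it (indices 1-based, as slapd prints them)."""
    d = {"requested": None, "target": None, "attr": None, "subject": None, "statement": None,
         "clause": None, "tried_patterns": [], "granted": None, "allowed": None}
    for line in text.splitlines():
        line = line.strip()
        if m := RE_REQUEST.match(line):
            d["requested"], d["target"], d["attr"] = m.groups()   # attr may be pseudo-attr "entry"/"children"
        elif m := RE_ACL_GET.match(line):
            d["statement"] = int(m.group(1))
        elif m := RE_SUBJECT.match(line):
            d["subject"] = m.group(1) or "anonymous"
        elif m := RE_DN_PAT.match(line):
            d["tried_patterns"].append(m.group(1))
        elif m := RE_APPLY.match(line):
            d["clause"], d["granted"] = int(m.group(1)), m.group(2)
        elif m := RE_VERDICT.match(line):
            d["allowed"] = m.group(1) == "granted"
    return d

if __name__ == "__main__":
    for key, value in parse_acl_log(SAMPLE_LOG).items():
        print(f"{key:>15}: {value}")
```

For the sample this reports statement 2, clause 3, granted level "read", and a denied write, which is exactly the reading given in the reply.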