Re: Decyphering openldap ACL logs
----- Original Message -----
From: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>
Date: Thursday, April 29, 2004 8:30 pm
Subject: Re: Decyphering openldap ACL logs
> (Thank you for limiting your questions on this list to those specific
> to OpenLDAP Software. Questions specific to qmail-ldap, of course,
> should go to the qmail-ldap list.)
Thanks everyone for answering my questions...
> You didn't bother to say which version of OpenLDAP Software. I'll
> assume you are using latest release (2.2.11), but the answers should
> be fine for latest stable release as well (2.1.30). If you using
> some other release, I suggest you consider updating.
I am using openldap-2.1.30.
> userPassword can be used for authentication, but cannot otherwise
> be accessed (except, of course, by the rootdn).
Understood.
>
> >access to *
> > by dn="cn=admin,dc=com" write
> > by aci write
> > by * read
>
> The first clause likely should be dn.exact="cn=admin,dc=com".
Ok.
>
> >with aci's configured in my directory.
>
> Okay. And I see you've allowed everyone (including anonymous) to read
> everything (excepting userPassword).
Ideally I want all my access control using ACI. That way complete access control will be via my web interface. The ACL-based directory I am replacing is available at http://phpqladmin.bayour.com/demo/slapd.conf.demo.txt
> >=> access_allowed: write access to "dc=cse,dc=com" "entry" requested
What is the meaning of "=>" and "<="?
> Here it's checking for access to the entry itself (see the
> slap.access(5)and the admin guide discussion regarding "entry" (and
> "children")).
Understood.
> >=> acl_get: [1] check attr entry
>
> The first access statement didn't apply to "entry". Moving on.
>
> >=> acl_get: [2] check attr entry
>
> The second does.
How did you find that? Both log entries ([1] and [2]) are similar!
> ><= acl_get: [2] acl dc=cse,dc=com attr: entry
> >=> acl_mask: access to entry "dc=cse,dc=com", attr "entry" requested
> >=> acl_mask: to all values by "uid=mailadmin, dc=com", (=n)
> ><= check a_dn_pat: cn=admin,dc=com
> ><= check a_dn_pat: *
What is the meaning of acl_get, acl_mask and a_dn_pat?
> This is from the first clause of the second access statement.
> It doesn't match.
>
> ><= acl_mask: [3] applying read(=rscx) (stop)
> ><= acl_mask: [3] mask: read(=rscx)
>
> Here it's saying that the third clause of the (second) access
> statement applied.
What is the meaning of "applying read(=rscx) (stop)" and "mask: read(=rscx)"?
> >=> access_allowed: write access denied by read(=rscx)
>
> This says that write access to entry was denied as subject
> (uid=mailadmin,dc=com) was only authorized to read.
OK. My LDIF file is given below; I am wondering why the ACI entries were not applied. Sorry for asking too many questions, I am just trying to learn and understand this :)
thanks for your time,
raj
dn: dc=com
o: linuxense.com
dc: com
administrator: uid=mailadmin,dc=com
OpenLDAPaci: 1.2.3#entry#grant;r;[entry]#public#
OpenLDAPaci: 1.2.3#entry#grant;r,s,c;objectClass,[entry]#public#
OpenLDAPaci: 1.2.3#entry#grant;r,s,c;dc,userReference,branchReference,administrator#public#
OpenLDAPaci: 1.2.3#entry#grant;w,r,s,c;[children]#access-id#uid=mailadmin,dc=com
OpenLDAPaci: 1.2.3#entry#grant;w,r,s,c,x;[entry]#access-id#uid=mailadmin,dc=com
OpenLDAPaci: 1.2.3#entry#grant;w,r,s,c,x;[all]#access-id#uid=mailadmin,dc=com
branchReference: dc
branchObjectClass: organization
branchObjectClass: dcobject
userObjectClass: person
userObjectClass: posixaccount
userObjectClass: qmailuser
hostMaster: raj@linuxense.com
minimumUIDNumber: 5000
objectClass: top
objectClass: organization
objectClass: phpQLAdminBranch
objectClass: phpQLAdminConfig
objectClass: phpQLAdminGlobal
structuralObjectClass: organization
entryUUID: 362d8998-2d57-1028-8249-8e332eee8fb9
creatorsName: cn=anonymous
createTimestamp: 20040428115913Z
entryCSN: 2004042817:34:21Z#0x0005#0#0000
modifiersName: uid=mailadmin,dc=com
modifyTimestamp: 20040428173421Z

dn: cn=admin,dc=com
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
userPassword:: ZjAwcnUxeg==
OpenLDAPaci: 1.2.3#entry#grant;r;[entry]#public#
OpenLDAPaci: 1.2.3#entry#grant;r,s,c;objectClass,[entry]#public#
OpenLDAPaci: 1.2.3#entry#grant;x;userPassword,krb5PrincipalName#public#
OpenLDAPaci: 1.2.3#entry#grant;r,s,c;uid,cn,accountStatus,uidNumber,gidNumber,gecos,homeDirectory,loginShell#public#
OpenLDAPaci: 1.2.3#entry#grant;r,s,c;sn,givenName,homePostalAddress,mobile,homePhone,labeledURI,mailForwardingAddress,street,physicalDeliveryOfficeName,mailMessageStore,o,l,st,telephoneNumber,postalCode,title#users#
OpenLDAPaci: 1.2.3#entry#grant;r,s,c;sn,givenName,homePostalAddress,mobile,homePhone,labeledURI,mailForwardingAddress,street,physicalDeliveryOfficeName,mailMessageStore,o,l,st,telephoneNumber,postalCode,title#self#
OpenLDAPaci: 1.2.3#entry#grant;w,r,s,c;[children]#access-id#uid=mailadmin,dc=com
OpenLDAPaci: 1.2.3#entry#grant;w,r,s,c,x;[entry]#access-id#uid=mailadmin,dc=com
OpenLDAPaci: 1.2.3#entry#grant;w,r,s,c,x;[all]#access-id#uid=mailadmin,dc=com
structuralObjectClass: organizationalRole
entryUUID: 362fd0ae-2d57-1028-824a-8e332eee8fb9
creatorsName: cn=anonymous
modifiersName: cn=anonymous
createTimestamp: 20040428115913Z
modifyTimestamp: 20040428115913Z
entryCSN: 2004042811:59:13Z#0x0002#0#0000

dn: uid=mailadmin,dc=com
cn: mailadministrator
sn: System
givenName: mailadministrator
uid: mailadmin
userPassword:: ZjAwcnUxeg==
objectClass: inetorgperson
objectClass: organizationalperson
OpenLDAPaci: 1.2.3#entry#grant;r;[entry]#public#
OpenLDAPaci: 1.2.3#entry#grant;r,s,c;objectClass,[entry]#public#
OpenLDAPaci: 1.2.3#entry#grant;x;userPassword,krb5PrincipalName#public#
OpenLDAPaci: 1.2.3#entry#grant;r,s,c;uid,cn,accountStatus,uidNumber,gidNumber,gecos,homeDirectory,loginShell#public#
OpenLDAPaci: 1.2.3#entry#grant;r,s,c;sn,givenName,homePostalAddress,mobile,homePhone,labeledURI,mailForwardingAddress,street,physicalDeliveryOfficeName,mailMessageStore,o,l,st,telephoneNumber,postalCode,title#users#
OpenLDAPaci: 1.2.3#entry#grant;r,s,c;sn,givenName,homePostalAddress,mobile,homePhone,labeledURI,mailForwardingAddress,street,physicalDeliveryOfficeName,mailMessageStore,o,l,st,telephoneNumber,postalCode,title#self#
OpenLDAPaci: 1.2.3#entry#grant;w,r,s,c;[children]#access-id#uid=mailadmin,dc=com
OpenLDAPaci: 1.2.3#entry#grant;w,r,s,c,x;[entry]#access-id#uid=mailadmin,dc=com
OpenLDAPaci: 1.2.3#entry#grant;w,r,s,c,x;[all]#access-id#uid=mailadmin,dc=com
structuralObjectClass: inetorgperson
entryUUID: 36302dba-2d57-1028-824b-8e332eee8fb9
creatorsName: cn=anonymous
modifiersName: cn=anonymous
createTimestamp: 20040428115913Z
modifyTimestamp: 20040428115913Z
entryCSN: 2004042811:59:13Z#0x0003#0#0000

The log fragment again:
=> access_allowed: write access to "dc=cse.dynu.com,dc=com" "entry" requested
=> acl_get: [1] check attr entry
=> acl_get: [2] check attr entry
<= acl_get: [2] acl dc=cse.dynu.com,dc=com attr: entry
=> acl_mask: access to entry "dc=cse.dynu.com,dc=com", attr "entry" requested
=> acl_mask: to all values by "uid=mailadmin,dc=com", (=n)
<= check a_dn_pat: cn=admin,dc=com
<= check a_dn_pat: *
<= acl_mask: [3] applying read(=rscx) (stop)
<= acl_mask: [3] mask: read(=rscx)
=> access_allowed: write access denied by read(=rscx)
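An added example, mine rather than code from the thread or from OpenLDAP: a Python decoder for the slapd ACL debug lines quoted in this message (loglevel 128, the "acl" level). It groups the lines belonging to one access_allowed() call, takes the matching access statement from the "<= acl_get: [N]" line (the "=>" lines are slapd entering a check, the "<=" lines are the results it came back with, which is why "=> acl_get: [1]" and "=> acl_get: [2]" look alike but only [2] has a "<=" line), takes the applied "by" clause and its privilege from "<= acl_mask: [N] applying ...", and recomputes grant/deny from the privilege ladder so it can be compared with slapd's own verdict line. The ladder letters (=wrscx) are those of 2.1/2.2 builds, which is an assumption; the second log, a bind as cn=admin,dc=com that ends in write being granted, is constructed to show the granted shape and was not captured from the poster's server.

```python
"""Decode slapd ACL debug lines (loglevel 128, "-d acl") from OpenLDAP 2.1/2.2.
Added example, not code from the thread or from OpenLDAP; see the lead-in for assumptions."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Privilege ladder as accessmask2str() prints it in 2.1/2.2 builds (assumption): write(=wrscx)
# > read(=rscx) > search(=scx) > compare(=cx) > auth(=x) > none(=n); each level implies the lower ones.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]

# "=>" lines are slapd entering a check, "<=" lines carry that check's result.
RE_REQUEST = re.compile(r'^=> access_allowed: (\w+) access to "(.*)" "([^"]*)" requested')
RE_GET_CHECK = re.compile(r'^=> acl_get: \[(\d+)\] check attr (\S+)')       # statement N being tried
RE_GET_MATCH = re.compile(r'^<= acl_get: \[(\d+)\] acl (.*) attr: (\S+)')   # statement N matched
RE_SUBJECT = re.compile(r'^=> acl_mask: to .* by "(.*)", \(=?(\w+)\)')     # bound DN, starting mask
RE_PATTERN = re.compile(r'^<= check (a_\w+): (.*)')                          # one "by" selector tested
RE_APPLY = re.compile(r'^<= acl_mask: \[(\d+)\] applying (\w+)\(=\w+\) \((\w+)\)')  # clause N applied
RE_RESULT = re.compile(r'^=> access_allowed: (\w+) access (granted|denied) by (\w+)\(=\w+\)')


@dataclass
class Decision:
    requested: str                       # privilege asked for, e.g. "write"
    target: str                          # DN of the entry being checked
    attr: str                            # attribute, or pseudo-attribute "entry" / "children"
    subject: str = ""                    # bound DN ("" means anonymous)
    statements_checked: list = field(default_factory=list)  # N from every "=> acl_get: [N]"
    statement: Optional[int] = None      # N from "<= acl_get: [N]": the statement that matched
    patterns_tried: list = field(default_factory=list)      # ("a_dn_pat", "cn=admin,dc=com"), ...
    clause: Optional[int] = None         # N from "<= acl_mask: [N] applying": the "by" clause used
    mask: str = ""                       # privilege that clause granted, e.g. "read"
    control: str = ""                    # stop / continue / break on that clause
    result: str = ""                     # slapd's own "granted" / "denied"


def parse_acl_log(text: str) -> list:
    """Group ACL debug lines into one Decision per access_allowed() call."""
    decisions, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if m := RE_REQUEST.match(line):
            cur = Decision(requested=m[1], target=m[2], attr=m[3])
            decisions.append(cur)
        elif cur is None:
            continue                      # noise before the first request line
        elif m := RE_GET_CHECK.match(line):
            cur.statements_checked.append(int(m[1]))
        elif m := RE_GET_MATCH.match(line):
            cur.statement = int(m[1])
        elif m := RE_SUBJECT.match(line):
            cur.subject = m[1]
        elif m := RE_PATTERN.match(line):
            cur.patterns_tried.append((m[1], m[2]))
        elif m := RE_APPLY.match(line):
            cur.clause, cur.mask, cur.control = int(m[1]), m[2], m[3]
        elif m := RE_RESULT.match(line):
            cur.result = m[2]
    return decisions


def mask_allows(mask: str, requested: str) -> bool:
    return LEVELS.index(mask) >= LEVELS.index(requested)   # higher level implies the lower ones


def verdict(d: Decision) -> str:
    """Recompute the decision from the applied mask; it should agree with d.result."""
    if not d.mask:
        return "denied"                   # no clause applied a mask: no access
    return "granted" if mask_allows(d.mask, d.requested) else "denied"


def explain(d: Decision) -> str:
    who = d.subject or "anonymous"
    return (f'{who} asked for {d.requested} on "{d.target}" (attr {d.attr}): '
            f'statement [{d.statement}] matched, clause [{d.clause}] applied {d.mask} '
            f'({d.control}); {d.requested} {verdict(d)} (slapd: {d.result})')


# The fragment from the message above, verbatim.
PAGE_LOG = """\
=> access_allowed: write access to "dc=cse.dynu.com,dc=com" "entry" requested
=> acl_get: [1] check attr entry
=> acl_get: [2] check attr entry
<= acl_get: [2] acl dc=cse.dynu.com,dc=com attr: entry
=> acl_mask: access to entry "dc=cse.dynu.com,dc=com", attr "entry" requested
=> acl_mask: to all values by "uid=mailadmin,dc=com", (=n)
<= check a_dn_pat: cn=admin,dc=com
<= check a_dn_pat: *
<= acl_mask: [3] applying read(=rscx) (stop)
<= acl_mask: [3] mask: read(=rscx)
=> access_allowed: write access denied by read(=rscx)
"""

# Constructed, not captured: the same request bound as the DN of the first "by" clause.
GRANTED_LOG = """\
=> access_allowed: write access to "dc=cse.dynu.com,dc=com" "entry" requested
<= acl_get: [2] acl dc=cse.dynu.com,dc=com attr: entry
=> acl_mask: to all values by "cn=admin,dc=com", (=n)
<= check a_dn_pat: cn=admin,dc=com
<= acl_mask: [1] applying write(=wrscx) (stop)
=> access_allowed: write access granted by write(=wrscx)
"""

if __name__ == "__main__":
    for d in parse_acl_log(PAGE_LOG) + parse_acl_log(GRANTED_LOG):
        print(explain(d))
```

Run as a script it prints one line per decision. The clause index is taken from the "[N]" on the applying line rather than by counting "check" lines: in the fragment above only two "check a_dn_pat" lines appear before clause [3] applies, so the middle clause of that statement left no "check" line of its own, and a counter would have pointed at the wrong clause. "(stop)" is the control keyword of the clause that applied; with the default stop, evaluation ends there and the mask it set, read(=rscx), is what the final "denied by" line reports.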