RE: Simple - I hope -- ACL problem
Well, No joy
Following your suggestion, here is the slapd debug output also showing the
acl entries:
/usr/local/libexec/slapd -d 168 -f /etc/openldap/slapd.conf
bdb_initialize: Sleepycat Software: Berkeley DB 4.2.52: (December 3, 2003)
Backend ACL: access to dn.base=o=domain.com
by * read(=rscx)
Backend ACL: access to attrs=userPassword
by self read(=rscx)
Backend ACL: access to attrs=entry
by * read(=rscx)
Backend ACL: access to *
by dn.regex=cn=reader,o=domain.com write(=wrscx)
slapd starting
daemon: added 6r
daemon: added 7r
daemon: select: listen=6 active_threads=0 tvp=NULL
daemon: select: listen=7 active_threads=0 tvp=NULL
And the result of an ldapsearch:
ldapsearch -LLL -b "o=domain.com" -D "cn=reader,o=domain.com" -x -W
Enter LDAP Password:
ldap_bind: Insufficient access (50)
And the resulting slapd debug output:
daemon: activity on 1 descriptors
daemon: new connection on 8
str2filter "(objectclass=*)"
begin get_filter
PRESENT
end get_filter 0
daemon: added 8r
daemon: activity on:
daemon: select: listen=6 active_threads=0 tvp=NULL
daemon: select: listen=7 active_threads=0 tvp=NULL
daemon: activity on 1 descriptors
daemon: activity on: 8r
daemon: read activity on 8
=> access_allowed: auth access to "cn=reader,o=domain.com" "userPassword" requested
=> dn: [1] o=domain.com
=> acl_get: [2] check attr userPassword
<= acl_get: [2] acl cn=reader,o=domain.com attr: userPassword
=> acl_mask: access to entry "cn=reader,o=domain.com", attr "userPassword" requested
=> acl_mask: to all values by "", (=n)
<= check a_dn_pat: self
<= acl_mask: no more <who> clauses, returning =n (stop)
=> access_allowed: auth access denied by =n
daemon: select: listen=6 active_threads=0 tvp=NULL
daemon: select: listen=7 active_threads=0 tvp=NULL
daemon: activity on 1 descriptors
daemon: activity on: 8r
daemon: read activity on 8
daemon: removing 8
So I think this says that with ldapsearch, I have no access to the
userPassword entry for "cn=reader, o=domain.com"
Regards
+---------------------------------------+
Bruce B. Platt, Ph.D.
Vice President Networks and Security
ei3 Corporation
136 Summit Avenue
Montvale, NJ 07645
201-802-9080
> -----Original Message-----
> From: Bruce Platt [mailto:Bruce@ei3.com]
> Sent: Thursday, June 03, 2004 2:26 PM
> To: openldap-software@OpenLDAP.org
> Subject: Simple - I hope -- ACL problem
>
>
> I have constructed an openldap 2.1.30 scheme (the system also has db-4.2.52,
> both following Quanah's suggestions.)
>
> The schema looks like so:
>
> o=domain.com
>   cn=reader
>   ou=HQ
>     cn=Manager HQ
>     cn=Person1
>     cn=Person2
>   ou=OU1
>     cn=Manager OU1
>     cn=Person1
>     cn=Person2
>   ou=OU2
>     cn=Manager OU2
>     cn=Person1
>     cn=Person2
>     ou=OU2-SubOU1
>       cn=Person1
>       cn=Person2
>
> etc.
>
> I have an acl structure which works fine for allowing Managers access to
> their OUs and the subordinate OUs within the OU of which that manager is a
> part. And, of course the "rootdn" can access any record.
>
> But I think I am doing something insanely stupid in that I have omitted
> something critical when trying to implement the following:
>
> I wanted to add another cn record called "reader" which has read and
> therefore search access to all entries from the o=domain.com on down. For
> the life of me, I can not make this last work.
>
> For all tests I am using Jarek Gawor's Ldap Browser/Editor v2.8.1
>
> I have removed all acls from the slapd.conf and restarted slapd with a debug
> value of -168, save for this:
>
> access to *
>
> by * read
>
> This of course works just fine and enumerates every entry in the db when
> querying as "cn=reader,o=domain.com".
>
> However, when I try the following as the only acl entry in my slapd.conf, I
> have no access to anything other than o=domain.com in the browser left pane
> with no attributes listed in the right pane.
>
> access to *
>
> by dn="cn=reader,o=domain.com" read
>
> I have also tried dn.exact and dn.base to no avail.
>
> Looking at the slapd debug output, I see lines like:
>
> => access_allowed: search access to "ou=OU1,o=domain.com" "objectClass" requested
> => dnpat: [1] cn=reader,o=domain.com nsub: 0
> => acl_get: [2] check attr objectClass
> <= acl_get: [2] acl ou=OU1,o=domain.com attr: objectClass
> => acl_mask: access to entry "ou=OU1,o=domain.com", attr "objectClass" requested
> => acl_mask: to all values by "", (=n)
> <= check a_dn_pat: cn=reader,o=domain.com
> <= acl_mask: no more <who> clauses, returning =n (stop)
> => access_allowed: search access denied by =n
> <= test_filter 50
> => test_filter
> PRESENT
> => access_allowed: search access to "cn=reader,o=domain.com" "objectClass" requested
> => dnpat: [1] cn=reader,o=domain.com nsub: 0
> => acl_get: [1] matched
> => acl_get: [1] check attr objectClass
> <= acl_get: [1] acl cn=reader,o=domain.com attr: objectClass
> => acl_mask: access to entry "cn=reader,o=domain.com", attr "objectClass" requested
> => acl_mask: to all values by "", (=n)
> <= check a_dn_pat: self
> <= acl_mask: no more <who> clauses, returning =n (stop)
> => access_allowed: search access denied by =n
> <= test_filter 50
>
> So, something is not allowing this acl to be effective. Can someone show me
> where I am going wrong?
>
> Thanks and regards,
>
> Bruce
>
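The two traces in this thread both show the same thing: the check is made for the anonymous identity (the `by ""` in `acl_mask`), because a simple bind has to verify userPassword before there is a bound DN, and the only directive whose <what> matches userPassword has no <who> clause for anonymous, so the implicit `by * none` applies. The script below is an added example, not OpenLDAP code and not anything either poster ran: it is a deliberately small model of slapd's first-match ACL evaluation (first `access to` whose target matches, then first `by` whose requester matches, implicit `access to * by * none` at the end of a non-empty list, ordered privilege levels) that replays the checks from the debug output against the four directives slapd printed at startup. The `FIXED_ACLS` set, `replay_bind`, and the level names are the example's own; the `by anonymous auth` / `by self write` clauses are the assumed correction, and only the <what> and <who> forms that appear on this page are modelled.

```python
"""Simplified model of slapd.conf ACL evaluation (added example, not OpenLDAP code).
Assumptions: only dn.base=, attrs= and the <who> forms *, anonymous, users, self,
dn= and dn.regex= are modelled, and every clause uses the default 'stop' control."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# slapd privilege levels; each level implies every level to its left.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write"]


def level(name: str) -> int:
    return LEVELS.index(name)


@dataclass
class By:
    who: str      # "*", "anonymous", "users", "self", "dn=<dn>" or "dn.regex=<re>"
    access: str   # one of LEVELS


@dataclass
class Access:
    """One 'access to <what> by <who> <access> ...' directive."""
    dn_base: Optional[str] = None        # dn.base=<dn>: that one entry only
    attrs: Optional[Set[str]] = None     # attrs=<list>: those attributes only
    by: List[By] = field(default_factory=list)

    def matches(self, target_dn: str, attr: str) -> bool:
        if self.dn_base is not None and target_dn.lower() != self.dn_base.lower():
            return False
        if self.attrs is not None and attr.lower() not in {a.lower() for a in self.attrs}:
            return False
        return True


def who_matches(who: str, bound_dn: str, target_dn: str) -> bool:
    """bound_dn == "" is the anonymous identity (the by "" in the slapd trace)."""
    if who == "*":
        return True
    if who == "anonymous":
        return bound_dn == ""
    if who == "users":
        return bound_dn != ""
    if who == "self":
        return bound_dn != "" and bound_dn.lower() == target_dn.lower()
    if who.startswith("dn.regex="):
        return re.search(who[len("dn.regex="):], bound_dn, re.IGNORECASE) is not None
    if who.startswith("dn="):
        return bound_dn.lower() == who[len("dn="):].lower()
    raise ValueError(f"unsupported <who> clause: {who}")


def access_allowed(acls: List[Access], bound_dn: str, target_dn: str,
                   attr: str, requested: str) -> Tuple[bool, str, str]:
    """Return (allowed, granted_level, reason) for one access check.

    slapd takes the FIRST directive whose <what> matches the target and, inside
    it, the FIRST <who> clause that matches the requester; that clause's level
    decides and nothing later is consulted.  With at least one access directive
    configured, an implicit 'access to * by * none' ends the list."""
    for i, acl in enumerate(acls, 1):
        if not acl.matches(target_dn, attr):
            continue
        for clause in acl.by:
            if who_matches(clause.who, bound_dn, target_dn):
                ok = level(clause.access) >= level(requested)
                return ok, clause.access, f"acl [{i}] by {clause.who}"
        return False, "none", f"acl [{i}] matched but no <who> clause did"
    return False, "none", "no directive matched (implicit access to * by * none)"


# The four directives slapd printed at startup in the reply above.
PAGE_ACLS = [
    Access(dn_base="o=domain.com", by=[By("*", "read")]),
    Access(attrs={"userPassword"}, by=[By("self", "read")]),
    Access(attrs={"entry"}, by=[By("*", "read")]),
    Access(by=[By("dn.regex=cn=reader,o=domain.com", "write")]),
]

# Assumed correction: a simple bind is evaluated for the anonymous identity and
# needs 'auth' on userPassword; 'self write' lets an account change its own
# password.  'auth' is below 'read', so nobody can read the hashes this way.
FIXED_ACLS = [
    Access(dn_base="o=domain.com", by=[By("*", "read")]),
    Access(attrs={"userPassword"}, by=[By("self", "write"), By("anonymous", "auth")]),
    Access(attrs={"entry"}, by=[By("*", "read")]),
    Access(by=[By("dn.regex=cn=reader,o=domain.com", "write")]),
]

READER = "cn=reader,o=domain.com"


def replay_bind(acls: List[Access]) -> Tuple[bool, str, str]:
    """The check behind 'ldap_bind: Insufficient access (50)': anonymous
    requester, target cn=reader, attribute userPassword, level auth."""
    return access_allowed(acls, "", READER, "userPassword", "auth")


if __name__ == "__main__":
    for name, acls in (("page", PAGE_ACLS), ("fixed", FIXED_ACLS)):
        print(name, "bind as reader:", replay_bind(acls))
        print(name, "reader searches ou=OU1:",
              access_allowed(acls, READER, "ou=OU1,o=domain.com", "objectClass", "search"))
        print(name, "reader reads Person1 password:",
              access_allowed(acls, READER, "cn=Person1,ou=HQ,o=domain.com", "userPassword", "read"))
        print(name, "anonymous reads reader password:",
              access_allowed(acls, "", READER, "userPassword", "read"))
```

Running it reproduces the trace: with the page's directives the bind stops at `acl [2]` with no matching <who> and is denied, so no later directive, including the generous `access to *`, ever gets a say. With the corrected userPassword directive the bind succeeds, anonymous still cannot read password values (auth does not imply read), and the reader account still cannot read other entries' userPassword because `self` does not match them; directive order is what keeps that protection in front of the catch-all.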