[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: ACL - user not able to modify self

To: Mo Mahmoud <proguru2@yahoo.com>
Subject: Re: ACL - user not able to modify self
From: Pierangelo Masarati <ando@sys-net.it>
Date: Wed, 20 Jul 2005 12:09:32 +0200
Cc: OpenLDAP-software@OpenLDAP.org
In-reply-to: <20050719190652.95232.qmail@web51103.mail.yahoo.com>
References: <20050719190652.95232.qmail@web51103.mail.yahoo.com>
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.8) Gecko/20050524 CentOS/1.7.8-1.1.3.1.centos3

Mo Mahmoud wrote:

Hi. Quick problem summary: Almost all acl's rules are working fine except 'self' rules - eg. any person cannot modify his/her directory information.
Detailed explanation:
I have setup an openldap instance and tree in the
following fashion:
Root node: suffix
underneath this there is a ou=people node
underneath this there are the ou's: admins, managers,
devels, priv users, reg users
My ACL list is as follows:
# Access rights
# Allow admins to modify managers, devels, priv.
users, users (continued below)
access to
dn.children="ou=managers,ou=people,dc=suffix"
       by dn.children="ou=admins,ou=people,dc=suffix"
write
       by self write
access to dn.children="ou=devels,ou=people,dc=suffix"
       by dn.children="ou=admins,ou=people,dc=suffix"
write
       by self write
# Allow managers to modify priv users and users # Allow devels to read priv users and regular users access to dn.children="ou=priv users,ou=people,dc=suffix" by dn.children="ou=admins,ou=people,dc=suffix" write by dn.children="ou=managers,ou=people,dc=suffix" write by dn.children="ou=devels,ou=people,dc=suffix" read by self write access to dn.children="ou=reg users,ou=people,dc=suffix" by dn.children="ou=admins,ou=people,dc=suffix" write by dn.children="ou=managers,ou=people,dc=suffix" write by dn.children="ou=devels,ou=people,dc=suffix" read by self write
# Allow all users to authenticate,
#  else if no other conditions are met, deny access
access to *
       by anonymous auth
       by self write
       by none
As of right now I am simply using the tools that came
with ldap to do everything (eg. ldapadd, ldapmodify,
ldapsearch, etc)
For the most part this works as described in the
comments.
The problem occurs when a person (no matter what ou
they fall under) tries to modify their own information
(such as password, telephone, etc.) If a user tries to
do so they get the error: "ldap_bind: Insufficient
access (50)" and slapd generates the following output
(running with debug level of 384) (for this example i
tried to change a priv user's info as the user, the
same output will be generated regardless of the
person, so long as they are trying to modify their
information):
conn=0 fd=12 ACCEPT from IP=127.0.0.1:57120 (IP=0.0.0.0:389) conn=0 op=0 BIND dn="cn=blahUserName,ou=priv users,ou=people,dc=suffix" method=128 => access_allowed: auth access to "cn=blahUserName,ou=priv users,ou=people,dc=suffix" "authAuthority" requested

It appears you're using something like back-netinfo, a custom backend that is not part of OpenLDAP software <http://www.opensource.apple.com/darwinsource/10.3/OpenLDAP-37/OpenLDAP/servers/slapd/back-netinfo/bind.c>

=> acl_get: [1] check attr authAuthority
=> dn: [2] ou=managers,ou=people,dc=suffix
=> dn: [3] ou=devels,ou=people,dc=suffix
=> dn: [4] ou=priv users,ou=people,dc=suffix
=> acl_get: [4] matched
=> acl_get: [4] check attr authAuthority
<= acl_get: [4] acl cn=blahUserName,ou=priv
users,ou=people,dc=suffix attr: authAuthority
=> acl_mask: access to entry "cn=blahUserName,ou=priv
users,ou=people,dc=suffix", attr "authAuthority"
requested
=> acl_mask: to all values by "", (=n)
<= check a_dn_pat: ou=admins,ou=people,dc=suffix
<= check a_dn_pat: ou=managers,ou=people,dc=suffix
<= check a_dn_pat: ou=devels,ou=people,dc=suffix
<= check a_dn_pat: self
<= acl_mask: no more <who> clauses, returning =n
(stop)
=> access_allowed: auth access denied by =n
conn=0 op=0 RESULT tag=97 err=50 text=
conn=0 fd=12 closed

Likely you need to give auth access to this attribute.  I guess a line like

access to attrs=authAuthority
   by * auth

should come before all access directives; or, you could add "by * auth" in

# Allow managers to modify priv users and users # Allow devels to read priv users and regular users access to dn.children="ou=priv users,ou=people,dc=suffix" by dn.children="ou=admins,ou=people,dc=suffix" write by dn.children="ou=managers,ou=people,dc=suffix" write by dn.children="ou=devels,ou=people,dc=suffix" read by self write by * auth

if all you need is that "priv users" can bind; or a mix of the two for any other purpose (i.e. you need to deny auth access to some requested DNs, so the former example, which virtully grants auth access to all entries is inappropriate for your case).

p.


   SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497

References:
- ACL - user not able to modify self
  - From: Mo Mahmoud <proguru2@yahoo.com>

Prev by Date: How do I get a good gdb trave of slapd?
Next by Date: Re: Rename attribute before return
Index(es):
- Chronological
- Thread