Re: access 'sets'

[Pierangelo Masarati <ando@sys-net.it>]

Boris Stobbe wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hi,
>
> I'm trying to implement an ACL based on sets, but it doesn't work. I
> defined the ACL as:
> access to dn.children="ou=Jobs,ou=PyKota,o=test"
> ~~        by dn="cn=pykota,ou=Admin,o=test" write
> ~~        by set="user/uid & this/pykotaUserName" read
> ~~        by * search
>
> If I search for an object (the object hast pykotaUserName=testuser) with
> 'ldapsearch -x -D uid=testuser,ou=People,o=test -W 
> pykotaUserName=testuser'
> , I get the following debug output on the server:
>
> => dn: [26] ou=jobs,ou=pykota,o=test
> => acl_get: [26] matched
> => acl_get: [26] attr entry
> => acl_mask: access to entry "cn=123,ou=Jobs,ou=PyKota,o=test", attr
> "entry" requested
> => acl_mask: to all values by "uid=testuser,ou=people,o=test", (=n)
> <= check a_dn_pat: cn=pykota,ou=admin,o=test
> <= check a_dn_pat: *
> <= acl_mask: [3] applying search(=scx) (stop)
> <= acl_mask: [3] mask: search(=scx)
> => access_allowed: read access denied by search(=scx)
>
> It seem like the server doesn't recognize the set-rule, because the 
> server
> only tries 'check a_dn_pat: cn=pykota,ou=admin,o=test' and 'check 
> a_dn_pat: *'

No, it doesn't shouw up because there's no corresponding logging for the 
set rule; I'll fix this in a moment.  I suspect this should be 
backported to 2.2; please file an ITS <http://www.openldap.org/its/>.

> I'm using openLDAP 2.2.13-2 running on a RHEL 4 server

Sets (and your specific rule) seem to work as expected in the latest 2.2 
(and in 2.3, of course); I note that in 2.2's CHANGES:

OpenLDAP 2.2.16 Release
       ...
       Fixed slapd ACL sets bug (ITS#3140)
       ...

In any case, current stable is 2.2.26, so I suspect you'd better upgrade.

p.


   SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497