
RE: Challenge With Access Control



Michal,

	Thanks, that worked.

Brian 

-----Original Message-----
From: Michal Dobroczynski [mailto:michal.dobroczynski@gmail.com] 
Sent: Thursday, July 05, 2007 11:25 AM
To: Brian Gaber
Cc: openldap-software@openldap.org
Subject: Re: Challenge With Access Control

Add -h 10.16.13.84 or whatever the LDAP listens on to ldapsearch and try
again.

Regards,
Michal

On 05/07/07, Brian Gaber <Brian.Gaber@pwgsc.gc.ca> wrote:
> Michal,
>
>         Tried your suggestion, ldapsearch still fails.  Here is the log:
>
> Jul  5 11:09:31 ias2 slapd[11565]: entry_decode: "SFTid=0002-00000000,ou=servers,o=sft"
> Jul  5 11:09:31 ias2 slapd[11565]: <= entry_decode(SFTid=0002-00000000,ou=servers,o=sft)
> Jul  5 11:09:31 ias2 slapd[11565]: => bdb_dn2id("SFTid=0002-00000000,ou=servers,o=sft")
> Jul  5 11:09:31 ias2 slapd[11565]: <= bdb_dn2id: got id=0x00000030
> Jul  5 11:09:31 ias2 slapd[11565]: => test_filter
> Jul  5 11:09:31 ias2 slapd[11565]:     EQUALITY
> Jul  5 11:09:31 ias2 slapd[11565]: => access_allowed: search access to "SFTid=0002-00000000,ou=servers,o=sft" "SFTid" requested
> Jul  5 11:09:31 ias2 slapd[11565]: => acl_get: [1] attr SFTid
> Jul  5 11:09:31 ias2 slapd[11565]: => acl_mask: access to entry "SFTid=0002-00000000,ou=servers,o=sft", attr "SFTid" requested
> Jul  5 11:09:31 ias2 slapd[11565]: => acl_mask: to value by "", (=0)
> Jul  5 11:09:31 ias2 slapd[11565]: <= check a_dn_pat: self
> Jul  5 11:09:31 ias2 slapd[11565]: <= check a_peername_path: 10.16.13.84
> Jul  5 11:09:31 ias2 slapd[11565]: <= check a_peername_path: IP=10.16.13.8[1-6]*
> Jul  5 11:09:31 ias2 slapd[11565]: => acl_string_expand: pattern: IP=10.16.13.8[1-6]*
> Jul  5 11:09:31 ias2 slapd[11565]: => acl_string_expand: expanded: IP=10.16.13.8[1-6]*
> Jul  5 11:09:31 ias2 slapd[11565]: => regex_matches: string:^I IP=127.0.0.1:46749
> Jul  5 11:09:31 ias2 slapd[11565]: => regex_matches: rc: 1 no matches
> Jul  5 11:09:31 ias2 slapd[11565]: <= acl_mask: no more <who> clauses, returning =0 (stop)
> Jul  5 11:09:31 ias2 slapd[11565]: => access_allowed: search access denied by =0
> Jul  5 11:09:31 ias2 slapd[11565]: <= test_filter 50
> Jul  5 11:09:31 ias2 slapd[11565]: bdb_search: 48 does not match filter
>
> -----Original Message-----
> From: Michal Dobroczynski [mailto:michal.dobroczynski@gmail.com]
> Sent: Thursday, July 05, 2007 11:01 AM
> To: Brian Gaber
> Cc: openldap-software@openldap.org
> Subject: Re: Challenge With Access Control
>
> As far as I understand the log - you need to include the port. This 
> should help then:
>
> by peername.regex="IP=10\.16\.13\.8[1-6]:[0-9]*" read
>
> Regards,
> Michal
>
> On 05/07/07, Brian Gaber <Brian.Gaber@pwgsc.gc.ca> wrote:
> > Tried your suggestion and still have a problem.
> >
> > Here is the new slapd.conf:
> >
> > access to *
> >   by self write
> >   by peername.ip=10.16.13.84 write
> >   by peername.regex="IP=10\.16\.13\.8[1-6]" read
> >
> > Here is the log:
> >
> > entry_decode: "SFTid=0001-00000000,ou=servers,o=sft"
> > Jul  5 10:46:35 ias2 slapd[11401]: <= entry_decode(SFTid=0001-00000000,ou=servers,o=sft)
> > Jul  5 10:46:35 ias2 slapd[11401]: => bdb_dn2id("SFTid=0001-00000000,ou=servers,o=sft")
> > Jul  5 10:46:35 ias2 slapd[11401]: <= bdb_dn2id: got id=0x0000002f
> > Jul  5 10:46:35 ias2 slapd[11401]: => test_filter
> > Jul  5 10:46:35 ias2 slapd[11401]:     EQUALITY
> > Jul  5 10:46:35 ias2 slapd[11401]: => access_allowed: search access to "SFTid=0001-00000000,ou=servers,o=sft" "SFTid" requested
> > Jul  5 10:46:35 ias2 slapd[11401]: => acl_get: [1] attr SFTid
> > Jul  5 10:46:35 ias2 slapd[11401]: => acl_mask: access to entry "SFTid=0001-00000000,ou=servers,o=sft", attr "SFTid" requested
> > Jul  5 10:46:35 ias2 slapd[11401]: => acl_mask: to value by "", (=0)
> > Jul  5 10:46:35 ias2 slapd[11401]: <= check a_dn_pat: self
> > Jul  5 10:46:35 ias2 slapd[11401]: <= check a_peername_path: 10.16.13.84
> > Jul  5 10:46:35 ias2 slapd[11401]: <= check a_peername_path: IP=10.16.13.8[1-6]
> > Jul  5 10:46:35 ias2 slapd[11401]: => acl_string_expand: pattern: IP=10.16.13.8[1-6]
> > Jul  5 10:46:35 ias2 slapd[11401]: => acl_string_expand: expanded: IP=10.16.13.8[1-6]
> > Jul  5 10:46:35 ias2 slapd[11401]: => regex_matches: string:^I IP=127.0.0.1:46504
> > Jul  5 10:46:35 ias2 slapd[11401]: => regex_matches: rc: 1 no matches
> > Jul  5 10:46:35 ias2 slapd[11401]: <= acl_mask: no more <who> clauses, returning =0 (stop)
> > Jul  5 10:46:35 ias2 slapd[11401]: => access_allowed: search access denied by =0
> > Jul  5 10:46:35 ias2 slapd[11401]: <= test_filter 50
> >
> > -----Original Message-----
> > From: Michal Dobroczynski [mailto:michal.dobroczynski@gmail.com]
> > Sent: Thursday, July 05, 2007 10:36 AM
> > To: Brian Gaber
> > Cc: openldap-software@openldap.org
> > Subject: Re: Challenge With Access Control
> >
> > On 05/07/07, Brian Gaber <Brian.Gaber@pwgsc.gc.ca> wrote:
> > >
> > >
> > >
> > > Hope someone can explain this to me.  I am sure it is very trivial.  I
> > > have a primary LDAP server (10.16.13.84), a replica LDAP server
> > > (10.16.13.85) and a few clients all with a 10.16.13.x address.
> > >
> > > Here is the access control I thought would work:
> > >
> > > access  to *
> > >   by self write
> > >   by peername=10.16.13.84 write
> > >   by peername=10.16.13.81 read
> > >   by peername=10.16.13.82 read
> > >   by peername=10.16.13.83 read
> > >   by peername=10.16.13.85 read
> > >   by peername=10.16.13.86 read
> > >
> > > Here is what does work:
> > >
> > > access to *
> > >   by self write
> > >   by peername.ip=10.16.13.84 write
> > >   by * read
> > >
> > >         By work I mean that when I am on the replica (10.16.13.85) and
> > > issue an ldapsearch to itself I get a 32 no such object with the top
> > > access, but I get the expected result with the bottom access.
> >
> > I am not 100% sure, but maybe this will help you (I am using similar
> > ACL). AFAIR in the peername you need to add the "IP=" - but I don't
> > really remember, please correct me. The regex matching directive
> > that works for me looks like this:
> >
> >  by peername.regex="IP=10\.10\.120\..+" read
> >
> > Then you could try:
> >
> > by peername.regex="IP=10\.16\.13\.8[1-6]" read
> >
> > And please double check if you need to supply the "IP=10.10.10.10" for
> > the "by peername" without regex.
> > The regex solution will not conflict with the first entry as write
> > permission includes reading (and ACL parsing stops on the first
> > matched rule).
> >
> > Hope this helps.
> >
> > Regards,
> > Michal
> >
> > >
> > > Brian Gaber
> >
>
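The thread's resolution hinges on the peername slapd actually sees: an ldapsearch to the local host arrives as "IP=127.0.0.1:46749", which no 10.16.13.x clause can match, while "-h 10.16.13.84" makes the connection arrive on the real interface. The following is an added Python model of that first-match walk over the thread's "by" clauses (not OpenLDAP code, and it omits the "by self" clause, which depends on the bind DN); it assumes slapd's regex check is unanchored, which re.search approximates, and it also shows an anchored variant that is not from the thread.

```python
import re

# Constructed model of one "access to *" directive: slapd tests the <who>
# clauses in order and the first one that matches decides the access level,
# then evaluation stops (the "(stop)" in the thread's log). Peernames use the
# form slapd logs, e.g. "IP=127.0.0.1:46749".
ACL_FROM_THREAD = [
    ("peername.ip", "10.16.13.84", "write"),
    ("peername.regex", r"IP=10\.16\.13\.8[1-6]:[0-9]*", "read"),
]

# Anchored variant (not from the thread): the pattern must cover the whole
# peername string and requires at least one port digit.
ACL_ANCHORED = [
    ("peername.ip", "10.16.13.84", "write"),
    ("peername.regex", r"^IP=10\.16\.13\.8[1-6]:[0-9]+$", "read"),
]


def clause_matches(style, value, peername):
    """Return True if a single <who> clause matches the connection's peername."""
    if style == "peername.ip":
        # Simplification (assumption): compare the address part only and
        # ignore the ephemeral port after the last colon.
        addr = peername.split("=", 1)[1].rsplit(":", 1)[0]
        return addr == value
    if style == "peername.regex":
        # Assumption: unanchored search, like regexec() on the raw pattern.
        return re.search(value, peername) is not None
    raise ValueError(f"unsupported <who> style: {style}")


def access_for(acl, peername):
    """Walk the clauses in order; 'none' means no clause matched (denied)."""
    for style, value, level in acl:
        if clause_matches(style, value, peername):
            return level
    return "none"


if __name__ == "__main__":
    # The loopback peername from the log versus the same query via -h.
    for peer in ("IP=127.0.0.1:46749", "IP=10.16.13.84:40001",
                 "IP=10.16.13.85:40002"):
        print(f"{peer:22} -> {access_for(ACL_FROM_THREAD, peer)}")
```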