
sets and groupOfNames groups



openldap-2.3.38

I have this ACL:
access to dn.regex="^([^,]+,)?ou=sudoers,dc=example,dc=com$"
 attrs=children,entry,@sudoRole
 by group.exact="cn=Sudo Admins,ou=System Groups,dc=example,dc=com" write
 by * read

The group is:
dn: cn=Sudo Admins,ou=System Groups,dc=example,dc=com
cn: Sudo Admins
objectClass: groupOfNames
description: Members can administer ou=sudoers entries and attributes
owner: uid=Sudo Admin,ou=System Accounts,dc=example,dc=com
member: uid=Sudo Admin,ou=System Accounts,dc=example,dc=com

It works as expected if I place some user in the sudo admins group and
add an entry under ou=sudoers. If the user is not a member of this
group, the add operation fails.

Now I want to be able to use nested groups, so I follow the FAQ and do a
test with sets:

access to dn.regex="^([^,]+,)?ou=sudoers,dc=example,dc=com$"
 attrs=children,entry,@sudoRole
 by set="[cn=Sudo Admins,ou=System Groups,dc=example,dc=com]/member*" write
 by * read

Without changing anything in the sudo admins group entry, suddenly I can
create new entries under ou=sudoers as any authenticated user. That is,
the group still only has the "uid=sudo admin" member, but I can add a
new sudo entry as another user:

$ ldapadd -x -D uid=jsmith,ou=people,dc=example,dc=com -w jsmith < foo.ldif 
adding new entry "cn=iurt,ou=sudoers,dc=example,dc=com"

The ACL logs show:
=> dnpat: [18] ^([^,]+,)?ou=sudoers,dc=example,dc=com$ nsub: 1 
=> acl_get: [18] matched 
=> acl_get: [18] attr children 
=> acl_mask: access to entry "ou=sudoers,dc=example,dc=com", attr "children" requested 
=> acl_mask: to all values by "uid=jsmith,ou=people,dc=example,dc=com", (=0)  
<= check a_set_pat: [cn=Sudo Admins,ou=System Groups,dc=example,dc=com]/member* 
=> bdb_entry_get: found entry: "cn=sudo admins,ou=system groups,dc=example,dc=com" 
=> bdb_entry_get: found entry: "uid=sudo admin,ou=system accounts,dc=example,dc=com" 
<= acl_mask: [1] applying write(=wrscxd) (stop) 
<= acl_mask: [1] mask: write(=wrscxd) 
=> access_allowed: add access granted by write(=wrscxd) 
(...)
=> acl_mask: access to entry "cn=iurt,ou=sudoers,dc=example,dc=com", attr "entry" requested 
=> acl_mask: to all values by "uid=jsmith,ou=people,dc=example,dc=com", (=0)  
<= check a_set_pat: [cn=Sudo Admins,ou=System Groups,dc=example,dc=com]/member* 
=> bdb_entry_get: found entry: "cn=sudo admins,ou=system groups,dc=example,dc=com" 
=> bdb_entry_get: found entry: "uid=sudo admin,ou=system accounts,dc=example,dc=com" 
<= acl_mask: [1] applying write(=wrscxd) (stop) 
<= acl_mask: [1] mask: write(=wrscxd) 
=> access_allowed: add access granted by write(=wrscxd) 

So why was "jsmith" allowed to create a new entry under ou=sudoers? He
is not a member of any of the special groups, and I only changed the ACL
line from "by group" to "by set".

$ ldapsearch -x -LLL -h localhost member=uid=jsmith,ou=people,dc=example,dc=com cn
$
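The log lines above show what a `by set=` clause actually evaluates: slapd expands `[cn=Sudo Admins,...]/member*` into the set of DNs reachable through the group's member attribute, and the clause is satisfied whenever that set is non-empty. Nothing in the expression compares the set against the DN that bound, so any authenticated user satisfies it as long as the group has at least one member. The nested-group form the OpenLDAP set documentation gives intersects the closure with the bound DN (`[...]/member* & user`), which is what restricts the grant to actual (direct or nested) members. The following is an added example, not code from this post or from OpenLDAP: a small Python model of that evaluation over a constructed in-memory directory (the group and users from the post plus a hypothetical nested group `cn=Junior Admins` and user `uid=jdoe`). The exact closure semantics of `*` (whether the starting DN is included) are an assumption noted in the code.

```python
"""Toy model of how slapd decides a `by set="..."` ACL clause.

Added example, not OpenLDAP code. The directory is a constructed in-memory
dict standing in for the entries in the post, and the set language is
reduced to the two forms under discussion:

  [dn]/member*          closure over the member attribute
  [dn]/member* & user   that closure intersected with the bound user's DN

A set clause matches when the resulting set is non-empty.
"""
from typing import Dict, List, Set

GROUP_DN = "cn=Sudo Admins,ou=System Groups,dc=example,dc=com"

# Constructed directory: normalised DN -> attributes. cn=Junior Admins and
# uid=jdoe are hypothetical additions to show the nested-group case.
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    "cn=sudo admins,ou=system groups,dc=example,dc=com": {
        "objectclass": ["groupofnames"],
        "member": [
            "uid=Sudo Admin,ou=System Accounts,dc=example,dc=com",
            "cn=Junior Admins,ou=System Groups,dc=example,dc=com",
        ],
    },
    "cn=junior admins,ou=system groups,dc=example,dc=com": {
        "objectclass": ["groupofnames"],
        "member": ["uid=jdoe,ou=People,dc=example,dc=com"],
    },
    "uid=sudo admin,ou=system accounts,dc=example,dc=com": {"objectclass": ["inetorgperson"]},
    "uid=jdoe,ou=people,dc=example,dc=com": {"objectclass": ["inetorgperson"]},
    "uid=jsmith,ou=people,dc=example,dc=com": {"objectclass": ["inetorgperson"]},
}


def normalize(dn: str) -> str:
    """Crude DN normalisation (case-fold, trim); real slapd is schema-aware."""
    return dn.strip().lower()


def member_closure(start: str, attr: str = "member") -> Set[str]:
    """Model of [start]/attr*: follow attr links transitively.

    Assumption: the closure includes the starting DN itself. Each DN found is
    looked up once, which is the bdb_entry_get pattern visible in the log."""
    seen = {normalize(start)}
    frontier = [normalize(start)]
    while frontier:
        dn = frontier.pop()
        for value in DIRECTORY.get(dn, {}).get(attr, []):
            v = normalize(value)
            if v not in seen:
                seen.add(v)
                frontier.append(v)
    return seen


def set_clause_matches(group_dn: str, bound_user: str, intersect_with_user: bool) -> bool:
    """Decide the clause the way slapd does: true iff the evaluated set is non-empty.

    intersect_with_user=False models  set="[group]/member*"
    intersect_with_user=True  models  set="[group]/member* & user"
    """
    result = member_closure(group_dn)
    if intersect_with_user:
        result = result & {normalize(bound_user)}
    return len(result) > 0


def access_decision(bound_user: str, intersect_with_user: bool) -> str:
    """Map the clause result onto the ACL's two 'by' lines: write on match, else read."""
    return "write" if set_clause_matches(GROUP_DN, bound_user, intersect_with_user) else "read"


if __name__ == "__main__":
    for user in ("uid=jsmith,ou=People,dc=example,dc=com",
                 "uid=jdoe,ou=People,dc=example,dc=com",
                 "uid=Sudo Admin,ou=System Accounts,dc=example,dc=com"):
        print(f"{user:55s} /member*          -> {access_decision(user, False)}")
        print(f"{user:55s} /member* & user   -> {access_decision(user, True)}")
```

Run as a script, the model reproduces the symptom in the post: with `/member*` alone every listed user, jsmith included, gets `write` because the group's closure is never empty; with the `& user` intersection only the direct member (`uid=Sudo Admin`) and the nested member (`uid=jdoe`) get `write`, and jsmith falls through to `by * read`. When reviewing a slapd.conf, the check to make is that every `set=` clause meant to express membership contains a `& user` (or a comparable intersection with `this`/`user`), since a bare attribute closure only tests that the referenced entry has members.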