Re: ACL Question 'write stop' 'write break'
- To: openldap-software@openldap.org
- Subject: Re: ACL Question 'write stop' 'write break'
- From: Edward Capriolo <edlinuxguru@gmail.com>
- Date: Mon, 19 Oct 2009 12:30:37 -0400
- In-reply-to: <cbbf4b570910150822i8688c5ao377869116f860ab4@mail.gmail.com>
- References: <cbbf4b570910150822i8688c5ao377869116f860ab4@mail.gmail.com>
On Thu, Oct 15, 2009 at 11:22 AM, Edward Capriolo <edlinuxguru@gmail.com> wrote:
> Hello all,
>
> We are currently migrating from a master-slave, to a multi-master
> setup. All went well except for the fact that the access on the old
> master node was more liberal than the access on the slave node. As a
> result some applications were able to use this to their advantage and
> now are not working quite correctly when each node is a read write
> master.
>
> Here is my configuration:
>
> #access to dn.regex="mail=.*.managed@jointhegrid.com,ou=user,ou=jointhegrid.com,o=jointhegrid,c=US"
> #        attrs=userPassword,accountstatus
> #        by dn="mail=john@jointhegrid.com,ou=user,ou=jointhegrid.com,o=jointhegrid,c=US" write break
> #        by dn="mail=sara@jointhegrid.com,ou=user,ou=jointhegrid,o=jointhegrid,c=US" write break
> access to attr=userPassword
>         by self write
>         by anonymous auth
>         by dn="mail=samba@jointhegrid.com,ou=user,ou=jointhegrid.com,o=jointhegrid,c=US" read
>         by dn="mail=samba@jointhegrid-inc.com,ou=user,ou=jointhegrid-inc.com,o=jointhegrid,c=US" read
>         by * none
> access to attrs=sambaLMPassword,sambaNTPassword
>         by dn="mail=samba@jointhegrid.com,ou=user,ou=jointhegrid.com,o=jointhegrid,c=US" read
>         by dn="mail=samba@jointhegrid-inc.com,ou=user,ou=jointhegrid-inc.com,o=jointhegrid,c=US" read
>         by self write
>         by * none
> access to *
>         by dn="mail=samba@jointhegrid.com,ou=user,ou=jointhegrid.com,o=jointhegrid,c=US" write
>         by dn="mail=samba@jointhegrid-inc.com,ou=user,ou=jointhegrid-inc.com,o=jointhegrid,c=US" write
>         by dnattr=manager write
>         by self write
>         by users read
>         by * none
>
> My problem is the top commented lines; these rules are to allow sara
> and john to administer all "mail=.*.managed" users. This worked fine
> in the past because no read queries hit the master, but now with
> multi-master "mail=.*.managed" users have no access to the directory.
> The old rule was
>
> # by dn="mail=sara@jointhegrid.com,ou=user,ou=jointhegrid,o=jointhegrid,c=US" write stop
>
> I also tried
>
> # by dn="mail=sara@jointhegrid.com,ou=user,ou=jointhegrid,o=jointhegrid,c=US" write break
>
> I was under the impression that "write break" would continue
> evaluation, but I do not understand how this is working. Can anyone
> help me with a suggestion for fixing this?
>
> Thank you!
>
Hey all,
I know this is somewhat of an RTFM question, but I did RTFM and I don't
understand how BREAK is interpreted.
man slapd.access
....
The other two forms are used to keep on processing access clauses. In
detail, the continue form allows for other <who> clauses in the same
<access> clause to be considered, so that they may result in
incrementally altering the privileges, while the break form allows for
other <access> clauses that match the same target to be processed.
Consider the (silly) example

        access to dn.subtree="dc=example,dc=com" attrs=cn
                by * =cs break
        access to dn.subtree="ou=People,dc=example,dc=com"
                by * +r
Do I need

        access to dn.regex="mail=.*.managed@jointhegrid.com,ou=user,ou=jointhegrid.com,o=jointhegrid,c=US"
                attrs=userPassword,accountstatus
                by dn="mail=john@jointhegrid.com,ou=user,ou=jointhegrid.com,o=jointhegrid,c=US" write break
                by dn="mail=sara@jointhegrid.com,ou=user,ou=jointhegrid,o=jointhegrid,c=US" write break
                by * break

?
We have a pretty large LDAP deployment with lots of applications using
it. Every time I get this rule wrong I manage to block someone's
access. I know it's not your problem, but please throw me a bone here
:)
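The fall-through form of the delegated-admin clause, as an added example that is not part of this thread (it follows the slapd.access(5) semantics quoted above, with the DNs copied from the question): john and sara keep the default `stop`, so their write grant is final, while a trailing `by * break` sends every other identity on to the later clauses instead of the implicit deny. Putting `break` on john and sara themselves would instead carry evaluation into `access to attrs=userPassword`, where the plain (non-incremental) `by * none` replaces the write they were just granted.

```conf
# Added example, not from the thread. DNs are copied from the question; sara's is
# written with ou=jointhegrid rather than ou=jointhegrid.com like the others, so
# check that it names the intended entry before relying on it. The regex is kept
# as written; slapd regexes are unanchored unless ^ and $ are given.
access to dn.regex="mail=.*.managed@jointhegrid.com,ou=user,ou=jointhegrid.com,o=jointhegrid,c=US"
        attrs=userPassword,accountstatus
        # Default control is "stop": john and sara get write and evaluation ends here.
        by dn="mail=john@jointhegrid.com,ou=user,ou=jointhegrid.com,o=jointhegrid,c=US" write
        by dn="mail=sara@jointhegrid.com,ou=user,ou=jointhegrid,o=jointhegrid,c=US" write
        # Everyone else: nothing is decided here, keep going with the clauses below.
        # Without this line the implicit "by * none" applies and stops, so the
        # managed user itself (self write) and the anonymous bind that needs "auth"
        # on userPassword are both refused.
        by * break

# Unchanged general rules; they are now reached by every identity the clause
# above did not decide.
access to attrs=userPassword
        by self write
        by anonymous auth
        by dn="mail=samba@jointhegrid.com,ou=user,ou=jointhegrid.com,o=jointhegrid,c=US" read
        by dn="mail=samba@jointhegrid-inc.com,ou=user,ou=jointhegrid-inc.com,o=jointhegrid,c=US" read
        by * none
```

Before loading it, confirm the outcome for each identity with `slapacl` (e.g. `slapacl -D <bind DN> -b <managed user DN> userPassword`), since a wrong rule here blocks binds for everyone whose entry the regex matches.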