
Troubleshoot ACLs

Hi,

I am trying to implement certain ACLs, but apparently something is going
wrong. I have read a lot about ACLs, and I do not understand what I am
doing wrong. Maybe someone on this list can help.

I use the Debian (lenny) version of OpenLDAP (version 2.4.11-1), with
phpldapadmin as frontend. I use cn=config.

I am trying to achieve the following:

*) No anonymous access
*) Users can change their own attributes/children
*) LDAP managers are listed in a groupOfNames
*) Customers should have READ access to their parent entry, and all
children of their parent (siblings)
*) Specific users below a customer should have WRITE access to their
parent, and all siblings (users are member of a specific groupOfNames)

I have the following ACLs in olcAccess (sanitized, on multiple lines for
readability, with group/groupOfNames/member abbreviated to g/gON/m below):

{0}to attrs=userPassword,shadowLastChange
	by dn.base="cn=admin,ou=roles,dc=exm,dc=com" write
	by g/gON/m.exact="cn=ldapadm,ou=groups,dc=exm,dc=com" write
	by g/gON/m.exact="cn=repl,ou=roles,dc=exm,dc=com" read
	by anonymous auth
	by self write
	by * none

{1}to dn.base="" by * read

{2}to dn.regex="ou=([^,]+),ou=cust,ou=people,dc=exm,dc=com"
	by dn.exact,expand="cn=[^,]+,ou=$1,ou=cust,ou=people,dc=exm,dc=com" read
	by g/gON/m.exact,expand="cn=$1,ou=cust,ou=people,dc=exm,dc=com" write
	by * none

{3}to attrs=mail,entry
	by dn.exact="cn=admin,ou=roles,dc=exm,dc=com" write
	by g/gON/m.exact="cn=ldapadm,ou=groups,dc=exm,dc=com" write
	by self write
	by * read

{4}to *
	by dn.exact="cn=admin,ou=roles,dc=exm,dc=com" write
	by g/gON/m.exact="cn=ldapadm,ou=groups,dc=exm,dc=com" write
	by anonymous search
	by self write
	by * none
Explanation:

{0} superuser, admins and self can change passwords. Replicators can
read, anonymous can authenticate, and others have no access.

{1} is added to get some result; it gives read access to the top level of
the directory. It shows 'cn=config' and 'dc=exm,dc=com'.

{2} is the ACL which I expected to work.
	The 'to' clause matches any customer in that branch
	The first 'by' matches any member in a group with the same name
	The second 'by' matches any entry below this customer
	The last 'by' denies other access

{3} is there because the email address is used for login (the matching DN
is looked up and then used to bind; see the phpldapadmin documentation).

{4} is there so I can actually do something (my DN is in the mentioned
group).

I played with a different order and the like, but I do not get what I
want. When I enable logging (olcLogLevel = ACL), I get some info, but it
is hard to determine where it goes wrong.

Regarding {2}:
*) I also prepended the 'to' with '.+,' to match everything below, but
to no avail.
*) I also tried the 'by' clauses with 'dn=regex' instead of 'dn.exact'.

Questions:

1) What is it I do wrong?
2) How can I troubleshoot these issues (is an ACL validator available?)


If more info is needed, please let me know.

Marcel
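The slapacl(8) utility that ships with OpenLDAP checks what a given bind DN gets on a given entry under the live configuration. The Python model below is an added example, not part of the post or of OpenLDAP: it reproduces the 'to dn.regex' capture and the 'by ...,expand' substitution of rule {2}, so the effect of dn.exact,expand versus dn.regex,expand, and of 'by' clause order, can be seen offline. It assumes the sanitized DNs from the post, a constructed group membership, and a simplified matcher (no DN normalisation; the 'to' pattern is anchored here).

```python
import re

# Constructed toy model (not slapd) of how a "by" clause of rule {2} is
# matched against the bind DN after "to dn.regex" has captured $1.
CUST = "ou=cust,ou=people,dc=exm,dc=com"
TO_PATTERN = r"^ou=([^,]+)," + CUST + r"$"

# Constructed groupOfNames membership: group DN -> set of member DNs.
GROUPS = {f"cn=acme,{CUST}": {f"cn=bob,ou=acme,{CUST}"}}

def expand(template, groups):
    """Substitute $1..$9 with the groups captured by the 'to' clause."""
    return re.sub(r"\$(\d)", lambda m: groups[int(m.group(1)) - 1], template)

def who_matches(style, template, bind_dn, groups):
    """Evaluate one 'by <style>="<template>" <level>' clause."""
    value = expand(template, groups)
    if style == "dn.exact,expand":      # literal comparison: '[^,]+' is not a regex here
        return bind_dn.lower() == value.lower()
    if style == "dn.regex,expand":      # the expanded string is a regular expression
        return re.search(value, bind_dn, re.IGNORECASE) is not None
    if style == "group/groupOfNames/member.exact,expand":
        return bind_dn in GROUPS.get(value, set())
    raise ValueError(f"unsupported style: {style}")

def access_for(target_dn, bind_dn, by_clauses):
    """Level granted by the FIRST matching 'by' clause (evaluation stops there),
    or None when the 'to' clause does not select target_dn at all."""
    m = re.match(TO_PATTERN, target_dn, re.IGNORECASE)
    if m is None:
        return None
    for style, template, level in by_clauses:
        if who_matches(style, template, bind_dn, m.groups()):
            return level
    return "none"          # default when no 'by' clause matches

# Rule {2} as posted: the first 'by' uses dn.exact,expand with a regex-looking value.
AS_POSTED = [
    ("dn.exact,expand", f"cn=[^,]+,ou=$1,{CUST}", "read"),
    ("group/groupOfNames/member.exact,expand", f"cn=$1,{CUST}", "write"),
]
# Same clauses, with the first 'by' as dn.regex,expand (anchored).
WITH_REGEX = [
    ("dn.regex,expand", f"^cn=[^,]+,ou=$1,{CUST}$", "read"),
    ("group/groupOfNames/member.exact,expand", f"cn=$1,{CUST}", "write"),
]

if __name__ == "__main__":
    print(access_for(f"ou=acme,{CUST}", f"cn=alice,ou=acme,{CUST}", WITH_REGEX))
```

Because the first matching 'by' wins, a group member who also sits below the customer (bob) gets only the level of the earlier dn clause; the reversed clause order in the assertions shows the difference.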