[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Troubleshoot ACLs

To: <openldap-technical@openldap.org>
Subject: Re: Troubleshoot ACLs
From: "Torsten Schlabach (Tascel eG)" <tschlabach@tascel.net>
Date: Wed, 15 Sep 2010 15:55:12 +0000
In-reply-to: <4C90C303.4040405@van-dorp.nl>
Organization: Tascel eG
References: <4C907786.10703@van-dorp.nl> <678b9e74a200caf72d4a5f9889f66ad5@imap.tascel.net> <4C90C303.4040405@van-dorp.nl>
User-agent: Roundcube Webmail/RCMAIL_VERSION

Hi again!

In the concrete case you explain, maybe the group thing doesn't work as
expected.

Here is our (anonymized) entry for that:

{3}to dn.regex="o=([^,]+),o=planet"
by self write
by group.expand="cn=admins2,o=$1,o=planet" write
by dn.base="cn=admin,o=planet" write
by dn.base="uid=someoneelse,ou=user,o=anyorg,o=planet" write
by * search

What that does is:

In each o=something,o=planet subtree we have a group called
cn=admins2,o=something,o=planet. Each member of that group has write access
to o=something,o=planet.

The lines 

by dn.base="cn=admin,o=planet" write
by dn.base="uid=someoneelse,ou=user,o=anyorg,o=planet" write

are needed to make sure that our two superusers cn=admin,o=planet and
uid=someoneelse,ou=user,o=anyorg,o=planet also keep having access.

One nasty thing about how ACLs work is:

As soon as the "to" portion machtes, no further entries are scanned.

So if we would say 

{4}to *
by dn.base="cn=admin,o=planet" write
by dn.base="uid=someoneelse,ou=user,o=anyorg,o=planet" write

later, the entry {3} would still result in cn=admin and uid=someoneelse
not having *any* access to o=...,o=planet if they would not be explicitely
mentioned in entry {3}.

This is what many people stumble on.

Regards,
Torsten


On Wed, 15 Sep 2010 14:58:43 +0200, Marcel van Dorp <marcel@van-dorp.nl>
wrote:
> Torsten Schlabach (Tascel eG) wrote:
>> Hi Marcel!
>> 
>> Your setup is exactly what we also do.
>> 
>> My question:
>> 
>> What works and what doesn't?
> 
> It is quite a lot now, and I did not document properly what did and did
> not work; sorry! I am working with a copy of a real configuration
> (thanks to virtualization!), so basically I can start from scratch with
> the ACLs.
> 
>> 
>> How do you test it? Manually?
>> 
> 
> With PHPldapadmin (PLA). I have a linux workplace, with 2 screens
> (X-windows). On each screen I have a browser open. In the left browser I
> log on as cn=admin,cn=config, and there I do the tweaking. On the right
> browser I login as a user. This way the session cookies remain separate,
> and do not conflict with each other (which happens if you use 2 tabs
> within the same browser). I did some (obvious) abbreviation in my
> original post. As a normal user I use something like:
> 
> cn=testuser,ou=cust1,ou=customers,ou=people,dc=example,dc=com
> 
> In this example I would like to have read rights to anything from:
> 
> ou=cust1,ou=customers,ou=people,dc=example,dc=com
> 
> this DN included, and all children (my own entry is there as well).
> 
> If I am also a member of the group
> 
> cn=cust1,ou=groups,dc=example,dc=com
> 
> then I would like to have write rights as well in beformentioned parts
> of the directory.
> 
> I tried a zillion combinations, but all I get, is access to my own entry
> (in many cases, I can login, but cannot read the directory, not even my
> own entry).
> 
> 
> When I log in in PLA, I get the two toplevel DNs:
> cn=config
> dc=example,dc=com
> 
> Which I cannot expand. Just above this my own DN is displayed, and when
> I click on the left-most field, I get my entry, and I then can expand
> the tree (number of children between parenthesis):
> 
> dc=example,dc=com (1)
> 	ou=people (1)
> 		ou=customers (1)
> 			ou=cust1 (1)
> 				cn=testuser
> 
> When I open the parent (ou=cust1), I do not see any content (there is an
> objectclass definition, the ou attribute (obviously) and an extra
> 'description' attribute (for testing only). In my own entry
> (cn=testuser), I can see all attributes.
> 
> The debug output says a few things about matching and masking, but it is
> not very clear which ACL-line is processed, and if this is about the
> 'to' or the 'by' part.
> 
> Hope this clearifies things a bit. Any suggestions?
> 
> Marcel
> 
>> Regards,
>> Torsten
>> 
>> On Wed, 15 Sep 2010 09:36:38 +0200, Marcel van Dorp
<marcel@van-dorp.nl>
>> wrote:
>>> Hi,
>>>
>>> I try to implement certain ACLs, but apparently something goes wrong.
I
>>> read a lot about ACLs, and I do not understand what I do wrong. Maybe
>>> someone on this list can help.
>>>
>>> I use the Debian (lenny) version of openLDAP (version 2.4.11-1), with
>>> phpldapadmin as frontend. I use cn=config
>>>
>>> I try to achieve the following:
>>>
>>> *) No anonymous access
>>> *) Users can change their own attributes/children
>>> *) LDAP managers are listed in a groupOfNames
>>> *) Customers should have READ access to their parent entry, and all
>>> children of their parent (siblings)
>>> *) Specific users below a customer should have WRITE access to their
>>> parent, and all siblings (users are member of a specific groupOfNames)
>>>
>>> I have the following ACLs in olcAccess (sanitized, on multiple lines
for
>>> readability, with group/groupOfNames/member abbt. to g/gON/m below):
>>>
>>> {0}to attrs=userPassword,shadowLastChange
>>> 	by dn.base="cn=admin,ou=roles,dc=exm,dc=com" write
>>> 	by g/gON/m.exact="cn=ldapadm,ou=groups,dc=exm,dc=com" write
>>> 	by g/gON/m.exact="cn=repl,ou=roles,dc=exm,dc=com" read
>>> 	by anonymous auth
>>> 	by self write
>>> 	by * none
>>>
>>> {1}to dn.base="" by * read
>>>
>>> {2}to dn.regex="ou=([^,]+),ou=cust,ou=people,dc=exm,dc=com"
>>> 	by dn.exact,expand="cn=[^,]+,ou=$1,ou=cust,ou=people,dc=exm,dc=com"
>> read
>>> 	by g/gON/m.exact,expand="cn=$1,ou=cust,ou=people,dc=exm,dc=com" write
>>> 	by * none
>>>
>>> {3}to attrs=mail,entry
>>> 	by dn.exact="cn=admin,ou=roles,dc=exm,dc=com" write
>>> 	by g/gON/m.exact="cn=ldapadm,ou=groups,dc=exm,dc=com" write
>>> 	by self write
>>> 	by * read
>>>
>>> {4}to *
>>> 	by dn.exact="cn=admin,ou=roles,dc=exm,dc=com" write
>>> 	by g/gON/m.exact="cn=ldapadm,ou=groups,dc=exm,dc=com" write
>>> 	by anonymous search
>>> 	by self write
>>> 	by * none
>>>
>>>
>>> Explanation:
>>>
>>> {0} superuser, admins and self can change passwords. Replicators can
>>> read, anonymous can authenticate, and others have no access.
>>>
>>> {1} Is added to get some result, gives read access to the top level of
>>> the directory. It shows 'cn=config', and 'dc=exm,dc=com'
>>>
>>> {2} Is the ACL which I expected to work.
>>> 	The 'to' clause matches any customer in that branch
>>> 	The first 'by' matches any member in a group with the same name
>>> 	The second 'by' matches any entry below this customer
>>> 	The last 'by' denies other access
>>>
>>> {3} Is there, because the email address is used for login (matching dn
>>> is looked up, and then used to bind. See documentation of
phpldapadmin).
>>>
>>> {4} Is there, so I can actually do something (My dn is in the
mentioned
>>> group)
>>>
>>> I played with a different order and the like, but I do not get what I
>>> want. When I enable logging (olcLogLevel = ACL), I get some info, but
it
>>> is hard to determine where it goes wrong.
>>>
>>> Regarding {2}:
>>> *) I also prepended the 'to' with '.+,' to match everything below, but
>>> to no avail.
>>> *) I also tried the 'by' clauses with 'dn=regex' instead of 'dn.exact'
>>>
>>> Questions:
>>>
>>> 1) What is it I do wrong?
>>> 2) How can I troubleshoot these issues (ACL validator available?)
>>>
>>>
>>> If more info is needed, please let me know.
>>>
>>> Marcel

Follow-Ups:
- Re: Troubleshoot ACLs
  - From: Marcel van Dorp <marcel@van-dorp.nl>

References:
- Troubleshoot ACLs
  - From: Marcel van Dorp <marcel@van-dorp.nl>

Prev by Date: Re: Troubleshoot ACLs
Next by Date: Re: Changing serverID considered harmful
Index(es):
- Chronological
- Thread