[Date Prev][Date Next] [Chronological] [Thread] [Top]

ACL processing: additive privs (using control continue)



Hi list,

just a short question about "continue" and additive privileges, given the following acl statement:

access to dn.subtree="o=test" attrs=sn
 by users =s continue
 by group/groupOfNames/member="cn=readers,ou=groups,o=test" +r

If the current user's bindDn isn't a member of the group "cn=readers,..." or the group's entry does not exist, the previously set privilege "=s" will be reset to "none"?

As the slapd.access man page just gives a "silly" and an "even more silly" example regarding "continue" I'm not sure this is the intended behavior.

Attached you'll find my minimalistic testbed:
  slapd.conf
  sample ldif data
  two ldapsearch commands (including their slapd.log level 128)

I'm using openldap MASTER.

Thank you very much.

Cheers
Dora

------8<---------    slapd.conf    --------8<---------


include         /opt/openldap-HEAD/etc/openldap/schema/core.schema

pidfile         /opt/openldap-HEAD/var/run/slapd.pid
argsfile        /opt/openldap-HEAD/var/run/slapd.args

access to *
 by self write
 by users read
 by anonymous auth

database        mdb
suffix          "o=test"
rootdn          "cn=Manager,o=test"
rootpw          secret
directory       /opt/openldap-HEAD/var/openldap-data/test
index   objectClass     eq

access to dn.subtree="o=test" attrs=sn
 by users =s continue
 by group/groupOfNames/member="cn=readers,ou=groups,o=test" +r


------8<---------      sample data     --------8<---------


version: 1

dn: o=test
objectClass: organization
objectClass: top
o: test

dn: ou=groups,o=test
objectClass: organizationalUnit
objectClass: top
ou: groups

dn: ou=persons,o=test
objectClass: organizationalUnit
objectClass: top
ou: persons

dn: cn=PersonA,ou=persons,o=test
objectClass: person
objectClass: top
cn: PersonA
sn: PersonA
userPassword:: UGVyc29uQQ==

dn: cn=PersonB,ou=persons,o=test
objectClass: person
objectClass: top
cn: PersonB
sn: PersonB
userPassword:: UGVyc29uQg==

dn: cn=readers,ou=groups,o=test
objectClass: groupOfNames
objectClass: top
cn: readers
member: cn=PersonA,ou=persons,o=test


------8<---------Tests using ldapsearch--------8<---------


#Test 1 seem to work as intended:
#  bindDn "cn=PersonA,..." is member of group "cn=readers,..."
#  filter: sn=*
#  search succeeds (that's ok)
#  read succeeds (that's ok, too)

deepee@test:~$ ldapsearch -x -H "ldap://localhost:1389/"; -D "cn=PersonA,ou=persons,o=test" -w PersonA -b "ou=persons,o=test" '(sn=*)' sn cn
# extended LDIF
#
# LDAPv3
# base <ou=persons,o=test> with scope subtree
# filter: (sn=*)
# requesting: sn cn
#

# PersonA, persons, test
dn: cn=PersonA,ou=persons,o=test
sn: PersonA
cn: PersonA

# PersonB, persons, test
dn: cn=PersonB,ou=persons,o=test
cn: PersonB
sn: PersonB

# search result
search: 2
result: 0 Success

# numResponses: 3
# numEntries: 2


#slapd's log (level 128):

501be157 => access_allowed: result not in cache (userPassword)
501be157 => access_allowed: auth access to "cn=PersonA,ou=persons,o=test" "userPassword" requested
501be157 => dn: [1] o=test
501be157 => acl_get: [1] matched
501be157 => acl_get: [2] attr userPassword
501be157 => acl_mask: access to entry "cn=PersonA,ou=persons,o=test", attr "userPassword" requested
501be157 => acl_mask: to value by "", (=0)
501be157 <= check a_dn_pat: self
501be157 <= check a_dn_pat: users
501be157 <= check a_dn_pat: anonymous
501be157 <= acl_mask: [3] applying auth(=xd) (stop)
501be157 <= acl_mask: [3] mask: auth(=xd)
501be157 => slap_access_allowed: auth access granted by auth(=xd)
501be157 => access_allowed: auth access granted by auth(=xd)
501be157 => access_allowed: search access to "ou=persons,o=test" "entry" requested
501be157 => dn: [1] o=test
501be157 => acl_get: [1] matched
501be157 => acl_get: [2] attr entry
501be157 => acl_mask: access to entry "ou=persons,o=test", attr "entry" requested
501be157 => acl_mask: to all values by "cn=persona,ou=persons,o=test", (=0)
501be157 <= check a_dn_pat: self
501be157 <= check a_dn_pat: users
501be157 <= acl_mask: [2] applying read(=rscxd) (stop)
501be157 <= acl_mask: [2] mask: read(=rscxd)
501be157 => slap_access_allowed: search access granted by read(=rscxd)
501be157 => access_allowed: search access granted by read(=rscxd)
501be157 => access_allowed: search access to "ou=persons,o=test" "sn" requested
501be157 => dn: [1] o=test
501be157 => acl_get: [1] matched
501be157 => acl_get: [1] attr sn
501be157 => acl_mask: access to entry "ou=persons,o=test", attr "sn" requested
501be157 => acl_mask: to all values by "cn=persona,ou=persons,o=test", (=0)
501be157 <= check a_dn_pat: users
501be157 <= acl_mask: [1] applying =s (continue)
501be157 <= acl_mask: [1] mask: =s
501be157 <= check a_group_pat: cn=readers,ou=groups,o=test
501be157 => mdb_entry_get: found entry: "cn=readers,ou=groups,o=test"
501be157 <= acl_mask: [2] applying +r (stop)
501be157 <= acl_mask: [2] mask: =rs
501be157 => slap_access_allowed: search access granted by =rs
501be157 => access_allowed: search access granted by =rs
501be157 => access_allowed: search access to "cn=PersonA,ou=persons,o=test" "sn" requested
501be157 => dn: [1] o=test
501be157 => acl_get: [1] matched
501be157 => acl_get: [1] attr sn
501be157 => acl_mask: access to entry "cn=PersonA,ou=persons,o=test", attr "sn" requested
501be157 => acl_mask: to all values by "cn=persona,ou=persons,o=test", (=0)
501be157 <= check a_dn_pat: users
501be157 <= acl_mask: [1] applying =s (continue)
501be157 <= acl_mask: [1] mask: =s
501be157 <= check a_group_pat: cn=readers,ou=groups,o=test
501be157 <= acl_mask: [2] applying +r (stop)
501be157 <= acl_mask: [2] mask: =rs
501be157 => slap_access_allowed: search access granted by =rs
501be157 => access_allowed: search access granted by =rs
501be157 => access_allowed: read access to "cn=PersonA,ou=persons,o=test" "entry" requested
501be157 => dn: [1] o=test
501be157 => acl_get: [1] matched
501be157 => acl_get: [2] attr entry
501be157 => acl_mask: access to entry "cn=PersonA,ou=persons,o=test", attr "entry" requested
501be157 => acl_mask: to all values by "cn=persona,ou=persons,o=test", (=0)
501be157 <= check a_dn_pat: self
501be157 <= acl_mask: [1] applying write(=wrscxd) (stop)
501be157 <= acl_mask: [1] mask: write(=wrscxd)
501be157 => slap_access_allowed: read access granted by write(=wrscxd)
501be157 => access_allowed: read access granted by write(=wrscxd)
501be157 => access_allowed: result not in cache (sn)
501be157 => access_allowed: read access to "cn=PersonA,ou=persons,o=test" "sn" requested
501be157 => dn: [1] o=test
501be157 => acl_get: [1] matched
501be157 => acl_get: [1] attr sn
501be157 => acl_mask: access to entry "cn=PersonA,ou=persons,o=test", attr "sn" requested
501be157 => acl_mask: to value by "cn=persona,ou=persons,o=test", (=0)
501be157 <= check a_dn_pat: users
501be157 <= acl_mask: [1] applying =s (continue)
501be157 <= acl_mask: [1] mask: =s
501be157 <= check a_group_pat: cn=readers,ou=groups,o=test
501be157 <= acl_mask: [2] applying +r (stop)
501be157 <= acl_mask: [2] mask: =rs
501be157 => slap_access_allowed: read access granted by =rs
501be157 => access_allowed: read access granted by =rs
501be157 => access_allowed: result not in cache (cn)
501be157 => access_allowed: read access to "cn=PersonA,ou=persons,o=test" "cn" requested
501be157 => dn: [1] o=test
501be157 => acl_get: [1] matched
501be157 => acl_get: [2] attr cn
501be157 => acl_mask: access to entry "cn=PersonA,ou=persons,o=test", attr "cn" requested
501be157 => acl_mask: to value by "cn=persona,ou=persons,o=test", (=0)
501be157 <= check a_dn_pat: self
501be157 <= acl_mask: [1] applying write(=wrscxd) (stop)
501be157 <= acl_mask: [1] mask: write(=wrscxd)
501be157 => slap_access_allowed: read access granted by write(=wrscxd)
501be157 => access_allowed: read access granted by write(=wrscxd)
501be157 => access_allowed: search access to "cn=PersonB,ou=persons,o=test" "sn" requested
501be157 => dn: [1] o=test
501be157 => acl_get: [1] matched
501be157 => acl_get: [1] attr sn
501be157 => acl_mask: access to entry "cn=PersonB,ou=persons,o=test", attr "sn" requested
501be157 => acl_mask: to all values by "cn=persona,ou=persons,o=test", (=0)
501be157 <= check a_dn_pat: users
501be157 <= acl_mask: [1] applying =s (continue)
501be157 <= acl_mask: [1] mask: =s
501be157 <= check a_group_pat: cn=readers,ou=groups,o=test
501be157 <= acl_mask: [2] applying +r (stop)
501be157 <= acl_mask: [2] mask: =rs
501be157 => slap_access_allowed: search access granted by =rs
501be157 => access_allowed: search access granted by =rs
501be157 => access_allowed: read access to "cn=PersonB,ou=persons,o=test" "entry" requested
501be157 => dn: [1] o=test
501be157 => acl_get: [1] matched
501be157 => acl_get: [2] attr entry
501be157 => acl_mask: access to entry "cn=PersonB,ou=persons,o=test", attr "entry" requested
501be157 => acl_mask: to all values by "cn=persona,ou=persons,o=test", (=0)
501be157 <= check a_dn_pat: self
501be157 <= check a_dn_pat: users
501be157 <= acl_mask: [2] applying read(=rscxd) (stop)
501be157 <= acl_mask: [2] mask: read(=rscxd)
501be157 => slap_access_allowed: read access granted by read(=rscxd)
501be157 => access_allowed: read access granted by read(=rscxd)
501be157 => access_allowed: result not in cache (cn)
501be157 => access_allowed: read access to "cn=PersonB,ou=persons,o=test" "cn" requested
501be157 => dn: [1] o=test
501be157 => acl_get: [1] matched
501be157 => acl_get: [2] attr cn
501be157 => acl_mask: access to entry "cn=PersonB,ou=persons,o=test", attr "cn" requested
501be157 => acl_mask: to value by "cn=persona,ou=persons,o=test", (=0)
501be157 <= check a_dn_pat: self
501be157 <= check a_dn_pat: users
501be157 <= acl_mask: [2] applying read(=rscxd) (stop)
501be157 <= acl_mask: [2] mask: read(=rscxd)
501be157 => slap_access_allowed: read access granted by read(=rscxd)
501be157 => access_allowed: read access granted by read(=rscxd)
501be157 => access_allowed: result not in cache (sn)
501be157 => access_allowed: read access to "cn=PersonB,ou=persons,o=test" "sn" requested
501be157 => dn: [1] o=test
501be157 => acl_get: [1] matched
501be157 => acl_get: [1] attr sn
501be157 => acl_mask: access to entry "cn=PersonB,ou=persons,o=test", attr "sn" requested
501be157 => acl_mask: to value by "cn=persona,ou=persons,o=test", (=0)
501be157 <= check a_dn_pat: users
501be157 <= acl_mask: [1] applying =s (continue)
501be157 <= acl_mask: [1] mask: =s
501be157 <= check a_group_pat: cn=readers,ou=groups,o=test
501be157 <= acl_mask: [2] applying +r (stop)
501be157 <= acl_mask: [2] mask: =rs
501be157 => slap_access_allowed: read access granted by =rs
501be157 => access_allowed: read access granted by =rs







#Test 2 does not seem to work as intended (at least to me):
#  bindDn "cn=PersonB,..." not a member of group "cn=readers,..."
#  filter: sn=*
#  read fails (that's ok)
#  search fails (but why is the privilege "=s" reset?)

deepee@test:~$ ldapsearch -x -H "ldap://localhost:1389/"; -D "cn=PersonB,ou=persons,o=test" -w PersonB -b "ou=persons,o=test" '(sn=*)' sn cn
# extended LDIF
#
# LDAPv3
# base <ou=persons,o=test> with scope subtree
# filter: (sn=*)
# requesting: sn cn
#

# search result
search: 2
result: 0 Success

# numResponses: 1


#slapd's log (level 128):

501be196 => access_allowed: result not in cache (userPassword)
501be196 => access_allowed: auth access to "cn=PersonB,ou=persons,o=test" "userPassword" requested
501be196 => dn: [1] o=test
501be196 => acl_get: [1] matched
501be196 => acl_get: [2] attr userPassword
501be196 => acl_mask: access to entry "cn=PersonB,ou=persons,o=test", attr "userPassword" requested
501be196 => acl_mask: to value by "", (=0)
501be196 <= check a_dn_pat: self
501be196 <= check a_dn_pat: users
501be196 <= check a_dn_pat: anonymous
501be196 <= acl_mask: [3] applying auth(=xd) (stop)
501be196 <= acl_mask: [3] mask: auth(=xd)
501be196 => slap_access_allowed: auth access granted by auth(=xd)
501be196 => access_allowed: auth access granted by auth(=xd)
501be196 => access_allowed: search access to "ou=persons,o=test" "entry" requested
501be196 => dn: [1] o=test
501be196 => acl_get: [1] matched
501be196 => acl_get: [2] attr entry
501be196 => acl_mask: access to entry "ou=persons,o=test", attr "entry" requested
501be196 => acl_mask: to all values by "cn=personb,ou=persons,o=test", (=0)
501be196 <= check a_dn_pat: self
501be196 <= check a_dn_pat: users
501be196 <= acl_mask: [2] applying read(=rscxd) (stop)
501be196 <= acl_mask: [2] mask: read(=rscxd)
501be196 => slap_access_allowed: search access granted by read(=rscxd)
501be196 => access_allowed: search access granted by read(=rscxd)
501be196 => access_allowed: search access to "ou=persons,o=test" "sn" requested
501be196 => dn: [1] o=test
501be196 => acl_get: [1] matched
501be196 => acl_get: [1] attr sn
501be196 => acl_mask: access to entry "ou=persons,o=test", attr "sn" requested
501be196 => acl_mask: to all values by "cn=personb,ou=persons,o=test", (=0)
501be196 <= check a_dn_pat: users
501be196 <= acl_mask: [1] applying =s (continue)
501be196 <= acl_mask: [1] mask: =s
501be196 <= check a_group_pat: cn=readers,ou=groups,o=test
501be196 => mdb_entry_get: found entry: "cn=readers,ou=groups,o=test"
501be196 <= acl_mask: no more <who> clauses, returning =0 (stop)
501be196 => slap_access_allowed: search access denied by =0
501be196 => access_allowed: no more rules
501be196 => access_allowed: search access to "cn=PersonA,ou=persons,o=test" "sn" requested
501be196 => dn: [1] o=test
501be196 => acl_get: [1] matched
501be196 => acl_get: [1] attr sn
501be196 => acl_mask: access to entry "cn=PersonA,ou=persons,o=test", attr "sn" requested
501be196 => acl_mask: to all values by "cn=personb,ou=persons,o=test", (=0)
501be196 <= check a_dn_pat: users
501be196 <= acl_mask: [1] applying =s (continue)
501be196 <= acl_mask: [1] mask: =s
501be196 <= check a_group_pat: cn=readers,ou=groups,o=test
501be196 <= acl_mask: no more <who> clauses, returning =0 (stop)
501be196 => slap_access_allowed: search access denied by =0
501be196 => access_allowed: no more rules
501be196 => access_allowed: search access to "cn=PersonB,ou=persons,o=test" "sn" requested
501be196 => dn: [1] o=test
501be196 => acl_get: [1] matched
501be196 => acl_get: [1] attr sn
501be196 => acl_mask: access to entry "cn=PersonB,ou=persons,o=test", attr "sn" requested
501be196 => acl_mask: to all values by "cn=personb,ou=persons,o=test", (=0)
501be196 <= check a_dn_pat: users
501be196 <= acl_mask: [1] applying =s (continue)
501be196 <= acl_mask: [1] mask: =s
501be196 <= check a_group_pat: cn=readers,ou=groups,o=test
501be196 <= acl_mask: no more <who> clauses, returning =0 (stop)
501be196 => slap_access_allowed: search access denied by =0
501be196 => access_allowed: no more rules