ACL processing: additive privs (using control continue)
- To: openldap-technical@openldap.org
- Subject: ACL processing: additive privs (using control continue)
- From: Dora Paula <deepee@gmx.net>
- Date: Sat, 04 Aug 2012 10:24:53 +0200
- User-agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:12.0) Gecko/20120428 Thunderbird/12.0.1
Hi list,
just a short question about "continue" and additive privileges, given
the following acl statement:
access to dn.subtree="o=test" attrs=sn
by users =s continue
by group/groupOfNames/member="cn=readers,ou=groups,o=test" +r
If the current user's bindDn isn't a member of the group
"cn=readers,..." or the group's entry does not exist, is the previously
set privilege "=s" reset to "none"?
As the slapd.access man page just gives a "silly" and an "even more
silly" example regarding "continue", I'm not sure this is the intended
behavior.
Attached you'll find my minimalistic testbed:
slapd.conf
sample ldif data
two ldapsearch commands (including their slapd.log level 128)
I'm using openldap MASTER.
Thank you very much.
Cheers
Dora
------8<--------- slapd.conf --------8<---------
include /opt/openldap-HEAD/etc/openldap/schema/core.schema
pidfile /opt/openldap-HEAD/var/run/slapd.pid
argsfile /opt/openldap-HEAD/var/run/slapd.args
access to *
by self write
by users read
by anonymous auth
database mdb
suffix "o=test"
rootdn "cn=Manager,o=test"
rootpw secret
directory /opt/openldap-HEAD/var/openldap-data/test
index objectClass eq
access to dn.subtree="o=test" attrs=sn
by users =s continue
by group/groupOfNames/member="cn=readers,ou=groups,o=test" +r
------8<--------- sample data --------8<---------
version: 1

dn: o=test
objectClass: organization
objectClass: top
o: test

dn: ou=groups,o=test
objectClass: organizationalUnit
objectClass: top
ou: groups

dn: ou=persons,o=test
objectClass: organizationalUnit
objectClass: top
ou: persons

dn: cn=PersonA,ou=persons,o=test
objectClass: person
objectClass: top
cn: PersonA
sn: PersonA
userPassword:: UGVyc29uQQ==

dn: cn=PersonB,ou=persons,o=test
objectClass: person
objectClass: top
cn: PersonB
sn: PersonB
userPassword:: UGVyc29uQg==

dn: cn=readers,ou=groups,o=test
objectClass: groupOfNames
objectClass: top
cn: readers
member: cn=PersonA,ou=persons,o=test
------8<---------Tests using ldapsearch--------8<---------
#Test 1 seems to work as intended:
# bindDn "cn=PersonA,..." is a member of group "cn=readers,..."
# filter: sn=*
# search succeeds (that's ok)
# read succeeds (that's ok, too)
deepee@test:~$ ldapsearch -x -H "ldap://localhost:1389/" -D "cn=PersonA,ou=persons,o=test" -w PersonA -b "ou=persons,o=test" '(sn=*)' sn cn
# extended LDIF
#
# LDAPv3
# base <ou=persons,o=test> with scope subtree
# filter: (sn=*)
# requesting: sn cn
#
# PersonA, persons, test
dn: cn=PersonA,ou=persons,o=test
sn: PersonA
cn: PersonA
# PersonB, persons, test
dn: cn=PersonB,ou=persons,o=test
cn: PersonB
sn: PersonB
# search result
search: 2
result: 0 Success
# numResponses: 3
# numEntries: 2
#slapd's log (level 128):
501be157 => access_allowed: result not in cache (userPassword)
501be157 => access_allowed: auth access to "cn=PersonA,ou=persons,o=test" "userPassword" requested
501be157 => dn: [1] o=test
501be157 => acl_get: [1] matched
501be157 => acl_get: [2] attr userPassword
501be157 => acl_mask: access to entry "cn=PersonA,ou=persons,o=test", attr "userPassword" requested
501be157 => acl_mask: to value by "", (=0)
501be157 <= check a_dn_pat: self
501be157 <= check a_dn_pat: users
501be157 <= check a_dn_pat: anonymous
501be157 <= acl_mask: [3] applying auth(=xd) (stop)
501be157 <= acl_mask: [3] mask: auth(=xd)
501be157 => slap_access_allowed: auth access granted by auth(=xd)
501be157 => access_allowed: auth access granted by auth(=xd)
501be157 => access_allowed: search access to "ou=persons,o=test" "entry" requested
501be157 => dn: [1] o=test
501be157 => acl_get: [1] matched
501be157 => acl_get: [2] attr entry
501be157 => acl_mask: access to entry "ou=persons,o=test", attr "entry" requested
501be157 => acl_mask: to all values by "cn=persona,ou=persons,o=test", (=0)
501be157 <= check a_dn_pat: self
501be157 <= check a_dn_pat: users
501be157 <= acl_mask: [2] applying read(=rscxd) (stop)
501be157 <= acl_mask: [2] mask: read(=rscxd)
501be157 => slap_access_allowed: search access granted by read(=rscxd)
501be157 => access_allowed: search access granted by read(=rscxd)
501be157 => access_allowed: search access to "ou=persons,o=test" "sn" requested
501be157 => dn: [1] o=test
501be157 => acl_get: [1] matched
501be157 => acl_get: [1] attr sn
501be157 => acl_mask: access to entry "ou=persons,o=test", attr "sn" requested
501be157 => acl_mask: to all values by "cn=persona,ou=persons,o=test", (=0)
501be157 <= check a_dn_pat: users
501be157 <= acl_mask: [1] applying =s (continue)
501be157 <= acl_mask: [1] mask: =s
501be157 <= check a_group_pat: cn=readers,ou=groups,o=test
501be157 => mdb_entry_get: found entry: "cn=readers,ou=groups,o=test"
501be157 <= acl_mask: [2] applying +r (stop)
501be157 <= acl_mask: [2] mask: =rs
501be157 => slap_access_allowed: search access granted by =rs
501be157 => access_allowed: search access granted by =rs
501be157 => access_allowed: search access to "cn=PersonA,ou=persons,o=test" "sn" requested
501be157 => dn: [1] o=test
501be157 => acl_get: [1] matched
501be157 => acl_get: [1] attr sn
501be157 => acl_mask: access to entry "cn=PersonA,ou=persons,o=test", attr "sn" requested
501be157 => acl_mask: to all values by "cn=persona,ou=persons,o=test", (=0)
501be157 <= check a_dn_pat: users
501be157 <= acl_mask: [1] applying =s (continue)
501be157 <= acl_mask: [1] mask: =s
501be157 <= check a_group_pat: cn=readers,ou=groups,o=test
501be157 <= acl_mask: [2] applying +r (stop)
501be157 <= acl_mask: [2] mask: =rs
501be157 => slap_access_allowed: search access granted by =rs
501be157 => access_allowed: search access granted by =rs
501be157 => access_allowed: read access to "cn=PersonA,ou=persons,o=test" "entry" requested
501be157 => dn: [1] o=test
501be157 => acl_get: [1] matched
501be157 => acl_get: [2] attr entry
501be157 => acl_mask: access to entry "cn=PersonA,ou=persons,o=test", attr "entry" requested
501be157 => acl_mask: to all values by "cn=persona,ou=persons,o=test", (=0)
501be157 <= check a_dn_pat: self
501be157 <= acl_mask: [1] applying write(=wrscxd) (stop)
501be157 <= acl_mask: [1] mask: write(=wrscxd)
501be157 => slap_access_allowed: read access granted by write(=wrscxd)
501be157 => access_allowed: read access granted by write(=wrscxd)
501be157 => access_allowed: result not in cache (sn)
501be157 => access_allowed: read access to "cn=PersonA,ou=persons,o=test" "sn" requested
501be157 => dn: [1] o=test
501be157 => acl_get: [1] matched
501be157 => acl_get: [1] attr sn
501be157 => acl_mask: access to entry "cn=PersonA,ou=persons,o=test", attr "sn" requested
501be157 => acl_mask: to value by "cn=persona,ou=persons,o=test", (=0)
501be157 <= check a_dn_pat: users
501be157 <= acl_mask: [1] applying =s (continue)
501be157 <= acl_mask: [1] mask: =s
501be157 <= check a_group_pat: cn=readers,ou=groups,o=test
501be157 <= acl_mask: [2] applying +r (stop)
501be157 <= acl_mask: [2] mask: =rs
501be157 => slap_access_allowed: read access granted by =rs
501be157 => access_allowed: read access granted by =rs
501be157 => access_allowed: result not in cache (cn)
501be157 => access_allowed: read access to "cn=PersonA,ou=persons,o=test" "cn" requested
501be157 => dn: [1] o=test
501be157 => acl_get: [1] matched
501be157 => acl_get: [2] attr cn
501be157 => acl_mask: access to entry "cn=PersonA,ou=persons,o=test", attr "cn" requested
501be157 => acl_mask: to value by "cn=persona,ou=persons,o=test", (=0)
501be157 <= check a_dn_pat: self
501be157 <= acl_mask: [1] applying write(=wrscxd) (stop)
501be157 <= acl_mask: [1] mask: write(=wrscxd)
501be157 => slap_access_allowed: read access granted by write(=wrscxd)
501be157 => access_allowed: read access granted by write(=wrscxd)
501be157 => access_allowed: search access to "cn=PersonB,ou=persons,o=test" "sn" requested
501be157 => dn: [1] o=test
501be157 => acl_get: [1] matched
501be157 => acl_get: [1] attr sn
501be157 => acl_mask: access to entry "cn=PersonB,ou=persons,o=test", attr "sn" requested
501be157 => acl_mask: to all values by "cn=persona,ou=persons,o=test", (=0)
501be157 <= check a_dn_pat: users
501be157 <= acl_mask: [1] applying =s (continue)
501be157 <= acl_mask: [1] mask: =s
501be157 <= check a_group_pat: cn=readers,ou=groups,o=test
501be157 <= acl_mask: [2] applying +r (stop)
501be157 <= acl_mask: [2] mask: =rs
501be157 => slap_access_allowed: search access granted by =rs
501be157 => access_allowed: search access granted by =rs
501be157 => access_allowed: read access to "cn=PersonB,ou=persons,o=test" "entry" requested
501be157 => dn: [1] o=test
501be157 => acl_get: [1] matched
501be157 => acl_get: [2] attr entry
501be157 => acl_mask: access to entry "cn=PersonB,ou=persons,o=test", attr "entry" requested
501be157 => acl_mask: to all values by "cn=persona,ou=persons,o=test", (=0)
501be157 <= check a_dn_pat: self
501be157 <= check a_dn_pat: users
501be157 <= acl_mask: [2] applying read(=rscxd) (stop)
501be157 <= acl_mask: [2] mask: read(=rscxd)
501be157 => slap_access_allowed: read access granted by read(=rscxd)
501be157 => access_allowed: read access granted by read(=rscxd)
501be157 => access_allowed: result not in cache (cn)
501be157 => access_allowed: read access to "cn=PersonB,ou=persons,o=test" "cn" requested
501be157 => dn: [1] o=test
501be157 => acl_get: [1] matched
501be157 => acl_get: [2] attr cn
501be157 => acl_mask: access to entry "cn=PersonB,ou=persons,o=test", attr "cn" requested
501be157 => acl_mask: to value by "cn=persona,ou=persons,o=test", (=0)
501be157 <= check a_dn_pat: self
501be157 <= check a_dn_pat: users
501be157 <= acl_mask: [2] applying read(=rscxd) (stop)
501be157 <= acl_mask: [2] mask: read(=rscxd)
501be157 => slap_access_allowed: read access granted by read(=rscxd)
501be157 => access_allowed: read access granted by read(=rscxd)
501be157 => access_allowed: result not in cache (sn)
501be157 => access_allowed: read access to "cn=PersonB,ou=persons,o=test" "sn" requested
501be157 => dn: [1] o=test
501be157 => acl_get: [1] matched
501be157 => acl_get: [1] attr sn
501be157 => acl_mask: access to entry "cn=PersonB,ou=persons,o=test", attr "sn" requested
501be157 => acl_mask: to value by "cn=persona,ou=persons,o=test", (=0)
501be157 <= check a_dn_pat: users
501be157 <= acl_mask: [1] applying =s (continue)
501be157 <= acl_mask: [1] mask: =s
501be157 <= check a_group_pat: cn=readers,ou=groups,o=test
501be157 <= acl_mask: [2] applying +r (stop)
501be157 <= acl_mask: [2] mask: =rs
501be157 => slap_access_allowed: read access granted by =rs
501be157 => access_allowed: read access granted by =rs
#Test 2 does not seem to work as intended (at least to me):
# bindDn "cn=PersonB,..." is not a member of group "cn=readers,..."
# filter: sn=*
# read fails (that's ok)
# search fails (but why is the privilege "=s" reset?)
deepee@test:~$ ldapsearch -x -H "ldap://localhost:1389/" -D "cn=PersonB,ou=persons,o=test" -w PersonB -b "ou=persons,o=test" '(sn=*)' sn cn
# extended LDIF
#
# LDAPv3
# base <ou=persons,o=test> with scope subtree
# filter: (sn=*)
# requesting: sn cn
#
# search result
search: 2
result: 0 Success
# numResponses: 1
#slapd's log (level 128):
501be196 => access_allowed: result not in cache (userPassword)
501be196 => access_allowed: auth access to "cn=PersonB,ou=persons,o=test" "userPassword" requested
501be196 => dn: [1] o=test
501be196 => acl_get: [1] matched
501be196 => acl_get: [2] attr userPassword
501be196 => acl_mask: access to entry "cn=PersonB,ou=persons,o=test", attr "userPassword" requested
501be196 => acl_mask: to value by "", (=0)
501be196 <= check a_dn_pat: self
501be196 <= check a_dn_pat: users
501be196 <= check a_dn_pat: anonymous
501be196 <= acl_mask: [3] applying auth(=xd) (stop)
501be196 <= acl_mask: [3] mask: auth(=xd)
501be196 => slap_access_allowed: auth access granted by auth(=xd)
501be196 => access_allowed: auth access granted by auth(=xd)
501be196 => access_allowed: search access to "ou=persons,o=test" "entry" requested
501be196 => dn: [1] o=test
501be196 => acl_get: [1] matched
501be196 => acl_get: [2] attr entry
501be196 => acl_mask: access to entry "ou=persons,o=test", attr "entry" requested
501be196 => acl_mask: to all values by "cn=personb,ou=persons,o=test", (=0)
501be196 <= check a_dn_pat: self
501be196 <= check a_dn_pat: users
501be196 <= acl_mask: [2] applying read(=rscxd) (stop)
501be196 <= acl_mask: [2] mask: read(=rscxd)
501be196 => slap_access_allowed: search access granted by read(=rscxd)
501be196 => access_allowed: search access granted by read(=rscxd)
501be196 => access_allowed: search access to "ou=persons,o=test" "sn" requested
501be196 => dn: [1] o=test
501be196 => acl_get: [1] matched
501be196 => acl_get: [1] attr sn
501be196 => acl_mask: access to entry "ou=persons,o=test", attr "sn" requested
501be196 => acl_mask: to all values by "cn=personb,ou=persons,o=test", (=0)
501be196 <= check a_dn_pat: users
501be196 <= acl_mask: [1] applying =s (continue)
501be196 <= acl_mask: [1] mask: =s
501be196 <= check a_group_pat: cn=readers,ou=groups,o=test
501be196 => mdb_entry_get: found entry: "cn=readers,ou=groups,o=test"
501be196 <= acl_mask: no more <who> clauses, returning =0 (stop)
501be196 => slap_access_allowed: search access denied by =0
501be196 => access_allowed: no more rules
501be196 => access_allowed: search access to "cn=PersonA,ou=persons,o=test" "sn" requested
501be196 => dn: [1] o=test
501be196 => acl_get: [1] matched
501be196 => acl_get: [1] attr sn
501be196 => acl_mask: access to entry "cn=PersonA,ou=persons,o=test", attr "sn" requested
501be196 => acl_mask: to all values by "cn=personb,ou=persons,o=test", (=0)
501be196 <= check a_dn_pat: users
501be196 <= acl_mask: [1] applying =s (continue)
501be196 <= acl_mask: [1] mask: =s
501be196 <= check a_group_pat: cn=readers,ou=groups,o=test
501be196 <= acl_mask: no more <who> clauses, returning =0 (stop)
501be196 => slap_access_allowed: search access denied by =0
501be196 => access_allowed: no more rules
501be196 => access_allowed: search access to "cn=PersonB,ou=persons,o=test" "sn" requested
501be196 => dn: [1] o=test
501be196 => acl_get: [1] matched
501be196 => acl_get: [1] attr sn
501be196 => acl_mask: access to entry "cn=PersonB,ou=persons,o=test", attr "sn" requested
501be196 => acl_mask: to all values by "cn=personb,ou=persons,o=test", (=0)
501be196 <= check a_dn_pat: users
501be196 <= acl_mask: [1] applying =s (continue)
501be196 <= acl_mask: [1] mask: =s
501be196 <= check a_group_pat: cn=readers,ou=groups,o=test
501be196 <= acl_mask: no more <who> clauses, returning =0 (stop)
501be196 => slap_access_allowed: search access denied by =0
501be196 => access_allowed: no more rules
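As an added illustration (not part of Dora's post and not OpenLDAP's own code), the following Python model reproduces the <who>-clause loop whose trace the level-128 log above shows: "=" replaces, "+" adds and "-" removes privilege letters, "stop" returns the mask, "continue" keeps evaluating, and when no later clause matches the loop returns =0, which is why PersonB loses the "=s" it had collected. The group membership and the trailing "by * +0" catch-all clause (a stop clause that adds nothing) are assumptions of this example, added to show one way the accumulated privileges could be retained.

```python
from dataclasses import dataclass

@dataclass
class Who:                    # one <who> clause of an access directive
    pattern: str              # "users", "*", or "group=<group dn>"
    op: str                   # "=" replaces the mask, "+" adds to it, "-" removes
    privs: str                # slapd letters such as r s c x d; "0" means none
    control: str = "stop"     # "stop" (default) or "continue"

# Constructed group membership matching the sample LDIF above.
GROUPS = {"cn=readers,ou=groups,o=test": {"cn=PersonA,ou=persons,o=test"}}

def matches(who, bind_dn):
    if who.pattern == "*":
        return True
    if who.pattern == "users":
        return bind_dn != ""  # anonymous binds have an empty DN
    if who.pattern.startswith("group="):
        return bind_dn in GROUPS.get(who.pattern[len("group="):], set())
    return False

def acl_mask(clauses, bind_dn, trace):
    # Model of the <who> loop as the log reports it; not slapd's source.
    mask = set()
    for who in clauses:
        trace.append(f"check {who.pattern}")
        if not matches(who, bind_dn):
            continue
        letters = set(who.privs) - {"0"}
        if who.op == "=":
            mask = letters
        elif who.op == "+":
            mask |= letters
        else:
            mask -= letters
        trace.append(f"applying {who.op}{who.privs} ({who.control}) -> ={''.join(sorted(mask))}")
        if who.control == "stop":
            return mask
    # No clause stopped: the mask built up via "continue" is discarded,
    # matching "no more <who> clauses, returning =0 (stop)" in the log.
    trace.append("no more <who> clauses, returning =0")
    return set()

def access_allowed(access, clauses, bind_dn):
    # Return (granted, trace) for one access level against one directive.
    needed = {"auth": "x", "compare": "c", "search": "s", "read": "r"}[access]
    trace = []
    return needed in acl_mask(clauses, bind_dn, trace), trace

# The attrs=sn directive from the post, and (assumed) the same directive with
# a catch-all stop clause that adds nothing but keeps the "=s" collected so far.
SN_RULE = [Who("users", "=", "s", "continue"),
           Who("group=cn=readers,ou=groups,o=test", "+", "r")]
SN_RULE_KEEP = SN_RULE + [Who("*", "+", "0")]
```

Running `access_allowed("search", SN_RULE, "cn=PersonB,ou=persons,o=test")` yields a trace ending in "no more <who> clauses, returning =0", while the same call against SN_RULE_KEEP stops at the catch-all with "=s" intact.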