Hello,

I've been trying to get groups working in ACLs, but no matter what I do the group ACL isn't applied. It seems it might be an LMDB bug, and I'm planning on switching to hdb to see if it works there when I get the time.
I've attached the olcAccess.ldif that doesn't work and the output of

    slapacl -D uid=kyrias,ou=users,dc=kyriasis,dc=com \
            -b ou=users,dc=kyriasis,dc=com -d acl

which shows that the group ACL isn't applied to the user uid=kyrias,ou=users,dc=kyriasis,dc=com even though it is a member of the cn=admins,ou=security,dc=kyriasis,dc=com group and the 'to *' ACL is above the other ones.
-- 
Sincerely,
  Johannes Löthberg
  PGP Key ID: 3A9D0BB5
53df9d87 => access_allowed: search access to "cn=config" "objectClass" requested
53df9d87 <= root access granted
53df9d87 => access_allowed: search access granted by manage(=mwrscxd)
53df9d87 => access_allowed: search access to "cn=schema,cn=config" "objectClass" requested
53df9d87 <= root access granted
53df9d87 => access_allowed: search access granted by manage(=mwrscxd)
53df9d87 => access_allowed: search access to "cn={0}core,cn=schema,cn=config" "objectClass" requested
53df9d87 <= root access granted
53df9d87 => access_allowed: search access granted by manage(=mwrscxd)
53df9d87 => access_allowed: search access to "cn={1}cosine,cn=schema,cn=config" "objectClass" requested
53df9d87 <= root access granted
53df9d87 => access_allowed: search access granted by manage(=mwrscxd)
53df9d87 => access_allowed: search access to "cn={2}inetorgperson,cn=schema,cn=config" "objectClass" requested
53df9d87 <= root access granted
53df9d87 => access_allowed: search access granted by manage(=mwrscxd)
53df9d87 => access_allowed: search access to "cn={3}nis,cn=schema,cn=config" "objectClass" requested
53df9d87 <= root access granted
53df9d87 => access_allowed: search access granted by manage(=mwrscxd)
53df9d87 => access_allowed: search access to "cn={4}kerberos,cn=schema,cn=config" "objectClass" requested
53df9d87 <= root access granted
53df9d87 => access_allowed: search access granted by manage(=mwrscxd)
53df9d87 => access_allowed: search access to "cn={5}ldapns,cn=schema,cn=config" "objectClass" requested
53df9d87 <= root access granted
53df9d87 => access_allowed: search access granted by manage(=mwrscxd)
53df9d87 => access_allowed: search access to "cn={6}kyriasis,cn=schema,cn=config" "objectClass" requested
53df9d87 <= root access granted
53df9d87 => access_allowed: search access granted by manage(=mwrscxd)
53df9d87 => access_allowed: search access to "olcDatabase={-1}frontend,cn=config" "objectClass" requested
53df9d87 <= root access granted
53df9d87 => access_allowed: search access granted by manage(=mwrscxd)
Backend ACL: access to dn.base="" by self write by * read
Backend ACL: access to dn.base="cn=subschema" by * read
53df9d87 => access_allowed: search access to "olcDatabase={0}config,cn=config" "objectClass" requested
53df9d87 <= root access granted
53df9d87 => access_allowed: search access granted by manage(=mwrscxd)
Backend ACL: access to * by * none
53df9d87 /etc/openldap/slapd.d: line 1: warning: cannot assess the validity of the ACL scope within backend naming context
53df9d87 => access_allowed: search access to "olcDatabase={1}mdb,cn=config" "objectClass" requested
53df9d87 <= root access granted
53df9d87 => access_allowed: search access granted by manage(=mwrscxd)
Backend ACL: access to * by group/groupOfNames/member.exact="cn=admins,ou=security,dc=kyriasis,dc=com" manage by * read
53df9d87 /etc/openldap/slapd.d: line 1: warning: cannot assess the validity of the ACL scope within backend naming context
Backend ACL: access to attrs=uid,uidNumber,gidNumber,homeDirectory,krbPrincipalName,objectClass,structuralObjectClass,entryUUID,entryCSN,creatorsName,createTimestamp,modifiersName,modifyTimestamp by * read
53df9d87 /etc/openldap/slapd.d: line 1: warning: cannot assess the validity of the ACL scope within backend naming context
Backend ACL: access to attrs=userPassword,userPKCS12,shadowLastChange by self write by * auth
53df9d87 /etc/openldap/slapd.d: line 1: warning: cannot assess the validity of the ACL scope within backend naming context
Backend ACL: access to dn.subtree="cn=krbcontainer,ou=security,dc=kyriasis,dc=com" by dn.base="cn=kdc,ou=security,dc=kyriasis,dc=com" read by dn.base="cn=kadmin,ou=security,dc=kyriasis,dc=com" write by * none
Backend ACL: access to dn.regex="^uid=([^,]+),ou=users,dc=kyriasis,dc=com$" by dn.base,expand="uid=$1,ou=users,dc=kyriasis,dc=com" write by dn.base="cn=kadmin,ou=security,dc=kyriasis,dc=com" write by * read
Backend ACL: access to dn.subtree="ou=hosts,dc=kyriasis,dc=com" by dn.base="cn=kadmin,ou=security,dc=kyriasis,dc=com" write by * read
53df9d87 mdb_monitor_db_open: monitoring disabled; configure monitor database to enable
Backend ACL: access to * by * none
53df9d87 config_back_db_open: line 0: warning: cannot assess the validity of the ACL scope within backend naming context
authcDN: "uid=kyrias,ou=users,dc=kyriasis,dc=com"
53df9d87 => access_allowed: auth access to "ou=users,dc=kyriasis,dc=com" "entry" requested
53df9d87 => acl_get: [1] attr entry
53df9d87 => acl_mask: access to entry "ou=users,dc=kyriasis,dc=com", attr "entry" requested
53df9d87 => acl_mask: to all values by "uid=kyrias,ou=users,dc=kyriasis,dc=com", (=0)
53df9d87 <= check a_group_pat: cn=admins,ou=security,dc=kyriasis,dc=com
53df9d87 mdb_opinfo_get: err MDB_BAD_RSLOT: Invalid reuse of reader locktable slot(-30783)
53df9d87 <= check a_dn_pat: *
53df9d87 <= acl_mask: [2] applying read(=rscxd) (stop)
53df9d87 <= acl_mask: [2] mask: read(=rscxd)
53df9d87 => slap_access_allowed: auth access granted by read(=rscxd)
53df9d87 => access_allowed: auth access granted by read(=rscxd)
entry: read(=rscxd)
53df9d87 => access_allowed: auth access to "ou=users,dc=kyriasis,dc=com" "children" requested
53df9d87 => acl_get: [1] attr children
53df9d87 => acl_mask: access to entry "ou=users,dc=kyriasis,dc=com", attr "children" requested
53df9d87 => acl_mask: to all values by "uid=kyrias,ou=users,dc=kyriasis,dc=com", (=0)
53df9d87 <= check a_group_pat: cn=admins,ou=security,dc=kyriasis,dc=com
53df9d87 <= check a_dn_pat: *
53df9d87 <= acl_mask: [2] applying read(=rscxd) (stop)
53df9d87 <= acl_mask: [2] mask: read(=rscxd)
53df9d87 => slap_access_allowed: auth access granted by read(=rscxd)
53df9d87 => access_allowed: auth access granted by read(=rscxd)
children: read(=rscxd)
53df9d87 => access_allowed: auth access to "ou=users,dc=kyriasis,dc=com" "ou" requested
53df9d87 => acl_get: [1] attr ou
53df9d87 => acl_mask: access to entry "ou=users,dc=kyriasis,dc=com", attr "ou" requested
53df9d87 => acl_mask: to value by "uid=kyrias,ou=users,dc=kyriasis,dc=com", (=0)
53df9d87 <= check a_group_pat: cn=admins,ou=security,dc=kyriasis,dc=com
53df9d87 <= check a_dn_pat: *
53df9d87 <= acl_mask: [2] applying read(=rscxd) (stop)
53df9d87 <= acl_mask: [2] mask: read(=rscxd)
53df9d87 => slap_access_allowed: auth access granted by read(=rscxd)
53df9d87 => access_allowed: auth access granted by read(=rscxd)
ou=users: read(=rscxd)
53df9d87 => access_allowed: auth access to "ou=users,dc=kyriasis,dc=com" "objectClass" requested
53df9d87 => acl_get: [1] attr objectClass
53df9d87 => acl_mask: access to entry "ou=users,dc=kyriasis,dc=com", attr "objectClass" requested
53df9d87 => acl_mask: to value by "uid=kyrias,ou=users,dc=kyriasis,dc=com", (=0)
53df9d87 <= check a_group_pat: cn=admins,ou=security,dc=kyriasis,dc=com
53df9d87 <= check a_dn_pat: *
53df9d87 <= acl_mask: [2] applying read(=rscxd) (stop)
53df9d87 <= acl_mask: [2] mask: read(=rscxd)
53df9d87 => slap_access_allowed: auth access granted by read(=rscxd)
53df9d87 => access_allowed: auth access granted by read(=rscxd)
objectClass=top: read(=rscxd)
53df9d87 => access_allowed: auth access to "ou=users,dc=kyriasis,dc=com" "objectClass" requested
53df9d87 => acl_get: [1] attr objectClass
53df9d87 => acl_mask: access to entry "ou=users,dc=kyriasis,dc=com", attr "objectClass" requested
53df9d87 => acl_mask: to value by "uid=kyrias,ou=users,dc=kyriasis,dc=com", (=0)
53df9d87 <= check a_group_pat: cn=admins,ou=security,dc=kyriasis,dc=com
53df9d87 <= check a_dn_pat: *
53df9d87 <= acl_mask: [2] applying read(=rscxd) (stop)
53df9d87 <= acl_mask: [2] mask: read(=rscxd)
53df9d87 => slap_access_allowed: auth access granted by read(=rscxd)
53df9d87 => access_allowed: auth access granted by read(=rscxd)
objectClass=organizationalUnit: read(=rscxd)
53df9d87 => access_allowed: auth access to "ou=users,dc=kyriasis,dc=com" "structuralObjectClass" requested
53df9d87 => acl_get: [1] attr structuralObjectClass
53df9d87 => acl_mask: access to entry "ou=users,dc=kyriasis,dc=com", attr "structuralObjectClass" requested
53df9d87 => acl_mask: to value by "uid=kyrias,ou=users,dc=kyriasis,dc=com", (=0)
53df9d87 <= check a_group_pat: cn=admins,ou=security,dc=kyriasis,dc=com
53df9d87 <= check a_dn_pat: *
53df9d87 <= acl_mask: [2] applying read(=rscxd) (stop)
53df9d87 <= acl_mask: [2] mask: read(=rscxd)
53df9d87 => slap_access_allowed: auth access granted by read(=rscxd)
53df9d87 => access_allowed: auth access granted by read(=rscxd)
structuralObjectClass=organizationalUnit: read(=rscxd)
53df9d87 => access_allowed: auth access to "ou=users,dc=kyriasis,dc=com" "entryUUID" requested
53df9d87 => acl_get: [1] attr entryUUID
53df9d87 => acl_mask: access to entry "ou=users,dc=kyriasis,dc=com", attr "entryUUID" requested
53df9d87 => acl_mask: to value by "uid=kyrias,ou=users,dc=kyriasis,dc=com", (=0)
53df9d87 <= check a_group_pat: cn=admins,ou=security,dc=kyriasis,dc=com
53df9d87 <= check a_dn_pat: *
53df9d87 <= acl_mask: [2] applying read(=rscxd) (stop)
53df9d87 <= acl_mask: [2] mask: read(=rscxd)
53df9d87 => slap_access_allowed: auth access granted by read(=rscxd)
53df9d87 => access_allowed: auth access granted by read(=rscxd)
entryUUID=02cdf845-c212-41a7-8984-948c1ccb3e50: read(=rscxd)
53df9d87 => access_allowed: auth access to "ou=users,dc=kyriasis,dc=com" "creatorsName" requested
53df9d87 => acl_get: [1] attr creatorsName
53df9d87 => acl_mask: access to entry "ou=users,dc=kyriasis,dc=com", attr "creatorsName" requested
53df9d87 => acl_mask: to value by "uid=kyrias,ou=users,dc=kyriasis,dc=com", (=0)
53df9d87 <= check a_group_pat: cn=admins,ou=security,dc=kyriasis,dc=com
53df9d87 <= check a_dn_pat: *
53df9d87 <= acl_mask: [2] applying read(=rscxd) (stop)
53df9d87 <= acl_mask: [2] mask: read(=rscxd)
53df9d87 => slap_access_allowed: auth access granted by read(=rscxd)
53df9d87 => access_allowed: auth access granted by read(=rscxd)
creatorsName=cn=Manager,dc=kyriasis,dc=com: read(=rscxd)
53df9d87 => access_allowed: auth access to "ou=users,dc=kyriasis,dc=com" "createTimestamp" requested
53df9d87 => acl_get: [1] attr createTimestamp
53df9d87 => acl_mask: access to entry "ou=users,dc=kyriasis,dc=com", attr "createTimestamp" requested
53df9d87 => acl_mask: to value by "uid=kyrias,ou=users,dc=kyriasis,dc=com", (=0)
53df9d87 <= check a_group_pat: cn=admins,ou=security,dc=kyriasis,dc=com
53df9d87 <= check a_dn_pat: *
53df9d87 <= acl_mask: [2] applying read(=rscxd) (stop)
53df9d87 <= acl_mask: [2] mask: read(=rscxd)
53df9d87 => slap_access_allowed: auth access granted by read(=rscxd)
53df9d87 => access_allowed: auth access granted by read(=rscxd)
createTimestamp=20140507152708Z: read(=rscxd)
53df9d87 => access_allowed: auth access to "ou=users,dc=kyriasis,dc=com" "entryCSN" requested
53df9d87 => acl_get: [1] attr entryCSN
53df9d87 => acl_mask: access to entry "ou=users,dc=kyriasis,dc=com", attr "entryCSN" requested
53df9d87 => acl_mask: to value by "uid=kyrias,ou=users,dc=kyriasis,dc=com", (=0)
53df9d87 <= check a_group_pat: cn=admins,ou=security,dc=kyriasis,dc=com
53df9d87 <= check a_dn_pat: *
53df9d87 <= acl_mask: [2] applying read(=rscxd) (stop)
53df9d87 <= acl_mask: [2] mask: read(=rscxd)
53df9d87 => slap_access_allowed: auth access granted by read(=rscxd)
53df9d87 => access_allowed: auth access granted by read(=rscxd)
entryCSN=20140507152708.194854Z#000000#000#000000: read(=rscxd)
53df9d87 => access_allowed: auth access to "ou=users,dc=kyriasis,dc=com" "modifiersName" requested
53df9d87 => acl_get: [1] attr modifiersName
53df9d87 => acl_mask: access to entry "ou=users,dc=kyriasis,dc=com", attr "modifiersName" requested
53df9d87 => acl_mask: to value by "uid=kyrias,ou=users,dc=kyriasis,dc=com", (=0)
53df9d87 <= check a_group_pat: cn=admins,ou=security,dc=kyriasis,dc=com
53df9d87 <= check a_dn_pat: *
53df9d87 <= acl_mask: [2] applying read(=rscxd) (stop)
53df9d87 <= acl_mask: [2] mask: read(=rscxd)
53df9d87 => slap_access_allowed: auth access granted by read(=rscxd)
53df9d87 => access_allowed: auth access granted by read(=rscxd)
modifiersName=cn=Manager,dc=kyriasis,dc=com: read(=rscxd)
53df9d87 => access_allowed: auth access to "ou=users,dc=kyriasis,dc=com" "modifyTimestamp" requested
53df9d87 => acl_get: [1] attr modifyTimestamp
53df9d87 => acl_mask: access to entry "ou=users,dc=kyriasis,dc=com", attr "modifyTimestamp" requested
53df9d87 => acl_mask: to value by "uid=kyrias,ou=users,dc=kyriasis,dc=com", (=0)
53df9d87 <= check a_group_pat: cn=admins,ou=security,dc=kyriasis,dc=com
53df9d87 <= check a_dn_pat: *
53df9d87 <= acl_mask: [2] applying read(=rscxd) (stop)
53df9d87 <= acl_mask: [2] mask: read(=rscxd)
53df9d87 => slap_access_allowed: auth access granted by read(=rscxd)
53df9d87 => access_allowed: auth access granted by read(=rscxd)
modifyTimestamp=20140507152708Z: read(=rscxd)
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: to * by group.exact="cn=admins,ou=security,dc=kyriasis,dc=com" manage by * read
olcAccess: to attrs=uid,uidNumber,gidNumber,homeDirectory,
 krbPrincipalName,objectClass,structuralObjectClass,entryUUID,
 entryCSN,creatorsName,createTimestamp,modifiersName,modifyTimestamp by * read
olcAccess: to attrs=userPassword,userPKCS12,shadowLastChange by self write by * auth
olcAccess: to dn.subtree="cn=krbcontainer,ou=security,dc=kyriasis,dc=com" by dn.exact="cn=kdc,ou=security,dc=kyriasis,dc=com" read by dn.exact="cn=kadmin,ou=security,dc=kyriasis,dc=com" write by * none
olcAccess: to dn.regex="^uid=([^,]+),ou=users,dc=kyriasis,dc=com$" by dn.exact,expand="uid=$1,ou=users,dc=kyriasis,dc=com" write by dn.exact="cn=kadmin,ou=security,dc=kyriasis,dc=com" write by * read
olcAccess: to dn.subtree="ou=hosts,dc=kyriasis,dc=com" by dn.exact="cn=kadmin,ou=security,dc=kyriasis,dc=com" write by * read
#olcAccess: to * by self write by * read
-

dn: olcDatabase={-1}frontend,cn=config
changetype: modify
replace: olcAccess
olcAccess: to dn.base="" by self write by * read
olcAccess: to dn.base="cn=Subschema" by * read
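Editor's note on the posted rule order, with an added example that is not part of the original message and not OpenLDAP code. slapd.access(5) evaluates access controls by taking the first `to` clause whose target matches the entry and attribute, and then, within that clause, the first matching `by` clause, which grants its level and stops. The slapacl trace above has that shape: acl_get selects ACL [1] (the `to *` rule) for every attribute, and acl_mask applies its `by` clause [2] with (stop). The toy evaluator below reproduces those two rules and runs them over the DNs from the thread plus a constructed second user `uid=alice` and constructed password values; it assumes the group-membership lookup succeeds and does not model whatever made the `a_group_pat` check in the trace fall through to `by *`. It shows that with `to *` at the top, `by * read` on that rule is what every non-admin bind (anonymous included) gets on every attribute, userPassword and the krbcontainer subtree among them, and that moving the catch-all to the end restores the intended `auth`/`none` but also drops admins to `auth` on those targets unless the group clause is repeated inside them.

```python
"""Toy model of slapd access-control evaluation (added example for this
thread; not OpenLDAP code and not the poster's).

Reproduced from slapd.access(5): the first `to` clause whose target matches
the entry/attribute is the only one consulted, and inside it the first
matching `by` clause grants its level and stops.
"""
from dataclasses import dataclass


@dataclass
class Entry:
    dn: str
    attrs: dict  # lower-cased attribute name -> list of values


@dataclass
class By:
    who: str     # "*", "self", "dn.exact=<dn>", "group.exact=<dn>"
    level: str   # none, auth, read, write, manage, ...


@dataclass
class Acl:
    to: str      # "*", "attrs=<a>,<b>", "dn.subtree=<dn>"
    by: list


def is_member(directory, group_dn, bind_dn):
    """group.exact: the bind DN must be listed in the group's member values."""
    group = directory.get(group_dn.lower())
    if group is None:
        return False
    return bind_dn.lower() in (m.lower() for m in group.attrs.get("member", []))


def to_matches(acl, target, attr):
    if acl.to == "*":
        return True
    kind, _, arg = acl.to.partition("=")
    if kind == "attrs":
        return attr.lower() in {a.strip().lower() for a in arg.split(",")}
    if kind == "dn.subtree":
        dn, base = target.dn.lower(), arg.lower()
        return dn == base or dn.endswith("," + base)
    raise ValueError("unsupported <what> in toy model: " + acl.to)


def by_matches(by, directory, target, bind_dn):
    if by.who == "*":
        return True
    if bind_dn is None:
        return False                    # anonymous: no DN-based selector can match
    if by.who == "self":
        return bind_dn.lower() == target.dn.lower()
    kind, _, arg = by.who.partition("=")
    if kind == "dn.exact":
        return bind_dn.lower() == arg.lower()
    if kind == "group.exact":
        return is_member(directory, arg, bind_dn)
    raise ValueError("unsupported <who> in toy model: " + by.who)


def access_level(acls, directory, target, attr, bind_dn):
    """Level granted to bind_dn on target/attr, as slapacl would report it."""
    for acl in acls:
        if not to_matches(acl, target, attr):
            continue                    # only the first matching `to` is consulted
        for by in acl.by:
            if by_matches(by, directory, target, bind_dn):
                return by.level         # implicit `stop` control
        return "none"                   # `to` matched but no `by` did
    return "none"                       # nothing matched: default deny


# DNs from the thread; the second user and the password values are constructed.
BASE = "dc=kyriasis,dc=com"
ADMINS = "cn=admins,ou=security," + BASE
KYRIAS = "uid=kyrias,ou=users," + BASE
ALICE = "uid=alice,ou=users," + BASE    # constructed, not in the post
KRB = "cn=krbcontainer,ou=security," + BASE
KDC = "cn=kdc,ou=security," + BASE

DIRECTORY = {e.dn.lower(): e for e in [
    Entry(ADMINS, {"objectclass": ["groupOfNames"], "member": [KYRIAS]}),
    Entry(KYRIAS, {"userpassword": ["{SSHA}constructed"]}),
    Entry(ALICE, {"userpassword": ["{SSHA}constructed"]}),
    Entry(KRB, {"objectclass": ["krbContainer"]}),
]}

GROUP_RULE = Acl("*", [By("group.exact=" + ADMINS, "manage"), By("*", "read")])
PASSWORD_RULE = Acl("attrs=userPassword,userPKCS12,shadowLastChange",
                    [By("self", "write"), By("*", "auth")])
KRB_RULE = Acl("dn.subtree=" + KRB, [By("dn.exact=" + KDC, "read"), By("*", "none")])

POSTED = [GROUP_RULE, PASSWORD_RULE, KRB_RULE]     # `to *` first, as posted
REORDERED = [PASSWORD_RULE, KRB_RULE, GROUP_RULE]  # catch-all moved last


def evaluate(acls):
    """Who gets what on the two sensitive targets under a given rule order."""
    alice, krb = DIRECTORY[ALICE.lower()], DIRECTORY[KRB.lower()]
    return {
        "admin on alice userPassword": access_level(acls, DIRECTORY, alice, "userPassword", KYRIAS),
        "alice on own userPassword": access_level(acls, DIRECTORY, alice, "userPassword", ALICE),
        "anonymous on alice userPassword": access_level(acls, DIRECTORY, alice, "userPassword", None),
        "anonymous on krbcontainer entry": access_level(acls, DIRECTORY, krb, "entry", None),
    }


if __name__ == "__main__":
    for name, acls in (("posted", POSTED), ("reordered", REORDERED)):
        print(name)
        for what, level in evaluate(acls).items():
            print("  " + what + ": " + level)
```

Running it prints `read` for all four cases under the posted order, and `auth`, `write`, `auth`, `none` under the reordered one, with the admin's `manage` on userPassword gone in the second run. The real check is still slapacl against the live config, binding as an ordinary user and as an anonymous client against a userPassword value; this model only makes the ordering rule visible.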