
Groups in ACLs on MDB



Hello,

I've been trying to get groups working in ACLs, but no matter what I do the group ACL isn't applied. It seems it might be an LMDB bug, and I'm planning on switching to hdb to see if it works there when I get the time.

I've attached the olcAccess.ldif that doesn't work and the output of

	slapacl -D uid=kyrias,ou=users,dc=kyriasis,dc=com \
	-b ou=users,dc=kyriasis,dc=com -dacl

which shows that the group ACL isn't applied to the user uid=kyrias,ou=users,dc=kyriasis,dc=com even though it is a member of the cn=admins,ou=security,dc=kyriasis,dc=com group and that the 'to *' ACL is above the other ones.

--
Sincerely,
 Johannes Löthberg
 PGP Key ID: 3A9D0BB5

53df9d87 => access_allowed: search access to "cn=config" "objectClass" requested
53df9d87 <= root access granted
53df9d87 => access_allowed: search access granted by manage(=mwrscxd)
53df9d87 => access_allowed: search access to "cn=schema,cn=config" "objectClass" requested
53df9d87 <= root access granted
53df9d87 => access_allowed: search access granted by manage(=mwrscxd)
53df9d87 => access_allowed: search access to "cn={0}core,cn=schema,cn=config" "objectClass" requested
53df9d87 <= root access granted
53df9d87 => access_allowed: search access granted by manage(=mwrscxd)
53df9d87 => access_allowed: search access to "cn={1}cosine,cn=schema,cn=config" "objectClass" requested
53df9d87 <= root access granted
53df9d87 => access_allowed: search access granted by manage(=mwrscxd)
53df9d87 => access_allowed: search access to "cn={2}inetorgperson,cn=schema,cn=config" "objectClass" requested
53df9d87 <= root access granted
53df9d87 => access_allowed: search access granted by manage(=mwrscxd)
53df9d87 => access_allowed: search access to "cn={3}nis,cn=schema,cn=config" "objectClass" requested
53df9d87 <= root access granted
53df9d87 => access_allowed: search access granted by manage(=mwrscxd)
53df9d87 => access_allowed: search access to "cn={4}kerberos,cn=schema,cn=config" "objectClass" requested
53df9d87 <= root access granted
53df9d87 => access_allowed: search access granted by manage(=mwrscxd)
53df9d87 => access_allowed: search access to "cn={5}ldapns,cn=schema,cn=config" "objectClass" requested
53df9d87 <= root access granted
53df9d87 => access_allowed: search access granted by manage(=mwrscxd)
53df9d87 => access_allowed: search access to "cn={6}kyriasis,cn=schema,cn=config" "objectClass" requested
53df9d87 <= root access granted
53df9d87 => access_allowed: search access granted by manage(=mwrscxd)
53df9d87 => access_allowed: search access to "olcDatabase={-1}frontend,cn=config" "objectClass" requested
53df9d87 <= root access granted
53df9d87 => access_allowed: search access granted by manage(=mwrscxd)
Backend ACL: access to dn.base=""
	by self write
	by * read

Backend ACL: access to dn.base="cn=subschema"
	by * read

53df9d87 => access_allowed: search access to "olcDatabase={0}config,cn=config" "objectClass" requested
53df9d87 <= root access granted
53df9d87 => access_allowed: search access granted by manage(=mwrscxd)
Backend ACL: access to *
	by * none

53df9d87 /etc/openldap/slapd.d: line 1: warning: cannot assess the validity of the ACL scope within backend naming context
53df9d87 => access_allowed: search access to "olcDatabase={1}mdb,cn=config" "objectClass" requested
53df9d87 <= root access granted
53df9d87 => access_allowed: search access granted by manage(=mwrscxd)
Backend ACL: access to *
	by group/groupOfNames/member.exact="cn=admins,ou=security,dc=kyriasis,dc=com" manage
	by * read

53df9d87 /etc/openldap/slapd.d: line 1: warning: cannot assess the validity of the ACL scope within backend naming context
Backend ACL: access to attrs=uid,uidNumber,gidNumber,homeDirectory,krbPrincipalName,objectClass,structuralObjectClass,entryUUID,entryCSN,creatorsName,createTimestamp,modifiersName,modifyTimestamp
	by * read

53df9d87 /etc/openldap/slapd.d: line 1: warning: cannot assess the validity of the ACL scope within backend naming context
Backend ACL: access to attrs=userPassword,userPKCS12,shadowLastChange
	by self write
	by * auth

53df9d87 /etc/openldap/slapd.d: line 1: warning: cannot assess the validity of the ACL scope within backend naming context
Backend ACL: access to dn.subtree="cn=krbcontainer,ou=security,dc=kyriasis,dc=com"
	by dn.base="cn=kdc,ou=security,dc=kyriasis,dc=com" read
	by dn.base="cn=kadmin,ou=security,dc=kyriasis,dc=com" write
	by * none

Backend ACL: access to dn.regex="^uid=([^,]+),ou=users,dc=kyriasis,dc=com$"
	by dn.base,expand="uid=$1,ou=users,dc=kyriasis,dc=com" write
	by dn.base="cn=kadmin,ou=security,dc=kyriasis,dc=com" write
	by * read

Backend ACL: access to dn.subtree="ou=hosts,dc=kyriasis,dc=com"
	by dn.base="cn=kadmin,ou=security,dc=kyriasis,dc=com" write
	by * read

53df9d87 mdb_monitor_db_open: monitoring disabled; configure monitor database to enable
Backend ACL: access to *
	by * none

53df9d87 config_back_db_open: line 0: warning: cannot assess the validity of the ACL scope within backend naming context
authcDN: "uid=kyrias,ou=users,dc=kyriasis,dc=com"
53df9d87 => access_allowed: auth access to "ou=users,dc=kyriasis,dc=com" "entry" requested
53df9d87 => acl_get: [1] attr entry
53df9d87 => acl_mask: access to entry "ou=users,dc=kyriasis,dc=com", attr "entry" requested
53df9d87 => acl_mask: to all values by "uid=kyrias,ou=users,dc=kyriasis,dc=com", (=0) 
53df9d87 <= check a_group_pat: cn=admins,ou=security,dc=kyriasis,dc=com
53df9d87 mdb_opinfo_get: err MDB_BAD_RSLOT: Invalid reuse of reader locktable slot(-30783)
53df9d87 <= check a_dn_pat: *
53df9d87 <= acl_mask: [2] applying read(=rscxd) (stop)
53df9d87 <= acl_mask: [2] mask: read(=rscxd)
53df9d87 => slap_access_allowed: auth access granted by read(=rscxd)
53df9d87 => access_allowed: auth access granted by read(=rscxd)
entry: read(=rscxd)
53df9d87 => access_allowed: auth access to "ou=users,dc=kyriasis,dc=com" "children" requested
53df9d87 => acl_get: [1] attr children
53df9d87 => acl_mask: access to entry "ou=users,dc=kyriasis,dc=com", attr "children" requested
53df9d87 => acl_mask: to all values by "uid=kyrias,ou=users,dc=kyriasis,dc=com", (=0) 
53df9d87 <= check a_group_pat: cn=admins,ou=security,dc=kyriasis,dc=com
53df9d87 <= check a_dn_pat: *
53df9d87 <= acl_mask: [2] applying read(=rscxd) (stop)
53df9d87 <= acl_mask: [2] mask: read(=rscxd)
53df9d87 => slap_access_allowed: auth access granted by read(=rscxd)
53df9d87 => access_allowed: auth access granted by read(=rscxd)
children: read(=rscxd)
53df9d87 => access_allowed: auth access to "ou=users,dc=kyriasis,dc=com" "ou" requested
53df9d87 => acl_get: [1] attr ou
53df9d87 => acl_mask: access to entry "ou=users,dc=kyriasis,dc=com", attr "ou" requested
53df9d87 => acl_mask: to value by "uid=kyrias,ou=users,dc=kyriasis,dc=com", (=0) 
53df9d87 <= check a_group_pat: cn=admins,ou=security,dc=kyriasis,dc=com
53df9d87 <= check a_dn_pat: *
53df9d87 <= acl_mask: [2] applying read(=rscxd) (stop)
53df9d87 <= acl_mask: [2] mask: read(=rscxd)
53df9d87 => slap_access_allowed: auth access granted by read(=rscxd)
53df9d87 => access_allowed: auth access granted by read(=rscxd)
ou=users: read(=rscxd)
53df9d87 => access_allowed: auth access to "ou=users,dc=kyriasis,dc=com" "objectClass" requested
53df9d87 => acl_get: [1] attr objectClass
53df9d87 => acl_mask: access to entry "ou=users,dc=kyriasis,dc=com", attr "objectClass" requested
53df9d87 => acl_mask: to value by "uid=kyrias,ou=users,dc=kyriasis,dc=com", (=0) 
53df9d87 <= check a_group_pat: cn=admins,ou=security,dc=kyriasis,dc=com
53df9d87 <= check a_dn_pat: *
53df9d87 <= acl_mask: [2] applying read(=rscxd) (stop)
53df9d87 <= acl_mask: [2] mask: read(=rscxd)
53df9d87 => slap_access_allowed: auth access granted by read(=rscxd)
53df9d87 => access_allowed: auth access granted by read(=rscxd)
objectClass=top: read(=rscxd)
53df9d87 => access_allowed: auth access to "ou=users,dc=kyriasis,dc=com" "objectClass" requested
53df9d87 => acl_get: [1] attr objectClass
53df9d87 => acl_mask: access to entry "ou=users,dc=kyriasis,dc=com", attr "objectClass" requested
53df9d87 => acl_mask: to value by "uid=kyrias,ou=users,dc=kyriasis,dc=com", (=0) 
53df9d87 <= check a_group_pat: cn=admins,ou=security,dc=kyriasis,dc=com
53df9d87 <= check a_dn_pat: *
53df9d87 <= acl_mask: [2] applying read(=rscxd) (stop)
53df9d87 <= acl_mask: [2] mask: read(=rscxd)
53df9d87 => slap_access_allowed: auth access granted by read(=rscxd)
53df9d87 => access_allowed: auth access granted by read(=rscxd)
objectClass=organizationalUnit: read(=rscxd)
53df9d87 => access_allowed: auth access to "ou=users,dc=kyriasis,dc=com" "structuralObjectClass" requested
53df9d87 => acl_get: [1] attr structuralObjectClass
53df9d87 => acl_mask: access to entry "ou=users,dc=kyriasis,dc=com", attr "structuralObjectClass" requested
53df9d87 => acl_mask: to value by "uid=kyrias,ou=users,dc=kyriasis,dc=com", (=0) 
53df9d87 <= check a_group_pat: cn=admins,ou=security,dc=kyriasis,dc=com
53df9d87 <= check a_dn_pat: *
53df9d87 <= acl_mask: [2] applying read(=rscxd) (stop)
53df9d87 <= acl_mask: [2] mask: read(=rscxd)
53df9d87 => slap_access_allowed: auth access granted by read(=rscxd)
53df9d87 => access_allowed: auth access granted by read(=rscxd)
structuralObjectClass=organizationalUnit: read(=rscxd)
53df9d87 => access_allowed: auth access to "ou=users,dc=kyriasis,dc=com" "entryUUID" requested
53df9d87 => acl_get: [1] attr entryUUID
53df9d87 => acl_mask: access to entry "ou=users,dc=kyriasis,dc=com", attr "entryUUID" requested
53df9d87 => acl_mask: to value by "uid=kyrias,ou=users,dc=kyriasis,dc=com", (=0) 
53df9d87 <= check a_group_pat: cn=admins,ou=security,dc=kyriasis,dc=com
53df9d87 <= check a_dn_pat: *
53df9d87 <= acl_mask: [2] applying read(=rscxd) (stop)
53df9d87 <= acl_mask: [2] mask: read(=rscxd)
53df9d87 => slap_access_allowed: auth access granted by read(=rscxd)
53df9d87 => access_allowed: auth access granted by read(=rscxd)
entryUUID=02cdf845-c212-41a7-8984-948c1ccb3e50: read(=rscxd)
53df9d87 => access_allowed: auth access to "ou=users,dc=kyriasis,dc=com" "creatorsName" requested
53df9d87 => acl_get: [1] attr creatorsName
53df9d87 => acl_mask: access to entry "ou=users,dc=kyriasis,dc=com", attr "creatorsName" requested
53df9d87 => acl_mask: to value by "uid=kyrias,ou=users,dc=kyriasis,dc=com", (=0) 
53df9d87 <= check a_group_pat: cn=admins,ou=security,dc=kyriasis,dc=com
53df9d87 <= check a_dn_pat: *
53df9d87 <= acl_mask: [2] applying read(=rscxd) (stop)
53df9d87 <= acl_mask: [2] mask: read(=rscxd)
53df9d87 => slap_access_allowed: auth access granted by read(=rscxd)
53df9d87 => access_allowed: auth access granted by read(=rscxd)
creatorsName=cn=Manager,dc=kyriasis,dc=com: read(=rscxd)
53df9d87 => access_allowed: auth access to "ou=users,dc=kyriasis,dc=com" "createTimestamp" requested
53df9d87 => acl_get: [1] attr createTimestamp
53df9d87 => acl_mask: access to entry "ou=users,dc=kyriasis,dc=com", attr "createTimestamp" requested
53df9d87 => acl_mask: to value by "uid=kyrias,ou=users,dc=kyriasis,dc=com", (=0) 
53df9d87 <= check a_group_pat: cn=admins,ou=security,dc=kyriasis,dc=com
53df9d87 <= check a_dn_pat: *
53df9d87 <= acl_mask: [2] applying read(=rscxd) (stop)
53df9d87 <= acl_mask: [2] mask: read(=rscxd)
53df9d87 => slap_access_allowed: auth access granted by read(=rscxd)
53df9d87 => access_allowed: auth access granted by read(=rscxd)
createTimestamp=20140507152708Z: read(=rscxd)
53df9d87 => access_allowed: auth access to "ou=users,dc=kyriasis,dc=com" "entryCSN" requested
53df9d87 => acl_get: [1] attr entryCSN
53df9d87 => acl_mask: access to entry "ou=users,dc=kyriasis,dc=com", attr "entryCSN" requested
53df9d87 => acl_mask: to value by "uid=kyrias,ou=users,dc=kyriasis,dc=com", (=0) 
53df9d87 <= check a_group_pat: cn=admins,ou=security,dc=kyriasis,dc=com
53df9d87 <= check a_dn_pat: *
53df9d87 <= acl_mask: [2] applying read(=rscxd) (stop)
53df9d87 <= acl_mask: [2] mask: read(=rscxd)
53df9d87 => slap_access_allowed: auth access granted by read(=rscxd)
53df9d87 => access_allowed: auth access granted by read(=rscxd)
entryCSN=20140507152708.194854Z#000000#000#000000: read(=rscxd)
53df9d87 => access_allowed: auth access to "ou=users,dc=kyriasis,dc=com" "modifiersName" requested
53df9d87 => acl_get: [1] attr modifiersName
53df9d87 => acl_mask: access to entry "ou=users,dc=kyriasis,dc=com", attr "modifiersName" requested
53df9d87 => acl_mask: to value by "uid=kyrias,ou=users,dc=kyriasis,dc=com", (=0) 
53df9d87 <= check a_group_pat: cn=admins,ou=security,dc=kyriasis,dc=com
53df9d87 <= check a_dn_pat: *
53df9d87 <= acl_mask: [2] applying read(=rscxd) (stop)
53df9d87 <= acl_mask: [2] mask: read(=rscxd)
53df9d87 => slap_access_allowed: auth access granted by read(=rscxd)
53df9d87 => access_allowed: auth access granted by read(=rscxd)
modifiersName=cn=Manager,dc=kyriasis,dc=com: read(=rscxd)
53df9d87 => access_allowed: auth access to "ou=users,dc=kyriasis,dc=com" "modifyTimestamp" requested
53df9d87 => acl_get: [1] attr modifyTimestamp
53df9d87 => acl_mask: access to entry "ou=users,dc=kyriasis,dc=com", attr "modifyTimestamp" requested
53df9d87 => acl_mask: to value by "uid=kyrias,ou=users,dc=kyriasis,dc=com", (=0) 
53df9d87 <= check a_group_pat: cn=admins,ou=security,dc=kyriasis,dc=com
53df9d87 <= check a_dn_pat: *
53df9d87 <= acl_mask: [2] applying read(=rscxd) (stop)
53df9d87 <= acl_mask: [2] mask: read(=rscxd)
53df9d87 => slap_access_allowed: auth access granted by read(=rscxd)
53df9d87 => access_allowed: auth access granted by read(=rscxd)
modifyTimestamp=20140507152708Z: read(=rscxd)

dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: to *
  by group.exact="cn=admins,ou=security,dc=kyriasis,dc=com" manage
  by * read
olcAccess: to attrs=uid,uidNumber,gidNumber,homeDirectory,
 krbPrincipalName,objectClass,structuralObjectClass,entryUUID,
 entryCSN,creatorsName,createTimestamp,modifiersName,modifyTimestamp
  by * read
olcAccess: to attrs=userPassword,userPKCS12,shadowLastChange
  by self write
  by * auth
olcAccess: to dn.subtree="cn=krbcontainer,ou=security,dc=kyriasis,dc=com"
  by dn.exact="cn=kdc,ou=security,dc=kyriasis,dc=com" read
  by dn.exact="cn=kadmin,ou=security,dc=kyriasis,dc=com" write
  by * none
olcAccess: to dn.regex="^uid=([^,]+),ou=users,dc=kyriasis,dc=com$"
  by dn.exact,expand="uid=$1,ou=users,dc=kyriasis,dc=com" write
  by dn.exact="cn=kadmin,ou=security,dc=kyriasis,dc=com" write
  by * read
olcAccess: to dn.subtree="ou=hosts,dc=kyriasis,dc=com"
  by dn.exact="cn=kadmin,ou=security,dc=kyriasis,dc=com" write
  by * read
#olcAccess: to *
#  by self write
#  by * read
-

dn: olcDatabase={-1}frontend,cn=config
changetype: modify
replace: olcAccess
olcAccess: to dn.base=""
  by self write
  by * read
olcAccess: to dn.base="cn=Subschema"
  by * read

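Editor's note on reading the trace above, with an added example that is not part of the original post. Two things in the slapacl output are worth separating. First, for every attribute the trace reports "acl_get: [1]", so the directive selected is always the first one, "to *"; slapd uses the first access directive whose <what> clause matches the target, which means every later olcAccess in that database (including the one that limits userPassword to "auth") is never consulted, and "by * read" on "to *" grants read to anonymous as well. Second, the group clause is evaluated ("check a_group_pat"), but on its first evaluation the backend logs "mdb_opinfo_get: err MDB_BAD_RSLOT" and evaluation falls through to "a_dn_pat: *", so "acl_mask: [2]" (the second by clause) is what gets applied. That error is a failed group-membership lookup inside the slapacl process, not a "not a member" result, so the trace by itself does not show whether the same ACL misbehaves in a running slapd; a test against the live server as that user (for example an ldapmodify that only "manage" would permit) would tell the two apart. The script below parses the trace format shown in the post and reports, per attribute, the selected ACL, the applied by clause, and any backend error raised while a by pattern was being checked; it also lists the olcAccess rules shadowed by an earlier "to *". The SAMPLE_* strings are trimmed copies of the trace and LDIF quoted above, and the regular expressions are written for the 2.4-era "-d acl" line formats seen there; both are assumptions of this example.

```python
"""Parse a `slapacl -d acl` trace and the olcAccess rules it ran against.

Editor-added example, not code from the original post. The SAMPLE_* strings
are copied (trimmed) from the trace and LDIF quoted above; the regexes match
the slapd 2.4 `-d acl` line formats seen there and nothing else (assumption).
"""
import re

# Constructed sample: the first two attribute checks from the trace above.
SAMPLE_TRACE = """\
53df9d87 => access_allowed: auth access to "ou=users,dc=kyriasis,dc=com" "entry" requested
53df9d87 => acl_get: [1] attr entry
53df9d87 => acl_mask: to all values by "uid=kyrias,ou=users,dc=kyriasis,dc=com", (=0)
53df9d87 <= check a_group_pat: cn=admins,ou=security,dc=kyriasis,dc=com
53df9d87 mdb_opinfo_get: err MDB_BAD_RSLOT: Invalid reuse of reader locktable slot(-30783)
53df9d87 <= check a_dn_pat: *
53df9d87 <= acl_mask: [2] applying read(=rscxd) (stop)
53df9d87 <= acl_mask: [2] mask: read(=rscxd)
53df9d87 => access_allowed: auth access granted by read(=rscxd)
entry: read(=rscxd)
53df9d87 => access_allowed: auth access to "ou=users,dc=kyriasis,dc=com" "objectClass" requested
53df9d87 => acl_get: [1] attr objectClass
53df9d87 => acl_mask: to value by "uid=kyrias,ou=users,dc=kyriasis,dc=com", (=0)
53df9d87 <= check a_group_pat: cn=admins,ou=security,dc=kyriasis,dc=com
53df9d87 <= check a_dn_pat: *
53df9d87 <= acl_mask: [2] applying read(=rscxd) (stop)
53df9d87 <= acl_mask: [2] mask: read(=rscxd)
53df9d87 => access_allowed: auth access granted by read(=rscxd)
objectClass=top: read(=rscxd)
"""

# Constructed sample: three of the olcAccess values from the attached LDIF.
SAMPLE_OLCACCESS = """\
olcAccess: to *
  by group.exact="cn=admins,ou=security,dc=kyriasis,dc=com" manage
  by * read
olcAccess: to attrs=userPassword,userPKCS12,shadowLastChange
  by self write
  by * auth
olcAccess: to dn.subtree="cn=krbcontainer,ou=security,dc=kyriasis,dc=com"
  by * none
"""

REQ_RE = re.compile(r'access_allowed: (\w+) access to "([^"]*)" "([^"]*)" requested')
ACL_RE = re.compile(r"acl_get: \[(\d+)\] attr (\S+)")
CHECK_RE = re.compile(r"<= check (a_\w+_pat): (.*)$")
APPLY_RE = re.compile(r"acl_mask: \[(\d+)\] applying (\w+)\(=([a-z0-9]*)\)")
ERR_RE = re.compile(r"^\S+ (\w+): err (\w+):")  # "mdb_opinfo_get: err MDB_BAD_RSLOT:"


def parse_acl_trace(text):
    """One record per access_allowed request: which ACL (`acl_get: [N]`) was
    selected, which `by` clause (`acl_mask: [N]`) was applied, the `by`
    patterns checked in order, and backend errors raised while a pattern
    was being evaluated (attributed to the pattern under evaluation)."""
    records, cur = [], None
    for line in text.splitlines():
        if (m := REQ_RE.search(line)):
            cur = {"access": m.group(1), "dn": m.group(2), "attr": m.group(3),
                   "acl": None, "by": None, "mask": None, "checks": [], "errors": []}
            records.append(cur)
        elif cur is None:
            continue
        elif (m := ACL_RE.search(line)):
            cur["acl"] = int(m.group(1))
        elif (m := CHECK_RE.search(line)):
            cur["checks"].append((m.group(1), m.group(2).strip()))
        elif (m := ERR_RE.match(line)):
            during = cur["checks"][-1][0] if cur["checks"] else None
            cur["errors"].append((m.group(1), m.group(2), during))
        elif (m := APPLY_RE.search(line)):
            cur["by"] = int(m.group(1))
            cur["mask"] = f"{m.group(2)}(={m.group(3)})"
    return records


def group_clause_outcome(records):
    """Per attribute: selected ACL, applied `by` index and mask, whether a
    group pattern was checked, and whether an error fired during that check."""
    out = {}
    for r in records:
        out[r["attr"]] = {
            "acl": r["acl"], "by": r["by"], "mask": r["mask"],
            "group_checked": any(k == "a_group_pat" for k, _ in r["checks"]),
            "error_during_group_check": any(d == "a_group_pat" for _, _, d in r["errors"]),
        }
    return out


def unreachable_rules(ldif_text):
    """1-based indices of olcAccess rules shadowed by an earlier `to *`.
    slapd applies the first directive whose <what> matches the target, so
    everything after `to *` in the same database is never consulted."""
    whats = [l[len("olcAccess: "):].strip() for l in ldif_text.splitlines()
             if l.startswith("olcAccess: ")]
    for i, what in enumerate(whats, 1):
        if what == "to *":
            return list(range(i + 1, len(whats) + 1))
    return []


if __name__ == "__main__":
    for attr, o in group_clause_outcome(parse_acl_trace(SAMPLE_TRACE)).items():
        print(f"{attr:12} acl[{o['acl']}] by[{o['by']}] {o['mask']} "
              f"group_checked={o['group_checked']} "
              f"error_during_group_check={o['error_during_group_check']}")
    print("olcAccess rules shadowed by 'to *':", unreachable_rules(SAMPLE_OLCACCESS))
```

Run it against the full trace from the post (replace SAMPLE_TRACE with the file contents) and every attribute comes out as acl[1] by[2] read(=rscxd); only the first record carries the MDB_BAD_RSLOT error, because slapd caches the outcome of a group lookup for the rest of the operation, so the later "check a_group_pat" lines never re-query the backend.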