
Procedure going from search query to an acl



I have a client that core dumps with these ACLs. When I remove them, the 
client is getting data from the ldap server and I can see the queries it 
is doing on the server. I thought the lines below would give access to 
ou=Services and below by test, but I guess not. 

dn: olcDatabase={-1}frontend,cn=config
olcAccess: {0} to dn.exact="" by * read
olcAccess: {1} to dn.exact="cn=Subschema" by * read
olcAccess: {2} to attrs=userPassword,shadowLastChange by ssf=256 self read by ssf=256 anonymous auth by * none
olcAccess: {3} to dn.exact="ou=Services,dc=example,dc=local" attrs="children" by dn.exact="cn=test,ou=Hosts,dc=example,dc=local" ssf=64 read by * break
olcAccess: {4} to dn.children="ou=Services,dc=example,dc=local" by dn.exact="cn=test,ou=Hosts,dc=example,dc=local" ssf=64 read
olcAccess: {5} to * by * none

acl_mask: access to entry "name=asdf,ou=Services,dc=example,dc=local", attr "bla" requested
acl_mask: access to entry "ou=Services,dc=example,dc=local", attr "entry" requested

I guess I should grep the log for the acl_mask entries, not? What would 
be an advised procedure to do this? I also do not want to get a huge 
list of ACLs for just one client type. Everything below 
"ou=Services,dc=example,dc=local" is for test to read. (No password 
attributes stored there)
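
Added example, not part of the original post and not OpenLDAP code: one way to turn the acl_mask log lines into a short summary of which attributes are requested on the base entry itself, on entries below it, and outside it, so that a small set of ACLs can be written per scope. The line format is assumed to be exactly the one quoted above; the function names and all sample lines other than the two from the post are constructed.

```python
import re
from collections import defaultdict

# Line shape taken from the acl_mask lines quoted in the post (assumption:
# any syslog prefix may precede it, so we search rather than match).
ACL_MASK = re.compile(
    r'acl_mask: access to entry "(?P<dn>.*?)", attr "(?P<attr>[^"]*)" requested')

def norm_dn(dn):
    """Lower-case a DN and drop spaces around unescaped commas (simplified)."""
    return ",".join(p.strip().lower() for p in re.split(r'(?<!\\),', dn))

def scope_of(dn, base):
    """Classify dn relative to base, using slapd's scope names:
    'exact' = the base entry, 'children' = any entry below it."""
    dn, base = norm_dn(dn), norm_dn(base)
    if dn == base:
        return "exact"
    if dn.endswith("," + base):
        return "children"
    return "outside"

def summarize(lines, base):
    """Return {scope: sorted attribute names requested in that scope}."""
    seen = defaultdict(set)
    for line in lines:
        m = ACL_MASK.search(line)
        if m:  # every other log line is ignored
            seen[scope_of(m.group("dn"), base)].add(m.group("attr"))
    return {scope: sorted(attrs) for scope, attrs in seen.items()}

# Constructed sample: lines 1 and 2 are from the post, the rest are made up.
SAMPLE_LOG = [
    'acl_mask: access to entry "name=asdf,ou=Services,dc=example,dc=local", attr "bla" requested',
    'acl_mask: access to entry "ou=Services,dc=example,dc=local", attr "entry" requested',
    'acl_mask: access to entry "name=asdf,ou=Services,dc=example,dc=local", attr "entry" requested',
    'acl_mask: access to entry "cn=other,ou=People,dc=example,dc=local", attr "cn" requested',
    'conn=1001 op=2 SRCH base="ou=Services,dc=example,dc=local" scope=2',
]
BASE = "ou=Services,dc=example,dc=local"

if __name__ == "__main__":
    for scope, attrs in sorted(summarize(SAMPLE_LOG, BASE).items()):
        print(f"{scope:9s} {', '.join(attrs)}")
```

Each scope in the output corresponds to one ACL target (dn.exact, dn.children), and the "outside" row lists requests that no rule for ou=Services will cover.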