[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: Dynamic ACL in OpenLDAP with set:expand not working
On Thu, Aug 22, 2019 at 09:10:24AM +0200, Martin W. wrote:
> Hi Ondřej,
> Hi Dieter,
>
> Thanks for your replies! The basic links I've had already found and
> read through carefully and didn't find a correct solution for my
> problem =(
>
> The olcAccess statements out of the trials were all placed in front of
> the asterisk * one. So the order should not be the problem =(
Hi Martin,
there are several olcAccess clauses (olcAccess attribute values) with
several directives each.
> With slapacl I don’t really get a clue – I’ll attach one result below,
> that I would interpret like that my l.dap user is not allowed to
> change the description of entity e1 … but if I use JXplorer to connect
> to the directory as l.dap, I can – even submit. Is it wrong how I’m
> using slapacl? Or isn’t it reliable since I’m using RegEx?
>
>> $ slapacl -v -U "uid=l.dap,ou=people,dc=example,dc=com" -b "o=e1,ou=entities,dc=example,dc=com" -d acl "description/write"
This is the relevant snippet from the output:
>> authcDN: "uid=uid\3Dl.dap\2Cou\3Dpeople\2Cdc\3dexample\2Cdc\3Dcom,cn=auth"
>> 5d5db13a => access_allowed: write access to "o=jpbay,ou=lve,dc=example,dc=com" "description" requested
>> 5d5db13a => acl_get: [2] attr description
>> 5d5db13a => acl_mask: access to entry "o=jpbay,ou=lve,dc=example,dc=com", attr "description" requested
>> 5d5db13a => acl_mask: to all values by "uid=uid\3Dl.dap\2Cou\3Dpeople\2Cdc\3dexample\2Cdc\3Dcom,cn=auth", (=0)
>> 5d5db13a <= check a_dn_pat: self
>> 5d5db13a <= check a_dn_pat: cn=admin,dc=example,dc=com
>> 5d5db13a <= check a_set_pat: [cn=ldapadmins,ou=groups,dc=example,dc=com]/member* & user
>> 5d5db13a => mdb_entry_get: found entry: "cn=ldapadmins,ou=groups,dc=example,dc=com"
>> 5d5db13a ACL set[0]=cn=globaladmins,ou=groups,dc=example,dc=com
>> 5d5db13a => mdb_entry_get: found entry: "cn=globaladmins,ou=groups,dc=example,dc=com"
>> 5d5db13a ACL set[0]=cn=globaladmins,ou=groups,dc=example,dc=com
>> 5d5db13a ACL set[1]=cn=admin,dc=example,dc=com
>> 5d5db13a ACL set[2]=uid=l.dap,ou=people,dc=example,dc=com
>> 5d5db13a => mdb_entry_get: found entry: "cn=admin,dc=example,dc=com"
>> 5d5db13a <= mdb_entry_get: failed to find attribute member
>> 5d5db13a => mdb_entry_get: found entry: "uid=l.dap,ou=people,dc=example,dc=com"
>> 5d5db13a <= mdb_entry_get: failed to find attribute member
>> 5d5db13a ACL set: empty
>> 5d5db13a <= check a_dn_pat: users
>> 5d5db13a <= acl_mask: [4] applying read(=rscxd) (stop)
>> 5d5db13a <= acl_mask: [4] mask: read(=rscxd)
>> 5d5db13a => slap_access_allowed: write access denied by read(=rscxd)
>> 5d5db13a => access_allowed: no more rules
>> write access to description: DENIED
Which seems to correspond to your first olcAccess clause only:
>>>>> olcAccess: to *
>>>>> by self write
>>>>> by dn="cn=admin,dc=example,dc=com" write
>>>>> by set="[cn=ldapadmins,ou=groups,dc=example,dc=com]/member* & user" write
>>>>> by users read
>>>>> by * none
It shows that "by users read" matches and processing stops. If you want
processing to continue past this clause, you will either have to
reorganise the structure and ordering of your rules or (to get you
started for now) use "break" at the end of certain directives (most
likely the last two: "by users read" and "by * none").
Hopefully with this and man slapd.access in mind, you should be able to
find a way to describe what you need.
With more complex ACLs, it is also useful to maintain a test suite using
slapacl or sample DBs so you can refactor them with confidence later.
Regards,
--
Ondřej Kuzník
Senior Software Engineer
Symas Corporation http://www.symas.com
Packaged, certified, and supported LDAP solutions powered by OpenLDAP