Re: untoward change to ACL behavior (ITS#1921)
On Wed, Jul 10, 2002 at 03:52:28AM +0000, Kurt@OpenLDAP.org wrote:
>
> From the limited information in your report, I cannot possibly
> conclude your report is indicative of a software bug. It is
> more likely a simple configuration issue. If you believe
> there is a software (or documentation) bug, you should provide
> enough information (configuration details, logs, etc.) to
> convince developers that such does exist.
I think there is a valid problem here. I have tested 2.1.2 with the
ACL given in the example config file:
# Sample access control policy:
# Allow read access of root DSE
# Allow self write access
# Allow authenticated users read access
# Allow anonymous users to authenticate
# Directives needed to implement policy:
access to dn="" by * read
access to *
        by self write
        by users read
        by anonymous auth
#
With slapd 2.1.2 this seems to allow anonymous users to read all entries,
which it should not.
Reading slapd.access(5) I think the first directive should be:
access to dn.base="" by * read
but even with that in place, anon users can read all entries.
I append a copy of my slapd.conf and a log extract showing what
happens. The search command used was:
ldapsearch -C -x -H ldap://localhost:389/ -b dc=example,dc=org 'cn=*pathan*'
Clearly the example ACL is not implementing the policy that is
described for it.
Andrew
--
-----------------------------------------------------------------------
| From Andrew Findlay, Skills 1st Ltd |
| Consultant in large-scale systems, networks, and directory services |
| Andrew.Findlay@skills-1st.co.uk +44 1628 782565 |
-----------------------------------------------------------------------
# $OpenLDAP: pkg/ldap/servers/slapd/slapd.conf,v 1.23 2002/02/02 05:23:12 kurt Exp $
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
include /usr/local/etc/openldap/schema/openldap.schema
include /usr/local/etc/openldap/schema/nis.schema
# loglevel 96
loglevel 992
# Define global ACLs to disable default read access.
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org
pidfile /usr/local/var/slapd.pid
argsfile /usr/local/var/slapd.args
# Load dynamic backend modules:
# modulepath /usr/local/libexec/openldap
# moduleload back_ldap.la
# moduleload back_ldbm.la
# moduleload back_passwd.la
# moduleload back_shell.la
########################################################################
# SASL mapping
########################################################################
saslRegexp
        uid=(.*),cn=brick.skills-1st.co.uk,cn=.*,cn=auth
        ldap://localhost/dc=example,dc=org??sub?uid=$1
########################################################################
# Access Control
########################################################################
#
# Sample access control policy:
# Allow read access of root DSE
# Allow self write access
# Allow authenticated users read access
# Allow anonymous users to authenticate
# Directives needed to implement policy:
access to dn.base="" by * read
access to *
        by self write
        by users read
        by anonymous auth
#
# if no access controls are present, the default policy is:
# Allow read by all
#
# rootdn can always write!
#######################################################################
# ldbm database definitions
#######################################################################
database bdb
suffix "dc=example,dc=org"
rootdn "cn=DSAmgr,dc=example,dc=org"
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication is encouraged.
rootpw secret
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd/tools. Mode 700 recommended.
directory /usr/local/var/openldap-data
# Indices to maintain
index default pres,eq,sub
index objectClass eq
index cn
index sn
index uid
-----------------------------------------------------------------------
Log extract showing SLAPD startup, anon bind, and search for cn=*pathan*
Startup:
Jul 10 12:32:21 brick slapd[10490]: daemon: socket() failed errno=97 (Address family not supported by protocol)
Jul 10 12:32:21 brick slapd[10490]: bdb_open: Sleepycat Software: Berkeley DB 4.0.14: (November 18, 2001)
Jul 10 12:32:21 brick slapd[10490]: line 21 (pidfile ^I/usr/local/var/slapd.pid)
Jul 10 12:32:21 brick slapd[10490]: line 22 (argsfile /usr/local/var/slapd.args)
Jul 10 12:32:21 brick slapd[10490]: line 37 (saslRegexp uid=(.*),cn=brick.skills-1st.co.uk,cn=.*,cn=auth ldap://localhost/dc=example,dc=org??sub?uid=$1)
Jul 10 12:32:21 brick slapd[10490]: str2filter "uid=$1"
Jul 10 12:32:21 brick slapd[10490]: begin get_filter
Jul 10 12:32:21 brick slapd[10490]: EQUALITY
Jul 10 12:32:21 brick slapd[10490]: end get_filter 0
Jul 10 12:32:21 brick slapd[10490]: line 49 (access to dn.base="" by * read)
Jul 10 12:32:21 brick slapd[10490]: line 53 (access to * by self write by users read by anonymous auth)
Jul 10 12:32:21 brick slapd[10490]: line 64 (database bdb)
Jul 10 12:32:21 brick slapd[10490]: bdb_db_init: Initializing BDB database
Jul 10 12:32:21 brick slapd[10490]: line 65 (suffix ^I"dc=example,dc=org")
Jul 10 12:32:21 brick slapd[10490]: line 66 (rootdn ^I"cn=DSAmgr,dc=example,dc=org")
Jul 10 12:32:21 brick slapd[10490]: line 71 (rootpw ***)
Jul 10 12:32:21 brick slapd[10490]: line 74 (directory /usr/local/var/openldap-data)
Jul 10 12:32:21 brick slapd[10490]: line 76 (index default^I^Ipres,eq,sub)
Jul 10 12:32:21 brick slapd[10490]: line 77 (index objectClass^Ieq)
Jul 10 12:32:21 brick slapd[10490]: index objectClass 0x0004
Jul 10 12:32:21 brick slapd[10490]: line 78 (index cn)
Jul 10 12:32:21 brick slapd[10490]: index cn 0x0716
Jul 10 12:32:21 brick slapd[10490]: line 79 (index sn)
Jul 10 12:32:21 brick slapd[10490]: index sn 0x0716
Jul 10 12:32:21 brick slapd[10490]: line 80 (index uid)
Jul 10 12:32:21 brick slapd[10490]: index uid 0x0716
Jul 10 12:32:23 brick slapd[10492]: slapd starting
Anon bind:
Jul 10 12:32:30 brick slapd[10495]: daemon: conn=0 fd=12 connection from IP=127.0.0.1:42800 (IP=0.0.0.0:389) accepted.
Jul 10 12:32:30 brick slapd[10498]: conn=0 op=0 BIND dn="" method=128
Jul 10 12:32:30 brick slapd[10498]: conn=0 op=0 RESULT tag=97 err=0 text=
Search:
Jul 10 12:32:33 brick slapd[10498]: begin get_filter
Jul 10 12:32:33 brick slapd[10498]: SUBSTRINGS
Jul 10 12:32:33 brick slapd[10498]: begin get_substring_filter
Jul 10 12:32:33 brick slapd[10498]: ANY
Jul 10 12:32:33 brick slapd[10498]: end get_substring_filter
Jul 10 12:32:33 brick slapd[10498]: end get_filter 0
Jul 10 12:32:33 brick slapd[10498]: conn=0 op=1 SRCH base="dc=example,dc=org" scope=2 filter="(cn=*pathan*)"
Jul 10 12:32:33 brick slapd[10498]: => bdb_filter_candidates
Jul 10 12:32:33 brick slapd[10498]: ^IAND
Jul 10 12:32:33 brick slapd[10498]: => bdb_list_candidates 0xa0
Jul 10 12:32:33 brick slapd[10498]: => bdb_filter_candidates
Jul 10 12:32:33 brick slapd[10498]: ^IDN SUBTREE
Jul 10 12:32:33 brick slapd[10498]: <= bdb_filter_candidates: id=-1 first=1 last=1003
Jul 10 12:32:33 brick slapd[10498]: => bdb_filter_candidates
Jul 10 12:32:33 brick slapd[10498]: ^ISUBSTRINGS
Jul 10 12:32:33 brick slapd[10498]: <= bdb_filter_candidates: id=1 first=1001 last=1001
Jul 10 12:32:33 brick slapd[10498]: <= bdb_list_candidates: undefined rc=0
Jul 10 12:32:33 brick slapd[10498]: <= bdb_filter_candidates: id=1 first=1001 last=1001
Jul 10 12:32:33 brick slapd[10498]: => test_filter
Jul 10 12:32:33 brick slapd[10498]: SUBSTRINGS
Jul 10 12:32:33 brick slapd[10498]: begin test_substrings_filter
Jul 10 12:32:33 brick slapd[10498]: => access_allowed: search access to "cn=Andrew Pathan+uid=u000997,dc=example,dc=org" "cn" requested
Jul 10 12:32:33 brick slapd[10498]: => acl_get: [1] check attr cn
Jul 10 12:32:33 brick slapd[10498]: <= acl_get: [1] acl cn=Andrew Pathan+uid=u000997,dc=example,dc=org attr: cn
Jul 10 12:32:33 brick slapd[10498]: => acl_mask: access to entry "cn=Andrew Pathan+uid=u000997,dc=example,dc=org", attr "cn" requested
Jul 10 12:32:33 brick slapd[10498]: => acl_mask: to all values by "", (=n)
Jul 10 12:32:33 brick slapd[10498]: <= check a_dn_pat: *
Jul 10 12:32:33 brick slapd[10498]: <= acl_mask: [1] applying read(=rscx) (stop)
Jul 10 12:32:33 brick slapd[10498]: <= acl_mask: [1] mask: read(=rscx)
Jul 10 12:32:33 brick slapd[10498]: => access_allowed: search access granted by read(=rscx)
Jul 10 12:32:33 brick slapd[10498]: <= test_filter 6
Jul 10 12:32:33 brick slapd[10498]: => access_allowed: read access to "cn=Andrew Pathan+uid=u000997,dc=example,dc=org" "entry" requested
Jul 10 12:32:34 brick slapd[10498]: => acl_get: [1] check attr entry
Jul 10 12:32:34 brick slapd[10498]: <= acl_get: [1] acl cn=Andrew Pathan+uid=u000997,dc=example,dc=org attr: entry
Jul 10 12:32:34 brick slapd[10498]: => acl_mask: access to entry "cn=Andrew Pathan+uid=u000997,dc=example,dc=org", attr "entry" requested
Jul 10 12:32:34 brick slapd[10498]: => acl_mask: to all values by "", (=n)
Jul 10 12:32:34 brick slapd[10498]: <= check a_dn_pat: *
Jul 10 12:32:34 brick slapd[10498]: <= acl_mask: [1] applying read(=rscx) (stop)
Jul 10 12:32:34 brick slapd[10498]: <= acl_mask: [1] mask: read(=rscx)
Jul 10 12:32:34 brick slapd[10498]: => access_allowed: read access granted by read(=rscx)
Jul 10 12:32:34 brick slapd[10498]: => access_allowed: read access to "cn=Andrew Pathan+uid=u000997,dc=example,dc=org" "objectClass" requested
Jul 10 12:32:34 brick slapd[10498]: => acl_get: [1] check attr objectClass
Jul 10 12:32:34 brick slapd[10498]: <= acl_get: [1] acl cn=Andrew Pathan+uid=u000997,dc=example,dc=org attr: objectClass
Jul 10 12:32:34 brick slapd[10498]: => acl_mask: access to entry "cn=Andrew Pathan+uid=u000997,dc=example,dc=org", attr "objectClass" requested
Jul 10 12:32:34 brick slapd[10498]: => acl_mask: to all values by "", (=n)
Jul 10 12:32:34 brick slapd[10498]: <= check a_dn_pat: *
Jul 10 12:32:34 brick slapd[10498]: <= acl_mask: [1] applying read(=rscx) (stop)
Jul 10 12:32:34 brick slapd[10498]: <= acl_mask: [1] mask: read(=rscx)
Jul 10 12:32:34 brick slapd[10498]: => access_allowed: read access granted by read(=rscx)
Jul 10 12:32:34 brick slapd[10498]: => access_allowed: read access to "cn=Andrew Pathan+uid=u000997,dc=example,dc=org" "displayName" requested
Jul 10 12:32:34 brick slapd[10498]: => acl_get: [1] check attr displayName
Jul 10 12:32:34 brick slapd[10498]: <= acl_get: [1] acl cn=Andrew Pathan+uid=u000997,dc=example,dc=org attr: displayName
Jul 10 12:32:34 brick slapd[10498]: => acl_mask: access to entry "cn=Andrew Pathan+uid=u000997,dc=example,dc=org", attr "displayName" requested
Jul 10 12:32:34 brick slapd[10498]: => acl_mask: to all values by "", (=n)
Jul 10 12:32:34 brick slapd[10498]: <= check a_dn_pat: *
Jul 10 12:32:34 brick slapd[10498]: <= acl_mask: [1] applying read(=rscx) (stop)
Jul 10 12:32:34 brick slapd[10498]: <= acl_mask: [1] mask: read(=rscx)
Jul 10 12:32:34 brick slapd[10498]: => access_allowed: read access granted by read(=rscx)
Jul 10 12:32:34 brick slapd[10498]: => access_allowed: read access to "cn=Andrew Pathan+uid=u000997,dc=example,dc=org" "cn" requested
Jul 10 12:32:34 brick slapd[10498]: => acl_get: [1] check attr cn
Jul 10 12:32:34 brick slapd[10498]: <= acl_get: [1] acl cn=Andrew Pathan+uid=u000997,dc=example,dc=org attr: cn
Jul 10 12:32:34 brick slapd[10498]: => acl_mask: access to entry "cn=Andrew Pathan+uid=u000997,dc=example,dc=org", attr "cn" requested
Jul 10 12:32:34 brick slapd[10498]: => acl_mask: to all values by "", (=n)
Jul 10 12:32:34 brick slapd[10498]: <= check a_dn_pat: *
Jul 10 12:32:34 brick slapd[10498]: <= acl_mask: [1] applying read(=rscx) (stop)
Jul 10 12:32:34 brick slapd[10498]: <= acl_mask: [1] mask: read(=rscx)
Jul 10 12:32:34 brick slapd[10498]: => access_allowed: read access granted by read(=rscx)
Jul 10 12:32:34 brick slapd[10498]: => access_allowed: read access to "cn=Andrew Pathan+uid=u000997,dc=example,dc=org" "sn" requested
Jul 10 12:32:34 brick slapd[10498]: => acl_get: [1] check attr sn
Jul 10 12:32:34 brick slapd[10498]: <= acl_get: [1] acl cn=Andrew Pathan+uid=u000997,dc=example,dc=org attr: sn
Jul 10 12:32:34 brick slapd[10498]: => acl_mask: access to entry "cn=Andrew Pathan+uid=u000997,dc=example,dc=org", attr "sn" requested
Jul 10 12:32:34 brick slapd[10498]: => acl_mask: to all values by "", (=n)
Jul 10 12:32:34 brick slapd[10498]: <= check a_dn_pat: *
Jul 10 12:32:34 brick slapd[10498]: <= acl_mask: [1] applying read(=rscx) (stop)
Jul 10 12:32:34 brick slapd[10498]: <= acl_mask: [1] mask: read(=rscx)
Jul 10 12:32:34 brick slapd[10498]: => access_allowed: read access granted by read(=rscx)
Jul 10 12:32:34 brick slapd[10498]: => access_allowed: read access to "cn=Andrew Pathan+uid=u000997,dc=example,dc=org" "uid" requested
Jul 10 12:32:34 brick slapd[10498]: => acl_get: [1] check attr uid
Jul 10 12:32:34 brick slapd[10498]: <= acl_get: [1] acl cn=Andrew Pathan+uid=u000997,dc=example,dc=org attr: uid
Jul 10 12:32:34 brick slapd[10498]: => acl_mask: access to entry "cn=Andrew Pathan+uid=u000997,dc=example,dc=org", attr "uid" requested
Jul 10 12:32:34 brick slapd[10498]: => acl_mask: to all values by "", (=n)
Jul 10 12:32:34 brick slapd[10498]: <= check a_dn_pat: *
Jul 10 12:32:34 brick slapd[10498]: <= acl_mask: [1] applying read(=rscx) (stop)
Jul 10 12:32:34 brick slapd[10498]: <= acl_mask: [1] mask: read(=rscx)
Jul 10 12:32:34 brick slapd[10498]: => access_allowed: read access granted by read(=rscx)
Jul 10 12:32:34 brick slapd[10498]: => access_allowed: read access to "cn=Andrew Pathan+uid=u000997,dc=example,dc=org" "mail" requested
Jul 10 12:32:34 brick slapd[10498]: => acl_get: [1] check attr mail
Jul 10 12:32:34 brick slapd[10498]: <= acl_get: [1] acl cn=Andrew Pathan+uid=u000997,dc=example,dc=org attr: mail
Jul 10 12:32:34 brick slapd[10498]: => acl_mask: access to entry "cn=Andrew Pathan+uid=u000997,dc=example,dc=org", attr "mail" requested
Jul 10 12:32:34 brick slapd[10498]: => acl_mask: to all values by "", (=n)
Jul 10 12:32:34 brick slapd[10498]: <= check a_dn_pat: *
Jul 10 12:32:34 brick slapd[10498]: <= acl_mask: [1] applying read(=rscx) (stop)
Jul 10 12:32:34 brick slapd[10498]: <= acl_mask: [1] mask: read(=rscx)
Jul 10 12:32:34 brick slapd[10498]: => access_allowed: read access granted by read(=rscx)
Jul 10 12:32:34 brick slapd[10498]: => access_allowed: read access to "cn=Andrew Pathan+uid=u000997,dc=example,dc=org" "telephoneNumber" requested
Jul 10 12:32:34 brick slapd[10498]: => acl_get: [1] check attr telephoneNumber
Jul 10 12:32:34 brick slapd[10498]: <= acl_get: [1] acl cn=Andrew Pathan+uid=u000997,dc=example,dc=org attr: telephoneNumber
Jul 10 12:32:34 brick slapd[10498]: => acl_mask: access to entry "cn=Andrew Pathan+uid=u000997,dc=example,dc=org", attr "telephoneNumber" requested
Jul 10 12:32:34 brick slapd[10498]: => acl_mask: to all values by "", (=n)
Jul 10 12:32:34 brick slapd[10498]: <= check a_dn_pat: *
Jul 10 12:32:34 brick slapd[10498]: <= acl_mask: [1] applying read(=rscx) (stop)
Jul 10 12:32:34 brick slapd[10498]: <= acl_mask: [1] mask: read(=rscx)
Jul 10 12:32:34 brick slapd[10498]: => access_allowed: read access granted by read(=rscx)
Jul 10 12:32:34 brick slapd[10498]: conn=0 op=1 ENTRY dn="cn=Andrew Pathan+uid=u000997,dc=example,dc=org"
Jul 10 12:32:34 brick slapd[10498]: conn=0 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jul 10 12:32:40 brick slapd[10498]: conn=0 op=2 UNBIND
Jul 10 12:32:40 brick slapd[10498]: conn=0 fd=12 closed
Jul 10 12:32:52 brick slapd[10495]: daemon: conn=1 fd=12 connection from IP=127.0.0.1:42801 (IP=0.0.0.0:389) accepted.
Jul 10 12:32:52 brick slapd[10498]: conn=1 op=0 BIND dn="" method=128
Jul 10 12:32:52 brick slapd[10498]: conn=1 op=0 RESULT tag=97 err=0 text=
Jul 10 12:32:52 brick slapd[10498]: begin get_filter
Jul 10 12:32:52 brick slapd[10498]: PRESENT
Jul 10 12:32:52 brick slapd[10498]: end get_filter 0
Jul 10 12:32:52 brick slapd[10498]: conn=1 op=1 SRCH base="" scope=0 filter="(objectClass=*)"
Jul 10 12:32:52 brick slapd[10498]: => test_filter
Jul 10 12:32:52 brick slapd[10498]: PRESENT
Jul 10 12:32:52 brick slapd[10498]: => access_allowed: search access to "" "objectClass" requested
Jul 10 12:32:52 brick slapd[10498]: => acl_get: [1] check attr objectClass
Jul 10 12:32:52 brick slapd[10498]: <= acl_get: [1] acl attr: objectClass
Jul 10 12:32:52 brick slapd[10498]: => acl_mask: access to entry "", attr "objectClass" requested
Jul 10 12:32:52 brick slapd[10498]: => acl_mask: to all values by "", (=n)
Jul 10 12:32:52 brick slapd[10498]: <= check a_dn_pat: *
Jul 10 12:32:52 brick slapd[10498]: <= acl_mask: [1] applying read(=rscx) (stop)
Jul 10 12:32:52 brick slapd[10498]: <= acl_mask: [1] mask: read(=rscx)
Jul 10 12:32:52 brick slapd[10498]: => access_allowed: search access granted by read(=rscx)
Jul 10 12:32:52 brick slapd[10498]: <= test_filter 6
Jul 10 12:32:52 brick slapd[10498]: => access_allowed: read access to "" "entry" requested
Jul 10 12:32:52 brick slapd[10498]: => acl_get: [1] check attr entry
Jul 10 12:32:52 brick slapd[10498]: <= acl_get: [1] acl attr: entry
Jul 10 12:32:52 brick slapd[10498]: => acl_mask: access to entry "", attr "entry" requested
Jul 10 12:32:52 brick slapd[10498]: => acl_mask: to all values by "", (=n)
Jul 10 12:32:52 brick slapd[10498]: <= check a_dn_pat: *
Jul 10 12:32:52 brick slapd[10498]: <= acl_mask: [1] applying read(=rscx) (stop)
Jul 10 12:32:52 brick slapd[10498]: <= acl_mask: [1] mask: read(=rscx)
Jul 10 12:32:52 brick slapd[10498]: => access_allowed: read access granted by read(=rscx)
Jul 10 12:32:52 brick slapd[10498]: => access_allowed: read access to "" "namingContexts" requested
Jul 10 12:32:52 brick slapd[10498]: => acl_get: [1] check attr namingContexts
Jul 10 12:32:52 brick slapd[10498]: <= acl_get: [1] acl attr: namingContexts
Jul 10 12:32:52 brick slapd[10498]: => acl_mask: access to entry "", attr "namingContexts" requested
Jul 10 12:32:52 brick slapd[10498]: => acl_mask: to all values by "", (=n)
Jul 10 12:32:52 brick slapd[10498]: <= check a_dn_pat: *
Jul 10 12:32:52 brick slapd[10498]: <= acl_mask: [1] applying read(=rscx) (stop)
Jul 10 12:32:52 brick slapd[10498]: <= acl_mask: [1] mask: read(=rscx)
Jul 10 12:32:52 brick slapd[10498]: => access_allowed: read access granted by read(=rscx)
Jul 10 12:32:52 brick slapd[10498]: conn=1 op=1 ENTRY dn=""
Jul 10 12:32:52 brick slapd[10498]: conn=1 op=1 RESULT tag=101 err=0 text=
Jul 10 12:32:52 brick slapd[10501]: conn=1 op=2 UNBIND
Jul 10 12:32:52 brick slapd[10501]: conn=1 fd=12 closed
-----------------------------------------------------------------------
Result of ldapsearch command:
#
# LDAPv3
# filter: cn=*pathan*
# requesting: ALL
#
# Andrew Pathan + u000997, example.org
dn: cn=Andrew Pathan+uid=u000997,dc=example,dc=org
objectClass: inetOrgPerson
objectClass: person
displayName: Andrew Pathan
cn: Andrew Pathan
sn: Pathan
uid: u000997
mail: u000997@example.org
telephoneNumber: +44 1234 567997
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
-----------------------------------------------------------------------
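The ACL trace above can be checked mechanically rather than by eye. The following is an added example, not part of Andrew's report or of OpenLDAP itself: it parses access_allowed/acl_mask debug lines of the kind quoted in the extract, reconstructs one decision per requested attribute, and flags any read or search granted to the anonymous identity (which slapd renders as by "") outside the root DSE, and any case where the ACL index of the root-DSE rule was applied to some other entry. The sample lines are copied from the extract; the rule index 1 for dn.base="" is taken from the config above.

```python
import re

# Constructed sample: ACL-debug lines copied from the log extract in the report.
# slapd prints the anonymous identity as by "" and the root DSE as dn "".
SAMPLE_LOG = """\
Jul 10 12:32:33 brick slapd[10498]: => access_allowed: read access to "cn=Andrew Pathan+uid=u000997,dc=example,dc=org" "entry" requested
Jul 10 12:32:33 brick slapd[10498]: => acl_mask: to all values by "", (=n)
Jul 10 12:32:33 brick slapd[10498]: <= acl_mask: [1] applying read(=rscx) (stop)
Jul 10 12:32:33 brick slapd[10498]: => access_allowed: read access granted by read(=rscx)
Jul 10 12:32:52 brick slapd[10498]: => access_allowed: read access to "" "namingContexts" requested
Jul 10 12:32:52 brick slapd[10498]: => acl_mask: to all values by "", (=n)
Jul 10 12:32:52 brick slapd[10498]: <= acl_mask: [1] applying read(=rscx) (stop)
Jul 10 12:32:52 brick slapd[10498]: => access_allowed: read access granted by read(=rscx)
"""

REQ = re.compile(r'=> access_allowed: (\w+) access to "([^"]*)" "([^"]+)" requested')
BY = re.compile(r'=> acl_mask: to all values by "([^"]*)"')
APPLY = re.compile(r'<= acl_mask: \[(\d+)\] applying (\w+)')
GRANT = re.compile(r'=> access_allowed: \w+ access granted by (\w+)')


def parse_decisions(log_text):
    """Fold the multi-line ACL trace into one record per access request."""
    decisions, cur = [], None
    for line in log_text.splitlines():
        m = REQ.search(line)
        if m:
            cur = {"access": m.group(1), "dn": m.group(2), "attr": m.group(3),
                   "by": None, "acl_index": None, "clause": None, "granted": None}
            decisions.append(cur)
            continue
        if cur is None:
            continue
        m = BY.search(line)
        if m:
            cur["by"] = m.group(1)
            continue
        m = APPLY.search(line)
        if m:
            cur["acl_index"], cur["clause"] = int(m.group(1)), m.group(2)
            continue
        m = GRANT.search(line)
        if m:
            cur["granted"] = m.group(1)
    return decisions


def anonymous_overreach(decisions):
    """The example policy lets anonymous read only the root DSE (dn "") and
    otherwise authenticate; any read/search granted elsewhere is a finding."""
    return [d for d in decisions
            if d["by"] == "" and d["dn"] != "" and d["granted"] is not None
            and d["access"] in ("read", "search")]


def root_dse_rule_misapplied(decisions, rule_index=1):
    """The dn.base="" rule (index 1 in the config above) must never be the
    clause that decides access to an entry other than the root DSE."""
    return [d for d in decisions if d["acl_index"] == rule_index and d["dn"] != ""]
```

Run against the full extract, both checks report the cn=Andrew Pathan entry and nothing for the root DSE search, which is the discrepancy the report describes.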