Re: ACL confusion



At 11:43 AM -0700 6/24/99, "Kurt D. Zeilenga" <Kurt@OpenLDAP.org> wrote:

Thanks very much for the help.

>That's not a valid DN (per RFC1779) and will likely cause problems.
>Namely, the "," in o='Invantage, Inc.' must be quoted using an
>approved mechanism.  The "'" character is NOT a quote character.

I tried quoting by following the example at the end of chapter 5 of the SLAPD and SLURPD Administrators Guide: "o=\"Invantage, Inc.\",c=US". This did not work - it yielded error messages everywhere. Using single quotes looked distinctly bad to me, but it had worked everywhere so far. I see from RFC 1779 that "o=Invantage\, Inc.,c=US" should be permitted. I'll try that later.


>>access to       *
>> by dn="uid=root,ou=Staff,o='Invantage, Inc.',c=US" write
>> by dn="cn=Netscape Server ,o='Invantage, Inc.',c=US" write
>                           ^
>typo: s/cn=Netscape Server /cn=Netscape Server Admin/

Sorry, that was an accidental deletion from the email - it was specified correctly in the config file.


I rebuilt the database with o=Invantage, to make sure that the comma in the DN does not contribute to the problem, and tried again. The same problem still occurs, as best I can tell. Here is the LDIF file I imported to begin with:

dn: o=Invantage,c=US
objectclass: organization

dn: ou=Staff,o=Invantage,c=US
objectclass: organizationalUnit

dn: cn=Nicholas Riley,ou=Staff,o=Invantage,c=US
cn: Nicholas Riley
sn: Riley
uid: nicholas
ou: Staff
mail: nicholas@invantage.com
objectclass: person
userpassword: {crypt}<stuff>

dn: uid=root,ou=Staff,o=Invantage,c=US
uid: root
ou: Staff
description: System Administrator account
seeAlso: cn=Nicholas Riley,ou=Staff,o=Invantage,c=US
objectclass: account

dn: Netscape Server Admin,o=Invantage,c=US
cn: Netscape Server Admin
o: Invantage
uid: admin
description: Netscape server administrator
objectclass: person
userpassword: {crypt}<other stuff>

and portions of slapd.conf again:

rootdn          "uid=root,ou=Staff,o=Invantage,c=US"

defaultaccess   read

access to       attr=userpassword
by self        write
by dn="uid=root,ou=Staff,o=Invantage,c=US" write
by dn="cn=Netscape Server Admin,o=Invantage,c=US" write
by *           compare

access to       *
by dn="uid=root,ou=Staff,o=Invantage,c=US" write
by dn="cn=Netscape Server Admin,o=Invantage,c=US" write
by *           read


>If you have further problems,
>be sure to provide log details with TRACE and ARGS enabled
>in addition to ACLS, i.e. -d 1 -d 4 -d 128  OR -d 133.

OK, this is huge...

{nicholas#pts/0@hannibal:51} 3:15pm ~>sudo /usr/local/libexec/slapd -d 133
slapd 1.2.1-Release (Wed Jun 23 11:59:45 EDT 1999)
        nicholas@hannibal:/home/nicholas/ldap/servers/slapd
ACL: access to
 attrs=userpassword
        by dn=self
        by dn=UID=ROOT,OU=STAFF,O=INVANTAGE,C=US
        by dn=CN=NETSCAPE SERVER ADMIN,O=INVANTAGE,C=US
        by dn=.*

ACL: access to dn=.*
        by dn=UID=ROOT,OU=STAFF,O=INVANTAGE,C=US
        by dn=CN=NETSCAPE SERVER ADMIN,O=INVANTAGE,C=US
        by dn=.*

slapd starting
do_bind
do_bind: version 2 dn (uid=root,ou=Staff,o=Invantage,c=US) method 128
==> ldbm_back_bind: dn: UID=ROOT,OU=STAFF,O=INVANTAGE,C=US
dn2entry_r: dn: "UID=ROOT,OU=STAFF,O=INVANTAGE,C=US"
=> dn2id( "UID=ROOT,OU=STAFF,O=INVANTAGE,C=US" )
=> ldbm_cache_open( "/var/ldap/ldbm-invantage/dn2id.gdbm", 2, 600 )
ldbm_cache_open (blksize 8192) (maxids 2046) (maxindirect 2)
<= ldbm_cache_open (opened 0)
<= dn2id 4
=> id2entry_r( 4 )
=> ldbm_cache_open( "/var/ldap/ldbm-invantage/id2entry.gdbm", 2, 600 )
ldbm_cache_open (blksize 8192) (maxids 2046) (maxindirect 2)
<= ldbm_cache_open (opened 1)
=> str2entry
<= str2entry 0x62138
entry_rdwr_rlock: ID: 4
<= id2entry_r( 4 ) (disk)
====> cache_return_entry_r
entry_rdwr_runlock: ID: 4
do_bind: bound "uid=root,ou=Staff,o=Invantage,c=US" to "uid=root,ou=Staff,o=Invantage,c=US"
send_ldap_result 0::
do_search
SRCH "O=INVANTAGE,C=US" 2 0 0 0 -1
filter: (uid=ADMIN)
attrs: objectclass
=> ldbm_back_search
using base "O=INVANTAGE,C=US"
subtree_candidates: base: "O=INVANTAGE,C=US" lookupbase
dn2entry_r: dn: "O=INVANTAGE,C=US"
=> dn2id( "O=INVANTAGE,C=US" )
=> ldbm_cache_open( "/var/ldap/ldbm-invantage/dn2id.gdbm", 2, 600 )
<= ldbm_cache_open (cache 0)
<= dn2id 1
=> id2entry_r( 1 )
=> ldbm_cache_open( "/var/ldap/ldbm-invantage/id2entry.gdbm", 2, 600 )
<= ldbm_cache_open (cache 1)
=> str2entry
<= str2entry 0xa5778
entry_rdwr_rlock: ID: 1
<= id2entry_r( 1 ) (disk)
====> cache_return_entry_r
entry_rdwr_runlock: ID: 1
=> filter_candidates
=> list_candidates 0xa1
=> filter_candidates
=> ava_candidates 0xa3
=> index_read( "objectclass" "=" "REFERRAL" )
=> ldbm_cache_open( "/var/ldap/ldbm-invantage/objectclass.gdbm", 2, 600 )
ldbm_cache_open (blksize 8192) (maxids 2046) (maxindirect 2)
<= ldbm_cache_open (opened 2)
<= index_read 0 candidates
<= ava_candidates 0
<= filter_candidates 0
=> filter_candidates
=> ava_candidates 0xa3
=> index_read( "uid" "=" "ADMIN" )
=> ldbm_cache_open( "/var/ldap/ldbm-invantage/uid.gdbm", 2, 600 )
ldbm_cache_open (blksize 8192) (maxids 2046) (maxindirect 2)
<= ldbm_cache_open (opened 3)
<= index_read 1 candidates
<= ava_candidates 1
<= filter_candidates 1
<= list_candidates 1
<= filter_candidates 1
=> id2entry_r( 5 )
=> ldbm_cache_open( "/var/ldap/ldbm-invantage/id2entry.gdbm", 2, 600 )
<= ldbm_cache_open (cache 1)
=> str2entry
<= str2entry 0xde208
entry_rdwr_rlock: ID: 5
<= id2entry_r( 5 ) (disk)


=> access_allowed: entry (Netscape Server Admin,o=Invantage,c=US) attr (uid)

=> acl_get: entry (Netscape Server Admin,o=Invantage,c=US) attr (uid)
<= acl_get: no acl applicable to database root

=> acl_access_allowed: search access to entry "Netscape Server Admin,o=Invantage,c=US"

=> acl_access_allowed: search access to value "ADMIN" by "UID=ROOT,OU=STAFF,O=INVANTAGE,C=US"
<= acl_access_allowed: granted to database root


=> access_allowed: exit (Netscape Server Admin,o=Invantage,c=US) attr (uid)
=> send_search_entry (Netscape Server Admin,o=Invantage,c=US)

=> access_allowed: entry (Netscape Server Admin,o=Invantage,c=US) attr (entry)

=> acl_get: entry (Netscape Server Admin,o=Invantage,c=US) attr (entry)
<= acl_get: no acl applicable to database root

=> acl_access_allowed: read access to entry "Netscape Server Admin,o=Invantage,c=US"

=> acl_access_allowed: read access to value "any" by "UID=ROOT,OU=STAFF,O=INVANTAGE,C=US"
<= acl_access_allowed: granted to database root


=> access_allowed: exit (Netscape Server Admin,o=Invantage,c=US) attr (entry)

=> acl_get: entry (Netscape Server Admin,o=Invantage,c=US) attr (objectclass)
<= acl_get: no acl applicable to database root

=> acl_access_allowed: read access to entry "Netscape Server Admin,o=Invantage,c=US"

=> acl_access_allowed: read access to value "any" by "UID=ROOT,OU=STAFF,O=INVANTAGE,C=US"
<= acl_access_allowed: granted to database root
<= send_search_entry
====> cache_return_entry_r
entry_rdwr_runlock: ID: 5
send_ldap_result 0::
do_bind
do_bind: version 2 dn (Netscape Server Admin,o=Invantage,c=US) method 128
==> ldbm_back_bind: dn: NETSCAPESERVERADMIN,O=INVANTAGE,C=US
dn2entry_r: dn: "NETSCAPESERVERADMIN,O=INVANTAGE,C=US"
=> dn2id( "NETSCAPESERVERADMIN,O=INVANTAGE,C=US" )
====> cache_find_entry_dn2id: found dn: NETSCAPESERVERADMIN,O=INVANTAGE,C=US
<= dn2id 5 (in cache)
=> id2entry_r( 5 )
====> cache_find_entry_dn2id: found id: 5 rw: 0
entry_rdwr_rtrylock: ID: 5
<= id2entry_r 0xde208 (cache)
====> cache_return_entry_r
entry_rdwr_runlock: ID: 5
do_bind: bound "Netscape Server Admin,o=Invantage,c=US" to "Netscape Server Admin,o=Invantage,c=US"
send_ldap_result 0::
do_search
SRCH "O=INVANTAGE,C=US" 2 0 0 0 -1
filter: (uid=WILL)
attrs: uid
=> ldbm_back_search
using base "O=INVANTAGE,C=US"
subtree_candidates: base: "O=INVANTAGE,C=US" lookupbase
dn2entry_r: dn: "O=INVANTAGE,C=US"
=> dn2id( "O=INVANTAGE,C=US" )
====> cache_find_entry_dn2id: found dn: O=INVANTAGE,C=US
<= dn2id 1 (in cache)
=> id2entry_r( 1 )
====> cache_find_entry_dn2id: found id: 1 rw: 0
entry_rdwr_rtrylock: ID: 1
<= id2entry_r 0xa5778 (cache)
====> cache_return_entry_r
entry_rdwr_runlock: ID: 1
=> filter_candidates
=> list_candidates 0xa1
=> filter_candidates
=> ava_candidates 0xa3
=> index_read( "objectclass" "=" "REFERRAL" )
=> ldbm_cache_open( "/var/ldap/ldbm-invantage/objectclass.gdbm", 2, 600 )
<= ldbm_cache_open (cache 2)
<= index_read 0 candidates
<= ava_candidates 0
<= filter_candidates 0
=> filter_candidates
=> ava_candidates 0xa3
=> index_read( "uid" "=" "WILL" )
=> ldbm_cache_open( "/var/ldap/ldbm-invantage/uid.gdbm", 2, 600 )
<= ldbm_cache_open (cache 3)
<= index_read 0 candidates
<= ava_candidates 0
<= filter_candidates 0
<= list_candidates 0
<= filter_candidates 0
send_ldap_result 0::
do_add
do_add: ndn (UID=WILL,O=INVANTAGE,C=US)
==> ldbm_back_add: uid=will,o=Invantage,c=US
=> dn2id( "UID=WILL,O=INVANTAGE,C=US" )
=> ldbm_cache_open( "/var/ldap/ldbm-invantage/dn2id.gdbm", 2, 600 )
<= ldbm_cache_open (cache 0)
<= dn2id NOID
dn2entry_w: dn: "O=INVANTAGE,C=US"
=> dn2id( "O=INVANTAGE,C=US" )
====> cache_find_entry_dn2id: found dn: O=INVANTAGE,C=US
<= dn2id 1 (in cache)
=> id2entry_w( 1 )
====> cache_find_entry_dn2id: found id: 1 rw: 1
entry_rdwr_wtrylock: ID: 1
<= id2entry_w 0xa5778 (cache)


=> access_allowed: entry (o=Invantage,c=US) attr (children)

=> acl_get: entry (o=Invantage,c=US) attr (children)
=> acl_get: edn O=INVANTAGE,C=US
=> acl_get: [1] check attr children
=> dnpat: [2] .* nsub: 0
=> acl_get:[2]  backend ACL match
=> acl_get: [2] check attr children
<= acl_get: [2] backend acl o=Invantage,c=US attr: children

=> acl_access_allowed: write access to entry "o=Invantage,c=US"

=> acl_access_allowed: write access to value "any" by "NETSCAPESERVERADMIN,O=INVANTAGE,C=US"
<= check a_dnpat: UID=ROOT,OU=STAFF,O=INVANTAGE,C=US
=> string_expand: pattern: UID=ROOT,OU=STAFF,O=INVANTAGE,C=US
=> string_expand: expanded: UID=ROOT,OU=STAFF,O=INVANTAGE,C=US
=> regex_matches: string: NETSCAPESERVERADMIN,O=INVANTAGE,C=US
=> regex_matches: rc: 1 no matches
<= check a_dnpat: CN=NETSCAPE SERVER ADMIN,O=INVANTAGE,C=US
=> string_expand: pattern: CN=NETSCAPE SERVER ADMIN,O=INVANTAGE,C=US
=> string_expand: expanded: CN=NETSCAPE SERVER ADMIN,O=INVANTAGE,C=US
=> regex_matches: string: NETSCAPESERVERADMIN,O=INVANTAGE,C=US
=> regex_matches: rc: 1 no matches
<= check a_dnpat: .*
=> string_expand: pattern: .*
=> string_expand: expanded: .*
=> regex_matches: string: NETSCAPESERVERADMIN,O=INVANTAGE,C=US
=> regex_matches: rc: 0 matches
<= acl_access_allowed: matched by clause #3 access denied


=> access_allowed: exit (o=Invantage,c=US) attr (children)
no access to parent
send_ldap_result 50::
====> cache_return_entry_w
entry_rdwr_wunlock: ID: 1
do_unbind

--
Nicholas Riley <nicholas@invantage.com>
Invantage, Inc. / 149 Sidney St. / Cambridge MA 02139 / +1 617 577 7844
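Added example (not part of the post or of OpenLDAP): a Python model of the two mechanisms the -d 133 log above exposes, slapd 1.2's DN normalisation and its first-match evaluation of "by dn=<regex>" clauses, run against the "access to *" directive transcribed from the posted slapd.conf. The normaliser is a simplified reconstruction of slapd's state machine (quoted values are not handled) and the function names are mine; it shows why a bind DN whose first component has no "=" loses its spaces and reaches the "by *" clause with read access only, and how the RFC 1779 escape "\," keeps "Invantage, Inc." inside one RDN.

```python
import re

# Added illustration, not slapd's code: a model of the DN normalisation and
# "by dn=<regex>" matching that the -d 133 log makes visible.
def normalize_dn(dn):
    """Whitespace inside an attribute type or around '=' is dropped, whitespace
    inside a value is kept (trailing spaces trimmed), every unescaped separator
    becomes ',' and the result is uppercased. Quoted values are not modelled."""
    B4TYPE, INTYPE, B4VALUE, INVALUE = range(4)
    state, out, esc = B4TYPE, [], False
    for ch in dn:
        if state == INVALUE and ch in ",;" and not esc:   # unescaped: RDN ends
            while out[-1].isspace():
                out.pop()
            state, ch = B4TYPE, ","
        elif state == INVALUE:
            pass                        # value text, including "\,", is kept
        elif ch.isspace():
            continue  # spaces in a type are dropped: "Netscape Server Admin" becomes NETSCAPESERVERADMIN
        elif state == B4TYPE:
            state = INTYPE
        elif state == INTYPE and ch == "=":
            state = B4VALUE
        elif state == B4VALUE:
            state = INVALUE
        out.append(ch)
        esc = ch == "\\" and not esc
    return "".join(out).upper()

# The "access to *" directive transcribed from the slapd.conf in the post.
ACL_STAR = [
    ("uid=root,ou=Staff,o=Invantage,c=US", "write"),
    ("cn=Netscape Server Admin,o=Invantage,c=US", "write"),
    (".*", "read"),                     # "by * read"
]

def acl_lookup(acl, bind_dn):
    """(clause number, access) of the first 'by dn=' pattern that matches the
    normalised bind DN. As the log shows, the pattern is uppercased and used
    as an unanchored regex, so the '.*' of 'by *' always catches the rest."""
    ndn = normalize_dn(bind_dn)
    for n, (pat, access) in enumerate(acl, 1):
        if re.search(pat.upper(), ndn):
            return n, access
    return 0, "none"

def rdn_count(dn):
    """RDNs after normalisation; an unescaped ',' in a value splits one RDN in two."""
    return len(re.split(r"(?<!\\),", normalize_dn(dn)))
```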