
Re: AW: "break" broken?



--On Wednesday 30 May 2001 17:51 +0200 daniel.tiefnig@infonova.at wrote:

-----Original Message-----
From: David Olivier [mailto:David.Olivier@univ-lyon2.fr]

I'm on openldap 2.0.7. I have come upon some strange behaviour in the

    <control> ::= [ stop | continue | break ]

clause, that doesn't seem to conform to what is said in that FAQ. I think
it is a bug.

In my tests, I attempt to bind as some entry I will call myBindDn;
specifically:

    myBindDn = "uid=testAdm,ou=people,dc=univ-lyon2,dc=fr"

For this, it appears from the FAQ and from my own tests that I need:

   privilege: "auth" ("x")

   to be granted on: myBindDn, attribute userPassword

   to: "anonymous".

My first test is with the following ACLs:

============== slapd.acl.conf: ======= (1)
defaultaccess   none

# First and only access clause:
access to dn.base="uid=testAdm,ou=people,dc=univ-lyon2,dc=fr"
attrs=userPassword
       by anonymous
          auth
=========== End of slapd.acl.conf. === (1)

Bind is successful, as expected.

In my second test I just add a "break" clause:

============== slapd.acl.conf: ======= (2)
defaultaccess   none

# First and only access clause:
access to dn.base="uid=testAdm,ou=people,dc=univ-lyon2,dc=fr"
attrs=userPassword
       by anonymous
          auth    break
=========== End of slapd.acl.conf. === (2)

This time, bind fails! Error code 50, "Insufficient Access Rights". Note
that these are all my ACLs; i.e. there is no other access clause after this
one.

In other words, the only difference between test (1) and (2) is that after
granting "anonymous" the "auth" privileges to myBindDn, the server should
go on and analyze any further access clauses, to add or remove privileges.
But here there are no more access clauses, so the "break" should have no
effect! Instead, it does have an effect: it cancels the privileges already
granted.

What makes me feel it's a bug is that if I add to (2) another access clause:

============== slapd.acl.conf: ======= (3)
defaultaccess   none

# First access clause:
access to dn.base="uid=testAdm,ou=people,dc=univ-lyon2,dc=fr"
attrs=userPassword
       by anonymous
          auth    break

# Second access clause:
access to dn.base="uid=testAdm,ou=people,dc=univ-lyon2,dc=fr"
attrs=userPassword
       by dn.base="uid=smurgle,ou=people,dc=univ-lyon2,dc=fr"
          none
=========== End of slapd.acl.conf. === (3)

bind becomes successful again!

the debug output of the server might be of interest here. what does it say when granting access to the entry? i.e. which of the acl's grants access..? (i know, access 'none' shouldn't allow anything, but i think this all looks weird enough for everything..)

You asked for it! Here is the output, in each of the four cases. I also
include it as an attachment, since I suspect a line or two might get folded here. (The output is slightly edited to remove some clutter.)


Test (1):
=========

May 30 18:10:15 bambou slapd[1344]: [ID 923158 local4.debug] => access_allowed: auth access to "uid=testAdm, ou=people, dc=univ-lyon2, dc=fr" "userPassword" requested
May 30 18:10:15 bambou slapd[1344]: [ID 184944 local4.debug] => dn: [1] UID=TESTADM,OU=PEOPLE,DC=UNIV-LYON2,DC=FR
May 30 18:10:15 bambou slapd[1344]: [ID 462149 local4.debug] => acl_get: [1] matched
May 30 18:10:15 bambou slapd[1344]: [ID 967793 local4.debug] => acl_get: [1] check attr userPassword
May 30 18:10:15 bambou slapd[1344]: [ID 155642 local4.debug] <= acl_get: [1] acl uid=testAdm, ou=people, dc=univ-lyon2, dc=fr attr: userPassword
May 30 18:10:15 bambou slapd[1344]: [ID 971074 local4.debug] => acl_mask: access to entry "uid=testAdm, ou=people, dc=univ-lyon2, dc=fr", attr "userPassword" requested
May 30 18:10:15 bambou slapd[1344]: [ID 488679 local4.debug] => acl_mask: to all values by "", (=n)
May 30 18:10:15 bambou slapd[1344]: [ID 704950 local4.debug] <= check a_dn_pat: anonymous
May 30 18:10:15 bambou slapd[1344]: [ID 279303 local4.debug] <= acl_mask: [1] applying auth (=x) (stop)
May 30 18:10:15 bambou slapd[1344]: [ID 804284 local4.debug] <= acl_mask: [1] mask: auth (=x)
May 30 18:10:15 bambou slapd[1344]: [ID 384072 local4.debug] => access_allowed: auth access granted by auth (=x)



Test (2):
=========

May 30 18:10:57 bambou slapd[1354]: [ID 923158 local4.debug] => access_allowed: auth access to "uid=testAdm, ou=people, dc=univ-lyon2, dc=fr" "userPassword" requested
May 30 18:10:57 bambou slapd[1354]: [ID 184944 local4.debug] => dn: [1] UID=TESTADM,OU=PEOPLE,DC=UNIV-LYON2,DC=FR
May 30 18:10:57 bambou slapd[1354]: [ID 462149 local4.debug] => acl_get: [1] matched
May 30 18:10:57 bambou slapd[1354]: [ID 967793 local4.debug] => acl_get: [1] check attr userPassword
May 30 18:10:57 bambou slapd[1354]: [ID 155642 local4.debug] <= acl_get: [1] acl uid=testAdm, ou=people, dc=univ-lyon2, dc=fr attr: userPassword
May 30 18:10:57 bambou slapd[1354]: [ID 971074 local4.debug] => acl_mask: access to entry "uid=testAdm, ou=people, dc=univ-lyon2, dc=fr", attr "userPassword" requested
May 30 18:10:57 bambou slapd[1354]: [ID 488679 local4.debug] => acl_mask: to all values by "", (=n)
May 30 18:10:57 bambou slapd[1354]: [ID 704950 local4.debug] <= check a_dn_pat: anonymous
May 30 18:10:57 bambou slapd[1354]: [ID 279303 local4.debug] <= acl_mask: [1] applying auth (=x) (break)
May 30 18:10:57 bambou slapd[1354]: [ID 804284 local4.debug] <= acl_mask: [1] mask: auth (=x)
May 30 18:10:57 bambou slapd[1354]: [ID 932338 local4.debug] <= acl_get: done.
May 30 18:10:57 bambou slapd[1354]: [ID 127828 local4.debug] => access_allowed: no more rules
May 30 18:10:57 bambou slapd[1354]: [ID 384072 local4.debug] => access_allowed: auth access denied by =n



Test (3):
=========

May 30 18:12:35 bambou slapd[1364]: [ID 923158 local4.debug] => access_allowed: auth access to "uid=testAdm, ou=people, dc=univ-lyon2, dc=fr" "userPassword" requested
May 30 18:12:35 bambou slapd[1364]: [ID 184944 local4.debug] => dn: [1] UID=TESTADM,OU=PEOPLE,DC=UNIV-LYON2,DC=FR
May 30 18:12:35 bambou slapd[1364]: [ID 462149 local4.debug] => acl_get: [1] matched
May 30 18:12:35 bambou slapd[1364]: [ID 967793 local4.debug] => acl_get: [1] check attr userPassword
May 30 18:12:35 bambou slapd[1364]: [ID 155642 local4.debug] <= acl_get: [1] acl uid=testAdm, ou=people, dc=univ-lyon2, dc=fr attr: userPassword
May 30 18:12:35 bambou slapd[1364]: [ID 971074 local4.debug] => acl_mask: access to entry "uid=testAdm, ou=people, dc=univ-lyon2, dc=fr", attr "userPassword" requested
May 30 18:12:35 bambou slapd[1364]: [ID 488679 local4.debug] => acl_mask: to all values by "", (=n)
May 30 18:12:35 bambou slapd[1364]: [ID 704950 local4.debug] <= check a_dn_pat: anonymous
May 30 18:12:35 bambou slapd[1364]: [ID 279303 local4.debug] <= acl_mask: [1] applying auth (=x) (break)
May 30 18:12:35 bambou slapd[1364]: [ID 804284 local4.debug] <= acl_mask: [1] mask: auth (=x)
May 30 18:12:35 bambou slapd[1364]: [ID 184944 local4.debug] => dn: [2] UID=TESTADM,OU=PEOPLE,DC=UNIV-LYON2,DC=FR
May 30 18:12:35 bambou slapd[1364]: [ID 462149 local4.debug] => acl_get: [2] matched
May 30 18:12:35 bambou slapd[1364]: [ID 967793 local4.debug] => acl_get: [2] check attr userPassword
May 30 18:12:35 bambou slapd[1364]: [ID 155642 local4.debug] <= acl_get: [2] acl uid=testAdm, ou=people, dc=univ-lyon2, dc=fr attr: userPassword
May 30 18:12:35 bambou slapd[1364]: [ID 971074 local4.debug] => acl_mask: access to entry "uid=testAdm, ou=people, dc=univ-lyon2, dc=fr", attr "userPassword" requested
May 30 18:12:35 bambou slapd[1364]: [ID 488679 local4.debug] => acl_mask: to all values by "", (auth (=x))
May 30 18:12:35 bambou slapd[1364]: [ID 704950 local4.debug] <= check a_dn_pat: UID=SMURGLE,OU=PEOPLE,DC=UNIV-LYON2,DC=FR
May 30 18:12:35 bambou slapd[1364]: [ID 315582 local4.debug] <= acl_mask: no more <who> clauses, returning auth (=x) (stop)
May 30 18:12:35 bambou slapd[1364]: [ID 384072 local4.debug] => access_allowed: auth access granted by auth (=x)



Test (4):
=========

May 30 18:13:11 bambou slapd[1373]: [ID 923158 local4.debug] => access_allowed: auth access to "uid=testAdm, ou=people, dc=univ-lyon2, dc=fr" "userPassword" requested
May 30 18:13:11 bambou slapd[1373]: [ID 184944 local4.debug] => dn: [1] UID=TESTADM,OU=PEOPLE,DC=UNIV-LYON2,DC=FR
May 30 18:13:11 bambou slapd[1373]: [ID 462149 local4.debug] => acl_get: [1] matched
May 30 18:13:11 bambou slapd[1373]: [ID 967793 local4.debug] => acl_get: [1] check attr userPassword
May 30 18:13:11 bambou slapd[1373]: [ID 155642 local4.debug] <= acl_get: [1] acl uid=testAdm, ou=people, dc=univ-lyon2, dc=fr attr: userPassword
May 30 18:13:11 bambou slapd[1373]: [ID 971074 local4.debug] => acl_mask: access to entry "uid=testAdm, ou=people, dc=univ-lyon2, dc=fr", attr "userPassword" requested
May 30 18:13:11 bambou slapd[1373]: [ID 488679 local4.debug] => acl_mask: to all values by "", (=n)
May 30 18:13:11 bambou slapd[1373]: [ID 704950 local4.debug] <= check a_dn_pat: anonymous
May 30 18:13:11 bambou slapd[1373]: [ID 279303 local4.debug] <= acl_mask: [1] applying auth (=x) (break)
May 30 18:13:11 bambou slapd[1373]: [ID 804284 local4.debug] <= acl_mask: [1] mask: auth (=x)
May 30 18:13:11 bambou slapd[1373]: [ID 184944 local4.debug] => dn: [2] UID=BLOTCH,OU=PEOPLE,DC=UNIV-LYON2,DC=FR
May 30 18:13:11 bambou slapd[1373]: [ID 932338 local4.debug] <= acl_get: done.
May 30 18:13:11 bambou slapd[1373]: [ID 127828 local4.debug] => access_allowed: no more rules
May 30 18:13:11 bambou slapd[1373]: [ID 384072 local4.debug] => access_allowed: auth access denied by =n


Notice how in case (1), it ends with "mask: auth (=x)" and proceeds to
grant access, whereas in case (2), it comes to the same conclusion -
"mask: auth (=x)" - but then gets disappointed that there are "no more
rules", and spits out "auth access denied".

============== workaround: =======
# Last access clause:
access to *
       by dn.base="cn=No-One, o=no-org, c=Utopia"
          write
======= End of workaround. =======

and here.. if access 'none' instead of 'write' has the "same" effect, it might be the better choice..

Yes, it can make one feel safer... but I chose "write" in my example to emphasize that the permission is never really granted (as long as no one can bind to your server as "cn=No-One, o=no-org, c=Utopia"). I tried just "+" (i.e. plus nothing) and it works too.

---
David Olivier
Klebs gardien Alpages CRI courrier brebis Lyon 2 Lumière
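As an added illustration (not OpenLDAP's code and not part of the thread), the following Python models the evaluation path the debug traces above show: acl_mask() walks a clause's <who> list, a "break" carries the mask into the next matching clause, and running off the end of the rule list after a "break" resets the mask to =n, which is why configuration (2) and (4) deny the anonymous auth request while (3) and the catch-all workaround grant it. The DNs and clauses are the thread's; the dict representation, the numeric levels and the absolute (non-additive) privilege handling are simplifying assumptions.

```python
# Added example, not OpenLDAP's own code: a model of the slapd 2.0.7 ACL evaluation
# traced in this thread (anonymous/dn.base <who>, absolute levels), with the workaround.
NONE, AUTH, WRITE = 0, 1, 4                    # simplified levels: =n, =x, =w
PEOPLE = "ou=people,dc=univ-lyon2,dc=fr"
MYBIND = "uid=testAdm," + PEOPLE

def who_matches(who, requester):
    """'anonymous' is an empty bind DN; dn.base= is an exact (case-insensitive) DN."""
    if who == "anonymous":
        return requester == ""
    if who.startswith("dn.base="):
        return who[len("dn.base="):].lower() == requester.lower()
    raise ValueError(f"unsupported <who>: {who}")

def acl_mask(acl, mask, requester):
    """Walk one access clause's <who> list, like slapd's acl_mask()."""
    for who, level, control in acl["by"]:
        if who_matches(who, requester):
            mask = level                       # "applying <level> (<control>)"
            if control != "continue":
                return mask, control
    return mask, "stop"        # "no more <who> clauses, returning <mask> (stop)"

def access_allowed(acls, dn, attr, requester, wanted):
    mask, control = NONE, "stop"               # True if requester ends up with >= wanted
    for acl in acls:
        if acl["dn"] != "*" and (acl["dn"].lower() != dn.lower() or attr not in acl["attrs"]):
            continue                           # acl_get: clause does not match this entry/attr
        mask, control = acl_mask(acl, mask, requester)
        if control != "break":
            break
    if control == "break":                     # ran off the end of the rules after a break:
        mask = NONE                            # 2.0.7 logs "no more rules" and denies by =n
    return mask >= wanted

def clause(who, level, control="stop", dn=MYBIND, attrs=("userPassword",)):
    return {"dn": dn, "attrs": attrs, "by": [(who, level, control)]}

def run_thread_cases():
    """Configurations (1)-(4) from the thread plus the catch-all workaround."""
    brk = clause("anonymous", AUTH, "break")
    cases = {
        "(1) auth stop": [clause("anonymous", AUTH)],
        "(2) auth break, nothing after": [brk],
        "(3) break, then clause nobody matches": [brk, clause(f"dn.base=uid=smurgle,{PEOPLE}", NONE)],
        "(4) break, then clause on another entry": [brk, clause("anonymous", NONE, dn=f"uid=blotch,{PEOPLE}")],
        "workaround: catch-all last clause": [brk, clause("dn.base=cn=No-One,o=no-org,c=Utopia", WRITE, dn="*")],
    }
    return {n: access_allowed(a, MYBIND, "userPassword", "", AUTH) for n, a in cases.items()}
```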