[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Re: attribute search help

To: Julio Sanchez Fernandez <j_sanchez@stl.es>, openldap-software@OpenLDAP.org
Subject: Re: Re: attribute search help
From: "Pitts, David S" <dsp6855@qx.net>
Date: Wed, 14 Nov 2001 16:23:10 -0600
User-agent: Internet Messaging Program (IMP) 2.3.7-cvs

So,
If I understand what you are telling me correctly, then I should not have to do 
anything to get the server to read the attributes for the filtering to occur.  
Perhaps, then, there is a flaw in my filtering?  Here is what I have:

access to attr=userPassword
 by * auth
access to attr=cn
 by * read
# testing2...
access to attr=Security
 by * read
access to  filter=Security=PRIVATE attrs=*
 by users read
 by * search
access to filter=Security=PUBLIC attrs=*
 by * read

(Note:  I have also tried reversing the filter and attrs for the access lines:
access to * filter=blah as was shown in my original e-mail.)


I have slapd -d -160 running....
I do a basic search and notice the logs.  Here is a sampling from an entry that 
does not match my search:

=> test_filter
    SUBSTRINGS
begin test_substrings_filter
=> access_allowed: search access to "cn=rogersrr" "cn" requested
=> acl_get: [1] check attr cn
=> acl_get: [2] check attr cn
<= acl_get: [2] acl cn=rogersrr attr: cn
=> acl_mask: access to entry "cn=rogersrr", attr "cn" requested
=> acl_mask: to all values by "CN=PITTSDS", (=n) 
<= check a_dn_pat: *
<= acl_mask: [1] applying read (=rscx) (stop)
<= acl_mask: [1] mask: read (=rscx)
=> access_allowed: search access granted by read (=rscx)
end test_substrings_filter 1
<= test_filter 5

As I understand it, this tells me that I have access search the cn for this 
record.  It then finds that the entry does not pass the search string.

Here is a sampling from an entry that does match my search and the Security is 
set to "Public":

=> test_filter
    SUBSTRINGS
begin test_substrings_filter
=> access_allowed: search access to "cn=pittsdsp" "cn" requested
=> acl_get: [1] check attr cn
=> acl_get: [2] check attr cn
<= acl_get: [2] acl cn=pittsdsp attr: cn
=> acl_mask: access to entry "cn=pittsdsp", attr "cn" requested
=> acl_mask: to all values by "CN=PITTSDS", (=n) 
<= check a_dn_pat: *
<= acl_mask: [1] applying read (=rscx) (stop)
<= acl_mask: [1] mask: read (=rscx)
=> access_allowed: search access granted by read (=rscx)
<= test_filter 6
=> access_allowed: read access to "cn=pittsdsp" "entry" requested
=> acl_get: [1] check attr entry
=> acl_get: [2] check attr entry
=> acl_get: [3] check attr entry
=> test_filter
    EQUALITY
=> access_allowed: search access to "cn=pittsdsp" "Security" requested
<= test_filter 5
=> test_filter
    EQUALITY
=> access_allowed: search access to "cn=pittsdsp" "Security" requested
<= test_filter 5
<= acl_get: done.
=> access_allowed: no more rules
=> access_allowed: read access denied by =n
acl: access to entry not allowed


Finally, here is an entry which matches my search criteria and has security set 
to "Private""

=> test_filter
    SUBSTRINGS
begin test_substrings_filter
=> access_allowed: search access to "cn=pittsde" "cn" requested
=> acl_get: [1] check attr cn
=> acl_get: [2] check attr cn
<= acl_get: [2] acl cn=pittsde attr: cn
=> acl_mask: access to entry "cn=pittsde", attr "cn" requested
=> acl_mask: to all values by "CN=PITTSDS", (=n) 
<= check a_dn_pat: *
<= acl_mask: [1] applying read (=rscx) (stop)
<= acl_mask: [1] mask: read (=rscx)
=> access_allowed: search access granted by read (=rscx)
<= test_filter 6
=> access_allowed: read access to "cn=pittsde" "entry" requested
=> acl_get: [1] check attr entry
=> acl_get: [2] check attr entry
=> acl_get: [3] check attr entry
=> test_filter
    EQUALITY
=> access_allowed: search access to "cn=pittsde" "Security" requested
<= test_filter 5
=> test_filter
    EQUALITY
=> access_allowed: search access to "cn=pittsde" "Security" requested
<= test_filter 5
<= acl_get: done.
=> access_allowed: no more rules
=> access_allowed: read access denied by =n
acl: access to entry not allowed





> 
> From: Julio Sanchez Fernandez <j_sanchez@stl.es>
> Date: 2001/11/14 Wed PM 07:26:49 EST
> To: "Pitts, David S" <dsp6855@qx.net>
> CC: openldap-software@OpenLDAP.org
> Subject: Re: attribute search help
> 
> "Pitts, David S" <dsp6855@qx.net> writes:
> 
> > access to * filter="(Security=PRIVATE)"
> >  by users read
> > access to * filter="(Security=PUBLIC)"
> >  by * read
> > 
> > of course, this won't work if the client does not request the "security" 
> > attribute.  The question becomes (assuming everything I have said above is 
> > true), "How do I force the attribute "security" to be returned (and, thus, 
> > filtered upon) every time the server is accessed?
> 
> Uhmmmm...
> 
> Does not work like that?  It should. I think your understanding of
> access control in slapd is wrong, I don't think this case is
> influenced by what filter was used in the search.
> 
> Slapd retrieves the complete entry from disk or cache and has it at
> hand as a whole while evaluating the access control lists to decide
> what data, if any, to return to the client.
> 
> I'd be surprised if it the filter used in the search would make any
> difference.
> 
> Julio
>

Follow-Ups:
- Re: Re: attribute search help
  - From: Benjamin Moedinger <moedinger@wlb-stuttgart.de>

Prev by Date: Re: Default authentication method
Next by Date: Re: Re: attribute search help
Index(es):
- Chronological
- Thread