
Re: OpenLDAP 2.1 and ACL



First of all, thanks for your help.

I've changed the ACL as you specified, however, I still get issues:

slapd still seems to require access to the 'entry' attribute to perform the search.
I've added:
access to attr=entry
       by users read

and it works. However, I don't know if this can be a security breach, or if it is the
recommended way.
I may have another ACL error...

Do you have any advice? I don't know where to look...

access to attr=userPassword
       by group="cn=administrators,ou=Anciens,o=ANIENIB,c=FR" write
       by self write
       by anonymous auth

access to attr=uid,sn,cn,member
       by group="cn=administrators,ou=Anciens,o=ANIENIB,c=FR" write
       by users read

access to attr=entry
       by users read



SLAPD LOG, with ldapsearch -D "uid=eblot,ou=Anciens,o=ANIENIB,c=FR" -b
"ou=Anciens,o=ANIENIB,c=FR" -x -W '(sn=blot)' userPassword sn
[there are two objects with sn==blot, both are part of the 'administrators' group]

Jan 28 00:27:23 anciens slapd[14152]: daemon: conn=0 fd=9 connection from IP=127.0.0.1:35209
(IP=0.0.0.0:389) accepted.
Jan 28 00:27:23 anciens slapd[14154]: conn=0 op=0 BIND dn="uid=eblot,ou=Anciens,o=ANIENIB,c=FR"
method=128
Jan 28 00:27:23 anciens slapd[14154]: => access_allowed: auth access to
"uid=eblot,ou=Anciens,o=ANIENIB,c=FR" "userPassword" requested
Jan 28 00:27:23 anciens slapd[14154]: => acl_get: [1] check attr userPassword
Jan 28 00:27:23 anciens slapd[14154]: => acl_get: [2] check attr userPassword
Jan 28 00:27:23 anciens slapd[14154]: => acl_get: [3] check attr userPassword
Jan 28 00:27:23 anciens slapd[14154]: => acl_get: [4] check attr userPassword
Jan 28 00:27:23 anciens slapd[14154]: => acl_get: [5] check attr userPassword
Jan 28 00:27:23 anciens slapd[14154]: => acl_get: [6] check attr userPassword
Jan 28 00:27:23 anciens slapd[14154]: => acl_get: [7] check attr userPassword
Jan 28 00:27:23 anciens slapd[14154]: <= acl_get: [7] acl uid=eblot,ou=Anciens,o=ANIENIB,c=FR
attr: userPassword
Jan 28 00:27:23 anciens slapd[14154]: => acl_mask: access to entry
"uid=eblot,ou=Anciens,o=ANIENIB,c=FR", attr "userPassword" requested
Jan 28 00:27:23 anciens slapd[14154]: => acl_mask: to all values by "", (=n)
Jan 28 00:27:23 anciens slapd[14154]: <= check a_dn_pat: self
Jan 28 00:27:23 anciens slapd[14154]: <= check a_dn_pat: anonymous
Jan 28 00:27:23 anciens slapd[14154]: <= acl_mask: [3] applying auth(=x) (stop)
Jan 28 00:27:23 anciens slapd[14154]: <= acl_mask: [3] mask: auth(=x)
Jan 28 00:27:23 anciens slapd[14154]: => access_allowed: auth access granted by auth(=x)
Jan 28 00:27:23 anciens slapd[14154]: conn=0 op=0 RESULT tag=97 err=0 text=
Jan 28 00:27:23 anciens slapd[14155]: begin get_filter
Jan 28 00:27:23 anciens slapd[14155]: EQUALITY
Jan 28 00:27:23 anciens slapd[14155]: end get_filter 0
Jan 28 00:27:23 anciens slapd[14155]: conn=0 op=1 SRCH base="ou=Anciens,o=ANIENIB,c=FR" scope=2
filter="(sn=blot)"
Jan 28 00:27:23 anciens slapd[14155]:   AND
Jan 28 00:27:23 anciens slapd[14155]:   DN SUBTREE
Jan 28 00:27:23 anciens slapd[14155]:   OR
Jan 28 00:27:23 anciens slapd[14155]:   EQUALITY
Jan 28 00:27:23 anciens slapd[14155]:   EQUALITY
Jan 28 00:27:23 anciens slapd[14155]: => test_filter
Jan 28 00:27:23 anciens slapd[14155]:     EQUALITY
Jan 28 00:27:23 anciens slapd[14155]: => access_allowed: search access to
"uid=emmanuel.blot.1997,ou=Anciens,o=ANIENIB,c=FR" "sn" requested
Jan 28 00:27:23 anciens slapd[14155]: => acl_get: [1] check attr sn
Jan 28 00:27:23 anciens slapd[14155]: => acl_get: [2] check attr sn
Jan 28 00:27:23 anciens slapd[14155]: => acl_get: [3] check attr sn
Jan 28 00:27:23 anciens slapd[14155]: => acl_get: [4] check attr sn
Jan 28 00:27:23 anciens slapd[14155]: => acl_get: [5] check attr sn
Jan 28 00:27:23 anciens slapd[14155]: => acl_get: [6] check attr sn
Jan 28 00:27:23 anciens slapd[14155]: => acl_get: [7] check attr sn
Jan 28 00:27:23 anciens slapd[14155]: => acl_get: [8] check attr sn
Jan 28 00:27:23 anciens slapd[14155]: => acl_get: [9] check attr sn
Jan 28 00:27:23 anciens slapd[14155]: <= acl_get: [9] acl
uid=emmanuel.blot.1997,ou=Anciens,o=ANIENIB,c=FR attr: sn
Jan 28 00:27:23 anciens slapd[14155]: => acl_mask: access to entry
"uid=emmanuel.blot.1997,ou=Anciens,o=ANIENIB,c=FR", attr "sn" requested
Jan 28 00:27:23 anciens slapd[14155]: => acl_mask: to value by
"uid=eblot,ou=anciens,o=anienib,c=fr", (=n)
Jan 28 00:27:23 anciens slapd[14155]: => ldbm_back_group: found group:
"cn=administrators,ou=anciens,o=anienib,c=fr"
Jan 28 00:27:23 anciens slapd[14155]: <= ldbm_back_group: found objectClass groupOfNames and
member
Jan 28 00:27:23 anciens slapd[14155]: <= ldbm_back_group: "uid=eblot,ou=anciens,o=anienib,c=fr"
is in "cn=administrators,ou=anciens,o=anienib,c=fr": member
Jan 28 00:27:23 anciens slapd[14155]: <= acl_mask: [1] applying write(=wrscx) (stop)
Jan 28 00:27:23 anciens slapd[14155]: <= acl_mask: [1] mask: write(=wrscx)
Jan 28 00:27:23 anciens slapd[14155]: => access_allowed: search access granted by write(=wrscx)
Jan 28 00:27:23 anciens slapd[14155]: <= test_filter 6
Jan 28 00:27:23 anciens slapd[14155]: => access_allowed: read access to
"uid=emmanuel.blot.1997,ou=Anciens,o=ANIENIB,c=FR" "entry" requested
Jan 28 00:27:23 anciens slapd[14155]: => acl_get: [1] check attr entry
Jan 28 00:27:23 anciens slapd[14155]: => acl_get: [2] check attr entry
Jan 28 00:27:23 anciens slapd[14155]: => acl_get: [2] check attr entry
Jan 28 00:27:23 anciens slapd[14155]: => acl_get: [3] check attr entry
Jan 28 00:27:23 anciens slapd[14155]: => acl_get: [4] check attr entry
Jan 28 00:27:23 anciens slapd[14155]: => acl_get: [5] check attr entry
Jan 28 00:27:23 anciens slapd[14155]: => acl_get: [6] check attr entry
Jan 28 00:27:23 anciens slapd[14155]: => acl_get: [7] check attr entry
Jan 28 00:27:23 anciens slapd[14155]: => acl_get: [8] check attr entry
Jan 28 00:27:23 anciens slapd[14155]: => acl_get: [9] check attr entry
Jan 28 00:27:23 anciens slapd[14155]: => acl_get: [10] check attr entry
Jan 28 00:27:23 anciens slapd[14155]: <= acl_get: [10] acl
uid=emmanuel.blot.1997,ou=Anciens,o=ANIENIB,c=FR attr: entry
Jan 28 00:27:23 anciens slapd[14155]: => acl_mask: access to entry
"uid=emmanuel.blot.1997,ou=Anciens,o=ANIENIB,c=FR", attr "entry" requested
Jan 28 00:27:23 anciens slapd[14155]: => acl_mask: to all values by
"uid=eblot,ou=anciens,o=anienib,c=fr", (=n)
Jan 28 00:27:23 anciens slapd[14155]: <= check a_dn_pat: users
Jan 28 00:27:23 anciens slapd[14155]: <= acl_mask: [1] applying search(=scx) (stop)
Jan 28 00:27:23 anciens slapd[14155]: <= acl_mask: [1] mask: search(=scx)
Jan 28 00:27:23 anciens slapd[14155]: => access_allowed: read access denied by search(=scx)
Jan 28 00:27:23 anciens slapd[14155]: send_search_entry: access to entry not allowed
Jan 28 00:27:23 anciens slapd[14155]: => test_filter
Jan 28 00:27:23 anciens slapd[14155]:     EQUALITY
Jan 28 00:27:23 anciens slapd[14155]: => access_allowed: search access to
"uid=eblot,ou=Anciens,o=ANIENIB,c=FR" "sn" requested
Jan 28 00:27:23 anciens slapd[14155]: => acl_get: [1] check attr sn
Jan 28 00:27:23 anciens slapd[14155]: => acl_get: [2] check attr sn
Jan 28 00:27:23 anciens slapd[14155]: => acl_get: [3] check attr sn
Jan 28 00:27:23 anciens slapd[14155]: => acl_get: [4] check attr sn
Jan 28 00:27:23 anciens slapd[14155]: => acl_get: [5] check attr sn
Jan 28 00:27:23 anciens slapd[14155]: => acl_get: [6] check attr sn
Jan 28 00:27:23 anciens slapd[14155]: => acl_get: [7] check attr sn
Jan 28 00:27:23 anciens slapd[14155]: => acl_get: [8] check attr sn
Jan 28 00:27:23 anciens slapd[14155]: => acl_get: [9] check attr sn
Jan 28 00:27:23 anciens slapd[14155]: <= acl_get: [9] acl uid=eblot,ou=Anciens,o=ANIENIB,c=FR
attr: sn
Jan 28 00:27:23 anciens slapd[14155]: => acl_mask: access to entry
"uid=eblot,ou=Anciens,o=ANIENIB,c=FR", attr "sn" requested
Jan 28 00:27:23 anciens slapd[14155]: => acl_mask: to value by
"uid=eblot,ou=anciens,o=anienib,c=fr", (=n)
Jan 28 00:27:23 anciens slapd[14155]: <= acl_mask: [1] applying write(=wrscx) (stop)
Jan 28 00:27:23 anciens slapd[14155]: <= acl_mask: [1] mask: write(=wrscx)
Jan 28 00:27:23 anciens slapd[14155]: => access_allowed: search access granted by write(=wrscx)
Jan 28 00:27:23 anciens slapd[14155]: <= test_filter 6
Jan 28 00:27:23 anciens slapd[14155]: => access_allowed: read access to
"uid=eblot,ou=Anciens,o=ANIENIB,c=FR" "entry" requested
Jan 28 00:27:23 anciens slapd[14155]: => acl_get: [1] check attr entry
Jan 28 00:27:23 anciens slapd[14155]: => acl_get: [2] check attr entry
Jan 28 00:27:23 anciens slapd[14155]: => acl_get: [3] check attr entry
Jan 28 00:27:23 anciens slapd[14155]: => acl_get: [4] check attr entry
Jan 28 00:27:23 anciens slapd[14155]: => acl_get: [5] check attr entry
Jan 28 00:27:23 anciens slapd[14155]: => acl_get: [6] check attr entry
Jan 28 00:27:23 anciens slapd[14155]: => acl_get: [7] check attr entry
Jan 28 00:27:23 anciens slapd[14155]: => acl_get: [8] check attr entry
Jan 28 00:27:23 anciens slapd[14155]: => acl_get: [9] check attr entry
Jan 28 00:27:23 anciens slapd[14155]: => acl_get: [10] check attr entry
Jan 28 00:27:23 anciens slapd[14155]: => acl_get: [10] check attr entry
Jan 28 00:27:23 anciens slapd[14155]: <= acl_get: [10] acl uid=eblot,ou=Anciens,o=ANIENIB,c=FR
attr: entry
Jan 28 00:27:23 anciens slapd[14155]: => acl_mask: access to entry
"uid=eblot,ou=Anciens,o=ANIENIB,c=FR", attr "entry" requested
Jan 28 00:27:23 anciens slapd[14155]: => acl_mask: to all values by
"uid=eblot,ou=anciens,o=anienib,c=fr", (=n)
Jan 28 00:27:23 anciens slapd[14155]: <= check a_dn_pat: users
Jan 28 00:27:23 anciens slapd[14155]: <= acl_mask: [1] applying search(=scx) (stop)
Jan 28 00:27:23 anciens slapd[14155]: <= acl_mask: [1] mask: search(=scx)
Jan 28 00:27:23 anciens slapd[14155]: => access_allowed: read access denied by search(=scx)
Jan 28 00:27:23 anciens slapd[14155]: send_search_entry: access to entry not allowed
Jan 28 00:27:23 anciens slapd[14155]: conn=0 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=
Jan 28 00:27:23 anciens slapd[14154]: conn=0 op=2 UNBIND
Jan 28 00:27:23 anciens slapd[14154]: conn=0 fd=9 closed

----- Original Message -----
From: "Tony Earnshaw" <tonni@billy.demon.nl>
To: "Emmanuel Blot" <emmanuel.blot@free.fr>
Cc: "Hallvard B Furuseth" <h.b.furuseth@usit.uio.no>; <openldap-software@OpenLDAP.org>
Sent: Monday, January 27, 2003 1:21 PM
Subject: Re: OpenLDAP 2.1 and ACL


> søn, 2003-01-26 kl. 23:18 skrev Emmanuel Blot:
>
> > I tried an alternaltive: to use group access, as documented.
>
> Not =quite= as documented. I have everything you set up, just as you set
> it up, with one difference - and mine works :-)
>
> > access to attr=userPassword
> >        by group="cn=administrators,ou=Anciens,o=ANIENIB,c=FR" write
> >        by self write
> >        by * auth
>
> "by * auth" means "by users auth". Users are those who are already
> authenticated. But they can't authenticate unless they can do that as
> anonymous entities, i.e. before they're authenticated.
>
> So: It should be "by anonymous auth".
>
> Best,
>
> Tony
>
> --
>
> Tony Earnshaw
>
> When all's said and done ...
> there's nothing left to say or do.
>
> e-post: tonni@billy.demon.nl
> www: http://www.billy.demon.nl
>
>
>
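As an added illustration (example code, not part of this thread or of OpenLDAP), a small Python model of how slapd walks the three access directives in the message: the first "access to" naming the attribute decides, within it the first matching "by" clause stops, and an unmatched request falls to the implicit "by * none". It reproduces the log's "read access denied by search(=scx)" on the 'entry' pseudo-attribute and the anonymous-auth point from the quoted reply; group membership and the target DN are constructed from the log, and "by *" and DN patterns are not modelled.

```python
# Added example (not from this thread): a model of OpenLDAP 2.1 ACL evaluation.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]

def matches_who(who, bind_dn, target_dn, groups):
    """Does a 'by <who>' clause match the bound identity? bind_dn=None is anonymous."""
    if who == "anonymous":
        return bind_dn is None
    if who == "users":
        return bind_dn is not None
    if who == "self":
        return bind_dn is not None and bind_dn.lower() == target_dn.lower()
    if who.startswith("group="):
        members = groups.get(who[len("group="):].strip('"').lower(), set())
        return bind_dn is not None and bind_dn.lower() in members
    raise ValueError("unsupported who clause: " + who)

def access_allowed(acls, bind_dn, target_dn, attr, wanted, groups):
    """acls: [(attr_list, [(who, level), ...])] in slapd.conf order.
    The first directive naming attr decides; within it the first matching
    'by' clause decides (stop). No match means the implicit 'by * none'."""
    for attrs, by_clauses in acls:
        if attr not in attrs:
            continue
        for who, level in by_clauses:
            if matches_who(who, bind_dn, target_dn, groups):
                return LEVELS.index(level) >= LEVELS.index(wanted)
        return False
    return False

ADMINS = "cn=administrators,ou=anciens,o=anienib,c=fr"
EBLOT = "uid=eblot,ou=anciens,o=anienib,c=fr"
TARGET = "uid=emmanuel.blot.1997,ou=anciens,o=anienib,c=fr"
GROUPS = {ADMINS: {EBLOT}}  # constructed membership, as ldbm_back_group reports in the log

def thread_acls(entry_level):
    """The three directives from the message; entry_level is what 'by users' gets on entry."""
    group = 'group="%s"' % ADMINS
    return [
        (["userPassword"], [(group, "write"), ("self", "write"), ("anonymous", "auth")]),
        (["uid", "sn", "cn", "member"], [(group, "write"), ("users", "read")]),
        (["entry"], [("users", entry_level)]),
    ]

def can_return_entry(entry_level, bind_dn=EBLOT):
    """A hit is sent back only if the filter attribute is searchable AND the
    bound DN has read on the 'entry' pseudo-attribute (send_search_entry)."""
    acls = thread_acls(entry_level)
    return (access_allowed(acls, bind_dn, TARGET, "sn", "search", GROUPS)
            and access_allowed(acls, bind_dn, TARGET, "entry", "read", GROUPS))
```

With 'by users search' on entry the search matches but nentries stays 0, exactly as in the log; with 'by users read' the entry is returned.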