
Re: ACL question: is the topmost entry different ?



> I suggest you enable ACL logging.  It will tell you exactly
> which to and by clauses are being applied (or not).
>
> Kurt

That's (in slapd.conf)

	loglevel        128

isn't it?

Here's an example:

Feb 23 17:46:27 curacao slapd[1056]: => acl_get: [4] check attr objectClass
Feb 23 17:46:27 curacao slapd[1056]: <= acl_get: [4] acl app=qwido attr: 
objectClass
Feb 23 17:46:27 curacao slapd[1056]: => acl_mask: access to entry "app=qwido", 
attr "objectClass" requested
Feb 23 17:46:27 curacao slapd[1056]: => acl_mask: to all values by 
"MANAGER=MANAGER001,OC=ISP001,APP=QWIDO", (=n)
Feb 23 17:46:27 curacao slapd[1056]: <= check a_dn_pat: APP=QWIDO
Feb 23 17:46:27 curacao slapd[1056]: <= acl_mask: no more <who> clauses, 
returning =n (stop)
Feb 23 17:46:27 curacao slapd[1056]: => access_allowed: search access denied 
by =n
Feb 23 17:53:01 curacao /USR/SBIN/CRON[1060]: (mail) CMD (  if [ -x 
/usr/sbin/exim -a -f /etc/exim/exim.conf ]; then /usr/sbin/exim -q ; fi)
Feb 23 18:06:22 curacao -- MARK --
Feb 23 18:08:01 curacao /USR/SBIN/CRON[1062]: (mail) CMD (  if [ -x 
/usr/sbin/exim -a -f /etc/exim/exim.conf ]; then /usr/sbin/exim -q ; fi)
Feb 23 18:13:16 curacao slapd[1056]: => access_allowed: auth access to 
"manager=manager001,oc=isp001,app=qwido" "userPassword" requested
Feb 23 18:13:16 curacao slapd[1056]: => acl_get: [1] check attr userPassword
Feb 23 18:13:16 curacao slapd[1056]: <= acl_get: [1] acl 
manager=manager001,oc=isp001,app=qwido attr: userPassword
Feb 23 18:13:16 curacao slapd[1056]: => acl_mask: access to entry 
"manager=manager001,oc=isp001,app=qwido", attr "userPassword" requested
Feb 23 18:13:16 curacao slapd[1056]: => acl_mask: to all values by "", (=n)
Feb 23 18:13:16 curacao slapd[1056]: <= check a_dn_pat: self
Feb 23 18:13:16 curacao slapd[1056]: => ldbm_back_group: cannot find group: 
"GROUP=MANAGERS,APP=QWIDO"
Feb 23 18:13:16 curacao slapd[1056]: <= check a_dn_pat: anonymous
Feb 23 18:13:16 curacao slapd[1056]: <= acl_mask: [3] applying auth (=x) 
(stop)
Feb 23 18:13:16 curacao slapd[1056]: <= acl_mask: [3] mask: auth (=x)
Feb 23 18:13:16 curacao slapd[1056]: => access_allowed: auth access granted by 
auth (=x)
Feb 23 18:13:16 curacao slapd[1057]: => access_allowed: search access to "" 
"objectClass" requested
Feb 23 18:13:16 curacao slapd[1057]: => acl_get: [1] check attr objectClass
Feb 23 18:13:16 curacao slapd[1057]: => dnpat: [2] oc=(.*),app=qwido nsub: 1
Feb 23 18:13:16 curacao slapd[1057]: => dnpat: [3] app=qwido nsub: 0
Feb 23 18:13:16 curacao slapd[1057]: => dnpat: [4] app=qwido nsub: 0
Feb 23 18:13:16 curacao slapd[1057]: <= acl_get: done.
Feb 23 18:13:16 curacao slapd[1057]: => access_allowed: no more rules
Feb 23 18:13:16 curacao slapd[1057]: => access_allowed: search access denied 
by =n
Feb 23 18:13:17 curacao slapd[1056]: => access_allowed: auth access to 
"manager=manager001,oc=isp001,app=qwido" "userPassword" requested
Feb 23 18:13:17 curacao slapd[1056]: => acl_get: [1] check attr userPassword
Feb 23 18:13:17 curacao slapd[1056]: <= acl_get: [1] acl 
manager=manager001,oc=isp001,app=qwido attr: userPassword
Feb 23 18:13:17 curacao slapd[1056]: => acl_mask: access to entry 
"manager=manager001,oc=isp001,app=qwido", attr "userPassword" requested
Feb 23 18:13:17 curacao slapd[1056]: => acl_mask: to all values by "", (=n)
Feb 23 18:13:17 curacao slapd[1056]: <= check a_dn_pat: self
Feb 23 18:13:17 curacao slapd[1056]: => ldbm_back_group: cannot find group: 
"GROUP=MANAGERS,APP=QWIDO"
Feb 23 18:13:17 curacao slapd[1056]: <= check a_dn_pat: anonymous
Feb 23 18:13:17 curacao slapd[1056]: <= acl_mask: [3] applying auth (=x) 
(stop)
Feb 23 18:13:17 curacao slapd[1056]: <= acl_mask: [3] mask: auth (=x)
Feb 23 18:13:17 curacao slapd[1056]: => access_allowed: auth access granted by 
auth (=x)
Feb 23 18:13:17 curacao slapd[1057]: => access_allowed: search access to 
"oc=isp001,app=qwido" "objectClass" requested
Feb 23 18:13:17 curacao slapd[1057]: => acl_get: [1] check attr objectClass
Feb 23 18:13:17 curacao slapd[1057]: => dnpat: [2] oc=(.*),app=qwido nsub: 1
Feb 23 18:13:17 curacao slapd[1057]: => acl_get: [2] matched
Feb 23 18:13:17 curacao slapd[1057]: => acl_get: [2] check attr objectClass
Feb 23 18:13:17 curacao slapd[1057]: <= acl_get: [2] acl oc=isp001,app=qwido 
attr: objectClass
Feb 23 18:13:17 curacao slapd[1057]: => acl_mask: access to entry 
"oc=isp001,app=qwido", attr "objectClass" requested
Feb 23 18:13:17 curacao slapd[1057]: => acl_mask: to all values by 
"MANAGER=MANAGER001,OC=ISP001,APP=QWIDO", (=n)
Feb 23 18:13:17 curacao slapd[1057]: <= check a_dn_pat: OC=$1,APP=QWIDO
Feb 23 18:13:17 curacao slapd[1057]: <= check a_dn_pat: APP=QWIDO
Feb 23 18:13:17 curacao slapd[1057]: <= acl_mask: no more <who> clauses, 
returning =n (stop)
Feb 23 18:13:17 curacao slapd[1057]: => access_allowed: search access denied 
by =n
Feb 23 18:13:18 curacao slapd[1056]: => access_allowed: search access to 
"app=qwido" "objectClass" requested
Feb 23 18:13:18 curacao slapd[1056]: => acl_get: [1] check attr objectClass
Feb 23 18:13:18 curacao slapd[1056]: => dnpat: [2] oc=(.*),app=qwido nsub: 1
Feb 23 18:13:18 curacao slapd[1056]: => dnpat: [3] app=qwido nsub: 0
Feb 23 18:13:18 curacao slapd[1056]: => acl_get: [3] matched
Feb 23 18:13:18 curacao slapd[1056]: => acl_get: [3] check attr objectClass
Feb 23 18:13:18 curacao slapd[1056]: => dnpat: [4] app=qwido nsub: 0
Feb 23 18:13:18 curacao slapd[1056]: => acl_get: [4] matched
Feb 23 18:13:18 curacao slapd[1056]: => acl_get: [4] check attr objectClass
Feb 23 18:13:18 curacao slapd[1056]: <= acl_get: [4] acl app=qwido attr: 
objectClass
Feb 23 18:13:18 curacao slapd[1056]: => acl_mask: access to entry "app=qwido", 
attr "objectClass" requested
Feb 23 18:13:18 curacao slapd[1056]: => acl_mask: to all values by 
"MANAGER=MANAGER001,OC=ISP001,APP=QWIDO", (=n)
Feb 23 18:13:18 curacao slapd[1056]: <= check a_dn_pat: APP=QWIDO
Feb 23 18:13:18 curacao slapd[1056]: <= acl_mask: no more <who> clauses, 
returning =n (stop)
Feb 23 18:13:18 curacao slapd[1056]: => access_allowed: search access denied 
by =n
Feb 23 18:13:22 curacao slapd[1056]: => access_allowed: search access to 
"app=qwido" "objectClass" requested
Feb 23 18:13:22 curacao slapd[1056]: => acl_get: [1] check attr objectClass
Feb 23 18:13:22 curacao slapd[1056]: => dnpat: [2] oc=(.*),app=qwido nsub: 1
Feb 23 18:13:22 curacao slapd[1056]: => dnpat: [3] app=qwido nsub: 0
Feb 23 18:13:22 curacao slapd[1056]: => acl_get: [3] matched
Feb 23 18:13:22 curacao slapd[1056]: => acl_get: [3] check attr objectClass
Feb 23 18:13:22 curacao slapd[1056]: => dnpat: [4] app=qwido nsub: 0
Feb 23 18:13:22 curacao slapd[1056]: => acl_get: [4] matched
Feb 23 18:13:22 curacao slapd[1056]: => acl_get: [4] check attr objectClass
Feb 23 18:13:22 curacao slapd[1056]: <= acl_get: [4] acl app=qwido attr: 
objectClass
Feb 23 18:13:22 curacao slapd[1056]: => acl_mask: access to entry "app=qwido", 
attr "objectClass" requested
Feb 23 18:13:22 curacao slapd[1056]: => acl_mask: to all values by 
"OC=ISP001,APP=QWIDO", (=n)
Feb 23 18:13:22 curacao slapd[1056]: <= check a_dn_pat: APP=QWIDO
Feb 23 18:13:22 curacao slapd[1056]: <= acl_mask: no more <who> clauses, 
returning =n (stop)
Feb 23 18:13:22 curacao slapd[1056]: => access_allowed: search access denied 
by =n


Honestly, I can't make much of it.

_Ace
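
One way to condense a trace like the one in this post into one record per access check, as an added example that is not part of the original message: it rejoins mail-wrapped lines, groups slapd's ACL trace messages by PID, and records the request, the selected ACL index, the requester DN, the `<who>` patterns tried and the verdict. The names `decisions`, `RULES`, `TS` and `SAMPLE` are made up here, and the patterns cover only the message shapes visible in the trace above.

```python
import re

# Constructed sample in the trace's format: mail-wrapped, two slapd PIDs interleaved.
SAMPLE = '''\
Feb 23 18:13:17 curacao slapd[1056]: => access_allowed: auth access to
"manager=manager001,oc=isp001,app=qwido" "userPassword" requested
Feb 23 18:13:17 curacao slapd[1057]: => access_allowed: search access to
"oc=isp001,app=qwido" "objectClass" requested
Feb 23 18:13:17 curacao slapd[1056]: => acl_mask: to all values by "", (=n)
Feb 23 18:13:17 curacao slapd[1057]: <= acl_get: [2] acl oc=isp001,app=qwido attr: objectClass
Feb 23 18:13:17 curacao slapd[1057]: => acl_mask: to all values by
"MANAGER=MANAGER001,OC=ISP001,APP=QWIDO", (=n)
Feb 23 18:13:17 curacao slapd[1057]: <= check a_dn_pat: OC=$1,APP=QWIDO
Feb 23 18:13:17 curacao slapd[1056]: => access_allowed: auth access granted by auth (=x)
Feb 23 18:13:17 curacao slapd[1057]: <= check a_dn_pat: APP=QWIDO
Feb 23 18:13:17 curacao slapd[1057]: => access_allowed: search access denied
by =n
'''

TS = r'\w{3} [ \d]\d [\d:]{8} \S+ '  # syslog timestamp and host
RULES = [  # (field, pattern) for the ACL trace messages seen in the post
    ('request', r'=> access_allowed: (\w+) access to "(.*?)" "(.*?)" requested'),
    ('acl', r'<= acl_get: \[(\d+)\] acl '),
    ('who', r'=> acl_mask: to .* by "(.*)", '),
    ('checked', r'<= check a_dn_pat: (.*)'),
    ('verdict', r'=> access_allowed: \w+ access (granted|denied) by (.*)'),
]

def decisions(text):
    """Unwrap the log, then group slapd ACL trace lines per PID into decisions."""
    lines, pending, done = [], {}, []
    for raw in text.splitlines():
        if re.match(TS, raw) or not lines:
            lines.append(raw.rstrip())
        else:  # continuation of a mail-wrapped line
            lines[-1] += ' ' + raw.strip()
    for line in lines:
        m = re.match(TS + r'slapd\[(\d+)\]: (.*)', line)
        if not m:
            continue  # cron, MARK and other daemons
        pid, msg = m.groups()
        d = pending.setdefault(pid, {'pid': pid, 'checked': []})
        for field, pat in RULES:
            if (r := re.match(pat, msg)):
                val = r.groups() if r.re.groups > 1 else r.group(1)
                d[field] = d['checked'] + [val] if field == 'checked' else val
                if field == 'verdict':  # the verdict line closes this PID's record
                    done.append(pending.pop(pid))
                break
    return done
```

An empty `who` is the unauthenticated (anonymous) requester, and a record with no `acl` key means the trace showed no ACL being selected before the verdict.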