Re: [LDAP-SOFTWARE] ACLand regex (matching self)

[Ace Suares <ace@suares.nl>]

>
 slapd(8) allows one to place access controls on any and all entries
> including system entries.


With slapd(8) you mean the file in the distribution under doc/man8/slapd.8 ?
In both version 2.0.27 and 2.1.12 I could not find any reference to ACL's.

In 2.1.12 in doc/man5/slapd.access.5 is some information, the same as in the 
ldap admin guide 2.1 as far as I can see. It's not clear to me where the 
'system' entries are listed and that there are system entires at all and how 
to put ACL's on them.
>
>
> By STATS, I was referring to the log level which provides basic
> information about protocol requests and responses.

In slapd.conf.5 (version 2.1.12) I could only find the following entries for 
logging:

                      1      trace function calls
                      2      debug packet handling
                      4      heavy trace debugging
                      8      connection management
                      16     print out packets sent and received
                      32     search filter processing
                      64     configuration file processing
                      128    access control list processing
                      256    stats log connections/operations/results
                      512    stats log entries sent
                      1024   print communication with shell backends
                      2048   entry parsing


Which one do you refer to as STAT ? (256 or 512 ?)

> >Feb 23 18:13:16 curacao slapd[1057]: => access_allowed: search access to
> > "" "objectClass" requested
> >
> >I explain this as: the function 'access_allowed' tries to find out if
> > 'search access to "" "objectClass" ' is  available.
> >
> >Immediately I ask my self: what is this "" between to and "Objectcllas" ?
>
> The first string is the target DN, the second string is the target
> attribute. A DN of "" implies the root DSE is the target.

In the openldap admin guide 2.1, the phrase 'root DSE' appears exactly once, 
and not in an explanatory context. The acronym 'DSE' appears 3 times. 
(including the above phrase). 

Until now I assumed that the root DSE the top entry is in the database, in my 
case: app=qwido. Is that right ?

>
> Please feel free to submit documentation updates.

I will, once I know what I am doing ;-0

I had collected a lot of info on ACL's before, but 'jsanchez' beat me in 
putting it in the Faq-o-matic.

> >Feb 23 18:13:16 curacao slapd[1057]: => acl_get: [1] check attr
> > objectClass
{snip}
> >But, what's that [1] doing there ?
>
> [1] means slapd is looking at the 1st access statement in the list,
> checking if the target attribute matches.

So, the 'thing being matched' is 'attr objectClass' and it is matched against 
the first ACL in the list ?

{snip}
> >But, what's the nsub: 1 doing ?

> number of substitutions.

Thanks.

{snip}
> >Feb 23 18:13:16 curacao slapd[1057]: => access_allowed: search access
> > denied by =n
> >
> >acces denied (by default, because there was no rule that matched, and
> >defaultaccess=none.... ?)
>
> If none of teh specified rules are applicable, then access is
> always denied.   defaultaccess is only considered with there
> are no rules specified.

So, even if I say 'defaultaccess=write' but have at least 1 access rule (ACL) 
specified, then the defaultaccess will be ignored, even if nothing matches 
that rule !? (I had a totally different idea of what defautlaccess meant !)

rule a:

> >access to attr=userpassword
> >        by self write
> >        by group="group=managers,app=qwido" write
> >        by anonymous auth
> >
{snip}
> Rule a actually says: "allow self and managers to modify
> userPassword; allow anonymous to authentication"

by 'modify' you mean 'add (if it's not there), delete (if it's there) or 
change (if it's there)' (assuming that the schema allows it) ??

This question comes around to my misconception about the 'write' privilige - 
in many cases 'write' means not only modify (change) but also add and delete.

rule b:
> >access to dn="app=qwido"
> >        by dn="app=qwido" read

{snip}
>
> Rule b actually says: "allow app=qwido to read app=qwido".  It
> is equivalent to saying:
>         access to dn.exact="app=qwido" by self read

I assume it is equally equivalent to
         access to dn="app=qwido" by self read

or... not ?


> It says nothing about DNs under "app=qwido".  For this, you'd
> need to say:
>         access to dn.subtree="app=qwido" by dn="app=qwido" read

Your answer saves me from going crazy. There must be something severely wrong 
in my setup. Because, I can view the entire tree ! (while binding as 
app=qwido)

> >BUT
> >when binding as, for example, 'oc=isp001,app=qwido' which is an existing
> > entry and has it's own userpassword, I can still read the entire tree.
>
> Then I suspect you have other access control statements.
>
> Kurt

I don't know. I thought I hadn't. I checked everything a hundred times. Maybe 
I oversee something. I have send you (off-list) the ldap config and database 
(and the little installer i use to test this).
Maybe you can find what's wrong. 

But at least I now know that the way it works in my situation, is *not* the 
way it is supposed to work, and that makes me feel a hell of a lot better.

Thanks,
Ace