
Re: ACL to permit access to some attributes



Quanah Gibson-Mount wrote:
> 
> --On Thursday, April 01, 2004 6:30 PM +0200 "José M. Fandiño"
> <ldap@fadesa.es> wrote:
> 
> > => access_allowed: search access to "uid=00010,dc=fadesa,dc=es"
> > "objectClass" requested => dn: [1]
> > => dn: [2] cn=subschema
> > => dn: [3] dc=fadesa,dc=es
> > => acl_get: [3] matched
> > => acl_get: [3] check attr objectClass
> > <= acl_get: done.
> > => access_allowed: no more rules
> 
> You are filtering on objectclass = ?? but you haven't given access to the
> objectclasses for filtering.  You can't filter on something that you
> haven't given access to.  Right now, you need more acl's.
> 
> access to dn.children="dc=fadesa,dc=es" attrs=mail,objectclass
> by * read

Quanah,

first of all, thank you for helping me with this; you are the only
man on the list who has tried to resolve the problem.

Permitting access to the objectClass attribute was one of my first
thoughts, and subsequent tests showed me that it doesn't make
any difference. (I post a test below.)

I saw some examples that permit access to the userPassword
attribute, e.g.:

access to attrs=userPassword
        by self write
        by dn.exact="cn=admin,ou=users,dc=domain" write
        by anonymous auth

so I arrived at my current ACL (apparently simple);
unfortunately the only way to make this work is
by removing the attrs directives :(

Any other idea?

	/----/

# cat -A slapd.conf
.
.
#^IDirectives needed to implement policy:$
$
access to dn.base="" by * read break$
$
access to dn.base="cn=Subschema" by * read break$
$
access to dn.children="dc=fadesa,dc=es" attrs=objectclass,mail by * read$
$

	/----/

# /usr/local/libexec/slapd -4 -h ldap:// -d 224
.
.
line 24 (argsfile /var/run/slapd.args)
line 26 (sasl-secprops none)
line 56 (access to dn.base="" by * read break)
Global ACL: access to *
        by * read(=rscx) break

line 58 (access to dn.base="cn=Subschema" by * read break)
Global ACL: access to dn.base=cn=subschema
        by * read(=rscx) break

line 60 (access to dn.children="dc=fadesa,dc=es" attrs=objectclass,mail by * read)
Global ACL: access to dn.children=dc=fadesa,dc=es
 attrs=objectclass,mail
        by * read(=rscx)

line 89 (database bdb)
.
.
=> test_filter
    PRESENT
=> access_allowed: search access to "uid=00010,dc=fadesa,dc=es" "mail" requested
=> dn: [1]
=> dn: [2] cn=subschema
=> dn: [3] dc=fadesa,dc=es
=> acl_get: [3] matched
=> acl_get: [3] check attr mail
<= acl_get: [3] acl uid=00010,dc=fadesa,dc=es attr: mail
=> acl_mask: access to entry "uid=00010,dc=fadesa,dc=es", attr "mail" requested
=> acl_mask: to all values by "", (=n)
<= check a_dn_pat: *
<= acl_mask: [1] applying read(=rscx) (stop)
<= acl_mask: [1] mask: read(=rscx)
=> access_allowed: search access granted by read(=rscx)
<= test_filter 6
=> access_allowed: read access to "uid=00010,dc=fadesa,dc=es" "entry" requested
=> dn: [1]
=> dn: [2] cn=subschema
=> dn: [3] dc=fadesa,dc=es
=> acl_get: [3] matched
=> acl_get: [3] check attr entry
<= acl_get: done.
=> access_allowed: no more rules
send_search_entry: access to entry not allowed

	/----/

# ldapsearch -x  -h 195.55.55.167 -s sub -b "dc=fadesa,dc=es" '(mail=*)'
# extended LDIF
#
# LDAPv3
# base <dc=fadesa,dc=es> with scope sub
# filter: (mail=*)
# requesting: ALL
#

# search result
search: 2
result: 0 Success

# numResponses: 1

	/----/

# ldapsearch -x  -h 195.55.55.167 -s sub -b "dc=fadesa,dc=es" mail
# extended LDIF
#
# LDAPv3
# base <dc=fadesa,dc=es> with scope sub
# filter: (objectclass=*)
# requesting: mail
#

# search result
search: 2
result: 0 Success

# numResponses: 1

	/----/

dn: uid=00010,dc=fadesa,dc=es
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: uidObject
objectClass: top
objectClass: fadesaPerson
sn:: ZmFuZGnDsW8gcGl0YQ==
cn: fan
uid: 00010
userPassword: xxxxx
mail: perico@foo.bar
fadesaPersonHTTP: TRUE
fadesaPersonSMTP: TRUE
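An added example, not part of the thread above, of the ACL the posted trace points to. The debug output ends with read access to the "entry" pseudo-attribute being requested for uid=00010,dc=fadesa,dc=es, no rule matching ("no more rules"), and send_search_entry refusing the entry, even though search access to "mail" had just been granted by the attrs=objectclass,mail rule. In slapd, attribute-level access alone does not let an entry be returned; the "entry" pseudo-attribute needs read access too. The fragment below assumes the same suffix and the same intent as the poster's configuration (anonymous read of mail and objectClass only) and uses standard slapd.conf access directives; it is example configuration, not code from the original post.

```conf
# slapd.conf ACL fragment (added example, not the poster's configuration).
# Assumes suffix dc=fadesa,dc=es and the intent "anyone may read mail and
# objectClass, nothing else".

# rootDSE and schema stay readable, as in the original configuration.
access to dn.base="" by * read break

access to dn.base="cn=Subschema" by * read break

# The trace shows the search failing at:
#   access_allowed: read access to "uid=00010,dc=fadesa,dc=es" "entry" requested
#   ... no more rules
#   send_search_entry: access to entry not allowed
# so the "entry" pseudo-attribute is added to the attrs list. The filter
# (mail=*) still only needs search access to mail, which this rule grants.
access to dn.children="dc=fadesa,dc=es" attrs=entry,objectClass,mail
        by * read

# No catch-all "access to * by * read" follows, so for every other attribute
# (userPassword, fadesaPersonHTTP, ...) no rule matches and access is denied,
# exactly as "no more rules" in the trace shows. Anonymous clients therefore
# get mail and objectClass back and nothing else.
```

To confirm the effect, rerun the two ldapsearch commands from the post with -d 224 still on: the "entry" check should now report "read access granted by read(=rscx)" and the entry appears in the results with only the mail attribute populated; requesting userPassword should still return the entry without that attribute.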