
Re: Decyphering openldap ACL logs



At 11:54 PM 4/28/2004, rajkumars@asianetindia.com wrote:
>I am working on configuring qmail-ldap and facing some permission problems with my ldap configuration. 

(Thank you for limiting your questions on this list to those specific
to OpenLDAP Software.  Questions specific to qmail-ldap, of course,
should go to the qmail-ldap list.)

You didn't bother to say which version of OpenLDAP Software.  I'll
assume you are using latest release (2.2.11), but the answers should
be fine for latest stable release as well (2.1.30).  If you are using
some other release, I suggest you consider updating.

>My  slapd.conf's acl section is some thing like 
>
>access to attr=userPassword
>        by anonymous auth

userPassword can be used for authentication, but cannot otherwise
be accessed (except, of course, by the rootdn).

>access to *
>        by dn="cn=admin,dc=com" write
>        by aci write
>        by * read

The first clause likely should be dn.exact="cn=admin,dc=com".

>with aci's configured in my directory. 

Okay.  And I see you've allowed everyone (including anonymous) to read
everything (excepting userPassword).

>To debug the problem I enabled logging with level 128, and I am getting copious logs. 
>I am some what able to make out what the logs mean, but in order to get the exact meaning I searched for some documentation about the logs entries. But could not find any. 
>
>One of my logs fragment looks like this:
>=> access_allowed: write access to "dc=cse,dc=com" "entry" requested 

Here it's checking for access to the entry itself (see slapd.access(5)
and the admin guide discussion regarding "entry" (and "children")).

>=> acl_get: [1] check attr entry 

The first access statement didn't apply to "entry".  Moving on.

>=> acl_get: [2] check attr entry 

The second does.

><= acl_get: [2] acl dc=cse,dc=com attr: entry
>=> acl_mask: access to entry "dc=cse,dc=com", attr "entry" requested 
>=> acl_mask: to all values by "uid=mailadmin, dc=com", (=n)  
><= check a_dn_pat: cn=admin,dc=com 
><= check a_dn_pat: * 

This is from the first clause of the second access statement.
It doesn't match.

><= acl_mask: [3] applying read(=rscx) (stop) 
><= acl_mask: [3] mask: read(=rscx) 

Here it's saying that the third clause of the (second) access
statement applied.

>=> access_allowed: write access denied by read(=rscx) 

This says that write access to entry was denied as subject
(uid=mailadmin,dc=com) was only authorized to read.

>(I have removed date/time etc) 
>
>Can some one tell me (or point to some documentation) from where I can understand what these logs mean?

Well, understanding the access control model, as documented in slapd.access(5),
the admin guide, and the FAQ, is key to understanding the access control logs. 

Kurt
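The walk through the trace above can be mechanised. The following is an added example, not code from the original post or from the OpenLDAP project: a small Python reducer that turns one slapd ACL debug trace (loglevel 128) into a single record saying which "access to" statement matched, which "by" clause applied, what mask that clause granted, and whether the requested level was satisfied. It assumes the line formats shown in the post (OpenLDAP 2.1/2.2 era slapd) and the level-to-letter sets from slapd.access(5); the first sample trace is the fragment quoted above with its wrapped line rejoined, the second is constructed here (with a syslog prefix, which real logs carry) to show a granted check.

```python
"""Reduce slapd ACL debug traces (loglevel 128) to one record per access check.

Added example for reading OpenLDAP ACL logs; not OpenLDAP's own code.
Assumes the "=> access_allowed / acl_get / acl_mask" line formats of
OpenLDAP 2.1/2.2 slapd, as quoted in the mailing-list post.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# slapd prints each level with its letter set, e.g. read(=rscx), write(=wrscx).
# A requested level is satisfied when its own letter is in the granted set.
REQUIRED_LETTER = {"write": "w", "read": "r", "search": "s",
                   "compare": "c", "auth": "x"}

# search() rather than match() so a "Apr 29 ... slapd[1234]: " prefix is ignored.
RE_REQUEST = re.compile(r'=> access_allowed: (\w+) access to "([^"]+)" "([^"]+)" requested')
RE_ACL_GET = re.compile(r'<= acl_get: \[(\d+)\] acl (\S+) attr: (\S+)')
RE_SUBJECT = re.compile(r'=> acl_mask: to all values by "([^"]*)", \(=(\w+)\)')
RE_APPLY   = re.compile(r'<= acl_mask: \[(\d+)\] applying (\w+)\(=(\w+)\)(?: \((\w+)\))?')
RE_RESULT  = re.compile(r'=> access_allowed: (\w+) access (granted|denied) by (\w+)\(=(\w+)\)')


@dataclass
class AclCheck:
    access: str                         # level requested (write, read, ...)
    target: str                         # DN of the entry being checked
    attr: str                           # attribute, or pseudo-attribute "entry"/"children"
    subject: Optional[str] = None       # bound DN; "" is anonymous
    acl_index: Optional[int] = None     # 1-based "access to" statement that matched
    clause_index: Optional[int] = None  # 1-based "by" clause within it that applied
    granted: Optional[str] = None       # level that clause grants, e.g. "read"
    mask: Optional[str] = None          # its letter form, e.g. "rscx"
    result: Optional[str] = None        # "granted" / "denied" as slapd reported it

    def satisfied(self) -> bool:
        """Re-derive the decision from the letters alone (cross-check of the log)."""
        return self.mask is not None and REQUIRED_LETTER[self.access] in self.mask

    def summary(self) -> str:
        return (f'{self.access} on "{self.target}" attr "{self.attr}" by '
                f'"{self.subject or "anonymous"}": acl [{self.acl_index}] clause '
                f'[{self.clause_index}] granted {self.granted}(={self.mask}) -> {self.result}')


def parse_acl_trace(lines: Iterable[str]) -> List[AclCheck]:
    """Walk log lines in order; each "requested" line opens a new check."""
    checks: List[AclCheck] = []
    cur: Optional[AclCheck] = None
    for line in lines:
        m = RE_REQUEST.search(line)
        if m:
            cur = AclCheck(access=m.group(1), target=m.group(2), attr=m.group(3))
            checks.append(cur)
            continue
        if cur is None:
            continue
        if (m := RE_ACL_GET.search(line)):
            cur.acl_index = int(m.group(1))
        elif (m := RE_SUBJECT.search(line)):
            cur.subject = m.group(1)
        elif (m := RE_APPLY.search(line)):
            cur.clause_index, cur.granted, cur.mask = int(m.group(1)), m.group(2), m.group(3)
        elif (m := RE_RESULT.search(line)):
            cur.result = m.group(2)
            cur = None            # check complete; next "requested" line starts another
    return checks


def denials(checks: List[AclCheck]) -> List[AclCheck]:
    """The records worth looking at when debugging permission problems."""
    return [c for c in checks if c.result == "denied"]


# First trace: the fragment quoted in the post (wrapped DN rejoined).
# Second trace: constructed here, with a syslog prefix, showing a granted write.
SAMPLE_TRACE = """\
=> access_allowed: write access to "dc=cse,dc=com" "entry" requested
=> acl_get: [1] check attr entry
=> acl_get: [2] check attr entry
<= acl_get: [2] acl dc=cse,dc=com attr: entry
=> acl_mask: access to entry "dc=cse,dc=com", attr "entry" requested
=> acl_mask: to all values by "uid=mailadmin, dc=com", (=n)
<= check a_dn_pat: cn=admin,dc=com
<= check a_dn_pat: *
<= acl_mask: [3] applying read(=rscx) (stop)
<= acl_mask: [3] mask: read(=rscx)
=> access_allowed: write access denied by read(=rscx)
Apr 29 00:01:02 mail slapd[1234]: => access_allowed: write access to "dc=cse,dc=com" "entry" requested
Apr 29 00:01:02 mail slapd[1234]: => acl_get: [1] check attr entry
Apr 29 00:01:02 mail slapd[1234]: => acl_get: [2] check attr entry
Apr 29 00:01:02 mail slapd[1234]: <= acl_get: [2] acl dc=cse,dc=com attr: entry
Apr 29 00:01:02 mail slapd[1234]: => acl_mask: to all values by "cn=admin,dc=com", (=n)
Apr 29 00:01:02 mail slapd[1234]: <= check a_dn_pat: cn=admin,dc=com
Apr 29 00:01:02 mail slapd[1234]: <= acl_mask: [1] applying write(=wrscx) (stop)
Apr 29 00:01:02 mail slapd[1234]: => access_allowed: write access granted by write(=wrscx)
""".splitlines()

if __name__ == "__main__":
    for check in parse_acl_trace(SAMPLE_TRACE):
        print(check.summary())
```

Feed it the output of `slapd -d 128` (or the syslog lines it produces) and look at `denials()` first: each record names the statement and clause that decided the outcome, so you know which `by` line to change, and `satisfied()` recomputes the verdict from the granted letters so a surprising "denied" can be checked against the mask rather than taken on trust.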