
Re: Decyphering openldap ACL logs



Thu, 29.04.2004 at 08.54, rajkumars@asianetindia.com wrote:

> My slapd.conf's acl section is something like 
> 
> access to attr=userPassword
>         by anonymous auth

O.k., as long as you understand that you ought to have "by * none" and
why that is default in this case.

> access to *
>         by dn="cn=admin,dc=com" write
>         by aci write
>         by * read
> with aci's configured in my directory.

Adam (Williams) is one of the few perversive ACIers on this list. Why make
it supremely difficult for yourself? What happens if you use a perfectly
normal ACL? What does your ACI look like? Not that I could help you ...

> To debug the problem I enabled logging with level 128, and I am getting copious logs. I am somewhat able to make out what the logs mean, but in order to get the exact meaning I searched for some documentation about the log entries. But could not find any. 
> 
> One of my logs fragment looks like this:
> => access_allowed: write access to "dc=cse,dc=com" "entry" requested 
> => acl_get: [1] check attr entry 
> => acl_get: [2] check attr entry 
> <= acl_get: [2] acl dc=cse,dc=com attr: entry
> => acl_mask: access to entry "dc=cse,dc=com", attr "entry" requested 
> => acl_mask: to all values by "uid=mailadmin, dc=com", (=n)  
> <= check a_dn_pat: cn=admin,dc=com 
> <= check a_dn_pat: * 
> <= acl_mask: [3] applying read(=rscx) (stop) 
> <= acl_mask: [3] mask: read(=rscx) 
> => access_allowed: write access denied by read(=rscx) 
> 
> (I have removed date/time etc) 
> 
> Can some one tell me (or point to some documentation) from where I can understand what these logs mean?

> => acl_mask: access to entry "dc=cse,dc=com", attr "entry" requested 
> => acl_mask: to all values by "uid=mailadmin, dc=com", (=n)

"all values by "uid=mailadmin, dc=com", (=n)"

'man slapd.access'. At the least, look for "privileges" if you're using
a *reasonably* (like Openldap www.openldap.org advertises as *the*
standard OL version) recent OL version. You do not say.

--Tonni

-- 

We make out of the quarrel with others rhetoric
but out of the quarrel with ourselves, poetry.

mail: billy - at - billy.demon.nl
http://www.billy.demon.nl
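The trace quoted in the thread can be decoded mechanically. The Python script below is an added example, not code from this thread or from the OpenLDAP project. It parses the loglevel-128 lines the poster quoted (embedded here as a constructed sample, with the two wrapped lines rejoined) and reports which access directive acl_get selected, which 'by' clause acl_mask applied, the privilege set that clause granted, and whether the final verdict follows from that set. The privilege letters are read as slapd.access(5) defines them: read(=rscx) is read plus the search, compare and auth it implies, and (=n) is none. The regular expressions and field names are my own and assume the 2.1/2.2-era log format shown in the post.

```python
import re

# Constructed sample: the slapd loglevel-128 trace from the original post,
# with the two line-wrapped entries rejoined.
SAMPLE_LOG = """\
=> access_allowed: write access to "dc=cse,dc=com" "entry" requested
=> acl_get: [1] check attr entry
=> acl_get: [2] check attr entry
<= acl_get: [2] acl dc=cse,dc=com attr: entry
=> acl_mask: access to entry "dc=cse,dc=com", attr "entry" requested
=> acl_mask: to all values by "uid=mailadmin, dc=com", (=n)
<= check a_dn_pat: cn=admin,dc=com
<= check a_dn_pat: *
<= acl_mask: [3] applying read(=rscx) (stop)
<= acl_mask: [3] mask: read(=rscx)
=> access_allowed: write access denied by read(=rscx)
"""

# Privilege letters as slapd prints them (see slapd.access(5)).
PRIV_LETTERS = {"n": "none", "d": "disclose", "x": "auth", "c": "compare",
                "s": "search", "r": "read", "w": "write"}

# Patterns for the trace lines that carry the decision (assumed format).
REQUEST_RE = re.compile(r'^=> access_allowed: (\w+) access to "([^"]+)" "([^"]+)" requested')
ACLGET_RE = re.compile(r'^<= acl_get: \[(\d+)\] acl (\S+) attr: (\S+)')
SUBJECT_RE = re.compile(r'^=> acl_mask: to all values by "([^"]*)", \(=(\w*)\)')
DNPAT_RE = re.compile(r'^<= check a_dn_pat: (.+)$')
APPLY_RE = re.compile(r'^<= acl_mask: \[(\d+)\] applying (\w+)\(=(\w*)\) \((stop|continue|break)\)')
RESULT_RE = re.compile(r'^=> access_allowed: (\w+) access (granted|denied)(?: by (\w+)\(=(\w*)\))?')


def expand_privs(letters):
    """Turn the letter string slapd prints (e.g. 'rscx') into privilege names; 'n' is none."""
    return {PRIV_LETTERS.get(ch, "?" + ch) for ch in letters if ch != "n"}


def decode_acl_trace(text):
    """Parse one access_allowed trace and return the decision it records as a dict."""
    trace = {
        "requested": None, "target_dn": None, "target_attr": None,
        "directive_index": None,          # [n] in acl_get: nth 'access to' directive
        "subject_dn": None, "start_privs": set(),
        "by_clauses_tried": [], "matched_clause": None,
        "clause_index": None,             # [n] in acl_mask: nth 'by' clause of that directive
        "control": None, "granted_privs": set(), "decision": None,
    }
    for raw in text.splitlines():
        line = raw.strip()
        if m := REQUEST_RE.match(line):
            trace["requested"], trace["target_dn"], trace["target_attr"] = m.groups()
        elif m := ACLGET_RE.match(line):
            trace["directive_index"] = int(m.group(1))
        elif m := SUBJECT_RE.match(line):
            trace["subject_dn"] = m.group(1)
            trace["start_privs"] = expand_privs(m.group(2))
        elif m := DNPAT_RE.match(line):
            trace["by_clauses_tried"].append(m.group(1).strip())
        elif m := APPLY_RE.match(line):
            trace["clause_index"] = int(m.group(1))
            trace["granted_privs"] = expand_privs(m.group(3))
            trace["control"] = m.group(4)
            # Heuristic: the last dn pattern checked before 'applying' is the one that matched.
            if trace["by_clauses_tried"]:
                trace["matched_clause"] = trace["by_clauses_tried"][-1]
        elif m := RESULT_RE.match(line):
            trace["decision"] = m.group(2)
    return trace


def decision_is_consistent(trace):
    """True when the granted/denied verdict follows from the final privilege mask."""
    expected = "granted" if trace["requested"] in trace["granted_privs"] else "denied"
    return trace["decision"] == expected


def explain(trace):
    """Render the parsed trace as one plain-English sentence."""
    need = trace["requested"]
    have = ", ".join(sorted(trace["granted_privs"])) or "none"
    return (f"{trace['subject_dn'] or 'anonymous'} asked for {need} on "
            f"'{trace['target_attr']}' of {trace['target_dn']}; access directive "
            f"{trace['directive_index']}, by-clause {trace['clause_index']} "
            f"('by {trace['matched_clause']}', {trace['control']}) granted {have}; "
            f"{need} is {'in' if need in trace['granted_privs'] else 'not in'} that set, "
            f"so access was {trace['decision']}.")


if __name__ == "__main__":
    parsed = decode_acl_trace(SAMPLE_LOG)
    print(explain(parsed))
    print("verdict consistent with mask:", decision_is_consistent(parsed))
```

Read against the poster's configuration, acl_get [2] is the second access directive (access to *) and acl_mask [3] is its third by clause (by * read): uid=mailadmin matched neither the admin DN nor the aci clause, fell through to the catch-all, and received read, which does not include write. For write to be granted, an earlier by clause in that directive has to match the bind DN.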