
Re: Deciphering openldap ACL logs



----- Original Message -----
From: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>
Date: Thursday, April 29, 2004 8:30 pm
Subject: Re: Deciphering openldap ACL logs

> (Thank you for limiting your questions on this list to those specific
> to OpenLDAP Software.  Questions specific to qmail-ldap, of course,
> should go to the qmail-ldap list.)

Thanks everyone for answering my questions...

> You didn't bother to say which version of OpenLDAP Software.  I'll
> assume you are using latest release (2.2.11), but the answers should
> be fine for latest stable release as well (2.1.30).  If you are using
> some other release, I suggest you consider updating.


I am using openldap-2.1.30.


> userPassword can be used for authentication, but cannot otherwise
> be accessed (except, of course, by the rootdn).

Understood.

> 
> >access to *
> >        by dn="cn=admin,dc=com" write
> >        by aci write
> >        by * read
> 
> The first clause likely should be dn.exact="cn=admin,dc=com".

Ok.

> 
> >with aci's configured in my directory. 
> 
> okay.  And I see you've allowed everyone (including anonymous) to read
> everything (excepting userPassword).

Ideally I want all my access control using ACI. That way complete access control will be via my web interface. The ACL-based directory I am replacing is available at http://phpqladmin.bayour.com/demo/slapd.conf.demo.txt

> >=> access_allowed: write access to "dc=cse,dc=com" "entry" requested

What is the meaning of "=>" and "<=" ? 

> Here it's checking for access to the entry itself (see
> slapd.access(5) and the admin guide discussion regarding "entry" (and
> "children")).

Understood.

> >=> acl_get: [1] check attr entry 
> 
> The first access statement didn't apply to "entry".  Moving on.
> 
> >=> acl_get: [2] check attr entry 
> 
> The second does.

How did you find that? Both log entries ([1] and [2]) are similar!

> ><= acl_get: [2] acl dc=cse,dc=com attr: entry
> >=> acl_mask: access to entry "dc=cse,dc=com", attr "entry" requested
> >=> acl_mask: to all values by "uid=mailadmin, dc=com", (=n)  
> ><= check a_dn_pat: cn=admin,dc=com 
> ><= check a_dn_pat: * 

What is the meaning of acl_get, acl_mask, a_dn_pat? 

> This is from the first clause of the second access statement.
> It doesn't match.
> 
> ><= acl_mask: [3] applying read(=rscx) (stop) 
> ><= acl_mask: [3] mask: read(=rscx) 
> 
> Here it's saying that the third clause of the (second) access
> statement applied.

What is the meaning of "applying read(=rscx) (stop)" and "mask: read(=rscx)" ?

> >=> access_allowed: write access denied by read(=rscx) 
> 
> This says that write access to entry was denied as subject
> (uid=mailadmin,dc=com) was only authorized to read.

Ok. My LDIF file is given below; I am wondering why the aci entries were not applied. Sorry for asking too many questions, I am just trying to learn and understand this :)

thanks for your time,

raj

dn: dc=com
o: linuxense.com
dc: com
administrator: uid=mailadmin,dc=com
OpenLDAPaci: 1.2.3#entry#grant;r;[entry]#public#
OpenLDAPaci: 1.2.3#entry#grant;r,s,c;objectClass,[entry]#public#
OpenLDAPaci: 1.2.3#entry#grant;r,s,c;dc,userReference,branchReference,administ
 rator#public#
OpenLDAPaci: 1.2.3#entry#grant;w,r,s,c;[children]#access-id#uid=mailadmin,dc=c
 om
OpenLDAPaci: 1.2.3#entry#grant;w,r,s,c,x;[entry]#access-id#uid=mailadmin,dc=co
 m
OpenLDAPaci: 1.2.3#entry#grant;w,r,s,c,x;[all]#access-id#uid=mailadmin,dc=com
branchReference: dc
branchObjectClass: organization
branchObjectClass: dcobject
userObjectClass: person
userObjectClass: posixaccount
userObjectClass: qmailuser
hostMaster: raj@linuxense.com
minimumUIDNumber: 5000
objectClass: top
objectClass: organization
objectClass: phpQLAdminBranch
objectClass: phpQLAdminConfig
objectClass: phpQLAdminGlobal
structuralObjectClass: organization
entryUUID: 362d8998-2d57-1028-8249-8e332eee8fb9
creatorsName: cn=anonymous
createTimestamp: 20040428115913Z
entryCSN: 2004042817:34:21Z#0x0005#0#0000
modifiersName: uid=mailadmin,dc=com
modifyTimestamp: 20040428173421Z

dn: cn=admin,dc=com
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
userPassword:: ZjAwcnUxeg==
OpenLDAPaci: 1.2.3#entry#grant;r;[entry]#public#
OpenLDAPaci: 1.2.3#entry#grant;r,s,c;objectClass,[entry]#public#
OpenLDAPaci: 1.2.3#entry#grant;x;userPassword,krb5PrincipalName#public#
OpenLDAPaci: 1.2.3#entry#grant;r,s,c;uid,cn,accountStatus,uidNumber,gidNumber,
 gecos,homeDirectory,loginShell#public#
OpenLDAPaci: 1.2.3#entry#grant;r,s,c;sn,givenName,homePostalAddress,mobile,hom
 ePhone,labeledURI,mailForwardingAddress,street,physicalDeliveryOfficeName,mai
 lMessageStore,o,l,st,telephoneNumber,postalCode,title#users#
OpenLDAPaci: 1.2.3#entry#grant;r,s,c;sn,givenName,homePostalAddress,mobile,hom
 ePhone,labeledURI,mailForwardingAddress,street,physicalDeliveryOfficeName,mai
 lMessageStore,o,l,st,telephoneNumber,postalCode,title#self#
OpenLDAPaci: 1.2.3#entry#grant;w,r,s,c;[children]#access-id#uid=mailadmin,dc=c
 om
OpenLDAPaci: 1.2.3#entry#grant;w,r,s,c,x;[entry]#access-id#uid=mailadmin,dc=co
 m
OpenLDAPaci: 1.2.3#entry#grant;w,r,s,c,x;[all]#access-id#uid=mailadmin,dc=com
structuralObjectClass: organizationalRole
entryUUID: 362fd0ae-2d57-1028-824a-8e332eee8fb9
creatorsName: cn=anonymous
modifiersName: cn=anonymous
createTimestamp: 20040428115913Z
modifyTimestamp: 20040428115913Z
entryCSN: 2004042811:59:13Z#0x0002#0#0000

dn: uid=mailadmin,dc=com
cn: mailadministrator
sn: System
givenName: mailadministrator
uid: mailadmin
userPassword:: ZjAwcnUxeg==
objectClass: inetorgperson
objectClass: organizationalperson
OpenLDAPaci: 1.2.3#entry#grant;r;[entry]#public#
OpenLDAPaci: 1.2.3#entry#grant;r,s,c;objectClass,[entry]#public#
OpenLDAPaci: 1.2.3#entry#grant;x;userPassword,krb5PrincipalName#public#
OpenLDAPaci: 1.2.3#entry#grant;r,s,c;uid,cn,accountStatus,uidNumber,gidNumber,
 gecos,homeDirectory,loginShell#public#
OpenLDAPaci: 1.2.3#entry#grant;r,s,c;sn,givenName,homePostalAddress,mobile,hom
 ePhone,labeledURI,mailForwardingAddress,street,physicalDeliveryOfficeName,mai
 lMessageStore,o,l,st,telephoneNumber,postalCode,title#users#
OpenLDAPaci: 1.2.3#entry#grant;r,s,c;sn,givenName,homePostalAddress,mobile,hom
 ePhone,labeledURI,mailForwardingAddress,street,physicalDeliveryOfficeName,mai
 lMessageStore,o,l,st,telephoneNumber,postalCode,title#self#
OpenLDAPaci: 1.2.3#entry#grant;w,r,s,c;[children]#access-id#uid=mailadmin,dc=c
 om
OpenLDAPaci: 1.2.3#entry#grant;w,r,s,c,x;[entry]#access-id#uid=mailadmin,dc=co
 m
OpenLDAPaci: 1.2.3#entry#grant;w,r,s,c,x;[all]#access-id#uid=mailadmin,dc=com
structuralObjectClass: inetorgperson
entryUUID: 36302dba-2d57-1028-824b-8e332eee8fb9
creatorsName: cn=anonymous
modifiersName: cn=anonymous
createTimestamp: 20040428115913Z
modifyTimestamp: 20040428115913Z
entryCSN: 2004042811:59:13Z#0x0003#0#0000

The log fragment again:
=> access_allowed: write access to "dc=cse.dynu.com,dc=com" "entry" requested
=> acl_get: [1] check attr entry
=> acl_get: [2] check attr entry
<= acl_get: [2] acl dc=cse.dynu.com,dc=com attr: entry
=> acl_mask: access to entry "dc=cse.dynu.com,dc=com", attr "entry" requested
=> acl_mask: to all values by "uid=mailadmin,dc=com", (=n)
<= check a_dn_pat: cn=admin,dc=com
<= check a_dn_pat: *
<= acl_mask: [3] applying read(=rscx) (stop)
<= acl_mask: [3] mask: read(=rscx)
=> access_allowed: write access denied by read(=rscx)
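Editor's note, added to this archived thread as a worked example (it is not code from the thread's participants or from the OpenLDAP project): the Python below walks a slapd ACL trace of the shape posted above and reconstructs the decision in the order slapd made it, so that each of the questions raised in the reply (what "=>"/"<=" bracket, what acl_get, acl_mask and a_dn_pat report, what "applying read(=rscx) (stop)" means) can be checked against the actual lines. It assumes the line formats of the posted fragment (OpenLDAP 2.1/2.2 with the acl loglevel, 128) and the access-level ordering none < auth < compare < search < read < write from slapd.access(5); the letters in "(=rscx)" are the levels that read implies (read, search, compare, auth), and "(=n)" is an empty mask. The sample trace embedded in the block is the one posted above, with its wrapped lines rejoined.

```python
# Added example for the thread above, not OpenLDAP project code.  It assumes the
# trace line formats of the posted fragment (OpenLDAP 2.1/2.2, loglevel 128) and
# the level ordering none < auth < compare < search < read < write of slapd.access(5).
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: the trace posted in the thread, with wrapped lines rejoined.
SAMPLE_TRACE = """\
=> access_allowed: write access to "dc=cse.dynu.com,dc=com" "entry" requested
=> acl_get: [1] check attr entry
=> acl_get: [2] check attr entry
<= acl_get: [2] acl dc=cse.dynu.com,dc=com attr: entry
=> acl_mask: access to entry "dc=cse.dynu.com,dc=com", attr "entry" requested
=> acl_mask: to all values by "uid=mailadmin,dc=com", (=n)
<= check a_dn_pat: cn=admin,dc=com
<= check a_dn_pat: *
<= acl_mask: [3] applying read(=rscx) (stop)
<= acl_mask: [3] mask: read(=rscx)
=> access_allowed: write access denied by read(=rscx)
"""

# Each level implies the ones below it, which is why "read" prints as (=rscx):
# read, search, compare, auth.  An empty mask prints as (=n).
LEVELS = ["none", "auth", "compare", "search", "read", "write"]

_RE = {  # one pattern per kind of trace line we care about
    "request": re.compile(r'^=> access_allowed: (\w+) access to "([^"]*)" "([^"]*)" requested'),
    "acl_check": re.compile(r'^=> acl_get: \[(\d+)\] check attr (\S+)'),
    "acl_match": re.compile(r'^<= acl_get: \[(\d+)\] acl (.*?) attr: (\S+)'),
    "subject": re.compile(r'^=> acl_mask: to all values by "([^"]*)", \(=(\w+)\)'),
    "dn_pat": re.compile(r'^<= check a_dn_pat: (.*)$'),
    "applying": re.compile(r'^<= acl_mask: \[(\d+)\] applying (\w+)\(=(\w+)\)(?: \((\w+)\))?'),
    "verdict": re.compile(r'^=> access_allowed: (\w+) access (granted|denied)'),
}


@dataclass
class AclDecision:
    requested: Optional[str] = None        # level asked for, e.g. "write"
    target_dn: Optional[str] = None
    target_attr: Optional[str] = None      # "entry", "children" or an attribute type
    acls_checked: List[int] = field(default_factory=list)  # "acl_get: [n] check" lines
    acl_matched: Optional[int] = None      # <access to> statement that applied to the target
    subject: Optional[str] = None          # bound DN being evaluated
    initial_mask: Optional[str] = None     # mask letters before any <by> clause applied
    clauses_tried: List[str] = field(default_factory=list)  # <by dn=...> patterns tested
    clause_applied: Optional[int] = None   # index of the <by> clause that set the mask
    granted: Optional[str] = None          # level that clause granted, e.g. "read"
    granted_mask: Optional[str] = None     # its letter form, e.g. "rscx"
    stop: bool = False                     # "(stop)": no later clauses were considered
    verdict: Optional[str] = None          # "granted" / "denied" as logged

    def computed_verdict(self) -> Optional[str]:
        """Re-derive the verdict from the two levels, independent of the logged one."""
        if self.requested not in LEVELS or self.granted not in LEVELS:
            return None
        ok = LEVELS.index(self.requested) <= LEVELS.index(self.granted)
        return "granted" if ok else "denied"

    def consistent(self) -> bool:
        """True when our level comparison agrees with what slapd logged."""
        return self.computed_verdict() == self.verdict


def parse_trace(trace: str) -> AclDecision:
    d = AclDecision()
    for raw in trace.splitlines():
        line = raw.strip()
        if m := _RE["request"].match(line):
            d.requested, d.target_dn, d.target_attr = m.group(1), m.group(2), m.group(3)
        elif m := _RE["acl_check"].match(line):
            d.acls_checked.append(int(m.group(1)))
        elif m := _RE["acl_match"].match(line):
            d.acl_matched = int(m.group(1))
        elif m := _RE["subject"].match(line):
            d.subject, d.initial_mask = m.group(1), m.group(2)
        elif m := _RE["dn_pat"].match(line):
            d.clauses_tried.append(m.group(1))
        elif m := _RE["applying"].match(line):
            d.clause_applied = int(m.group(1))
            d.granted, d.granted_mask = m.group(2), m.group(3)
            d.stop = m.group(4) == "stop"
        elif m := _RE["verdict"].match(line):
            d.verdict = m.group(2)
    return d


def explain(d: AclDecision) -> str:
    """One-sentence reading of the decision, in the order slapd made it."""
    tried = ", ".join(f"<by dn={p}>" for p in d.clauses_tried) or "no dn patterns"
    return (
        f'{d.subject} requested {d.requested} on "{d.target_dn}" ({d.target_attr}); '
        f"slapd checked access statements {d.acls_checked}, statement [{d.acl_matched}] "
        f"matched the target; starting from (={d.initial_mask}) it tested {tried}; "
        f"clause [{d.clause_applied}] applied {d.granted}(={d.granted_mask})"
        f"{' and stopped' if d.stop else ''}; {d.requested} {d.verdict}."
    )


if __name__ == "__main__":
    decision = parse_trace(SAMPLE_TRACE)
    print(explain(decision))
    print("level comparison agrees with slapd:", decision.consistent())
```

Run against the posted fragment, the parser reads it the way the reply does: "=>" lines are slapd entering a step and "<=" lines are its result; acl_get tried access statement [1] and moved on, then selected [2] as the statement covering the target; acl_mask started the bound DN uid=mailadmin,dc=com at an empty mask (=n) and tested the dn patterns cn=admin,dc=com and *; clause [3] (the "by * read") is the one that applied, so neither earlier clause matched that DN, and "(stop)" records that no later clause could widen the mask. The closing line is then just a comparison of levels: write sits above read(=rscx), so the request is denied, and `consistent()` confirms the arithmetic agrees with what slapd logged.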