
Re: Showing ALL attribute values && ACI's



I believe ACIs have never been tested after adding ACL caching...
Can you provide a significant portion of your LDIF and your
slapd.conf, so that I can test it?

Ciao, p.


> I can't manage to get all the attribute values when using
> ACIs...
>
> Part of the LDIF:
> ----- s n i p -----
> dn: uid=turbo,ou=People,o=Swe.Net AB,c=SE
> objectClass: person
> objectClass: inetOrgPerson
> objectClass: posixAccount
> objectClass: top
> objectClass: krb5Principal
> objectClass: mailRecipient
> objectClass: shadowAccount
> objectClass: trustAccount
> OpenLDAPaci: 0#entry#grant;r,s,c;objectClass,[entry]#public#
> OpenLDAPaci: 1#entry#grant;x;userPassword#public#
> OpenLDAPaci: 2#entry#grant;c,x;krb5PrincipalName#public#
> OpenLDAPaci: 3#entry#grant;r,s,c;uid,cn,accountStatus,uidNumber,gidNumber,gecos,homeDirectory,loginShell#public#
> OpenLDAPaci: 4#entry#grant;r,s,c;mail,mailAlternateAddress,mailHost,mailQuotaSize,mailQuotaCount,accountStatus,deliveryMode,userPassword,mailMessageStore,deliveryProgramPath#access-id#uid=qmail,ou=People,o=Swe.Net AB,c=SE
> OpenLDAPaci: 5#entry#grant;r,s,c;sn,givenName,homePostalAddress,mobile,homePhone,labeledURI,mailForwardingAddress,street,physicalDeliveryOfficeName,mailMessageStore,o,l,st,telephoneNumber,postalCode,title#users#
> OpenLDAPaci: 6#entry#grant;w,r,s,c;sn,givenName,homePostalAddress,mobile,homePhone,labeledURI,mailForwardingAddress,street,physicalDeliveryOfficeName,o,l,st,telephoneNumber,postalCode,title,deliveryMode,userPassword#self#
> OpenLDAPaci: 7#entry#grant;w,r,s,c,x;[all]#access-id#uid=turbo,ou=People,o=Swe.Net AB,c=SE
> OpenLDAPaci: 8#entry#grant;w,r,s,c,x;[all]#access-id#uid=malin,ou=People,o=Swe.Net AB,c=SE
> OpenLDAPaci: 9#entry#grant;w,r,s,c,x;[all]#access-id#uid=ma,ou=People,o=Swe.Net AB,c=SE
> ----- s n i p -----
>
> The search string (and its result):
> ----- s n i p -----
> CHROOT/Woody-devel# ldapsearch -LLL uid=turbo objectClass
> SASL/GSSAPI authentication started
> SASL username: turbo@SWE.NET
> SASL SSF: 56
> SASL installing layers
> dn: uid=turbo,ou=People,o=Swe.Net AB,c=SE
> objectClass: person
> ----- s n i p -----
>
> That's it! Only ONE line of 'objectClass'...
>
> The output from 'slapd -d 128':
> ----- s n i p -----
> => access_allowed: read access to "uid=turbo,ou=People,o=Swe.Net AB,c=SE"
> "objectClass" requested
> => dn: [1]
> => dn: [2]
> => dn: [3] cn=monitor
> => dn: [4] cn=monitor
> => dn: [5] cn=subschema
> => acl_get: [6] attr objectClass
> access_allowed: no res from state (objectClass)
> => acl_mask: access to entry "uid=turbo,ou=People,o=Swe.Net AB,c=SE", attr
> "objectClass" requested
> => acl_mask: to value by "uid=turbo,ou=people,o=swe.net ab,c=se", (=n)
> <= aci_mask grant =wrscx deny =n
> <= acl_mask: [10] applying +wrscx (stop)
> <= acl_mask: [10] mask: =wrscx
> => access_allowed: read access granted by =wrscx
> => access_allowed: read access to "uid=turbo,ou=People,o=Swe.Net AB,c=SE"
> "objectClass" requested
> <= acl_get: done.
> => access_allowed: no more rules
> acl: access to attribute objectClass, value 1 not allowed
> => access_allowed: read access to "uid=turbo,ou=People,o=Swe.Net AB,c=SE"
> "objectClass" requested
> <= acl_get: done.
> => access_allowed: no more rules
> acl: access to attribute objectClass, value 2 not allowed
> => access_allowed: read access to "uid=turbo,ou=People,o=Swe.Net AB,c=SE"
> "objectClass" requested
> <= acl_get: done.
> => access_allowed: no more rules
> acl: access to attribute objectClass, value 3 not allowed
> => access_allowed: read access to "uid=turbo,ou=People,o=Swe.Net AB,c=SE"
> "objectClass" requested
> <= acl_get: done.
> => access_allowed: no more rules
> acl: access to attribute objectClass, value 4 not allowed
> => access_allowed: read access to "uid=turbo,ou=People,o=Swe.Net AB,c=SE"
> "objectClass" requested
> <= acl_get: done.
> => access_allowed: no more rules
> acl: access to attribute objectClass, value 5 not allowed
> => access_allowed: read access to "uid=turbo,ou=People,o=Swe.Net AB,c=SE"
> "objectClass" requested
> <= acl_get: done.
> => access_allowed: no more rules
> acl: access to attribute objectClass, value 6 not allowed
> => access_allowed: read access to "uid=turbo,ou=People,o=Swe.Net AB,c=SE"
> "objectClass" requested
> <= acl_get: done.
> => access_allowed: no more rules
> acl: access to attribute objectClass, value 7 not allowed
> ----- s n i p -----
>
> Why do I get 'no more rules' and 'acl: access to attribute
> objectClass, value [1-7] not allowed' here?
>
> Is there something I've missed in the changes from 2.1 to
> 2.2 (this is a 2.2.11 server/client running in a chroot)?
>


-- 
Pierangelo Masarati
mailto:pierangelo.masarati@sys-net.it


    SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497
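To make the per-attribute semantics of the quoted OpenLDAPaci values concrete, here is an added example (not code from this thread or from OpenLDAP) that parses ACIs of the quoted form and lists which attributes, with all their values, a given bind DN may read. It models only the public, users, self and access-id subject types used in the LDIF and a simplified grant-minus-deny merge; the sn and mail values and the trimmed attribute lists are constructed.

```python
from collections import namedtuple

RIGHTS = set("rscwx")  # read, search, compare, write, authenticate (x)
Aci = namedtuple("Aci", "oid scope action pairs subject_type subject")  # subject: DN for access-id

def parse_aci(value):
    """Split 'oid#scope#action;rights;attrs[;rights;attrs]#type#subject'."""
    oid, scope, action, stype, subject = value.split("#", 4)
    verb, *rest = action.split(";")
    pairs = [(set(r.split(",")) & RIGHTS, {a.strip().lower() for a in at.split(",")})
             for r, at in zip(rest[0::2], rest[1::2])]
    return Aci(oid, scope, verb, pairs, stype, subject)

def subject_matches(aci, bind_dn, entry_dn):
    """Subset of slapd's subject types (assumed); DNs compared case-insensitively."""
    bd, ed, sd = bind_dn.lower(), entry_dn.lower(), aci.subject.lower()
    return {"public": True, "users": bd != "", "self": bd != "" and bd == ed,
            "access-id": bd != "" and bd == sd}.get(aci.subject_type, False)

def rights_for(acis, bind_dn, entry_dn, attr):
    """Union of grants minus union of denies over all ACIs matching the subject."""
    granted, denied = set(), set()
    for aci in acis:
        if aci.scope != "entry" or not subject_matches(aci, bind_dn, entry_dn):
            continue
        for rights, attrs in aci.pairs:
            if attr.lower() in attrs or "[all]" in attrs:
                (granted if aci.action == "grant" else denied).update(rights)
    return granted - denied

def readable(entry, entry_dn, bind_dn):
    """Attributes the bind DN may read, each with ALL its values: the decision
    is per attribute, so a readable attribute never loses individual values."""
    acis = [parse_aci(v) for v in entry.get("OpenLDAPaci", [])]
    return {a: v for a, v in entry.items() if "r" in rights_for(acis, bind_dn, entry_dn, a)}

ENTRY_DN = "uid=turbo,ou=People,o=Swe.Net AB,c=SE"
ENTRY = {  # constructed from the thread's LDIF (mail-wrapped lines rejoined, lists trimmed)
    "objectClass": ["person", "inetOrgPerson", "posixAccount", "top",
                    "krb5Principal", "mailRecipient", "shadowAccount", "trustAccount"],
    "sn": ["Turbo"], "mail": ["turbo@example.com"],  # constructed values
    "OpenLDAPaci": [
        "0#entry#grant;r,s,c;objectClass,[entry]#public#",
        "4#entry#grant;r,s,c;mail,mailHost,userPassword#access-id#"
        "uid=qmail,ou=People,o=Swe.Net AB,c=SE",
        "5#entry#grant;r,s,c;sn,givenName,telephoneNumber#users#",
        "7#entry#grant;w,r,s,c,x;[all]#access-id#" + ENTRY_DN,
    ],
}
```

With these ACIs an anonymous search still gets every objectClass value, which is what the slapd trace above should have produced for ACI 0.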