[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: Challenge With Access Control



Michal,

	Tried your suggestion, ldapsearch still fails.  Here is the log:

Jul  5 11:09:31 ias2 slapd[11565]: entry_decode:
"SFTid=0002-00000000,ou=servers,o=sft"
Jul  5 11:09:31 ias2 slapd[11565]: <=
entry_decode(SFTid=0002-00000000,ou=servers,o=sft)
Jul  5 11:09:31 ias2 slapd[11565]: =>
bdb_dn2id("SFTid=0002-00000000,ou=servers,o=sft")
Jul  5 11:09:31 ias2 slapd[11565]: <= bdb_dn2id: got id=0x00000030
Jul  5 11:09:31 ias2 slapd[11565]: => test_filter
Jul  5 11:09:31 ias2 slapd[11565]:     EQUALITY
Jul  5 11:09:31 ias2 slapd[11565]: => access_allowed: search access to
"SFTid=0002-00000000,ou=servers,o=sft" "SFTid" requested
Jul  5 11:09:31 ias2 slapd[11565]: => acl_get: [1] attr SFTid
Jul  5 11:09:31 ias2 slapd[11565]: => acl_mask: access to entry
"SFTid=0002-00000000,ou=servers,o=sft", attr "SFTid" requested
Jul  5 11:09:31 ias2 slapd[11565]: => acl_mask: to value by "", (=0)
Jul  5 11:09:31 ias2 slapd[11565]: <= check a_dn_pat: self
Jul  5 11:09:31 ias2 slapd[11565]: <= check a_peername_path: 10.16.13.84
Jul  5 11:09:31 ias2 slapd[11565]: <= check a_peername_path:
IP=10.16.13.8[1-6]*
Jul  5 11:09:31 ias2 slapd[11565]: => acl_string_expand: pattern:
IP=10.16.13.8[1-6]*
Jul  5 11:09:31 ias2 slapd[11565]: => acl_string_expand: expanded:
IP=10.16.13.8[1-6]*
Jul  5 11:09:31 ias2 slapd[11565]: => regex_matches: string:^I
IP=127.0.0.1:46749
Jul  5 11:09:31 ias2 slapd[11565]: => regex_matches: rc: 1 no matches
Jul  5 11:09:31 ias2 slapd[11565]: <= acl_mask: no more <who> clauses,
returning =0 (stop)
Jul  5 11:09:31 ias2 slapd[11565]: => access_allowed: search access
denied by =0
Jul  5 11:09:31 ias2 slapd[11565]: <= test_filter 50
Jul  5 11:09:31 ias2 slapd[11565]: bdb_search: 48 does not match filter 

-----Original Message-----
From: Michal Dobroczynski [mailto:michal.dobroczynski@gmail.com] 
Sent: Thursday, July 05, 2007 11:01 AM
To: Brian Gaber
Cc: openldap-software@openldap.org
Subject: Re: Challenge With Access Control

As far as I understand the log - you need to include the port. This
should help then:

by peername.regex="IP=10\.16\.13\.8[1-6]:[0-9]*" read

Regards,
Michal

On 05/07/07, Brian Gaber <Brian.Gaber@pwgsc.gc.ca> wrote:
> Tried your suggestion and still have a problem.
>
> Here is the new slapd.conf:
>
> access to *
>   by self write
>   by peername.ip=10.16.13.84 write
>   by peername.regex="IP=10\.16\.13\.8[1-6]" read
>
> Here is the log:
>
> entry_decode: "SFTid=0001-00000000,ou=servers,o=sft"
> Jul  5 10:46:35 ias2 slapd[11401]: <=
> entry_decode(SFTid=0001-00000000,ou=servers,o=sft)
> Jul  5 10:46:35 ias2 slapd[11401]: =>
> bdb_dn2id("SFTid=0001-00000000,ou=servers,o=sft")
> Jul  5 10:46:35 ias2 slapd[11401]: <= bdb_dn2id: got id=0x0000002f Jul

> 5 10:46:35 ias2 slapd[11401]: => test_filter
> Jul  5 10:46:35 ias2 slapd[11401]:     EQUALITY
> Jul  5 10:46:35 ias2 slapd[11401]: => access_allowed: search access to

> "SFTid=0001-00000000,ou=servers,o=sft" "SFTid" requested Jul  5 
> 10:46:35 ias2 slapd[11401]: => acl_get: [1] attr SFTid Jul  5 10:46:35

> ias2 slapd[11401]: => acl_mask: access to entry 
> "SFTid=0001-00000000,ou=servers,o=sft", attr "SFTid" requested Jul  5 
> 10:46:35 ias2 slapd[11401]: => acl_mask: to value by "", (=0) Jul  5 
> 10:46:35 ias2 slapd[11401]: <= check a_dn_pat: self Jul  5 10:46:35 
> ias2 slapd[11401]: <= check a_peername_path: 10.16.13.84 Jul  5 
> 10:46:35 ias2 slapd[11401]: <= check a_peername_path:
> IP=10.16.13.8[1-6]
> Jul  5 10:46:35 ias2 slapd[11401]: => acl_string_expand: pattern:
> IP=10.16.13.8[1-6]
> Jul  5 10:46:35 ias2 slapd[11401]: => acl_string_expand: expanded:
> IP=10.16.13.8[1-6]
> Jul  5 10:46:35 ias2 slapd[11401]: => regex_matches: string:^I
> IP=127.0.0.1:46504
> Jul  5 10:46:35 ias2 slapd[11401]: => regex_matches: rc: 1 no matches 
> Jul  5 10:46:35 ias2 slapd[11401]: <= acl_mask: no more <who> clauses,

> returning =0 (stop) Jul  5 10:46:35 ias2 slapd[11401]: => 
> access_allowed: search access denied by =0 Jul  5 10:46:35 ias2 
> slapd[11401]: <= test_filter 50
>
> -----Original Message-----
> From: Michal Dobroczynski [mailto:michal.dobroczynski@gmail.com]
> Sent: Thursday, July 05, 2007 10:36 AM
> To: Brian Gaber
> Cc: openldap-software@openldap.org
> Subject: Re: Challenge With Access Control
>
> On 05/07/07, Brian Gaber <Brian.Gaber@pwgsc.gc.ca> wrote:
> >
> >
> >
> > Hope someone can explain this to me.  I am sure it is very trivial.

> > I
>
> > have a primary LDAP server (10.16.13.84), a replica LDAP server
> > (10.16.13.85) and a few clients all with a 10.16.13.x address.
> >
> > Here is the access control I thought would work:
> >
> > access  to *
> >   by self write
> >   by peername=10.16.13.84 write
> >   by peername=10.16.13.81 read
> >   by peername=10.16.13.82 read
> >   by peername=10.16.13.83 read
> >   by peername=10.16.13.85 read
> >   by peername=10.16.13.86 read
> >
> > Here is what does work:
> >
> > access to *
> >   by self write
> >   by peername.ip=10.16.13.84 write
> >   by * read
> >
> >         By work I mean that when I am on the replica (10.16.13.85) 
> > and
>
> > issue an ldapsearch to itself I get a 32 no such object with the top

> > access, but I get the expected result with the bottom access.
>
> I am not 100% sure, but maybe this will help you (I am using similar 
> ACL). AFAIR in the peername you need to add the "IP=" - but I don't 
> really remember, please correct me. The regex matching directive that 
> works for me looks like this:
>
>  by peername.regex="IP=10\.10\.120\..+" read
>
> Then you could try:
>
> by peername.regex="IP=10\.16\.13\.8[1-6]" read
>
> And please double check if you need to supply the "IP=10.10.10.10" for

> the "by peername" without regex.
> The regex solution will not conflict with the first entry as write 
> permission includes reading (and ACL parsing stops on the first 
> matched rule).
>
> Hope this helps.
>
> Regards,
> Michal
>
> >
> > Brian Gaber
>