
Re: slapd-meta and acls



Irina Shetuhina <irka@masterhost.ru> writes:

> Good afternoon.
>
>> Dmitriy Kirhlarov <dimma@higis.ru> writes:
>
>>> Hi list.
>>>
>>> I'll try to ask again. :)
>>>
>>> We are want use slapd-meta for aggregate several databases to one
>>> DIT. We are suppose, users will read and write "o=vega" (virtual)
>>> suffix. Members of cn=sysadmins should have write access to all db
>>> objects.
>>> Also, we would like to use ACL's per-databases, not global.
>>>
>>> Currently, write access to ou=devel doesn't work and we can't find
>>> error in our acls.
>
>> run slapd in debugging mode, that is slapd -dacl, to watch acl
>> parsing. 
>
>> -Dieter
>
>
> I connect to "cn=root on devels hosts,ou=sudoers,ou=devel" as
> "uid=ishetukhina,ou=users,o=vega".
>
> acl:
> access to dn.sub="ou=devel"
>         by group/groupOfUniqueNames/uniqueMember="cn=sysadmins,ou=groups,o=vega-main" write
>         by * read
>
> "uid=ishetukhina,ou=users,o=vega" is in "cn=sysadmins,ou=groups,o=vega-main"
>
> But I see in log:
>
> Dec  1 18:54:40 ldap slapd[17667]: => acl_mask: access to entry "cn=root on devels hosts,ou=sudoers,ou=devel", attr "entry" requested
> Dec  1 18:54:40 ldap slapd[17667]: => acl_mask: to all values by "", (=0)
> Dec  1 18:54:40 ldap slapd[17667]: <= check a_dn_pat: *
> Dec  1 18:54:40 ldap slapd[17667]: <= acl_mask: [2] applying read(=rscxd) (stop)
> Dec  1 18:54:40 ldap slapd[17667]: <= acl_mask: [2] mask: read(=rscxd)
>
> Why do [2] work?

Because the DSA is only authoritative for the Directory Information
Tree ou=devel, but not authoritative for the DIT o=vega-main, thus
cannot check the membership of the group cn=sysadmins, ...
Therefore access rule 2 (by * read) is applied.

-Dieter

-- 
Dieter Klünter | Systemberatung
http://www.dpunkt.de/buecher/2104.html
sip: +49.180.1555.7770535
GPG Key ID:8EF7B6C6
53°08'09,95"N
10°08'02,42"E
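The fall-through explained in the reply, as an added example that is not OpenLDAP code and not from anyone in the thread: a small Python model of how slapd walks an `access to` rule, where the first matching `by` clause wins and a `by group/...` clause whose group entry this DSA does not hold simply does not match. The access rule, the entry DN, the bind DN and the group DN are taken from the quoted message; the `Directory` class, its entry contents and the `evaluate` function are constructed for the example. Running it with a directory that holds only the ou=devel tree yields clause `[2]` (read), matching the quoted log; adding the group entry makes clause `[1]` (write) apply.

```python
"""Minimal model of OpenLDAP slapd ACL evaluation.

Added example, not OpenLDAP code: it reproduces the documented semantics
(the first <who> clause that matches wins, and a group clause whose group
entry cannot be resolved by this DSA does not match) so the fall-through
to "by * read" seen in the quoted log can be reproduced and tested.
"""
from dataclasses import dataclass
from typing import Optional


def normalize_dn(dn: str) -> str:
    """Case-fold and strip whitespace around RDNs (sufficient for this model)."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def dn_is_sub(entry_dn: str, base_dn: str) -> bool:
    """True if entry_dn equals base_dn or lies beneath it (dn.sub semantics)."""
    entry, base = normalize_dn(entry_dn), normalize_dn(base_dn)
    return entry == base or entry.endswith("," + base)


@dataclass
class WhoClause:
    kind: str            # "anyone" (by *) or "group" (by group/...=...)
    access: str          # access level granted, e.g. "read" or "write"
    group_dn: str = ""   # only used when kind == "group"


@dataclass
class AccessRule:
    target_sub: str      # the "to dn.sub=..." base
    clauses: list        # ordered WhoClause list, evaluated top to bottom


@dataclass
class Directory:
    """Entries this DSA is authoritative for: normalized DN -> attributes."""
    entries: dict

    def group_members(self, group_dn: str, attr: str = "uniquemember") -> Optional[set]:
        """Member DNs of a locally held group, or None when the group entry
        is not held by this DSA and membership therefore cannot be checked."""
        entry = self.entries.get(normalize_dn(group_dn))
        if entry is None:
            return None
        return {normalize_dn(m) for m in entry.get(attr, [])}


def evaluate(rules, directory, entry_dn, bind_dn):
    """Find the first clause granting access to entry_dn for bind_dn.

    Returns (rule_number, clause_number, access), numbered from 1 as in
    slapd's "acl_mask: [n] applying ... (stop)" log line, or None when no
    clause of the matching rule applies (slapd then grants no access).
    """
    for rule_no, rule in enumerate(rules, 1):
        if not dn_is_sub(entry_dn, rule.target_sub):
            continue
        for clause_no, clause in enumerate(rule.clauses, 1):
            if clause.kind == "anyone":
                return (rule_no, clause_no, clause.access)
            if clause.kind == "group":
                members = directory.group_members(clause.group_dn)
                if members is not None and normalize_dn(bind_dn) in members:
                    return (rule_no, clause_no, clause.access)
                # unresolved group or non-member: fall through to next clause
        return None
    return None


# The access rule and DNs from the quoted message.
RULES = [AccessRule("ou=devel", [
    WhoClause("group", "write", "cn=sysadmins,ou=groups,o=vega-main"),
    WhoClause("anyone", "read"),
])]
ENTRY_DN = "cn=root on devels hosts,ou=sudoers,ou=devel"
BIND_DN = "uid=ishetukhina,ou=users,o=vega"

# Constructed directories: one holding only the ou=devel tree, one that
# also holds the sysadmins group entry under o=vega-main.
DEVEL_ONLY = Directory({normalize_dn(ENTRY_DN): {"objectclass": ["top"]}})
WITH_GROUP = Directory({
    normalize_dn(ENTRY_DN): {"objectclass": ["top"]},
    normalize_dn("cn=sysadmins,ou=groups,o=vega-main"): {
        "objectclass": ["groupOfUniqueNames"],
        "uniquemember": [BIND_DN],
    },
})

if __name__ == "__main__":
    print("group unresolvable:", evaluate(RULES, DEVEL_ONLY, ENTRY_DN, BIND_DN))
    print("group resolvable:  ", evaluate(RULES, WITH_GROUP, ENTRY_DN, BIND_DN))
```

The practical check this models: when `slapd -d acl` shows a `by group/...` clause being skipped, confirm that the group DN lies under a suffix the same slapd instance serves, otherwise the membership test can never succeed and the next clause silently decides the outcome.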