
slapd 2.4.12 acl problem with multiple groups



Hi,

I have a problem with ACLs on OpenLDAP: one defined group does not match any of its members. Specifically, when I add an entry in ou=people,dc=... as a member of cn=studadm,ou=group,dc=... (uid=florek), it works and I get in slapd's log (shortened):

slapd[29022]: => access_allowed: add access to "ou=people,DC=mathematik,DC=hu-berlin,DC=de" "children" requested
slapd[29022]: => dn: [1] cn=krbcontainer,ou=kerberos,DC=mathematik,DC=hu-berlin,DC=de
slapd[29022]: => dn: [6] ou=autofs,DC=mathematik,DC=hu-berlin,DC=de
slapd[29022]: => dn: [7] ou=group,DC=mathematik,DC=hu-berlin,DC=de
slapd[29022]: => dn: [8] ou=people,DC=mathematik,DC=hu-berlin,DC=de
slapd[29022]: => acl_get: [8] matched
slapd[29022]: => acl_get: [8] attr children
slapd[29022]: => acl_mask: access to entry "ou=people,DC=mathematik,DC=hu-berlin,DC=de", attr "children" requested
slapd[29022]: => acl_mask: to all values by "uid=florek,ou=people,DC=mathematik,DC=hu-berlin,DC=de", (=0)
slapd[29022]: <= check a_group_pat: cn=adm,ou=group,DC=mathematik,DC=hu-berlin,DC=de
slapd[29022]: => bdb_entry_get: found entry: "cn=adm,ou=group,DC=mathematik,DC=hu-berlin,DC=de"
slapd[29022]: <= check a_group_pat: cn=studadm,ou=group,DC=mathematik,DC=hu-berlin,DC=de
slapd[29022]: => bdb_entry_get: found entry: "cn=studadm,ou=group,DC=mathematik,DC=hu-berlin,DC=de"
slapd[29022]: <= acl_mask: [2] applying manage(=mwrscxd) (stop)
slapd[29022]: <= acl_mask: [2] mask: manage(=mwrscxd)
slapd[29022]: => slap_access_allowed: add access granted by manage(=mwrscxd)
slapd[29022]: => access_allowed: add access granted by manage(=mwrscxd)
[...]


As a member of cn=adm,ou=group,dc=... (uid=musch) it does not, and I get:

slapd[29022]: => access_allowed: add access to "ou=people,DC=mathematik,DC=hu-berlin,DC=de" "children" requested
slapd[29022]: => dn: [1] cn=krbcontainer,ou=kerberos,DC=mathematik,DC=hu-berlin,DC=de
slapd[29022]: => dn: [6] ou=autofs,DC=mathematik,DC=hu-berlin,DC=de
slapd[29022]: => dn: [7] ou=group,DC=mathematik,DC=hu-berlin,DC=de
slapd[29022]: => dn: [8] ou=people,DC=mathematik,DC=hu-berlin,DC=de
slapd[29022]: => acl_get: [8] matched
slapd[29022]: => acl_get: [8] attr children
slapd[29022]: => acl_mask: access to entry "ou=people,DC=mathematik,DC=hu-berlin,DC=de", attr "children" requested
slapd[29022]: => acl_mask: to all values by "uid=musch,ou=people,DC=mathematik,DC=hu-berlin,DC=de", (=0)
slapd[29022]: <= check a_group_pat: cn=adm,ou=group,DC=mathematik,DC=hu-berlin,DC=de
slapd[29022]: => bdb_entry_get: found entry: "cn=adm,ou=group,DC=mathematik,DC=hu-berlin,DC=de"
slapd[29022]: <= check a_group_pat: cn=studadm,ou=group,DC=mathematik,DC=hu-berlin,DC=de
slapd[29022]: => bdb_entry_get: found entry: "cn=studadm,ou=group,DC=mathematik,DC=hu-berlin,DC=de"
slapd[29022]: <= check a_peername_path: 141.20.50.0%255.255.254.0
slapd[29022]: <= check a_peername_path: 141.20.52.0%255.255.252.0
slapd[29022]: <= acl_mask: [4] applying read(=rscxd) (stop)
slapd[29022]: <= acl_mask: [4] mask: read(=rscxd)
slapd[29022]: => slap_access_allowed: add access denied by read(=rscxd)
slapd[29022]: => access_allowed: no more rules


I am using OpenLDAP 2.4.12 from SLES 11 (RPM version 2.4.12-7.18.1) with the following ACLs (line breaks added to ease reading; attribute olcAccess in olcDatabase={1}hdb,cn=config):

{0} to dn.subtree="cn=krbContainer,ou=kerberos,DC=mathematik,DC=hu-berlin,DC=de"
     by dn.base="cn=kdc,ou=kerberos,DC=mathematik,DC=hu-berlin,DC=de" read
     by dn="cn=kadmin,ou=kerberos,DC=mathematik,DC=hu-berlin,DC=de" manage
     by * none
{1} to attrs=userPassword,userPKCS12
     by self write
     by * auth
{2} to attrs=shadowLastChange
     by self write
     by * read
{3} to attrs=uidNumber,gidNumber,homeDirectory
     by group="cn=adm,ou=group,dc=mathematik,dc=hu-berlin,dc=de" manage
     by group="cn=studadm,ou=group,dc=mathematik,dc=hu-berlin,dc=de" manage
     by peername.ip=141.20.50.0%255.255.254.0 read
     by peername.ip=141.20.52.0%255.255.252.0 read
     by * none
{4} to attrs=sambaNTPassword,sambaLMPassword
    by * none
{5} to dn.subtree="ou=autofs,DC=mathematik,DC=hu-berlin,DC=de"
    by group="cn=adm,ou=group,dc=mathematik,dc=hu-berlin,dc=de" manage
    by group="cn=studadm,ou=group,dc=mathematik,dc=hu-berlin,dc=de" manage
    by peername.ip=141.20.50.0%255.255.254.0 read
    by peername.ip=141.20.52.0%255.255.252.0 read
    by * none
{6} to dn.subtree="ou=group,DC=mathematik,DC=hu-berlin,DC=de"
    by group="cn=adm,ou=group,dc=mathematik,dc=hu-berlin,dc=de" manage
    by group="cn=studadm,ou=group,dc=mathematik,dc=hu-berlin,dc=de" manage
    by peername.ip=141.20.50.0%255.255.254.0 read
    by peername.ip=141.20.52.0%255.255.252.0 read
    by * none
{7} to dn.subtree="ou=people,DC=mathematik,DC=hu-berlin,DC=de"
    by group="cn=adm,ou=group,dc=mathematik,dc=hu-berlin,dc=de" manage
    by group="cn=studadm,ou=group,dc=mathematik,dc=hu-berlin,dc=de" manage
    by peername.ip=141.20.50.0%255.255.254.0 read
    by peername.ip=141.20.52.0%255.255.252.0 read
    by * none
{8} to dn.subtree="ou=ethers,DC=mathematik,DC=hu-berlin,DC=de"
    by group="cn=adm,ou=group,dc=mathematik,dc=hu-berlin,dc=de" manage
    by group="cn=studadm,ou=group,dc=mathematik,dc=hu-berlin,dc=de" manage
    by peername.ip=141.20.50.0%255.255.254.0 read
    by peername.ip=141.20.52.0%255.255.252.0 read
    by * none
{9} to *
    by * read

Groups are defined as follows:

dn: cn=studadm,ou=group,DC=mathematik,DC=hu-berlin,DC=de
gidNumber: 1300
memberUid: petrov
memberUid: florek
description: studentische Administratoren der Rechentechnik
cn: studadm
member: uid=petrov,ou=people,DC=mathematik,DC=hu-berlin,DC=de
member: uid=florek,ou=people,DC=mathematik,DC=hu-berlin,DC=de
objectClass: top
objectClass: posixGroup
objectClass: namedObject
objectClass: groupOfNames


dn: cn=adm,ou=group,DC=mathematik,DC=hu-berlin,DC=de
cn: adm
gidNumber: 1303
memberUid: gehne
memberUid: rmielke
memberUid: musch
description: Administratoren der Rechentechnik
member: uid=gehne,ou=people,DC=mathematik,DC=hu-berlin.de
member: uid=rmielke,ou=people,DC=mathematik,DC=hu-berlin.de
member: uid=musch,ou=people,DC=mathematik,DC=hu-berlin.de
objectClass: top
objectClass: posixGroup
objectClass: namedObject
objectClass: groupOfNames


And users like this:

dn: uid=musch,ou=people,DC=mathematik,DC=hu-berlin,DC=de
uid: musch
uidNumber: 3001
gidNumber: 3000
cn: Andre Musch
objectClass: top
objectClass: account
objectClass: posixAccount
loginShell: /bin/bash
homeDirectory: /home_s/musch

dn: uid=florek,ou=people,DC=mathematik,DC=hu-berlin,DC=de
uid: florek
uidNumber: 32839
gidNumber: 32003
cn: Tobias Florek
homeDirectory: /u/florek
objectClass: top
objectClass: account
objectClass: posixAccount
loginShell: /bin/zsh


Any ideas?

 Tobias Florek
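An added example (not code from the original post or from OpenLDAP) that emulates what slapd's `by group="<dn>"` clause actually tests: with the default groupOfNames/member form, the bound DN must appear, after DN normalisation, as a `member` value of the group entry; `memberUid` is not consulted. The script runs that check over the two group entries and two user entries posted above and then lists every `member` value that does not end in the directory suffix. The LDIF is constructed from the entries in the post, trimmed to the attributes the check needs, and the DN normalisation is a deliberately simplified stand-in for slapd's (trim whitespace around RDNs, fold case).

```python
"""Emulate slapd's `by group=` membership test and audit member DNs.

Assumptions (this is an illustration, not OpenLDAP's own code):
  * DN normalisation is approximated by trimming whitespace around each
    RDN and lower-casing everything; slapd uses the attributes' matching
    rules, which for the attribute types here are also case-insensitive.
  * The LDIF is flat: no base64 values, no wrapped continuation lines.
"""
import re

# Constructed sample, reduced from the group and user entries in the post.
LDIF = """\
dn: cn=studadm,ou=group,DC=mathematik,DC=hu-berlin,DC=de
cn: studadm
objectClass: groupOfNames
member: uid=petrov,ou=people,DC=mathematik,DC=hu-berlin,DC=de
member: uid=florek,ou=people,DC=mathematik,DC=hu-berlin,DC=de

dn: cn=adm,ou=group,DC=mathematik,DC=hu-berlin,DC=de
cn: adm
objectClass: groupOfNames
member: uid=gehne,ou=people,DC=mathematik,DC=hu-berlin.de
member: uid=rmielke,ou=people,DC=mathematik,DC=hu-berlin.de
member: uid=musch,ou=people,DC=mathematik,DC=hu-berlin.de

dn: uid=musch,ou=people,DC=mathematik,DC=hu-berlin,DC=de
uid: musch
objectClass: posixAccount

dn: uid=florek,ou=people,DC=mathematik,DC=hu-berlin,DC=de
uid: florek
objectClass: posixAccount
"""

SUFFIX = "dc=mathematik,dc=hu-berlin,dc=de"


def parse_ldif(text):
    """Minimal LDIF reader: {dn: {attr: [values]}} for flat, unwrapped entries."""
    entries = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = {}
        for line in block.splitlines():
            name, _, value = line.partition(":")
            attrs.setdefault(name.strip(), []).append(value.strip())
        entries[attrs["dn"][0]] = attrs
    return entries


def normalize_dn(dn):
    """Simplified DN normalisation: split on unescaped commas, trim, fold case."""
    rdns = re.split(r"(?<!\\),", dn)
    return ",".join(r.strip().lower() for r in rdns)


def group_allows(entries, group_dn, bind_dn, member_attr="member"):
    """True iff `by group="group_dn"` would match bind_dn: the normalised bound DN
    must literally equal one normalised value of the group's member attribute.
    A missing group entry simply does not match (slapd falls through to the
    next `by` clause)."""
    by_norm = {normalize_dn(dn): e for dn, e in entries.items()}
    group = by_norm.get(normalize_dn(group_dn))
    if group is None:
        return False
    members = {normalize_dn(m) for m in group.get(member_attr, [])}
    return normalize_dn(bind_dn) in members


def members_outside_suffix(entries, suffix, member_attr="member"):
    """Return (group_dn, member_value) pairs whose member DN does not end in
    the directory suffix. Such values can never equal a DN that lives in the
    directory, so they never satisfy a `by group=` clause."""
    want = "," + normalize_dn(suffix)
    bad = []
    for dn, e in entries.items():
        if "groupOfNames" not in e.get("objectClass", []):
            continue
        for m in e.get(member_attr, []):
            if not normalize_dn(m).endswith(want):
                bad.append((dn, m))
    return bad


ENTRIES = parse_ldif(LDIF)

if __name__ == "__main__":
    for grp, who in (("cn=studadm,ou=group," + SUFFIX, "uid=florek,ou=people," + SUFFIX),
                     ("cn=adm,ou=group," + SUFFIX, "uid=musch,ou=people," + SUFFIX)):
        print(f"{who} matches by group={grp!r}: {group_allows(ENTRIES, grp, who)}")
    for grp, m in members_outside_suffix(ENTRIES, SUFFIX):
        print(f"member of {grp} outside suffix: {m}")
```

On the posted data `group_allows` returns True for florek and False for musch, which is the difference between the two log traces (the `check a_group_pat` lines show both group entries are found, so only the member comparison itself can fail). The suffix audit returns the three `member` values of cn=adm, whose DNs end in `DC=hu-berlin.de` rather than `DC=hu-berlin,DC=de` and therefore never equal `uid=musch,ou=people,DC=mathematik,DC=hu-berlin,DC=de`; the `memberUid` values are irrelevant to the `by group=` check.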