
Re: Letting Users Create Groups



>  ACLs along these lines should do the rest

Actually, this doesn't seem to work:

access to
 dn.exact="ou=Group,dc=example"
 attrs=children
 by users write
 by * break

access to
 dn.subtree="ou=Group,dc=example"
 attrs=entry
 filter="(&(objectClass=posixGroup)(objectClass=myGroup)(gidNumber>=1000)(gidNumber<=10000))"
 by users add
 by * break

access to
 dn.subtree="ou=Group,dc=example"
 attrs=manager,memberUid,description,myStatus
 by set="this/manager & user" write
 by * break

If I take out the "filter" line, it works fine, but with the "filter" line there it doesn't work, regardless of what gidNumber I provide.

The OpenLDAP log with "acl" logging enabled is attached.  What do I need to add to these ACLs to get this working?  I tried adding all the group-specific attributes to the "attrs=entry" line, but that did not help.

Tim Gustafson
Baskin School of Engineering
UC Santa Cruz
tjg@soe.ucsc.edu
831-459-5354

slapd[50953]: => access_allowed: result not in cache (userPassword)
slapd[50953]: => access_allowed: auth access to "uid=webtest,ou=People,dc=example" "userPassword" requested
slapd[50953]: => acl_get: [1] attr userPassword
slapd[50953]: => acl_mask: access to entry "uid=webtest,ou=People,dc=example", attr "userPassword" requested
slapd[50953]: => acl_mask: to value by "", (=0) 
slapd[50953]: <= check a_dn_pat: uid=replicator,ou=people,dc=example
slapd[50953]: <= check a_dn_pat: *
slapd[50953]: <= acl_mask: [3] applying +0 (break)
slapd[50953]: <= acl_mask: [3] mask: =0
slapd[50953]: => dn: [2] ou=pykota,dc=example
slapd[50953]: => dn: [3] ou=people,dc=example
slapd[50953]: => acl_get: [3] matched
slapd[50953]: => dn: [4] ou=people,dc=example
slapd[50953]: => acl_get: [4] matched
slapd[50953]: => access_allowed: search access to "uid=webtest,ou=People,dc=example" "objectClass" requested
slapd[50953]: => access_allowed: search access to "uid=webtest,ou=People,dc=example" "soeStatus" requested
slapd[50953]: => access_allowed: search access to "uid=webtest,ou=People,dc=example" "soeStatus" requested
slapd[50953]: => dn: [5] ou=people,dc=example
slapd[50953]: => acl_get: [5] matched
slapd[50953]: => acl_get: [5] attr userPassword
slapd[50953]: => acl_mask: access to entry "uid=webtest,ou=People,dc=example", attr "userPassword" requested
slapd[50953]: => acl_mask: to value by "", (=0) 
slapd[50953]: <= check a_dn_pat: uid=radius,ou=people,dc=example
slapd[50953]: <= check a_dn_pat: self
slapd[50953]: <= check a_dn_pat: anonymous
slapd[50953]: <= check a_authz.sai_ssf: ACL 128 > OP 256
slapd[50953]: <= acl_mask: [3] applying auth(=xd) (stop)
slapd[50953]: <= acl_mask: [3] mask: auth(=xd)
slapd[50953]: => slap_access_allowed: auth access granted by auth(=xd)
slapd[50953]: => access_allowed: auth access granted by auth(=xd)
slapd[50953]: => access_allowed: search access to "ou=Group,dc=example" "entry" requested
slapd[50953]: <= root access granted
slapd[50953]: => access_allowed: search access granted by manage(=mwrscxd)
slapd[50953]: => access_allowed: search access to "ou=Group,dc=example" "entry" requested
slapd[50953]: <= root access granted
slapd[50953]: => access_allowed: search access granted by manage(=mwrscxd)
slapd[50953]: slap_queue_csn: queing 0x7fffff3fd220 20110318163310.018942Z#000000#000#000000
slapd[50953]: => access_allowed: add access to "ou=Group,dc=example" "children" requested
slapd[50953]: => acl_get: [1] attr children
slapd[50953]: => acl_mask: access to entry "ou=Group,dc=example", attr "children" requested
slapd[50953]: => acl_mask: to all values by "uid=webtest,ou=people,dc=example", (=0) 
slapd[50953]: <= check a_dn_pat: uid=replicator,ou=people,dc=example
slapd[50953]: <= check a_group_pat: cn=ldap-admins,ou=group,dc=example
slapd[50953]: => bdb_entry_get: found entry: "cn=ldap-admins,ou=group,dc=example"
slapd[50953]: <= check a_dn_pat: *
slapd[50953]: <= acl_mask: [3] applying +0 (break)
slapd[50953]: <= acl_mask: [3] mask: =0
slapd[50953]: => dn: [2] ou=pykota,dc=example
slapd[50953]: => dn: [3] ou=people,dc=example
slapd[50953]: => dn: [4] ou=people,dc=example
slapd[50953]: => dn: [5] ou=people,dc=example
slapd[50953]: => dn: [6] ou=people,dc=example
slapd[50953]: => dn: [7] ou=people,dc=example
slapd[50953]: => dn: [8] ou=people,dc=example
slapd[50953]: => dn: [9] ou=people,dc=example
slapd[50953]: => dn: [10] ou=group,dc=example
slapd[50953]: => acl_get: [10] matched
slapd[50953]: => acl_get: [10] attr children
slapd[50953]: => acl_mask: access to entry "ou=Group,dc=example", attr "children" requested
slapd[50953]: => acl_mask: to all values by "uid=webtest,ou=people,dc=example", (=0) 
slapd[50953]: <= check a_dn_pat: users
slapd[50953]: <= acl_mask: [1] applying write(=wrscxd) (stop)
slapd[50953]: <= acl_mask: [1] mask: write(=wrscxd)
slapd[50953]: => slap_access_allowed: add access granted by write(=wrscxd)
slapd[50953]: => access_allowed: add access granted by write(=wrscxd)
slapd[50953]: => access_allowed: add access to "cn=foo,ou=Group,dc=example" "entry" requested
slapd[50953]: => acl_get: [1] attr entry
slapd[50953]: => acl_mask: access to entry "cn=foo,ou=Group,dc=example", attr "entry" requested
slapd[50953]: => acl_mask: to all values by "uid=webtest,ou=people,dc=example", (=0) 
slapd[50953]: <= check a_dn_pat: uid=replicator,ou=people,dc=example
slapd[50953]: <= check a_group_pat: cn=ldap-admins,ou=group,dc=example
slapd[50953]: <= check a_dn_pat: *
slapd[50953]: <= acl_mask: [3] applying +0 (break)
slapd[50953]: <= acl_mask: [3] mask: =0
slapd[50953]: => dn: [2] ou=pykota,dc=example
slapd[50953]: => dn: [3] ou=people,dc=example
slapd[50953]: => dn: [4] ou=people,dc=example
slapd[50953]: => dn: [5] ou=people,dc=example
slapd[50953]: => dn: [6] ou=people,dc=example
slapd[50953]: => dn: [7] ou=people,dc=example
slapd[50953]: => dn: [8] ou=people,dc=example
slapd[50953]: => dn: [9] ou=people,dc=example
slapd[50953]: => dn: [10] ou=group,dc=example
slapd[50953]: => dn: [11] ou=group,dc=example
slapd[50953]: => acl_get: [11] matched
slapd[50953]: => access_allowed: search access to "cn=foo,ou=Group,dc=example" "objectClass" requested
slapd[50953]: => access_allowed: search access to "cn=foo,ou=Group,dc=example" "objectClass" requested
slapd[50953]: => dn: [12] ou=group,dc=example
slapd[50953]: => acl_get: [12] matched
slapd[50953]: => acl_get: [13] attr entry
slapd[50953]: => acl_mask: access to entry "cn=foo,ou=Group,dc=example", attr "entry" requested
slapd[50953]: => acl_mask: to all values by "uid=webtest,ou=people,dc=example", (=0) 
slapd[50953]: <= check a_peername_path: 128.114..*
slapd[50953]: => acl_string_expand: pattern:  128.114..*
slapd[50953]: => acl_string_expand: expanded: 128.114..*
slapd[50953]: <= acl_mask: [1] applying read(=rscxd) (stop)
slapd[50953]: <= acl_mask: [1] mask: read(=rscxd)
slapd[50953]: => slap_access_allowed: add access denied by read(=rscxd)
slapd[50953]: => access_allowed: no more rules
slapd[50953]: slap_graduate_commit_csn: removing 0x807016790 20110318163310.018942Z#000000#000#000000
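An added helper for reading traces like the attachment above (not code from the original post or from OpenLDAP): it reduces an "acl" loglevel trace to one verdict per access check, listing which ACL and by-clause applied and which ACLs matched the target DN but never produced an "attr" line, i.e. never got past the attrs/filter stage. The sample trace is constructed and abridged, and the treatment of requests logged before an open request has a verdict is a heuristic.

```python
import re
from dataclasses import dataclass, field
# Constructed, abridged trace in the shape of slapd's "acl" loglevel output (not the poster's file).
SAMPLE_LOG = """\
=> access_allowed: add access to "ou=Group,dc=example" "children" requested
=> acl_get: [10] attr children
<= acl_mask: [1] applying write(=wrscxd) (stop)
=> access_allowed: add access granted by write(=wrscxd)
=> access_allowed: add access to "cn=foo,ou=Group,dc=example" "entry" requested
=> acl_get: [1] attr entry
<= acl_mask: [3] applying +0 (break)
=> access_allowed: search access to "cn=foo,ou=Group,dc=example" "objectClass" requested
=> acl_get: [12] matched
=> acl_get: [13] attr entry
<= acl_mask: [1] applying read(=rscxd) (stop)
=> slap_access_allowed: add access denied by read(=rscxd)
=> access_allowed: no more rules
"""

RE_REQ = re.compile(r'access_allowed: (\w+) access to "[^"]*" "([^"]*)" requested')
RE_GET = re.compile(r'acl_get: \[(\d+)\] (matched|attr)')         # [N] here is the ACL number
RE_MASK = re.compile(r'acl_mask: \[(\d+)\] applying (\S+) \((break|stop)\)')  # [N] here is the by-clause
RE_RESULT = re.compile(r'access_allowed: (?:\w+ access (granted|denied) by (\S+)|no more rules)')
@dataclass
class Decision:
    request: tuple                                    # (operation, attribute) being checked
    dn_matched: list = field(default_factory=list)    # ACL numbers whose "to" DN target matched
    attr_checked: list = field(default_factory=list)  # ACL numbers that also passed attrs/filter
    steps: list = field(default_factory=list)         # (acl, by-clause index, privilege, control)
    nested: list = field(default_factory=list)        # (op, attr) requests logged before a verdict
    outcome: str = "undecided"

def parse_acl_log(text):
    decisions, cur, acl = [], None, None
    for line in text.splitlines():
        if m := RE_REQ.search(line):
            if cur and cur.outcome == "undecided":    # heuristic: a request inside an open request
                cur.nested.append(m.groups()); continue
            cur = Decision(m.groups()); decisions.append(cur); acl = None
        elif cur and (m := RE_GET.search(line)):
            acl = int(m.group(1))
            (cur.dn_matched if m.group(2) == "matched" else cur.attr_checked).append(acl)
        elif cur and (m := RE_MASK.search(line)):
            cur.steps.append((acl, int(m.group(1)), m.group(2), m.group(3)))
        elif cur and cur.outcome == "undecided" and (m := RE_RESULT.search(line)):
            cur.outcome = f"{m.group(1)} by {m.group(2)}" if m.group(1) else "denied (no more rules)"
    return decisions

def skipped_after_dn_match(d):
    return [a for a in d.dn_matched if a not in d.attr_checked]  # DN target hit, attrs/filter miss
```

Run over the full attachment (after stripping the `slapd[pid]:` prefix) the second add check reports ACL 12 as matched-by-DN but never attr-checked, which is where to look when a filter clause stops an ACL from applying.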