[Date Prev][Date Next] [Chronological] [Thread] [Top]
Re: ldap proxy acl filter problem

To: Howard Chu <hyc@symas.com>
Subject: Re: ldap proxy acl filter problem
From: Ron Peterson <rpeterso@mtholyoke.edu>
Date: Fri, 16 Sep 2011 09:25:41 -0400
Cc: openldap-technical@openldap.org
Content-disposition: inline
In-reply-to: <20110915122254.GA25446@mtholyoke.edu>
Organization: Mount Holyoke College
References: <20110914203356.GI24824@mtholyoke.edu> <4E7114A0.8090505@symas.com> <20110915122254.GA25446@mtholyoke.edu>
User-agent: Mutt/1.5.20 (2009-06-14)
2011-09-15_08:22:54-0400 Ron Peterson <rpeterso@mtholyoke.edu>:
> 2011-09-14_16:54:56-0400 Howard Chu <hyc@symas.com>:
> > >I've turned my logging way up, and the hiccup seems to be that the DN
> > >I've authenticated as
> > >(uid=email,ou=admin,ou=accounts,ou=prod,dc=mtholyoke,dc=edu) needs read
> > >access to the attributes in the filter expression.  But how do I give
> > >that account read access to those attributes, without then exposing the
> > >objects that I'm trying to hide with the filter expression?
> > 
> > Give it auth access, not read access.

My previous example had too much going on for any sane person to wade
through, so I've distilled this configuration down to illustrate the
essence of the problem.  No fancy rewrite rules, etc.  The problem
remains: adding a filter expression makes it impossible to query the
value of particular attributes, although I can retrieve the entire
object.

It must be possible to filter the result set in a back-ldap proxy setup
when querying for particular attributes, but how?

________________________________________________________________________
ldaprc like:

BASE ou=people,ou=accounts,ou=prod,dc=mtholyoke,dc=edu
BINDDN uid=email,ou=admin,ou=accounts,ou=prod,dc=mtholyoke,dc=edu
URI ldap://dirt.mtholyoke.edu
SIZELIMIT   40000
TLS_CACERT /local/etc/cert/ca/cacert.pem

________________________________________________________________________
proxy config like:

database            ldap
suffix              "ou=accounts,ou=prod,dc=mtholyoke,dc=edu"
uri                 "ldapi://%2Fvar%2Frun%2Fslapd%2Fmastertest%2Fldapi"

access to dn.sub="ou=people,ou=accounts,ou=prod,dc=mtholyoke,dc=edu" attrs="entry"
       by dn="uid=email,ou=admin,ou=accounts,ou=prod,dc=mtholyoke,dc=edu" read
       by * none

# log file (see below) seems to indicate proxy wants search permission on this attribute,
# but this doesn't help
access to dn.sub="ou=people,ou=accounts,ou=prod,dc=mtholyoke,dc=edu" attrs="yApplicationPermission"
       by dn="uid=email,ou=admin,ou=accounts,ou=prod,dc=mtholyoke,dc=edu" search
       by * none

access to dn.sub="ou=people,ou=accounts,ou=prod,dc=mtholyoke,dc=edu" filter="(yApplicationPermission=email)"
       by dn="uid=email,ou=admin,ou=accounts,ou=prod,dc=mtholyoke,dc=edu" read
       by * none

________________________________________________________________________
(1) This query works (returns all attributes):
ldapsearch -LLL -Z -x -y ../../private/pwemail '(yUsername=rpeterso)'

(2) This query does not (only returns DN, but not yPrimaryEmail):
ldapsearch -LLL -Z -x -y ../../private/pwemail '(yUsername=rpeterso)' yPrimaryEmail

________________________________________________________________________
Log for both master and proxy database (loglevel 256 128 64 32), for
query (2) above:

pid 32160 = proxy server
pid 24268 = master directory server

Sep 16 09:17:41 mid slapd[32160]: conn=1001 fd=13 ACCEPT from IP=138.110.86.129:51010 (IP=138.110.86.129:389)
Sep 16 09:17:41 mid slapd[32160]: conn=1001 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Sep 16 09:17:41 mid slapd[32160]: conn=1001 op=0 STARTTLS
Sep 16 09:17:41 mid slapd[32160]: conn=1001 op=0 RESULT oid= err=0 text=
Sep 16 09:17:41 mid slapd[32160]: conn=1001 fd=13 TLS established tls_ssf=256 ssf=256
Sep 16 09:17:41 mid slapd[32160]: conn=1001 op=1 BIND dn="uid=email,ou=admin,ou=accounts,ou=prod,dc=mtholyoke,dc=edu" method=128
Sep 16 09:17:41 mid slapd[24268]: conn=1025 fd=13 ACCEPT from PATH=/var/run/slapd/mastertest/ldapi (PATH=/var/run/slapd/mastertest/ldapi)
Sep 16 09:17:41 mid slapd[24268]: conn=1025 op=0 BIND dn="uid=email,ou=admin,ou=accounts,ou=prod,dc=mtholyoke,dc=edu" method=128
Sep 16 09:17:41 mid slapd[24268]: => access_allowed: result not in cache (userPassword)
Sep 16 09:17:41 mid slapd[24268]: => access_allowed: auth access to "uid=email,ou=admin,ou=accounts,ou=prod,dc=mtholyoke,dc=edu" "userPassword" requested
Sep 16 09:17:41 mid slapd[24268]: => acl_get: [1] attr userPassword
Sep 16 09:17:41 mid slapd[24268]: => acl_mask: access to entry "uid=email,ou=admin,ou=accounts,ou=prod,dc=mtholyoke,dc=edu", attr "userPassword" requested
Sep 16 09:17:41 mid slapd[24268]: => acl_mask: to value by "", (=0) 
Sep 16 09:17:41 mid slapd[24268]: <= check a_dn_pat: self
Sep 16 09:17:41 mid slapd[24268]: <= check a_dn_pat: anonymous
Sep 16 09:17:41 mid slapd[24268]: <= acl_mask: [2] applying auth(=xd) (stop)
Sep 16 09:17:41 mid slapd[24268]: <= acl_mask: [2] mask: auth(=xd)
Sep 16 09:17:41 mid slapd[24268]: => slap_access_allowed: auth access granted by auth(=xd)
Sep 16 09:17:41 mid slapd[24268]: => access_allowed: auth access granted by auth(=xd)
Sep 16 09:17:41 mid slapd[24268]: conn=1025 op=0 BIND dn="uid=email,ou=admin,ou=accounts,ou=prod,dc=mtholyoke,dc=edu" mech=SIMPLE ssf=0
Sep 16 09:17:41 mid slapd[24268]: conn=1025 op=0 RESULT tag=97 err=0 text=
Sep 16 09:17:41 mid slapd[32160]: conn=1001 op=1 BIND dn="uid=email,ou=admin,ou=accounts,ou=prod,dc=mtholyoke,dc=edu" mech=SIMPLE ssf=0
Sep 16 09:17:41 mid slapd[32160]: conn=1001 op=1 RESULT tag=97 err=0 text=
Sep 16 09:17:41 mid slapd[32160]: begin get_filter
Sep 16 09:17:41 mid slapd[32160]: EQUALITY
Sep 16 09:17:41 mid slapd[32160]: end get_filter 0
Sep 16 09:17:41 mid slapd[32160]: conn=1001 op=2 SRCH base="ou=people,ou=accounts,ou=prod,dc=mtholyoke,dc=edu" scope=2 deref=0 filter="(yUsername=rpeterso)"
Sep 16 09:17:41 mid slapd[32160]: conn=1001 op=2 SRCH attr=yPrimaryEmail
Sep 16 09:17:41 mid slapd[24268]: conn=1025 op=1 SRCH base="ou=people,ou=accounts,ou=prod,dc=mtholyoke,dc=edu" scope=2 deref=0 filter="(yUsername=rpeterso)"
Sep 16 09:17:41 mid slapd[24268]: conn=1025 op=1 SRCH attr=yPrimaryEmail
Sep 16 09:17:41 mid slapd[24268]: => access_allowed: search access to "ou=people,ou=accounts,ou=prod,dc=mtholyoke,dc=edu" "entry" requested
Sep 16 09:17:41 mid slapd[24268]: => dn: [3] dc=mtholyoke,dc=edu
Sep 16 09:17:41 mid slapd[24268]: => acl_get: [3] matched
Sep 16 09:17:41 mid slapd[24268]: => acl_get: [3] attr entry
Sep 16 09:17:41 mid slapd[24268]: => acl_mask: access to entry "ou=people,ou=accounts,ou=prod,dc=mtholyoke,dc=edu", attr "entry" requested
Sep 16 09:17:41 mid slapd[24268]: => acl_mask: to all values by "uid=email,ou=admin,ou=accounts,ou=prod,dc=mtholyoke,dc=edu", (=0) 
Sep 16 09:17:41 mid slapd[24268]: <= check a_dn_pat: ^uid=[^,]*,ou=admin,ou=accounts,ou=prod,dc=mtholyoke,dc=edu
Sep 16 09:17:41 mid slapd[24268]: => acl_string_expand: pattern:  ^uid=[^,]*,ou=admin,ou=accounts,ou=prod,dc=mtholyoke,dc=edu
Sep 16 09:17:41 mid slapd[24268]: => acl_string_expand: expanded: ^uid=[^,]*,ou=admin,ou=accounts,ou=prod,dc=mtholyoke,dc=edu
Sep 16 09:17:41 mid slapd[24268]: <= acl_mask: [1] applying read(=rscxd) (stop)
Sep 16 09:17:41 mid slapd[24268]: <= acl_mask: [1] mask: read(=rscxd)
Sep 16 09:17:41 mid slapd[24268]: => slap_access_allowed: search access granted by read(=rscxd)
Sep 16 09:17:41 mid slapd[24268]: => access_allowed: search access granted by read(=rscxd)
Sep 16 09:17:41 mid slapd[24268]: => access_allowed: search access to "yDirectoryID=c44883ba-ac62-d28c-556f-99ccbf532da7,ou=people,ou=accounts,ou=prod,dc=mtholyoke,dc=edu" "yUsername" requested
Sep 16 09:17:41 mid slapd[24268]: => dn: [3] dc=mtholyoke,dc=edu
Sep 16 09:17:41 mid slapd[24268]: => acl_get: [3] matched
Sep 16 09:17:41 mid slapd[24268]: => dn: [4] dc=mtholyoke,dc=edu
Sep 16 09:17:41 mid slapd[24268]: => acl_get: [4] matched
Sep 16 09:17:41 mid slapd[24268]: => acl_get: [4] attr yUsername
Sep 16 09:17:41 mid slapd[24268]: => acl_mask: access to entry "yDirectoryID=c44883ba-ac62-d28c-556f-99ccbf532da7,ou=people,ou=accounts,ou=prod,dc=mtholyoke,dc=edu", attr "yUsername" requested
Sep 16 09:17:41 mid slapd[24268]: => acl_mask: to value by "uid=email,ou=admin,ou=accounts,ou=prod,dc=mtholyoke,dc=edu", (=0) 
Sep 16 09:17:41 mid slapd[24268]: <= check a_dn_pat: ^uid[^,]*,ou=admin,ou=accounts,ou=prod,dc=mtholyoke,dc=edu
Sep 16 09:17:41 mid slapd[24268]: => acl_string_expand: pattern:  ^uid[^,]*,ou=admin,ou=accounts,ou=prod,dc=mtholyoke,dc=edu
Sep 16 09:17:41 mid slapd[24268]: => acl_string_expand: expanded: ^uid[^,]*,ou=admin,ou=accounts,ou=prod,dc=mtholyoke,dc=edu
Sep 16 09:17:41 mid slapd[24268]: <= acl_mask: [1] applying read(=rscxd) (stop)
Sep 16 09:17:41 mid slapd[24268]: <= acl_mask: [1] mask: read(=rscxd)
Sep 16 09:17:41 mid slapd[24268]: => slap_access_allowed: search access granted by read(=rscxd)
Sep 16 09:17:41 mid slapd[24268]: => access_allowed: search access granted by read(=rscxd)
Sep 16 09:17:41 mid slapd[24268]: => access_allowed: read access to "yDirectoryID=c44883ba-ac62-d28c-556f-99ccbf532da7,ou=people,ou=accounts,ou=prod,dc=mtholyoke,dc=edu" "entry" requested
Sep 16 09:17:41 mid slapd[24268]: => dn: [3] dc=mtholyoke,dc=edu
Sep 16 09:17:41 mid slapd[24268]: => acl_get: [3] matched
Sep 16 09:17:41 mid slapd[24268]: => acl_get: [3] attr entry
Sep 16 09:17:41 mid slapd[24268]: => acl_mask: access to entry "yDirectoryID=c44883ba-ac62-d28c-556f-99ccbf532da7,ou=people,ou=accounts,ou=prod,dc=mtholyoke,dc=edu", attr "entry" requested
Sep 16 09:17:41 mid slapd[24268]: => acl_mask: to all values by "uid=email,ou=admin,ou=accounts,ou=prod,dc=mtholyoke,dc=edu", (=0) 
Sep 16 09:17:41 mid slapd[24268]: <= check a_dn_pat: ^uid=[^,]*,ou=admin,ou=accounts,ou=prod,dc=mtholyoke,dc=edu
Sep 16 09:17:41 mid slapd[24268]: => acl_string_expand: pattern:  ^uid=[^,]*,ou=admin,ou=accounts,ou=prod,dc=mtholyoke,dc=edu
Sep 16 09:17:41 mid slapd[24268]: => acl_string_expand: expanded: ^uid=[^,]*,ou=admin,ou=accounts,ou=prod,dc=mtholyoke,dc=edu
Sep 16 09:17:41 mid slapd[24268]: <= acl_mask: [1] applying read(=rscxd) (stop)
Sep 16 09:17:41 mid slapd[24268]: <= acl_mask: [1] mask: read(=rscxd)
Sep 16 09:17:41 mid slapd[24268]: => slap_access_allowed: read access granted by read(=rscxd)
Sep 16 09:17:41 mid slapd[24268]: => access_allowed: read access granted by read(=rscxd)
Sep 16 09:17:41 mid slapd[24268]: => access_allowed: result not in cache (yPrimaryEmail)
Sep 16 09:17:41 mid slapd[24268]: => access_allowed: read access to "yDirectoryID=c44883ba-ac62-d28c-556f-99ccbf532da7,ou=people,ou=accounts,ou=prod,dc=mtholyoke,dc=edu" "yPrimaryEmail" requested
Sep 16 09:17:41 mid slapd[24268]: => dn: [3] dc=mtholyoke,dc=edu
Sep 16 09:17:41 mid slapd[24268]: => acl_get: [3] matched
Sep 16 09:17:41 mid slapd[24268]: => dn: [4] dc=mtholyoke,dc=edu
Sep 16 09:17:41 mid slapd[24268]: => acl_get: [4] matched
Sep 16 09:17:41 mid slapd[24268]: => acl_get: [4] attr yPrimaryEmail
Sep 16 09:17:41 mid slapd[24268]: => acl_mask: access to entry "yDirectoryID=c44883ba-ac62-d28c-556f-99ccbf532da7,ou=people,ou=accounts,ou=prod,dc=mtholyoke,dc=edu", attr "yPrimaryEmail" requested
Sep 16 09:17:41 mid slapd[24268]: => acl_mask: to value by "uid=email,ou=admin,ou=accounts,ou=prod,dc=mtholyoke,dc=edu", (=0) 
Sep 16 09:17:41 mid slapd[24268]: <= check a_dn_pat: ^uid[^,]*,ou=admin,ou=accounts,ou=prod,dc=mtholyoke,dc=edu
Sep 16 09:17:41 mid slapd[24268]: => acl_string_expand: pattern:  ^uid[^,]*,ou=admin,ou=accounts,ou=prod,dc=mtholyoke,dc=edu
Sep 16 09:17:41 mid slapd[24268]: => acl_string_expand: expanded: ^uid[^,]*,ou=admin,ou=accounts,ou=prod,dc=mtholyoke,dc=edu
Sep 16 09:17:41 mid slapd[24268]: <= acl_mask: [1] applying read(=rscxd) (stop)
Sep 16 09:17:41 mid slapd[24268]: <= acl_mask: [1] mask: read(=rscxd)
Sep 16 09:17:41 mid slapd[24268]: => slap_access_allowed: read access granted by read(=rscxd)
Sep 16 09:17:41 mid slapd[24268]: => access_allowed: read access granted by read(=rscxd)
Sep 16 09:17:41 mid slapd[24268]: conn=1025 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Sep 16 09:17:41 mid slapd[32160]: => access_allowed: read access to "yDirectoryID=c44883ba-ac62-d28c-556f-99ccbf532da7,ou=people,ou=accounts,ou=prod,dc=mtholyoke,dc=edu" "entry" requested
Sep 16 09:17:41 mid slapd[32160]: => dn: [1] ou=people,ou=accounts,ou=prod,dc=mtholyoke,dc=edu
Sep 16 09:17:41 mid slapd[32160]: => acl_get: [1] matched
Sep 16 09:17:41 mid slapd[32160]: => acl_get: [1] attr entry
Sep 16 09:17:41 mid slapd[32160]: => acl_mask: access to entry "yDirectoryID=c44883ba-ac62-d28c-556f-99ccbf532da7,ou=people,ou=accounts,ou=prod,dc=mtholyoke,dc=edu", attr "entry" requested
Sep 16 09:17:41 mid slapd[32160]: => acl_mask: to all values by "uid=email,ou=admin,ou=accounts,ou=prod,dc=mtholyoke,dc=edu", (=0) 
Sep 16 09:17:41 mid slapd[32160]: <= check a_dn_pat: uid=email,ou=admin,ou=accounts,ou=prod,dc=mtholyoke,dc=edu
Sep 16 09:17:41 mid slapd[32160]: <= acl_mask: [1] applying read(=rscxd) (stop)
Sep 16 09:17:41 mid slapd[32160]: <= acl_mask: [1] mask: read(=rscxd)
Sep 16 09:17:41 mid slapd[32160]: => slap_access_allowed: read access granted by read(=rscxd)
Sep 16 09:17:41 mid slapd[32160]: => access_allowed: read access granted by read(=rscxd)
Sep 16 09:17:41 mid slapd[32160]: => access_allowed: result not in cache (yPrimaryEmail)
Sep 16 09:17:41 mid slapd[32160]: => access_allowed: read access to "yDirectoryID=c44883ba-ac62-d28c-556f-99ccbf532da7,ou=people,ou=accounts,ou=prod,dc=mtholyoke,dc=edu" "yPrimaryEmail" requested
Sep 16 09:17:41 mid slapd[32160]: => dn: [1] ou=people,ou=accounts,ou=prod,dc=mtholyoke,dc=edu
Sep 16 09:17:41 mid slapd[32160]: => acl_get: [1] matched
Sep 16 09:17:41 mid slapd[32160]: => dn: [2] ou=people,ou=accounts,ou=prod,dc=mtholyoke,dc=edu
Sep 16 09:17:41 mid slapd[32160]: => acl_get: [2] matched
Sep 16 09:17:41 mid slapd[32160]: => dn: [3] ou=people,ou=accounts,ou=prod,dc=mtholyoke,dc=edu
Sep 16 09:17:41 mid slapd[32160]: => acl_get: [3] matched
Sep 16 09:17:41 mid slapd[32160]: => test_filter
Sep 16 09:17:41 mid slapd[32160]:     EQUALITY
Sep 16 09:17:41 mid slapd[32160]: => access_allowed: search access to "yDirectoryID=c44883ba-ac62-d28c-556f-99ccbf532da7,ou=people,ou=accounts,ou=prod,dc=mtholyoke,dc=edu" "yApplicationPermission" requested
Sep 16 09:17:41 mid slapd[32160]: <= test_filter 5
Sep 16 09:17:41 mid slapd[32160]: <= acl_get: done.
Sep 16 09:17:41 mid slapd[32160]: => slap_access_allowed: no more rules
Sep 16 09:17:41 mid slapd[32160]: => access_allowed: no more rules
Sep 16 09:17:41 mid slapd[32160]: send_search_entry: conn 1001 access to attribute yPrimaryEmail, value #0 not allowed
Sep 16 09:17:41 mid slapd[32160]: conn=1001 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
Sep 16 09:17:41 mid slapd[32160]: conn=1001 op=3 UNBIND
Sep 16 09:17:41 mid slapd[24268]: conn=1025 op=2 UNBIND
Sep 16 09:17:41 mid slapd[32160]: conn=1001 fd=13 closed
Sep 16 09:17:41 mid slapd[24268]: conn=1025 fd=13 closed
Sep 16 09:17:41 mid slapd[24268]: connection_read(13): no connection!
Sep 16 09:17:41 mid slapd[24268]: connection_read(13): no connection!



-- 
Ron Peterson
Network & Systems Administrator
Mount Holyoke College
http://www.mtholyoke.edu/~rpeterso
References:
- ldap proxy acl filter problem
  - From: Ron Peterson <rpeterso@mtholyoke.edu>
- Re: ldap proxy acl filter problem
  - From: Howard Chu <hyc@symas.com>
- Re: ldap proxy acl filter problem
  - From: Ron Peterson <rpeterso@mtholyoke.edu>
Prev by Date: Re: open LDAP + TLS/SSL bind Failed.
Next by Date: Re: How to disable cn=config module in OpenLDAP
Index(es):
- Chronological
- Thread