
Re: slapo-dynlist design question(s)

--On Friday, January 12, 2007 8:49 PM +0100 Pierangelo Masarati <ando@sys-net.it> wrote:

> Quanah Gibson-Mount wrote:
>> My intention is to be able to do something like:
>>
>> access to dn.exact="cn=groupa,cn=groups,dc=stanford,dc=edu"
>
> This should read:
>
> access to dn.exact="cn=groupa,cn=groups,dc=stanford,dc=edu" attrs=member
>
> Try this patch (to HEAD as of now).

No go... I have:

access to dn.exact="cn=registry-consult,cn=groups,cn=applications,dc=stanford,dc=edu" attrs=member
    by dn.base="uid=cadabra,cn=accounts,dc=stanford,dc=edu" read
    by * none

(cadabra is my test account)


I get nothing back.

If I change it to:

access to dn.exact="cn=registry-consult,cn=groups,cn=applications,dc=stanford,dc=edu"
    by dn.base="uid=cadabra,cn=accounts,dc=stanford,dc=edu" sasl_ssf=56 read
    by * none

I can see:

dn: cn=registry-consult,cn=groups,cn=applications,dc=stanford,dc=edu
objectClass: groupOfURLs
cn: registry-consult
memberURL: ldap:///cn=people,dc=stanford,dc=edu??sub?(suprivilegegroup=registry:consult)

(notice no membership)

If I search this with my normal id (quanah), which has full access, I get the listing + members.


debug level -1 shows:

[snip]

<==slap_sasl2dn: Converted SASL name to uid=cadabra,cn=accounts,dc=stanford,dc=edu
slap_sasl_getdn: dn:id converted to uid=cadabra,cn=accounts,dc=stanford,dc=edu
SASL Canonicalize [conn=0]: slapAuthcDN="uid=cadabra,cn=accounts,dc=stanford,dc=edu"
SASL proxy authorize [conn=0]: authcid="cadabra@stanford.edu" authzid="cadabra@stanford.edu"
conn=0 op=3 BIND authcid="cadabra@stanford.edu" authzid="cadabra@stanford.edu"
SASL Authorize [conn=0]: proxy authorization allowed authzDN=""
send_ldap_sasl: err=0 len=-1
conn=0 op=3 BIND dn="uid=cadabra,cn=accounts,dc=stanford,dc=edu" mech=GSSAPI ssf=56


conn=0 op=4 SRCH base="cn=groups,cn=applications,dc=stanford,dc=edu" scope=2 deref=0 filter="(cn=registry-consult)"

=> access_allowed: search access to "cn=registry-consult,cn=groups,cn=applications,dc=stanford,dc=edu" "cn" requested

=> acl_mask: access to entry "cn=registry-consult,cn=groups,cn=applications,dc=stanford,dc=edu", attr "cn" requested
=> acl_mask: to value by "uid=cadabra,cn=accounts,dc=stanford,dc=edu", (=0)
<= check a_dn_pat: uid=cadabra,cn=accounts,dc=stanford,dc=edu
<= check a_authz.sai_sasl_ssf: ACL 56 > OP 56
<= acl_mask: [1] applying read(=rscxd) (stop)
<= acl_mask: [1] mask: read(=rscxd)
=> slap_access_allowed: search access granted by read(=rscxd)
=> access_allowed: search access granted by read(=rscxd)
<= test_filter 6
ldap_url_parse_ext(ldap:///cn=people,dc=stanford,dc=edu??sub?(suprivilegegroup=registry:consult))
dnPrettyNormal: <cn=people,dc=stanford,dc=edu>
=> ldap_bv2dn(cn=people,dc=stanford,dc=edu,0)
<= ldap_bv2dn(cn=people,dc=stanford,dc=edu)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(cn=people,dc=stanford,dc=edu)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(cn=people,dc=stanford,dc=edu)=0
<<< dnPrettyNormal: <cn=people,dc=stanford,dc=edu>, <cn=people,dc=stanford,dc=edu>
str2filter "(&(!(objectClass=groupOfURLs))(suprivilegegroup=registry:consult))"
put_filter: "(&(!(objectClass=groupOfURLs))(suprivilegegroup=registry:consult))"
put_filter: AND
put_filter_list "(!(objectClass=groupOfURLs))(suprivilegegroup=registry:consult)"
put_filter: "(!(objectClass=groupOfURLs))"
put_filter: NOT
put_filter_list "(objectClass=groupOfURLs)"
put_filter: "(objectClass=groupOfURLs)"
put_filter: simple
put_simple_filter: "objectClass=groupOfURLs"
put_filter: "(suprivilegegroup=registry:consult)"
put_filter: simple
put_simple_filter: "suprivilegegroup=registry:consult"
begin get_filter
AND
begin get_filter_list
begin get_filter
NOT
begin get_filter
EQUALITY


search_candidates: base="cn=people,dc=stanford,dc=edu" (0x00000006) scope=2

Most importantly, as you can see here:

=> acl_mask: access to entry "suRegID=000648cb784048849a1573566ffe0ef8,cn=people,dc=stanford,dc=edu", attr "objectClass" requested
=> acl_mask: to value by "uid=cadabra,cn=accounts,dc=stanford,dc=edu", (=0)


[snip]

<= acl_mask: no more <who> clauses, returning =0 (stop)
=> slap_access_allowed: search access denied by =0
=> access_allowed: no more rules


It is still using the "cadabra" credentials to find membership in the group, and not the internal rootdn.

--Quanah

--
Quanah Gibson-Mount
Principal Software Developer
ITS/Shared Application Services
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
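As an added example (not part of this message or of OpenLDAP): a small parser for the slapd `-d -1` ACL trace lines quoted above, which lists each access decision together with the identity it was evaluated as, so that a memberURL expansion search running under the bound user instead of the rootdn stands out in a long trace. The trace embedded below is constructed from the lines in the message, with the suRegID value replaced by a placeholder.

```python
import re

# Constructed sample of slapd "-d -1" ACL trace output, modelled on the lines
# quoted in the message above (suRegID replaced by a placeholder; not a real capture).
SAMPLE_TRACE = """\
=> access_allowed: search access to "cn=registry-consult,cn=groups,cn=applications,dc=stanford,dc=edu" "cn" requested
=> acl_mask: access to entry "cn=registry-consult,cn=groups,cn=applications,dc=stanford,dc=edu", attr "cn" requested
=> acl_mask: to value by "uid=cadabra,cn=accounts,dc=stanford,dc=edu", (=0)
<= check a_dn_pat: uid=cadabra,cn=accounts,dc=stanford,dc=edu
<= acl_mask: [1] applying read(=rscxd) (stop)
=> slap_access_allowed: search access granted by read(=rscxd)
=> acl_mask: access to entry "suRegID=EXAMPLE,cn=people,dc=stanford,dc=edu", attr "objectClass" requested
=> acl_mask: to value by "uid=cadabra,cn=accounts,dc=stanford,dc=edu", (=0)
<= acl_mask: no more <who> clauses, returning =0 (stop)
=> slap_access_allowed: search access denied by =0
"""

# One regex per trace line kind we care about: entry/attr, evaluating identity, verdict.
ENTRY_RE = re.compile(r'^=> acl_mask: access to entry "([^"]*)", attr "([^"]*)" requested')
WHO_RE = re.compile(r'^=> acl_mask: to value by "([^"]*)"')
RESULT_RE = re.compile(r'^=> slap_access_allowed: (\w+) access (granted|denied) by (\S+)')

def parse_acl_trace(text):
    """Return one dict per ACL decision: entry, attr, identity it was evaluated as, verdict, mask."""
    decisions, current = [], None
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            current = {"entry": m.group(1), "attr": m.group(2), "who": None}
            continue
        m = WHO_RE.match(line)
        if m and current is not None:
            current["who"] = m.group(1)
            continue
        m = RESULT_RE.match(line)
        if m and current is not None:
            current.update(access=m.group(1), verdict=m.group(2), mask=m.group(3))
            decisions.append(current)
            current = None
    return decisions

def denied_under_identity(decisions, identity):
    """Entries on which the given bind DN was denied; a people entry here means the
    group expansion was evaluated as that user rather than as the rootdn."""
    return [d["entry"] for d in decisions if d["who"] == identity and d["verdict"] == "denied"]

if __name__ == "__main__":
    for d in parse_acl_trace(SAMPLE_TRACE):
        print(f'{d["verdict"]:7} {d["access"]} on {d["entry"]} [{d["attr"]}] as {d["who"]} ({d["mask"]})')
```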