[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: [LDAP-SOFTWARE] ACLand regex (matching self)

At 07:33 AM 2/23/2003, Ace Suares wrote:
>> Well, you might want to find them.  Aside from allowing you to
>> test the software, the suite provides a number of useful examples.
>Thank You. I have downloaded 2.0.27 from openldap.org and untarred it.
>The test scripts didn't work of ocurse, since I haven't compiled openldap yet, 
>I am just browsing the files. The first thing I find in tests/data is a file 
>called slapd-acl.conf. An extract:
># normal installations should protect root dse,
># cn=monitor, cn=schema, and cn=config
>>From this, I gather that there is such thing as 'protecting' the schema.
>If this is correct, that could explain some of my troubles with GQ (Which 
>would render that topic off-(off-topic) ).

slapd(8) allows one to place access controls on any and all entries
including system entries.

>> confused as to what the applicable subject (authorization) and
>> target (entry) DNs are.  The logs tell exactly which who is
>> accessing what (STATS) and "to" and "by" clauses contribute to
>> the access allowed/denied (ACLs).  Other logging may also be useful.
>In my log file, which is with loglevel 128, I can not find any string 'STATS' 
>even with grep -i.

By STATS, I was referring to the log level which provides basic
information about protocol requests and responses.

>Just an extract from my logfile.
>Feb 23 18:13:16 curacao slapd[1057]: => access_allowed: search access to "" 
>"objectClass" requested
>I explain this as: the function 'access_allowed' tries to find out if 'search 
>access to "" "objectClass" ' is  available.
>Immediately I ask my self: what is this "" between to and "Objectcllas" ?

The first string is the target DN, the second string is the target attribute.
A DN of "" implies the root DSE is the target.

>And then, I am lost. Can't find it in the docs.  (You *know* I am willing to 
>spend hundreds of hours wriing the docs, by lack of other possibility to 
>contribute to the source code itself...!).

Please feel free to submit documentation updates.

>Feb 23 18:13:16 curacao slapd[1057]: => acl_get: [1] check attr objectClass
>Next line: the function 'get_acl' (GET ACL ?) checks for any ACL's matching 
>But, what's that [1] doing there ? 

[1] means slapd is looking at the 1st access statement in the list,
checking if the target attribute matches.

>Feb 23 18:13:16 curacao slapd[1057]: => dnpat: [2] oc=(.*),app=qwido nsub: 1

Now slapd has moved on to the second.

>It found a dnpat (DN Pattern ?) that is: oc=(.*),app=qwido
>But, what's the nsub: 1 doing ? 

number of substitutions.

>Feb 23 18:13:16 curacao slapd[1057]: => dnpat: [3] app=qwido nsub: 0

Its now moved onto the 3rd directive.

>Feb 23 18:13:16 curacao slapd[1057]: => dnpat: [4] app=qwido nsub: 0

And the 4th.

>two times the same dnpat, probably the same pattern in different ACL's ? 

I would assume so.

>Could  be ! what's the nsub: 0 ?

No substitutions.

>Feb 23 18:13:16 curacao slapd[1057]: <= acl_get: done.
>it's done

>Feb 23 18:13:16 curacao slapd[1057]: => access_allowed: no more rules
>there are no more rules
>Feb 23 18:13:16 curacao slapd[1057]: => access_allowed: search access denied 
>by =n
>acces denied (by default, because there was no rule that matched, and 
>defaultaccess=none.... ?)

If none of teh specified rules are applicable, then access is
always denied.   defaultaccess is only considered with there
are no rules specified.

>The simplest ACL I can devise is this:
># protect all userPasswords.
># qwido: managers have access to all passwords
>access to attr=userpassword
>        by self write
>        by group="group=managers,app=qwido" write
>        by anonymous auth
>access to dn="app=qwido" 
>        by dn="app=qwido" read
>I expect it to do the following:
>a. let every entry authenticate itself against it's password. If an 
>'anonymous' bind is done, it should authenticate. If an existing DN is 
>binding, it should authenticate because of 'by self write'
>Forget about that group, for now, but it should be able to authenticate too.

Rule a actually says: "allow self and managers to modify
userPassword; allow anonymous to authentication"

>b. Let the one that binds to the database as 'app=qwido' (yes, that entry has 
>it's own userpassword) read the entry app=qwido and anything under it.

Rule b actually says: "allow app=qwido to read app=qwido".  It
is equivalent to saying:
        access to dn.exact="app=qwido" by self read

It says nothing about DNs under "app=qwido".  For this, you'd
need to say:
        access to dn.subtree="app=qwido" by dn="app=qwido" read

>when binding as, for example, 'oc=isp001,app=qwido' which is an existing entry 
>and has it's own userpassword, I can still read the entire tree.

Then I suspect you have other access control statements.