Re: ACL to permit access to some attributes
Hello list,
> > Quanah Gibson-Mount wrote:
> >> Add break statements. slapd processes up to the FIRST applicable rule,
> >> and then stops processing, unless there is a break statement telling it
> >> to 'continue'.
> >>
> >> --Quanah
> >>
> >> > access to dn.base="" by * read
> >> by * break
> >> > access to dn.base="cn=Subschema" by * read
> >> by * break
> >> > access to * attrs=mail
> >> > by * read
> >
> > thank you for your reply, I have tried your suggestion without any
> > luck.
> >
> > Effectively the break statement helps to continue acl
> > processing, but it doesn't return any value. However, removing
> > "attrs=mail" works, but all attributes are now visible :(
> Quanah Gibson-Mount wrote:
> Try changing the last ACL line to:
>
> access to dn.children="dc=fadesa,dc=es" attrs=mail
> by * read
>
> Also see my ACL page:
I tried this before but the results are identical to
the others. Whatever I do, slapd always returns an empty
response :-?
Below I did the same search with and without "attrs=mail".
As you can see, the attrs directive causes an empty result.
I'm lost here; what's the difference?
# ldapsearch -x -h 195.55.55.167 -s sub -b "dc=fadesa,dc=es" mail
# extended LDIF
#
# LDAPv3
# base <dc=fadesa,dc=es> with scope sub
# filter: (objectclass=*)
# requesting: mail
#
# search result
search: 2
result: 0 Success
# numResponses: 1
/-------/
# /usr/local/libexec/slapd -4 -h ldap:// -d 224
.
.
line 57 (access to dn.base="" by * read break)
Global ACL: access to *
by * read(=rscx) break
line 60 (access to dn.base="cn=Subschema" by * read break)
Global ACL: access to dn.base=cn=subschema
by * read(=rscx) break
line 63 (access to dn.children="dc=fadesa,dc=es" attrs=mail by * read)
Global ACL: access to dn.children=dc=fadesa,dc=es
attrs=mail
by * read(=rscx)
line 93 (database bdb)
.
.
.
=> test_filter
PRESENT
=> access_allowed: search access to "uid=00010,dc=fadesa,dc=es" "objectClass" requested
=> dn: [1]
=> dn: [2] cn=subschema
=> dn: [3] dc=fadesa,dc=es
=> acl_get: [3] matched
=> acl_get: [3] check attr objectClass
<= acl_get: done.
=> access_allowed: no more rules
<= test_filter 50
/----------/
now I remove attrs=mail and it works:
# ldapsearch -x -h 195.55.55.167 -s sub -b "dc=fadesa,dc=es" mail
# extended LDIF
#
# LDAPv3
# base <dc=fadesa,dc=es> with scope sub
# filter: (objectclass=*)
# requesting: mail
.
.
.
# 00010, fadesa.es
dn: uid=00010,dc=fadesa,dc=es
mail: perico@foo.bar
/--------/
=> test_filter
PRESENT
=> access_allowed: search access to "uid=00010,dc=fadesa,dc=es" "objectClass" requested
=> dn: [1]
=> dn: [2] cn=subschema
=> dn: [3] dc=fadesa,dc=es
=> acl_get: [3] matched
=> acl_get: [3] check attr objectClass
<= acl_get: [3] acl uid=00010,dc=fadesa,dc=es attr: objectClass
=> acl_mask: access to entry "uid=00010,dc=fadesa,dc=es", attr "objectClass" requested
=> acl_mask: to all values by "", (=n)
<= check a_dn_pat: *
<= acl_mask: [1] applying read(=rscx) (stop)
<= acl_mask: [1] mask: read(=rscx)
=> access_allowed: search access granted by read(=rscx)
<= test_filter 6
=> access_allowed: read access to "uid=00010,dc=fadesa,dc=es" "entry" requested
=> dn: [1]
=> dn: [2] cn=subschema
=> dn: [3] dc=fadesa,dc=es
=> acl_get: [3] matched
=> acl_get: [3] check attr entry
<= acl_get: [3] acl uid=00010,dc=fadesa,dc=es attr: entry
=> acl_mask: access to entry "uid=00010,dc=fadesa,dc=es", attr "entry" requested
=> acl_mask: to all values by "", (=n)
<= check a_dn_pat: *
<= acl_mask: [1] applying read(=rscx) (stop)
<= acl_mask: [1] mask: read(=rscx)
=> access_allowed: read access granted by read(=rscx)
=> access_allowed: read access to "uid=00010,dc=fadesa,dc=es" "mail" requested
=> dn: [1]
=> dn: [2] cn=subschema
=> dn: [3] dc=fadesa,dc=es
=> acl_get: [3] matched
=> acl_get: [3] check attr mail
<= acl_get: [3] acl uid=00010,dc=fadesa,dc=es attr: mail
access_allowed: no res from state (mail)
=> acl_mask: access to entry "uid=00010,dc=fadesa,dc=es", attr "mail" requested
=> acl_mask: to all values by "", (=n)
<= check a_dn_pat: *
<= acl_mask: [1] applying read(=rscx) (stop)
<= acl_mask: [1] mask: read(=rscx)
=> access_allowed: read access granted by read(=rscx)
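To make the two traces above concrete, here is an added, simplified model of slapd's rule selection (illustration code, not OpenLDAP's own): a rule is considered only when its DN pattern matches the entry and, if it carries an attrs list, the requested attribute is in that list; the first such rule decides unless it says break. The filter (objectclass=*) needs search access to objectClass before mail is ever read, and the attrs=mail rule never covers objectClass, so the request runs off the end of the list ("no more rules"). The rule constructor and the level ordering are assumptions of this model.

```python
from typing import List, Optional, Set

# slapd access levels, weakest to strongest (read implies search, and so on)
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write"]

class Rule:
    """One 'access to <dn> [attrs=...] by * <level> [break]' line (assumed form)."""
    def __init__(self, dn_style: str, dn: str, level: str,
                 attrs: Optional[Set[str]] = None, brk: bool = False):
        self.dn_style, self.dn, self.level = dn_style, dn.lower(), level
        self.attrs = {a.lower() for a in attrs} if attrs else None  # None = all attrs
        self.brk = brk               # 'break': keep evaluating the following rules

    def dn_matches(self, target: str) -> bool:
        target = target.lower()
        if self.dn_style == "base":          # exactly this entry ("" = root DSE)
            return target == self.dn
        if self.dn_style == "children":      # strictly below the pattern
            return target != self.dn and target.endswith("," + self.dn)
        raise ValueError(self.dn_style)

def access_allowed(rules: List[Rule], target: str, attr: str) -> str:
    """Level granted to (entry, attribute); 'none' when no rule applies."""
    granted = None
    for rule in rules:
        if not rule.dn_matches(target):
            continue
        if rule.attrs is not None and attr.lower() not in rule.attrs:
            continue              # DN matched but attr not covered: keep looking
        granted = rule.level      # this rule applies
        if not rule.brk:
            break                 # first applicable rule stops processing
    return granted or "none"      # fell off the end: slapd's default (deny)

def grants(level: str, needed: str) -> bool:
    return LEVELS.index(level) >= LEVELS.index(needed)

# The thread's three ACLs, with attrs=mail on the last one ...
WITH_ATTRS = [
    Rule("base", "", "read", brk=True),
    Rule("base", "cn=Subschema", "read", brk=True),
    Rule("children", "dc=fadesa,dc=es", "read", attrs={"mail"}),
]
# ... and with attrs=mail removed, as in the second run
WITHOUT_ATTRS = WITH_ATTRS[:2] + [Rule("children", "dc=fadesa,dc=es", "read")]
ENTRY = "uid=00010,dc=fadesa,dc=es"

if __name__ == "__main__":
    # (objectclass=*) needs search access to objectClass before mail is read
    for name, rules in (("attrs=mail", WITH_ATTRS), ("no attrs", WITHOUT_ATTRS)):
        lvl = access_allowed(rules, ENTRY, "objectClass")
        print(f"{name:10s} objectClass -> {lvl:5s} search ok: {grants(lvl, 'search')}")
```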