
problem with access by set and group membership (posixgroup, groupofnames)



Hi

I am trying to grant users access to a group by their group membership.
Because the groups are posixGroups and not groupOfNames,
I have tried the following ACLs according to
(running openldap-2.3.27-5)

http://www.openldap.org/faq/data/cache/1133.html
and
http://www.mail-archive.com/openldap-software@openldap.org/msg08524.html

access to dn.sub="cn=Domain Admins,ou=Groups,dc=byn,dc=drv"
       by set="([uid=] + ([cn=domain admins,ou=groups,dc=byn,dc=drv])/memberUid + [,ou=users,dc=byn,dc=drv]) & user" write
       by * none

or

       by set="user/uid & [cn=Domain Admins,ou=Groups,dc=byn,dc=drv]/memberUid" write

The group has the following members

dn: cn=Domain Admins,ou=Groups,dc=byn,dc=drv
memberUid: NetAdmin1
memberUid: Netadmin5
memberUid: NT_IEXPLORE
memberUid: Siadmin
memberUid: Netadmin3
memberUid: NT_FSecure

but a search as uid=Netadmin3,ou=Users,dc=byn,dc=drv

does not succeed.

Here are the logs

Oct 26 12:41:11 master slapd[18574]: => access_allowed: search access to "cn=Domain Admins,ou=Groups,dc=byn,dc=drv" "cn" requested
Oct 26 12:41:11 master slapd[18574]: => dn: [3] cn=domain admins,ou=groups,dc=byn,dc=drv
Oct 26 12:41:11 master slapd[18574]: => acl_get: [3] matched
Oct 26 12:41:11 master slapd[18574]: => acl_get: [3] attr cn
Oct 26 12:41:11 master slapd[18574]: => acl_mask: access to entry "cn=Domain Admins,ou=Groups,dc=byn,dc=drv", attr "cn" requested
Oct 26 12:41:11 master slapd[18574]: => acl_mask: to value by "uid=netadmin3,ou=users,dc=byn,dc=drv", (=0)
Oct 26 12:41:11 master slapd[18574]: <= check a_set_pat: ([uid=] + ([cn=domain admins,ou=groups,dc=byn,dc=drv])/memberUid  + [,ou=users,dc=byn,dc=drv]) & user
Oct 26 12:41:11 master slapd[18574]: >>> dnNormalize: <cn=domain admins,ou=groups,dc=byn,dc=drv>
Oct 26 12:41:11 master slapd[18574]: <<< dnNormalize: <cn=domain admins,ou=groups,dc=byn,dc=drv>
Oct 26 12:41:11 master slapd[18574]: <= check a_dn_pat: *
Oct 26 12:41:11 master slapd[18574]: <= acl_mask: [2] applying none(=0) (stop)
Oct 26 12:41:11 master slapd[18574]: <= acl_mask: [2] mask: none(=0)
Oct 26 12:41:11 master slapd[18574]: => access_allowed: search access denied by none(=0)

If I use something simple like
       by set="([uid=] + user/uid + [,ou=users,dc=byn,dc=drv]) & user" write
in order to test whether "by set" works at all, the search works:

Oct 26 12:35:45 master slapd[18488]: => acl_mask: to value by "uid=netadmin3,ou=users,dc=byn,dc=drv", (=0)
Oct 26 12:35:45 master slapd[18488]: <= check a_set_pat: ([uid=] + user/uid + [,ou=users,dc=byn,dc=drv]) & user
Oct 26 12:35:45 master slapd[18488]: >>> dnNormalize: <uid=netadmin3,ou=users,dc=byn,dc=drv>
Oct 26 12:35:45 master slapd[18488]: <<< dnNormalize: <uid=netadmin3,ou=users,dc=byn,dc=drv>
Oct 26 12:35:45 master slapd[18488]: => bdb_entry_get: ndn: "uid=netadmin3,ou=users,dc=byn,dc=drv"
Oct 26 12:35:45 master slapd[18488]: => bdb_entry_get: oc: "(null)", at: "uid"
Oct 26 12:35:45 master slapd[18488]: bdb_dn2entry("uid=netadmin3,ou=users,dc=byn,dc=drv")
Oct 26 12:35:45 master slapd[18488]: => bdb_entry_get: found entry: "uid=netadmin3,ou=users,dc=byn,dc=drv"
Oct 26 12:35:45 master slapd[18488]: bdb_entry_get: rc=0
Oct 26 12:35:45 master slapd[18488]: <= acl_mask: [1] applying write(=wrscxd) (stop)
Oct 26 12:35:45 master slapd[18488]: <= acl_mask: [1] mask: write(=wrscxd)
Oct 26 12:35:45 master slapd[18488]: => access_allowed: read access granted by write(=wrscxd)
Oct 26 12:35:45 master slapd[18488]: conn=0 op=1 ENTRY dn="cn=domain admins,ou=groups,dc=byn,dc=drv"



It seems that the
([cn=domain admins,ou=groups,dc=byn,dc=drv])/memberUid
is not expanded to all members.
I have tried several cases (Groups or groups) with no success.

Is this the correct way of using posixGroups for LDAP ACLs?
If not, what is the right way?
If yes, what am I doing wrong?

greetings

hansjörg

--
Dr. Hansjörg Maurer
itsystems Deutschland AG
Linprunstraße 10
80335 München
Tel:   +49-89-52 04 68-41
Fax:   +49-89-52 04 68-59
E-Mail: hansjoerg.maurer@itsd.de
Web:    http://www.itsd.de


Amtsgericht München HRB 132146 USt-IdNr. DE 812991301 Steuer-Nr. 143/100/81575

Aufsichtsratsvorsitzender:
Stefan Adam
Vorstand:
Dr. Michael Krocka
Dr. Hansjörg Maurer
Dr. Wilfried Trinkl
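Added example, not part of the mail above and not slapd's own code: a small Python evaluator for the subset of the slapd.access(5) "set" syntax the two ACLs use ([literal], user, X/attr dereference, + concatenation, & intersection, parentheses), run over a constructed in-memory copy of the group and user entries quoted in the post. It records every dereference it performs, which is the step the failing trace above shows only as a dnNormalize of the group DN with no entry fetch following it. The normalize_dn helper and the exact/case-folded comparison toggle are assumptions of this model; which canonicalization slapd applies when it compares set members is not established by the post, and the toggle exists precisely so the reader can see how much the mixed-case memberUid values matter under each choice.

```python
"""Toy evaluator for the slapd ACL 'set' syntax used in the post (constructed model)."""
import re
from typing import Callable, Dict, List

# Constructed directory modelled on the entries quoted in the post.
# Keys are DNs in the lower-case form slapd's dnNormalize logs them in.
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    "cn=domain admins,ou=groups,dc=byn,dc=drv": {
        "cn": ["Domain Admins"],
        "memberUid": ["NetAdmin1", "Netadmin5", "NT_IEXPLORE",
                      "Siadmin", "Netadmin3", "NT_FSecure"],
    },
    "uid=netadmin3,ou=users,dc=byn,dc=drv": {"uid": ["Netadmin3"]},
}

def normalize_dn(value: str) -> str:
    """Assumed approximation of dnNormalize for the caseIgnore types used here
    (cn, uid, ou, dc): lower-case, no whitespace around RDN separators."""
    return ",".join(part.strip() for part in value.lower().split(","))

# Tokens: [literal]   /attr   ( ) & +   user
TOKEN_RE = re.compile(r"\s*(\[[^\]]*\]|/[A-Za-z][\w-]*|[()&+]|user)")

def tokenize(expr: str) -> List[str]:
    tokens, pos, expr = [], 0, expr.strip()
    while pos < len(expr):
        m = TOKEN_RE.match(expr, pos)
        if not m:
            raise ValueError(f"unparseable set syntax near {expr[pos:]!r}")
        tokens.append(m.group(1))
        pos = m.end()
    return tokens

class SetEvaluator:
    """Recursive descent over:  expr := concat ('&' concat)*
    concat := deref ('+' deref)*   deref := primary ('/attr')*
    primary := [literal] | user | '(' expr ')'"""
    def __init__(self, user_dn: str, directory, match: Callable[[str], str] = normalize_dn):
        self.user = normalize_dn(user_dn)   # the requester's normalized bind DN
        self.directory = directory
        self.match = match                  # canonicalization applied before '&' compares
        self.trace: List[str] = []          # one line per dereference, like slapd's trace

    def evaluate(self, expr: str) -> List[str]:
        self.tokens, self.i = tokenize(expr), 0
        result = self._expr()
        if self.i != len(self.tokens):
            raise ValueError("trailing tokens in set expression")
        return result

    def _peek(self):
        return self.tokens[self.i] if self.i < len(self.tokens) else None

    def _next(self):
        tok = self.tokens[self.i]
        self.i += 1
        return tok

    def _expr(self):
        left = self._concat()
        while self._peek() == "&":            # intersection
            self._next()
            keep = {self.match(r) for r in self._concat()}
            left = [l for l in left if self.match(l) in keep]
        return left

    def _concat(self):
        left = self._deref()
        while self._peek() == "+":            # every left string joined with every right string
            self._next()
            right = self._deref()
            left = [l + r for l in left for r in right]
        return left

    def _deref(self):
        values = self._primary()
        while (tok := self._peek()) and tok.startswith("/"):
            self._next()
            attr, gathered = tok[1:], []
            for dn in values:                 # treat each string as a DN, fetch its attribute
                entry = self.directory.get(normalize_dn(dn))
                self.trace.append(f"deref {normalize_dn(dn)}/{attr}: "
                                  f"{'found' if entry else 'no such entry'}")
                if entry:
                    gathered.extend(entry.get(attr, []))
            values = gathered
        return values

    def _primary(self):
        tok = self._next()
        if tok == "user":
            return [self.user]
        if tok.startswith("["):
            return [tok[1:-1]]
        if tok == "(":
            inner = self._expr()
            if self._next() != ")":
                raise ValueError("expected ')'")
            return inner
        raise ValueError(f"unexpected token {tok!r}")

# The two set expressions from the post (whitespace as slapd logged them).
GROUP_SET = ("([uid=] + ([cn=domain admins,ou=groups,dc=byn,dc=drv])/memberUid"
             "  + [,ou=users,dc=byn,dc=drv]) & user")
SIMPLE_SET = "([uid=] + user/uid + [,ou=users,dc=byn,dc=drv]) & user "

def set_grants(expr: str, user_dn: str, match=normalize_dn) -> bool:
    """A 'by set=' clause applies when the evaluated set is non-empty."""
    return bool(SetEvaluator(user_dn, DIRECTORY, match).evaluate(expr))

if __name__ == "__main__":
    ev = SetEvaluator("uid=Netadmin3,ou=Users,dc=byn,dc=drv", DIRECTORY)
    print(ev.evaluate(GROUP_SET), ev.trace)
    print(set_grants(GROUP_SET, "uid=Netadmin3,ou=Users,dc=byn,dc=drv", match=str))
```

Running it shows the group-based set expanding to six "uid=...,ou=users,dc=byn,dc=drv" strings, one per memberUid, and the intersection with user succeeding only when both sides are case-folded; with match=str (byte-exact comparison) the mixed-case "uid=Netadmin3,..." never equals the normalized bind DN. When debugging a real deployment, compare the trace here against slapd's own: a set that dereferences another entry should produce an entry fetch (the bdb_entry_get lines of the working run) after the dnNormalize, and a missing fetch means the dereference, not the intersection, is where the evaluation stopped.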