
Re: ACL Question 'write stop' 'write break'
On Thu, Oct 15, 2009 at 11:22 AM, Edward Capriolo <edlinuxguru@gmail.com> wrote:
> Hello all,
>
> We are currently migrating from a master-slave, to a multi-master
> setup. All went well except for the fact that the access on the old
> master node was more liberal then the access on the slave node. As a
> result some applications were able to use this to their advantage and
> now are not working quite correctly when each node is a read write
> master.
>
> here is my configuration:
>
> #access to dn.regex="mail=.*.managed@jointhegrid.com,ou=user,ou=jointhegrid.com,o=jointhegrid,c=US"
> #  attrs=userPassword,accountstatus
> #  by dn="mail=john@jointhegrid.com,ou=user,ou=jointhegrid.com,o=jointhegrid,c=US" write break
> #  by dn="mail=sara@jointhegrid.com,ou=user,ou=jointhegrid,o=jointhegrid,c=US" write break
> access to attr=userPassword
>  by self write
>  by anonymous auth
>  by dn="mail=samba@jointhegrid.com,ou=user,ou=jointhegrid.com,o=jointhegrid,c=US" read
>  by dn="mail=samba@jointhegrid-inc.com,ou=user,ou=jointhegrid-inc.com,o=jointhegrid,c=US" read
>  by * none
> access to attrs=sambaLMPassword,sambaNTPassword
>  by dn="mail=samba@jointhegrid.com,ou=user,ou=jointhegrid.com,o=jointhegrid,c=US" read
>  by dn="mail=samba@jointhegrid-inc.com,ou=user,ou=jointhegrid-inc.com,o=jointhegrid,c=US" read
>  by self write
>  by * none
> access to *
>  by dn="mail=samba@jointhegrid.com,ou=user,ou=jointhegrid.com,o=jointhegrid,c=US" write
>  by dn="mail=samba@jointhegrid-inc.com,ou=user,ou=jointhegrid-inc.com,o=jointhegrid,c=US" write
>  by dnattr=manager write
>  by self write
>  by users read
>  by * none
>
> My problem is the top commented lines; these rules are to allow sara and
> john to administer all "mail=.*.managed" users. This worked fine in the
> past because no read queries hit the master, but now with multi-master,
> "mail=.*.managed" users have no access to the directory. The old rule was
>
> #  by dn="mail=sara@jointhegrid.com,ou=user,ou=jointhegrid,o=jointhegrid,c=US" write stop
>
> I also tried
>
> #  by dn="mail=sara@jointhegrid.com,ou=user,ou=jointhegrid,o=jointhegrid,c=US" write break
>
> I was under the impression that "write break" would continue
> evaluation, but I do not understand how this is working. Can anyone
> help me with a suggestion for fixing this?
>
> Thank you!
>

Hey all,


I know this is somewhat of an RTFM question, but I did RTFM and I don't
understand how BREAK is interpreted.

man slapd.access
....
 The other two forms are used to keep on processing access clauses. In
 detail, the continue form allows for other <who> clauses in the same
 <access> clause to be considered, so that they may result in incrementally
 altering the privileges, while the break form allows for other <access>
 clauses that match the same target to be processed. Consider the (silly)
 example

      access to dn.subtree="dc=example,dc=com" attrs=cn
           by * =cs break

      access to dn.subtree="ou=People,dc=example,dc=com"
           by * +r

do I need?

 access to dn.regex="mail=.*.managed@jointhegrid.com,ou=user,ou=jointhegrid.com,o=jointhegrid,c=US"
   attrs=userPassword,accountstatus
   by dn="mail=john@jointhegrid.com,ou=user,ou=jointhegrid.com,o=jointhegrid,c=US" write break
   by dn="mail=sara@jointhegrid.com,ou=user,ou=jointhegrid,o=jointhegrid,c=US" write break
   by * break

?

We have a pretty large LDAP deployment with lots of applications using
it. Every time I get this rule wrong I manage to block someone's
access. I know it's not your problem, but please throw me a bone here
:)
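The configuration from this thread, run through a small model of how slapd evaluates ACLs. This is an added illustration, not OpenLDAP code and not anything the poster wrote: it supports only the `<what>`/`<who>` forms needed for the cases below (`dn.regex`, `attrs`, `*`, `self`, `anonymous`, `dn=`), uses a constructed entry (`bob.managed`) and an abridged copy of the quoted ACLs, and applies the rules as slapd.access(5) states them: the first `access to` clause whose target matches is used; within it the first matching `by` clause applies its privilege, where a bare level such as `write` or `none` assigns the privilege mask and `+`/`-`/`=` adjust it; `stop` ends evaluation, `continue` keeps scanning `by` clauses of the same clause, `break` carries the mask into the next matching `access to` clause, and a clause in which no `by` matches acts as `by * none`. What it shows for the question above: once the regex clause is enabled, every `mail=*.managed` entry hits it first, and since only john and sara are named there, everyone else, including the anonymous `auth` that a simple bind needs against `userPassword`, is denied by the implicit `by * none`; a trailing `by * break` fixes that. It also shows why `write break` for john is not what is wanted: the write mask he was just granted is carried into the `attr=userPassword` clause, whose `by * none` reassigns it to none. The variant that answers all three checks as intended is plain `write` (that is, stop) for the administrators plus `by * break` for everyone else. Treat the model as a reading aid; the authoritative check is slapacl(8) against the live slapd.conf.

```python
"""Toy model of slapd ACL evaluation (stop / continue / break), written for this
thread; not OpenLDAP code. Only the <what>/<who> forms in the quoted ACLs are
supported; confirm real decisions with slapacl(8) against the live slapd.conf."""
import re
# Privilege levels per slapd.access(5); a level grants its letter and all below it.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write"]
LETTER = dict(zip(LEVELS[1:], "dxcsrw"))  # read -> {d, x, c, s, r}; none -> {}

def level_mask(name):
    return {LETTER[lvl] for lvl in LEVELS[1:LEVELS.index(name) + 1]}

def parse_acls(text):
    """Parse 'access to <what>' and 'by <who> [<priv>] [<control>]' lines."""
    acls = []
    for line in (ln.strip() for ln in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line.startswith("access to"):
            what = line[len("access to"):]
            attrs = re.search(r"attrs?=(\S+)", what)
            dn_re = re.search(r'dn\.regex="([^"]*)"', what)
            acls.append({"dn_regex": dn_re.group(1) if dn_re else None,
                         "attrs": set(attrs.group(1).lower().split(",")) if attrs else None,
                         "by": []})
        elif line.startswith("by "):
            who, priv, ctl = re.match(r"by\s+(\S+)\s*(\S*)\s*(\S*)$", line).groups()
            if priv in ("stop", "continue", "break"):  # 'by * break': no privilege given
                priv, ctl = "", priv
            acls[-1]["by"].append((who, priv, ctl or "stop"))
    return acls

def who_matches(who, req_dn, entry):
    # <who> forms used in the cases below; req_dn is None for an anonymous bind.
    if who == "*":
        return True
    if who == "anonymous":
        return req_dn is None
    if who == "self":
        return req_dn == entry["dn"]
    if who.startswith('dn="'):       # exact DN
        return req_dn == who[4:-1]
    return False

def apply_priv(mask, priv):
    """Level name assigns; +x/-x add/remove letters; =x sets exactly; '' keeps."""
    if priv == "":                   # e.g. 'by * break'
        return mask
    if priv[0] in "+-=":
        new = set(priv[1:])
        return mask | new if priv[0] == "+" else mask - new if priv[0] == "-" else new
    return level_mask(priv)

def access_allowed(acls, req_dn, entry, attr, access):
    """First matching <access> clause, first matching <who> clause; 'stop' ends,
    'continue' keeps scanning <who> clauses, 'break' carries the mask into the
    next matching <access> clause; no match at all is the implicit 'by * none'."""
    mask = set()
    for acl in acls:
        if acl["dn_regex"] and not re.search(acl["dn_regex"], entry["dn"]):
            continue
        if acl["attrs"] is not None and attr.lower() not in acl["attrs"]:
            continue
        control = None
        for who, priv, ctl in acl["by"]:
            if who_matches(who, req_dn, entry):
                mask, control = apply_priv(mask, priv), ctl
                if ctl != "continue":
                    break
        if control in (None, "continue"):  # no (further) <who> clause matched
            mask, control = set(), "stop"
        if control != "break":
            break
    return LETTER[access] in mask

# Constructed, abridged copy of the thread's ACLs with the commented-out clause
# enabled; {ctl} and {tail} are substituted to compare the variants discussed.
CONF = """
access to dn.regex="mail=.*.managed@jointhegrid.com,ou=user,ou=jointhegrid.com,o=jointhegrid,c=US" attrs=userPassword,accountstatus
  by dn="mail=john@jointhegrid.com,ou=user,ou=jointhegrid.com,o=jointhegrid,c=US" write {ctl}
  by dn="mail=sara@jointhegrid.com,ou=user,ou=jointhegrid,o=jointhegrid,c=US" write {ctl}
  {tail}
access to attr=userPassword
  by self write
  by anonymous auth
  by * none
access to *
  by self write
  by * none
"""
JOHN = "mail=john@jointhegrid.com,ou=user,ou=jointhegrid.com,o=jointhegrid,c=US"
BOB = {"dn": "mail=bob.managed@jointhegrid.com,ou=user,ou=jointhegrid.com,o=jointhegrid,c=US"}

def decisions(ctl, tail=""):
    """(anonymous may auth against bob's userPassword, bob may write his own
    accountstatus, john may write bob's userPassword) under one first clause."""
    acls = parse_acls(CONF.format(ctl=ctl, tail=tail))
    return (access_allowed(acls, None, BOB, "userPassword", "auth"),
            access_allowed(acls, BOB["dn"], BOB, "accountstatus", "write"),
            access_allowed(acls, JOHN, BOB, "userPassword", "write"))

if __name__ == "__main__":
    for v in [("stop", ""), ("break", ""), ("break", "by * break"), ("stop", "by * break")]:
        print(v[0], v[1] or "(no 'by *' clause)", "->", decisions(*v))
```

Running it prints the three decisions for each variant of the first clause: `write stop` alone gives (False, False, True), `write break` alone gives (False, False, False), `write break` plus `by * break` gives (True, True, False), and `write` plus `by * break` gives (True, True, True). To confirm any single decision against a real server, `slapacl -f slapd.conf -b "<entry dn>" -D "<bind dn>" userPassword/auth` (with your own DNs in place of the placeholders) reports what slapd would actually grant.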