[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: SyncRepl Chaining

To: espeake@oreillyauto.com
Subject: Re: SyncRepl Chaining
From: Quanah Gibson-Mount <quanah@zimbra.com>
Date: Fri, 06 Sep 2013 10:29:32 -0700
Cc: openldap-technical@openldap.org
Content-disposition: inline
Dkim-filter: OpenDKIM Filter v2.8.4 edge01-zcs.vmware.com B8781BF3
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=zimbra.com; s=C2AA288C-EE47-11E2-9BB0-E820BDD9BDBF; t=1378488575; bh=OIpGHxiMd1rtobwYTMLAB0B0zA6HtX82EVreHh4DFNE=; h=Date:From:To:Subject:Message-ID:MIME-Version:Content-Type: Content-Transfer-Encoding; b=lB+qlIytE8v8MePfgGJcb5fEjl3ESdKmP1WJ/3L55b0Ih9CTXVOM35Rf9aUWW9jaa C8RJ+MER/9SU+onRkb0ZdmrcP3XdrpFNqyfmNsQxUSA1WQNLth0HP7/WeWPmbKqvaT 6k2yc7zqVXgFiBWv/kfNd4VD0XQxruJbg8GkQPVQ=
In-reply-to: <OF2D376A8F.A82D6F6F-ON86257BDE.005EE463-86257BDE.005F4978@LocalDomain>
References: <OF6221F983.DA1F8092-ON86257BCC.004EF16C-86257BCC.00512A01@LocalDomain> <6CA876FB752413CB29E2EA6B@[192.168.1.22]> <OF025EAA37.81DCFA28-ON86257BDE.00508792-86257BDE.00513044@LocalDomain> <C0B20AD5CD5F41CE59386554@[192.168.1.22]> <OF5A07E42A.4C217BE1-ON86257BDE.0055CC85-86257BDE.0055F196@LocalDomain> <2B0E0E65085221BA0FB7BE66@[192.168.1.22]> <OF654A949D.245F7EA3-ON86257BDE.005A7A63-86257BDE.005B103D@LocalDomain> <0E60476DA07A935954D7321C@[192.168.1.22]> <OFB198C1DA.D982C580-ON86257BDE.005C9E55-86257BDE.005CA25B@LocalDomain> <EC203715A4563EB989A9F6B0@[192.168.1.22]> <OF2D376A8F.A82D6F6F-ON86257BDE.005EE463-86257BDE.005F4978@LocalDomain>

--On Friday, September 06, 2013 12:21 PM -0500 espeake@oreillyauto.comwrote:

add: olcAccess
olcAccess: {0}to *
    by dn.base="uid=syncrepl,ou=System,dc=oreillyauto,dc=com" read
    by dn.base="uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" read
    by dn.base="uid=ldapAdmin,ou=System,dc=oreillyauto,dc=com" write
    by dn.base="uid=newUserAdmin,ou=System,dc=oreillyauto,dc=com" write
    by dn.base="uid=passwordAdmin,ou=System,dc=oreillyauto,dc=com" write
    break


This should be "by * break" not "break"

I confirmed the changes by looking at the LDIF that the changes were made.
Even though it's not supposed to be needed, I restarted the slapd service.
TO me it looks like it is reading the break and moving to rule {2} but
still no love or authentication.

Sep  6 12:12:46 tntest-ldap-1 slapd[22140]: => acl_mask: access to entry
"uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com", attr "userPassword"
requested
Sep  6 12:12:46 tntest-ldap-1 slapd[22140]: => acl_mask: to value by "",
(=0)
Sep  6 12:12:46 tntest-ldap-1 slapd[22140]: <= acl_mask: no more <who>
clauses, returning =0 (stop)


As noted in the SLAPD.ACCESS(5) man page:

The search operation, requires search (=s) privileges on theentrypseudo-attribute of the searchBase (NOTE: this was introducedwithOpenLDAP 2.4). Then, for each entry, it requires search (=s)privi-leges on the attributes that are defined in the filter. Theresultingentries are finally tested for read (=r) privileges on thepseudo-attribute entry (for read access to the entry itself) and for read(=r)access on each value of each attribute that is requested. Also,foreach referral object used in generating continuation references,theoperation requires read (=r) access on the pseudo-attribute entry(forread access to the referral object itself), as well as read (=r)accessto the attribute holding the referral information (generally theref

      attribute).

You have no ACL granting access to the pseudo-attribute "entry".

I personally have as my last ACL:

olcAccess: {10}to attrs=entry by dn.children="cn=admins,cn=zimbra" writeby *

 read

--Quanah

--

Quanah Gibson-Mount
Lead Engineer
Zimbra, Inc
--------------------
Zimbra ::  the leader in open source messaging and collaboration

Follow-Ups:
- Re: SyncRepl Chaining
  - From: espeake@oreillyauto.com
- Antw: Re: SyncRepl Chaining
  - From: "Ulrich Windl" <Ulrich.Windl@rz.uni-regensburg.de>

References:
- SyncRepl Chaining
  - From: espeake@oreillyauto.com
- Re: SyncRepl Chaining
  - From: Quanah Gibson-Mount <quanah@zimbra.com>
- Re: SyncRepl Chaining
  - From: espeake@oreillyauto.com
- Re: SyncRepl Chaining
  - From: Quanah Gibson-Mount <quanah@zimbra.com>
- Re: SyncRepl Chaining
  - From: espeake@oreillyauto.com
- Re: SyncRepl Chaining
  - From: Quanah Gibson-Mount <quanah@zimbra.com>
- Re: SyncRepl Chaining
  - From: espeake@oreillyauto.com

Prev by Date: Re: SyncRepl Chaining
Next by Date: Re: Antw: Re: Log service time?
Index(es):
- Chronological
- Thread