
Re: ACL with val.regex expression



> You should probably check with slapacl(8).

Thanks Dieter, this might prove to be helpful.  Investigating with
slapacl, I see some interesting behavior.  Without the
"val.exact=/bin/bash" requirement, the user is allowed write access and
the relevant portions of the ACL trace look like:

525edc6e => acl_mask: access to entry
"uid=testmkd,ou=people,dc=cs,dc=brown,dc=edu", attr "loginShell" requested
525edc6e => acl_mask: to all values by
"uid=testmkd,ou=people,dc=cs,dc=brown,dc=edu", (=0)
525edc6e <= check a_dn_pat: uid=.*/admin,cn=cs.brown.edu,cn=GSSAPI,cn=auth
525edc6e => acl_string_expand: pattern:
uid=.*/admin,cn=cs.brown.edu,cn=GSSAPI,cn=auth
525edc6e => acl_string_expand: expanded:
uid=.*/admin,cn=cs.brown.edu,cn=GSSAPI,cn=auth
525edc6e <= check a_dn_pat: cn=replica,dc=cs,dc=brown,dc=edu
525edc6e <= check a_dn_pat: self
525edc6e <= check a_authz.sai_ssf: ACL 128 > OP 128
525edc6e <= acl_mask: [3] applying write(=wrscxd) (stop)
525edc6e <= acl_mask: [3] mask: write(=wrscxd)
525edc6e => slap_access_allowed: write access granted by write(=wrscxd)
525edc6e => access_allowed: write access granted by write(=wrscxd)
write access to loginShell: ALLOWED

and with the "val.exact=/bin/bash" requirement, it looks like:

525ed68a => acl_mask: access to entry
"uid=user,ou=people,dc=cs,dc=brown,dc=edu", attr "loginShell" requested
525ed68a => acl_mask: to all values by
"uid=user,ou=people,dc=cs,dc=brown,dc=edu", (=0)
525ed68a <= check a_dn_pat: uid=.*/admin,cn=cs.brown.edu,cn=GSSAPI,cn=auth
525ed68a => acl_string_expand: pattern:
uid=.*/admin,cn=cs.brown.edu,cn=GSSAPI,cn=auth
525ed68a => acl_string_expand: expanded:
uid=.*/admin,cn=cs.brown.edu,cn=GSSAPI,cn=auth
525ed68a <= check a_dn_pat: cn=replica,dc=cs,dc=brown,dc=edu
525ed68a <= check a_dn_pat:
uid=.*,ou=people,dc=cs,dc=brown,dc=edu,cn=gssapi,cn=auth
525ed68a <= check a_dn_pat: *
525ed68a <= acl_mask: [4] applying read(=rscxd) (stop)
525ed68a <= acl_mask: [4] mask: read(=rscxd)
525ed68a => slap_access_allowed: write access denied by read(=rscxd)
525ed68a => access_allowed: no more rules
write access to loginShell: DENIED

Note the difference in the line following "cn=replica,dc=cs..."  Again,
the entire ACL stanza in question is:

access to dn.subtree="ou=people,dc=cs,dc=brown,dc=edu" attrs=loginShell
val.exact="/bin/bash"
  by ssf=128 dn.regex="uid=.*/admin,cn=cs.brown.edu,cn=GSSAPI,cn=auth" write
  by ssf=128 dn="cn=replica,dc=cs,dc=brown,dc=edu" write
  by ssf=128 self write
  by * read

I'm at a loss as to why adding the "val.exact=/bin/bash" requirement
changes the ACL trace from doing:

525edc6e <= check a_dn_pat: cn=replica,dc=cs,dc=brown,dc=edu
525edc6e <= check a_dn_pat: self

to

525ed68a <= check a_dn_pat: cn=replica,dc=cs,dc=brown,dc=edu
525ed68a <= check a_dn_pat:
uid=.*,ou=people,dc=cs,dc=brown,dc=edu,cn=gssapi,cn=auth

with the val.exact statement, it doesn't even seem to evaluate the
"self" permissions.  Am I missing something fundamental here?

Thanks!

Mark
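An added example, not part of the thread above: a small Python parser for the slapacl trace format quoted in this message. It re-joins the wrapped lines, then pulls out the `by` clause patterns that were tried (`check a_dn_pat`), whether a value was under test (the `to all values` line means none was), which clause index finally applied (`[3]` vs `[4]` in the traces above) and the verdict, so two traces can be compared mechanically instead of by eye. The embedded input is the two traces from this message; the exact line shapes the regexes expect are assumptions taken from that output. One practical note for anyone reproducing this: slapacl(8) accepts the value to test as `attr[/access][:value]`, e.g. `loginShell/write:/bin/bash`, and a `val.*` qualifier in an ACL can only be matched by a request that carries a value.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Sample input: the two slapacl traces quoted in the message above (not constructed).
TRACE_ALLOWED = """\
525edc6e => acl_mask: access to entry
"uid=testmkd,ou=people,dc=cs,dc=brown,dc=edu", attr "loginShell" requested
525edc6e => acl_mask: to all values by
"uid=testmkd,ou=people,dc=cs,dc=brown,dc=edu", (=0)
525edc6e <= check a_dn_pat: uid=.*/admin,cn=cs.brown.edu,cn=GSSAPI,cn=auth
525edc6e => acl_string_expand: pattern:
uid=.*/admin,cn=cs.brown.edu,cn=GSSAPI,cn=auth
525edc6e => acl_string_expand: expanded:
uid=.*/admin,cn=cs.brown.edu,cn=GSSAPI,cn=auth
525edc6e <= check a_dn_pat: cn=replica,dc=cs,dc=brown,dc=edu
525edc6e <= check a_dn_pat: self
525edc6e <= check a_authz.sai_ssf: ACL 128 > OP 128
525edc6e <= acl_mask: [3] applying write(=wrscxd) (stop)
525edc6e <= acl_mask: [3] mask: write(=wrscxd)
525edc6e => slap_access_allowed: write access granted by write(=wrscxd)
525edc6e => access_allowed: write access granted by write(=wrscxd)
write access to loginShell: ALLOWED
"""

TRACE_DENIED = """\
525ed68a => acl_mask: access to entry
"uid=user,ou=people,dc=cs,dc=brown,dc=edu", attr "loginShell" requested
525ed68a => acl_mask: to all values by
"uid=user,ou=people,dc=cs,dc=brown,dc=edu", (=0)
525ed68a <= check a_dn_pat: uid=.*/admin,cn=cs.brown.edu,cn=GSSAPI,cn=auth
525ed68a => acl_string_expand: pattern:
uid=.*/admin,cn=cs.brown.edu,cn=GSSAPI,cn=auth
525ed68a => acl_string_expand: expanded:
uid=.*/admin,cn=cs.brown.edu,cn=GSSAPI,cn=auth
525ed68a <= check a_dn_pat: cn=replica,dc=cs,dc=brown,dc=edu
525ed68a <= check a_dn_pat:
uid=.*,ou=people,dc=cs,dc=brown,dc=edu,cn=gssapi,cn=auth
525ed68a <= check a_dn_pat: *
525ed68a <= acl_mask: [4] applying read(=rscxd) (stop)
525ed68a <= acl_mask: [4] mask: read(=rscxd)
525ed68a => slap_access_allowed: write access denied by read(=rscxd)
525ed68a => access_allowed: no more rules
write access to loginShell: DENIED
"""

# Line shapes assumed from the traces above (8 hex digits, then the message).
PREFIX = re.compile(r"^[0-9a-f]{8} (.*)$")
VERDICT = re.compile(r"^(\w+) access to (\S+): (ALLOWED|DENIED)$")
ENTRY = re.compile(r'access to entry "([^"]*)", attr "([^"]*)" requested')
DN_PAT = re.compile(r"<= check a_dn_pat: (.*)$")
APPLY = re.compile(r"<= acl_mask: \[(\d+)\] applying (\w+)\(=\w+\)")


@dataclass
class AclTrace:
    entry_dn: Optional[str] = None
    attr: Optional[str] = None
    value_supplied: bool = False          # False when the trace says "to all values"
    patterns_checked: List[str] = field(default_factory=list)  # by-clauses tried, in order
    clause_index: Optional[int] = None    # the [N] that finally applied
    clause_level: Optional[str] = None    # e.g. "write" or "read"
    verdict: Optional[str] = None         # "ALLOWED" / "DENIED"


def _logical_lines(text: str) -> List[str]:
    """Re-join wrapped lines: a line without the hex prefix continues the
    previous one, except the final verdict line, which stands alone."""
    out: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if PREFIX.match(line) or VERDICT.match(line) or not out:
            out.append(line)
        else:
            out[-1] = out[-1] + " " + line
    return out


def parse_trace(text: str) -> AclTrace:
    """Extract the decision-relevant fields from one slapacl trace."""
    t = AclTrace()
    for line in _logical_lines(text):
        m = PREFIX.match(line)
        body = m.group(1) if m else line
        e = ENTRY.search(body)
        d = DN_PAT.search(body)
        a = APPLY.search(body)
        v = VERDICT.match(body)
        if e:
            t.entry_dn, t.attr = e.group(1), e.group(2)
        elif body.startswith("=> acl_mask: to "):
            t.value_supplied = not body.startswith("=> acl_mask: to all values")
        elif d:
            t.patterns_checked.append(d.group(1).strip())
        elif a:
            t.clause_index, t.clause_level = int(a.group(1)), a.group(2)
        elif v:
            t.verdict = v.group(3)
    return t


def compare(a: AclTrace, b: AclTrace) -> dict:
    """Show where two traces for the same request diverge."""
    return {
        "same_clause": a.clause_index == b.clause_index,
        "clause_a": (a.clause_index, a.clause_level, a.verdict),
        "clause_b": (b.clause_index, b.clause_level, b.verdict),
        "patterns_only_in_a": [p for p in a.patterns_checked if p not in b.patterns_checked],
        "patterns_only_in_b": [p for p in b.patterns_checked if p not in a.patterns_checked],
    }


if __name__ == "__main__":
    for k, val in compare(parse_trace(TRACE_ALLOWED), parse_trace(TRACE_DENIED)).items():
        print(f"{k}: {val}")
```

Running it on the two traces shows that the second run never tries `self` but instead tries a different `by` clause list and settles on clause `[4]` with `read`, i.e. a different `access to` stanza applied, and that both traces report `to all values`, meaning neither request carried an attribute value.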