
RE: acl problem



>> by dn.base="cn=replication_low_security,dc=organisation,dc=com" none
>> by * break
>>
>> the break rule will be ignored, as 'none' is the implicit last rule.
>
> No, "none" does not imply "this is the last rule".  OTOH there is an implicit last "by * none", hidden by the "by * break".


To me it seems that if a "by * break" appears
* in the database ACLs, in my case slapd does not continue looking for global access directives in the frontend;
* in the frontend ACLs, slapd continues evaluating statements from the global access directives.


http://www.openldap.org/doc/admin24/access-control.html
states "For each entry, access controls provided in the database which holds the entry [...] apply first, followed by the global access directives"

So my understanding is that what I am observing should not happen.

>> run slapd with -dacl
The interesting line here should be "52c12415 => slap_access_allowed: no more rules" (although there are more in the frontend).


dn: ACCESSLOG_DB
olcAccess: {0}to dn.subtree="cn=accesslog"
attrs=reqMod val.regex="^topSecretAttribute:.*"
by dn.base="cn=replicationuser,dc=organisation,dc=com" read
by dn.base="cn=replication_low_security,dc=organisation,dc=com" none
by * break

dn: ACCESSLOG_DB
olcAccess: {1}to dn.subtree="cn=accesslog"
by dn.base="cn=replicationuser,dc=organisation,dc=com" read
by dn.base="cn=replication_low_security,dc=organisation,dc=com" read
by * break

dn: FRONTEND
olcAccess: {0}to dn.subtree="cn=accesslog"
by dn.base="cn=provisioninguser,dc=organisation,dc=com" read
by * none


52c12415 => access_allowed: read access to "reqStart=20131227145130.000001Z,cn=accesslog" "reqMod" requested
52c12415 => dn: [1] cn=accesslog
52c12415 => acl_get: [1] matched
52c12415 acl_get: valpat ^topSecretAttribute:.*
52c12415 => dn: [2] cn=accesslog
52c12415 => acl_get: [2] matched
52c12415 => acl_get: [2] attr reqMod
52c12415 => acl_mask: access to entry "reqStart=20131227145130.000001Z,cn=accesslog", attr "reqMod" requested
52c12415 => acl_mask: to value by "cn=provisioninguser,dc=organisation,dc=com", (=0)
52c12415 <= check a_dn_pat: cn=replicationuser,dc=organisation,dc=com
52c12415 <= check a_dn_pat: cn=replication_public_user,dc=organisation,dc=com
52c12415 <= check a_dn_pat: *
52c12415 <= acl_mask: [3] applying +0 (break)
52c12415 <= acl_mask: [3] mask: =0
52c12415 <= acl_get: done.
52c12415 => slap_access_allowed: no more rules
52c12415 => access_allowed: no more rules
52c12415 send_search_entry: conn 1002 access to attribute reqMod, value #6 not allowed

###############################################################################
dn: FRONTEND
olcAccess: {0}to dn.subtree="cn=accesslog"
attrs=reqMod val.regex="^topSecretAttribute:.*"
by dn.base="cn=replicationuser,dc=organisation,dc=com" read
by dn.base="cn=replication_low_security,dc=organisation,dc=com" none
by * break

dn: FRONTEND
olcAccess: {1}to dn.subtree="cn=accesslog"
by dn.base="cn=replicationuser,dc=organisation,dc=com" read
by dn.base="cn=replication_low_security,dc=organisation,dc=com" read
by * break

dn: FRONTEND
olcAccess: {0}to dn.subtree="cn=accesslog"
by dn.base="cn=provisioninguser,dc=organisation,dc=com" read
by * none

52c12bbf => access_allowed: read access to "reqStart=20131227145130.000001Z,cn=accesslog" "reqMod" requested
52c12bbf => dn: [24] cn=accesslog
52c12bbf => acl_get: [24] matched
52c12bbf acl_get: valpat ^topSecretAttribute:.*
52c12bbf => dn: [25] cn=accesslog
52c12bbf => acl_get: [25] matched
52c12bbf => acl_get: [25] attr reqMod
52c12bbf => acl_mask: access to entry "reqStart=20131227145130.000001Z,cn=accesslog", attr "reqMod" requested
52c12bbf => acl_mask: to value by "cn=provisioninguser,dc=organisation,dc=com", (=0)
52c12bbf <= check a_dn_pat: cn=replicationuser,dc=organisation,dc=com
52c12bbf <= check a_dn_pat: cn=replication_public_user,dc=organisation,dc=com
52c12bbf <= check a_dn_pat: *
52c12bbf <= acl_mask: [3] applying +0 (break)
52c12bbf <= acl_mask: [3] mask: =0
52c12bbf => dn: [26] cn=accesslog
52c12bbf => acl_get: [26] matched
52c12bbf => acl_get: [26] attr reqMod
52c12bbf => acl_mask: access to entry "reqStart=20131227145130.000001Z,cn=accesslog", attr "reqMod" requested
52c12bbf => acl_mask: to value by "cn=provisioninguser,dc=organisation,dc=com", (=0)
52c12bbf <= check a_dn_pat: cn=provisioninguser,dc=organisation,dc=com
52c12bbf <= acl_mask: [1] applying read(=rscxd) (stop)
52c12bbf <= acl_mask: [1] mask: read(=rscxd)
52c12bbf => slap_access_allowed: read access granted by read(=rscxd)
52c12bbf => access_allowed: read access granted by read(=rscxd)
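
As an added illustration, not slapd's code and not part of the original post, a small Python model of the evaluation order the admin guide describes (database list first, then the global list, with the implicit trailing "by * none"), loaded with the olcAccess rules quoted above; setting its fall_through switch to False reproduces the "no more rules" outcome of the first trace. The DNs come from the quoted configuration; any reqMod values fed to it are constructed.

```python
import re
from dataclasses import dataclass

# Toy model of slapd ACL evaluation (added example, not slapd code).
# A 'by' clause is (who, access, control); who is an exact DN or "*".
# 'by * break' names no access level, so it is modelled as granting nothing.

@dataclass
class Acl:
    clauses: list
    attr: str = None      # attrs=...; None matches any attribute
    valpat: str = None    # val.regex=...; None matches any value

def first_matching_clause(acl, bind_dn):
    """First 'by' clause whose <who> matches; slapd appends an implicit 'by * none'."""
    for who, access, control in acl.clauses:
        if who in ("*", bind_dn):
            return access, control
    return "none", "stop"

def evaluate(db_acls, global_acls, bind_dn, attr, value, fall_through=True):
    """Database ACLs first, then the global ones if fall_through is set.
    True is the order the admin guide documents; False stops at the end of the
    database list, as the first -d acl trace in the post does ("no more rules")."""
    for acls in ([db_acls, global_acls] if fall_through else [db_acls]):
        for acl in acls:
            if acl.attr is not None and acl.attr != attr:
                continue
            if acl.valpat is not None and not re.match(acl.valpat, value):
                continue
            access, control = first_matching_clause(acl, bind_dn)
            if control == "stop":
                return access
            # control == "break": +0, keep looking at the following ACLs
    return "none"  # "no more rules": denied

ORG = "dc=organisation,dc=com"
REPL, LOWSEC, PROV = (f"cn={n},{ORG}" for n in
                      ("replicationuser", "replication_low_security", "provisioninguser"))
# The olcAccess lists from the post, as data
SECRET_RULE = Acl([(REPL, "read", "stop"), (LOWSEC, "none", "stop"), ("*", "none", "break")],
                  attr="reqMod", valpat=r"^topSecretAttribute:.*")
GENERAL_RULE = Acl([(REPL, "read", "stop"), (LOWSEC, "read", "stop"), ("*", "none", "break")])
FRONTEND_RULE = Acl([(PROV, "read", "stop"), ("*", "none", "stop")])
DB_LAYOUT = ([SECRET_RULE, GENERAL_RULE], [FRONTEND_RULE])          # first config in the post
FRONTEND_LAYOUT = ([], [SECRET_RULE, GENERAL_RULE, FRONTEND_RULE])  # second config, all in FRONTEND
def decide(layout, bind_dn, value, fall_through=True):
    db_acls, global_acls = layout
    return evaluate(db_acls, global_acls, bind_dn, "reqMod", value, fall_through)
```

Calling decide(DB_LAYOUT, PROV, "description:+ x") with and without fall_through=False gives "read" and "none", the two outcomes the traces above show for the provisioning user.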
