
Re: ACL for object creation in subtree with specific attributes and object classes



On 05.08.2014, at 22:41, Simeon Ott <simeon.ott@onnet.ch> wrote:
> On 05.08.2014, at 18:03, Dieter Klünter <dieter@dkluenter.de> wrote:
>>>>> 
>>>>> As postmaster I'm still able to add objects to its domain. But I'm
>>>>> also able to add other objectclasses and attributes.
>>>>> 
>>>>> I think I messed around with the attributes entry and children –
>>>>> can anyone help me clean up? :-)
>>>> 
>>>> Run slapd in debugging mode acl and watch the rule number applied
>>>> to a write operation.
>>>> 
>>> 
>>> Okay, this didn't really help, but thanks anyway. I'm not familiar
>>> with reading those logs. I adjusted the loglevel to 128 to see the
>>> ACL processing, but it's still a huge amount of log lines when adding
>>> such an LDIF. I thought it was going to be an easy task.
>> 
>> I am talking about debugging, not logging!
>> man slapd(8)
>> 
> 
> Can you help me find the applied rule during the write process of an object with uid=1234? I used other object classes and attributes, which are not in the allowed attribute list. The debugging output is attached to this email. The current ACL set is listed below.
> 
> access to dn.regex="^(.+,)?ou=(.+),ou=domains,dc=mydomain$" attrs=userPassword
> 	by dn.base="cn=admin,dc=mydomain" write
> 	by self write
> 	by dn.base,expand="cn=postmaster,ou=$2,ou=domains,dc=mydomain" write
> 	by anonymous auth
> 	by * none
> 
> access to attrs=userPassword
> 	by dn.base="cn=admin,dc=mydomain" write
> 	by self write
> 	by anonymous auth
> 	by * none
> 
> access to dn.regex="^(.+,)?ou=(.+),ou=domains,dc=mydomain$" attrs=@CourierMailAccount,@inetOrgPerson,@top,@Vacation,entry,cn,sn,homeDirectory,vacationActive,vacationInfo,vacationForward,smtpRelayFlag,description,displayName,givenName,homePhone,homePostalAddress,initials,mobile,postalAddress,postalCode,l,telephoneNumber,title
> 	by self write
> 	by dn.base,expand="cn=postmaster,ou=$2,ou=domains,dc=mydomain" write
> 	by * read
> 
> access to dn.regex="^ou=(.+),ou=domains,dc=mydomain$" attrs=children
> 	by dn.base,expand="cn=postmaster,ou=$1,ou=domains,dc=mydomain" write
> 	by * read
> 
> access to *
> 	by dn.base="cn=admin,dc=mydomain" write
> 	by * read
> 
> Appreciate your help!
> simeon
> 
> <debug_output_write.txt>

The filter statement below actually did the trick.

access to dn.regex="^(.+,)?ou=(.+),ou=domains,dc=mydomain$" attrs=userPassword
	by dn.base="cn=admin,dc=mydomain" write
	by self write
	by dn.base,expand="cn=postmaster,ou=$2,ou=domains,dc=mydomain" write
	by anonymous auth
	by * none

access to attrs=userPassword
	by dn.base="cn=admin,dc=mydomain" write
	by self write
	by anonymous auth
	by * none

access to dn.regex="^ou=(.+),ou=domains,dc=mydomain$" attrs=children
	by dn.base,expand="cn=postmaster,ou=$1,ou=domains,dc=mydomain" write
	by * read

access to dn.regex="^(.+,)?ou=(.+),ou=domains,dc=mydomain$" attrs=entry,cn,uidNumber,gidNumber,sn,homeDirectory,vacationActive,vacationInfo,vacationForward,smtpRelayFlag,description,displayName,givenName,homePhone,homePostalAddress,initials,mobile,postalAddress,postalCode,l,telephoneNumber,title
	filter="(&(objectClass=CourierMailAccount)(objectClass=inetOrgPerson)(objectClass=top)(objectClass=Vacation))"
	by self write
	by dn.base,expand="cn=postmaster,ou=$2,ou=domains,dc=mydomain" write
	by * read

access to *
	by dn.base="cn=admin,dc=mydomain" write
	by * read
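As an added example that is not part of the thread, a small Python model of how the two rules above that carry the entry pseudo-attribute (the filtered one and the trailing access to *) pick a clause when a postmaster adds an entry in his own domain; the DNs, the mailbox entry and the model itself are constructed here and are not slapd's code.

```python
import re

# Constructed model (not slapd's code) of the two rules above that decide access to the
# "entry" pseudo-attribute on an add: first matching rule, then first matching "by" clause.
# Only dn.regex, dn.base with expand, self, * and an AND-of-equality filter= are modelled.
RULES = [
    {"dn": r"^(.+,)?ou=(.+),ou=domains,dc=mydomain$",
     "filter": "(&(objectClass=CourierMailAccount)(objectClass=inetOrgPerson)"
               "(objectClass=top)(objectClass=Vacation))",
     "by": [("self", None, "write"),
            ("expand", "cn=postmaster,ou=$2,ou=domains,dc=mydomain", "write"),
            ("*", None, "read")]},
    {"dn": r".*", "filter": None,  # the trailing "access to *" rule
     "by": [("dn", "cn=admin,dc=mydomain", "write"), ("*", None, "read")]},
]

def filter_matches(ldap_filter, entry):
    """AND-of-equality filters only; names and values compare case-insensitively."""
    have = {k.lower(): {v.lower() for v in vs} for k, vs in entry.items()}
    return ldap_filter is None or all(val.lower() in have.get(attr.lower(), set())
        for attr, val in re.findall(r"\((\w+)=([^()]+)\)", ldap_filter))

def expand(template, match):  # replace $1, $2 ... with the groups the dn.regex captured
    return re.sub(r"\$(\d)", lambda g: match.group(int(g.group(1))) or "", template)

def entry_access(requester, target_dn, entry):  # -> "write", "read" or "none" on target's entry
    for rule in RULES:
        m = re.match(rule["dn"], target_dn, re.IGNORECASE)
        if not m or not filter_matches(rule["filter"], entry):
            continue  # rule does not apply to this target; try the next one
        for kind, who, access in rule["by"]:
            if (kind == "*" or (kind == "self" and requester.lower() == target_dn.lower())
                    or (kind == "dn" and requester.lower() == who.lower())
                    or (kind == "expand" and requester.lower() == expand(who, m).lower())):
                return access
        return "none"  # rule applied but no "by" clause matched
    return "none"  # no rule applied; this model denies

MAILBOX = {"objectClass": ["top", "inetOrgPerson", "CourierMailAccount", "Vacation"], "uid": ["1234"]}
POSTMASTER = "cn=postmaster,ou=example.com,ou=domains,dc=mydomain"  # constructed sample data
TARGET = "uid=1234,ou=example.com,ou=domains,dc=mydomain"

def demo():
    short = dict(MAILBOX, objectClass=["top", "inetOrgPerson"])  # filter unsatisfied
    extra = dict(MAILBOX, objectClass=MAILBOX["objectClass"] + ["posixAccount"])
    return {"own domain, required classes": entry_access(POSTMASTER, TARGET, MAILBOX),
            "own domain, classes missing": entry_access(POSTMASTER, TARGET, short),
            "own domain, extra class": entry_access(POSTMASTER, TARGET, extra),
            "other domain's postmaster": entry_access(
                "cn=postmaster,ou=other.org,ou=domains,dc=mydomain", TARGET, MAILBOX)}
```

The "extra class" case shows what the filter= does and does not do: an AND of equality assertions is satisfied by any entry that carries the four classes, including one that carries more, so the filter fixes which object classes must be present, not which may be.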