[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
(ITS#7346) ACL processing: additive privs (using control continue)
- To: openldap-its@OpenLDAP.org
- Subject: (ITS#7346) ACL processing: additive privs (using control continue)
- From: daniel@pluta.biz
- Date: Sat, 4 Aug 2012 16:24:14 GMT
- Auto-submitted: auto-generated (OpenLDAP-ITS)
Full_Name: Daniel Pluta
Version: MASTER
OS: Linux
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (84.167.55.212)
For further explainations please vistit this technical-posting:
http://www.openldap.org/lists/openldap-technical/201208/msg00025.html
Testbed containing slapd.conf, data, ldapsearch-queries and 128-logs are given
below.
Thanks a lot
------8<--------- slapd.conf --------8<---------
include /opt/openldap-HEAD/etc/openldap/schema/core.schema
pidfile /opt/openldap-HEAD/var/run/slapd.pid
argsfile /opt/openldap-HEAD/var/run/slapd.args
access to *
by self write
by users read
by anonymous auth
database mdb
suffix "o=test"
rootdn "cn=Manager,o=test"
rootpw secret
directory /opt/openldap-HEAD/var/openldap-data/test
index objectClass eq
access to dn.subtree="o=test" attrs=sn
by users =s continue
by group/groupOfNames/member="cn=readers,ou=groups,o=test" +r
------8<--------- sample data --------8<---------
version: 1
dn: o=test
objectClass: organization
objectClass: top
o: test
dn: ou=groups,o=test
objectClass: organizationalUnit
objectClass: top
ou: groups
dn: ou=persons,o=test
objectClass: organizationalUnit
objectClass: top
ou: persons
dn: cn=PersonA,ou=persons,o=test
objectClass: person
objectClass: top
cn: PersonA
sn: PersonA
userPassword:: UGVyc29uQQ==
dn: cn=PersonB,ou=persons,o=test
objectClass: person
objectClass: top
cn: PersonB
sn: PersonB
userPassword:: UGVyc29uQg==
dn: cn=readers,ou=groups,o=test
objectClass: groupOfNames
objectClass: top
cn: readers
member: cn=PersonA,ou=persons,o=test
------8<---------Tests using ldapsearch--------8<---------
#Test 1 seem to work as intended:
# bindDn "cn=PersonA,..." is member of group "cn=readers,..."
# filter: sn=*
# search succeeds (that's ok)
# read succeeds (that's ok, too)
deepee@test:~$ ldapsearch -x -H "ldap://localhost:1389/"; -D
"cn=PersonA,ou=persons,o=test" -w PersonA -b "ou=persons,o=test" '(sn=*)' sn cn
# extended LDIF
#
# LDAPv3
# base <ou=persons,o=test> with scope subtree
# filter: (sn=*)
# requesting: sn cn
#
# PersonA, persons, test
dn: cn=PersonA,ou=persons,o=test
sn: PersonA
cn: PersonA
# PersonB, persons, test
dn: cn=PersonB,ou=persons,o=test
cn: PersonB
sn: PersonB
# search result
search: 2
result: 0 Success
# numResponses: 3
# numEntries: 2
#slapd's log (level 128):
501be157 => access_allowed: result not in cache (userPassword)
501be157 => access_allowed: auth access to "cn=PersonA,ou=persons,o=test"
"userPassword" requested
501be157 => dn: [1] o=test
501be157 => acl_get: [1] matched
501be157 => acl_get: [2] attr userPassword
501be157 => acl_mask: access to entry "cn=PersonA,ou=persons,o=test", attr
"userPassword" requested
501be157 => acl_mask: to value by "", (=0)
501be157 <= check a_dn_pat: self
501be157 <= check a_dn_pat: users
501be157 <= check a_dn_pat: anonymous
501be157 <= acl_mask: [3] applying auth(=xd) (stop)
501be157 <= acl_mask: [3] mask: auth(=xd)
501be157 => slap_access_allowed: auth access granted by auth(=xd)
501be157 => access_allowed: auth access granted by auth(=xd)
501be157 => access_allowed: search access to "ou=persons,o=test" "entry"
requested
501be157 => dn: [1] o=test
501be157 => acl_get: [1] matched
501be157 => acl_get: [2] attr entry
501be157 => acl_mask: access to entry "ou=persons,o=test", attr "entry"
requested
501be157 => acl_mask: to all values by "cn=persona,ou=persons,o=test", (=0)
501be157 <= check a_dn_pat: self
501be157 <= check a_dn_pat: users
501be157 <= acl_mask: [2] applying read(=rscxd) (stop)
501be157 <= acl_mask: [2] mask: read(=rscxd)
501be157 => slap_access_allowed: search access granted by read(=rscxd)
501be157 => access_allowed: search access granted by read(=rscxd)
501be157 => access_allowed: search access to "ou=persons,o=test" "sn" requested
501be157 => dn: [1] o=test
501be157 => acl_get: [1] matched
501be157 => acl_get: [1] attr sn
501be157 => acl_mask: access to entry "ou=persons,o=test", attr "sn" requested
501be157 => acl_mask: to all values by "cn=persona,ou=persons,o=test", (=0)
501be157 <= check a_dn_pat: users
501be157 <= acl_mask: [1] applying =s (continue)
501be157 <= acl_mask: [1] mask: =s
501be157 <= check a_group_pat: cn=readers,ou=groups,o=test
501be157 => mdb_entry_get: found entry: "cn=readers,ou=groups,o=test"
501be157 <= acl_mask: [2] applying +r (stop)
501be157 <= acl_mask: [2] mask: =rs
501be157 => slap_access_allowed: search access granted by =rs
501be157 => access_allowed: search access granted by =rs
501be157 => access_allowed: search access to "cn=PersonA,ou=persons,o=test" "sn"
requested
501be157 => dn: [1] o=test
501be157 => acl_get: [1] matched
501be157 => acl_get: [1] attr sn
501be157 => acl_mask: access to entry "cn=PersonA,ou=persons,o=test", attr "sn"
requested
501be157 => acl_mask: to all values by "cn=persona,ou=persons,o=test", (=0)
501be157 <= check a_dn_pat: users
501be157 <= acl_mask: [1] applying =s (continue)
501be157 <= acl_mask: [1] mask: =s
501be157 <= check a_group_pat: cn=readers,ou=groups,o=test
501be157 <= acl_mask: [2] applying +r (stop)
501be157 <= acl_mask: [2] mask: =rs
501be157 => slap_access_allowed: search access granted by =rs
501be157 => access_allowed: search access granted by =rs
501be157 => access_allowed: read access to "cn=PersonA,ou=persons,o=test"
"entry" requested
501be157 => dn: [1] o=test
501be157 => acl_get: [1] matched
501be157 => acl_get: [2] attr entry
501be157 => acl_mask: access to entry "cn=PersonA,ou=persons,o=test", attr
"entry" requested
501be157 => acl_mask: to all values by "cn=persona,ou=persons,o=test", (=0)
501be157 <= check a_dn_pat: self
501be157 <= acl_mask: [1] applying write(=wrscxd) (stop)
501be157 <= acl_mask: [1] mask: write(=wrscxd)
501be157 => slap_access_allowed: read access granted by write(=wrscxd)
501be157 => access_allowed: read access granted by write(=wrscxd)
501be157 => access_allowed: result not in cache (sn)
501be157 => access_allowed: read access to "cn=PersonA,ou=persons,o=test" "sn"
requested
501be157 => dn: [1] o=test
501be157 => acl_get: [1] matched
501be157 => acl_get: [1] attr sn
501be157 => acl_mask: access to entry "cn=PersonA,ou=persons,o=test", attr "sn"
requested
501be157 => acl_mask: to value by "cn=persona,ou=persons,o=test", (=0)
501be157 <= check a_dn_pat: users
501be157 <= acl_mask: [1] applying =s (continue)
501be157 <= acl_mask: [1] mask: =s
501be157 <= check a_group_pat: cn=readers,ou=groups,o=test
501be157 <= acl_mask: [2] applying +r (stop)
501be157 <= acl_mask: [2] mask: =rs
501be157 => slap_access_allowed: read access granted by =rs
501be157 => access_allowed: read access granted by =rs
501be157 => access_allowed: result not in cache (cn)
501be157 => access_allowed: read access to "cn=PersonA,ou=persons,o=test" "cn"
requested
501be157 => dn: [1] o=test
501be157 => acl_get: [1] matched
501be157 => acl_get: [2] attr cn
501be157 => acl_mask: access to entry "cn=PersonA,ou=persons,o=test", attr "cn"
requested
501be157 => acl_mask: to value by "cn=persona,ou=persons,o=test", (=0)
501be157 <= check a_dn_pat: self
501be157 <= acl_mask: [1] applying write(=wrscxd) (stop)
501be157 <= acl_mask: [1] mask: write(=wrscxd)
501be157 => slap_access_allowed: read access granted by write(=wrscxd)
501be157 => access_allowed: read access granted by write(=wrscxd)
501be157 => access_allowed: search access to "cn=PersonB,ou=persons,o=test" "sn"
requested
501be157 => dn: [1] o=test
501be157 => acl_get: [1] matched
501be157 => acl_get: [1] attr sn
501be157 => acl_mask: access to entry "cn=PersonB,ou=persons,o=test", attr "sn"
requested
501be157 => acl_mask: to all values by "cn=persona,ou=persons,o=test", (=0)
501be157 <= check a_dn_pat: users
501be157 <= acl_mask: [1] applying =s (continue)
501be157 <= acl_mask: [1] mask: =s
501be157 <= check a_group_pat: cn=readers,ou=groups,o=test
501be157 <= acl_mask: [2] applying +r (stop)
501be157 <= acl_mask: [2] mask: =rs
501be157 => slap_access_allowed: search access granted by =rs
501be157 => access_allowed: search access granted by =rs
501be157 => access_allowed: read access to "cn=PersonB,ou=persons,o=test"
"entry" requested
501be157 => dn: [1] o=test
501be157 => acl_get: [1] matched
501be157 => acl_get: [2] attr entry
501be157 => acl_mask: access to entry "cn=PersonB,ou=persons,o=test", attr
"entry" requested
501be157 => acl_mask: to all values by "cn=persona,ou=persons,o=test", (=0)
501be157 <= check a_dn_pat: self
501be157 <= check a_dn_pat: users
501be157 <= acl_mask: [2] applying read(=rscxd) (stop)
501be157 <= acl_mask: [2] mask: read(=rscxd)
501be157 => slap_access_allowed: read access granted by read(=rscxd)
501be157 => access_allowed: read access granted by read(=rscxd)
501be157 => access_allowed: result not in cache (cn)
501be157 => access_allowed: read access to "cn=PersonB,ou=persons,o=test" "cn"
requested
501be157 => dn: [1] o=test
501be157 => acl_get: [1] matched
501be157 => acl_get: [2] attr cn
501be157 => acl_mask: access to entry "cn=PersonB,ou=persons,o=test", attr "cn"
requested
501be157 => acl_mask: to value by "cn=persona,ou=persons,o=test", (=0)
501be157 <= check a_dn_pat: self
501be157 <= check a_dn_pat: users
501be157 <= acl_mask: [2] applying read(=rscxd) (stop)
501be157 <= acl_mask: [2] mask: read(=rscxd)
501be157 => slap_access_allowed: read access granted by read(=rscxd)
501be157 => access_allowed: read access granted by read(=rscxd)
501be157 => access_allowed: result not in cache (sn)
501be157 => access_allowed: read access to "cn=PersonB,ou=persons,o=test" "sn"
requested
501be157 => dn: [1] o=test
501be157 => acl_get: [1] matched
501be157 => acl_get: [1] attr sn
501be157 => acl_mask: access to entry "cn=PersonB,ou=persons,o=test", attr "sn"
requested
501be157 => acl_mask: to value by "cn=persona,ou=persons,o=test", (=0)
501be157 <= check a_dn_pat: users
501be157 <= acl_mask: [1] applying =s (continue)
501be157 <= acl_mask: [1] mask: =s
501be157 <= check a_group_pat: cn=readers,ou=groups,o=test
501be157 <= acl_mask: [2] applying +r (stop)
501be157 <= acl_mask: [2] mask: =rs
501be157 => slap_access_allowed: read access granted by =rs
501be157 => access_allowed: read access granted by =rs
#Test 2 does not seem to work as intended (at least to me):
# bindDn "cn=PersonB,..." not a member of group "cn=readers,..."
# filter: sn=*
# read fails (that's ok)
# search fails (but why is the privilege "=s" reset?)
deepee@test:~$ ldapsearch -x -H "ldap://localhost:1389/"; -D
"cn=PersonB,ou=persons,o=test" -w PersonB -b "ou=persons,o=test" '(sn=*)' sn cn
# extended LDIF
#
# LDAPv3
# base <ou=persons,o=test> with scope subtree
# filter: (sn=*)
# requesting: sn cn
#
# search result
search: 2
result: 0 Success
# numResponses: 1
#slapd's log (level 128):
501be196 => access_allowed: result not in cache (userPassword)
501be196 => access_allowed: auth access to "cn=PersonB,ou=persons,o=test"
"userPassword" requested
501be196 => dn: [1] o=test
501be196 => acl_get: [1] matched
501be196 => acl_get: [2] attr userPassword
501be196 => acl_mask: access to entry "cn=PersonB,ou=persons,o=test", attr
"userPassword" requested
501be196 => acl_mask: to value by "", (=0)
501be196 <= check a_dn_pat: self
501be196 <= check a_dn_pat: users
501be196 <= check a_dn_pat: anonymous
501be196 <= acl_mask: [3] applying auth(=xd) (stop)
501be196 <= acl_mask: [3] mask: auth(=xd)
501be196 => slap_access_allowed: auth access granted by auth(=xd)
501be196 => access_allowed: auth access granted by auth(=xd)
501be196 => access_allowed: search access to "ou=persons,o=test" "entry"
requested
501be196 => dn: [1] o=test
501be196 => acl_get: [1] matched
501be196 => acl_get: [2] attr entry
501be196 => acl_mask: access to entry "ou=persons,o=test", attr "entry"
requested
501be196 => acl_mask: to all values by "cn=personb,ou=persons,o=test", (=0)
501be196 <= check a_dn_pat: self
501be196 <= check a_dn_pat: users
501be196 <= acl_mask: [2] applying read(=rscxd) (stop)
501be196 <= acl_mask: [2] mask: read(=rscxd)
501be196 => slap_access_allowed: search access granted by read(=rscxd)
501be196 => access_allowed: search access granted by read(=rscxd)
501be196 => access_allowed: search access to "ou=persons,o=test" "sn" requested
501be196 => dn: [1] o=test
501be196 => acl_get: [1] matched
501be196 => acl_get: [1] attr sn
501be196 => acl_mask: access to entry "ou=persons,o=test", attr "sn" requested
501be196 => acl_mask: to all values by "cn=personb,ou=persons,o=test", (=0)
501be196 <= check a_dn_pat: users
501be196 <= acl_mask: [1] applying =s (continue)
501be196 <= acl_mask: [1] mask: =s
501be196 <= check a_group_pat: cn=readers,ou=groups,o=test
501be196 => mdb_entry_get: found entry: "cn=readers,ou=groups,o=test"
501be196 <= acl_mask: no more <who> clauses, returning =0 (stop)
501be196 => slap_access_allowed: search access denied by =0
501be196 => access_allowed: no more rules
501be196 => access_allowed: search access to "cn=PersonA,ou=persons,o=test" "sn"
requested
501be196 => dn: [1] o=test
501be196 => acl_get: [1] matched
501be196 => acl_get: [1] attr sn
501be196 => acl_mask: access to entry "cn=PersonA,ou=persons,o=test", attr "sn"
requested
501be196 => acl_mask: to all values by "cn=personb,ou=persons,o=test", (=0)
501be196 <= check a_dn_pat: users
501be196 <= acl_mask: [1] applying =s (continue)
501be196 <= acl_mask: [1] mask: =s
501be196 <= check a_group_pat: cn=readers,ou=groups,o=test
501be196 <= acl_mask: no more <who> clauses, returning =0 (stop)
501be196 => slap_access_allowed: search access denied by =0
501be196 => access_allowed: no more rules
501be196 => access_allowed: search access to "cn=PersonB,ou=persons,o=test" "sn"
requested
501be196 => dn: [1] o=test
501be196 => acl_get: [1] matched
501be196 => acl_get: [1] attr sn
501be196 => acl_mask: access to entry "cn=PersonB,ou=persons,o=test", attr "sn"
requested
501be196 => acl_mask: to all values by "cn=personb,ou=persons,o=test", (=0)
501be196 <= check a_dn_pat: users
501be196 <= acl_mask: [1] applying =s (continue)
501be196 <= acl_mask: [1] mask: =s
501be196 <= check a_group_pat: cn=readers,ou=groups,o=test
501be196 <= acl_mask: no more <who> clauses, returning =0 (stop)
501be196 => slap_access_allowed: search access denied by =0
501be196 => access_allowed: no more rules