[Date Prev][Date Next] [Chronological] [Thread] [Top]
(ITS#7346) ACL processing: additive privs (using control continue)

To: openldap-its@OpenLDAP.org
Subject: (ITS#7346) ACL processing: additive privs (using control continue)
From: daniel@pluta.biz
Date: Sat, 4 Aug 2012 16:24:14 GMT
Auto-submitted: auto-generated (OpenLDAP-ITS)
Full_Name: Daniel Pluta
Version: MASTER
OS: Linux
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (84.167.55.212)


For further explainations please vistit this technical-posting:

http://www.openldap.org/lists/openldap-technical/201208/msg00025.html

Testbed containing slapd.conf, data, ldapsearch-queries and 128-logs are given
below.

Thanks a lot


------8<---------    slapd.conf    --------8<---------


include         /opt/openldap-HEAD/etc/openldap/schema/core.schema

pidfile         /opt/openldap-HEAD/var/run/slapd.pid
argsfile        /opt/openldap-HEAD/var/run/slapd.args

access to *
 by self write
 by users read
 by anonymous auth

database        mdb
suffix          "o=test"
rootdn          "cn=Manager,o=test"
rootpw          secret
directory       /opt/openldap-HEAD/var/openldap-data/test
index   objectClass     eq

access to dn.subtree="o=test" attrs=sn
 by users =s continue
 by group/groupOfNames/member="cn=readers,ou=groups,o=test" +r


------8<---------      sample data     --------8<---------


version: 1

dn: o=test
objectClass: organization
objectClass: top
o: test

dn: ou=groups,o=test
objectClass: organizationalUnit
objectClass: top
ou: groups

dn: ou=persons,o=test
objectClass: organizationalUnit
objectClass: top
ou: persons

dn: cn=PersonA,ou=persons,o=test
objectClass: person
objectClass: top
cn: PersonA
sn: PersonA
userPassword:: UGVyc29uQQ==

dn: cn=PersonB,ou=persons,o=test
objectClass: person
objectClass: top
cn: PersonB
sn: PersonB
userPassword:: UGVyc29uQg==

dn: cn=readers,ou=groups,o=test
objectClass: groupOfNames
objectClass: top
cn: readers
member: cn=PersonA,ou=persons,o=test


------8<---------Tests using ldapsearch--------8<---------


#Test 1 seem to work as intended:
#  bindDn "cn=PersonA,..." is member of group "cn=readers,..."
#  filter: sn=*
#  search succeeds (that's ok)
#  read succeeds (that's ok, too)

deepee@test:~$ ldapsearch -x -H "ldap://localhost:1389/";; -D
"cn=PersonA,ou=persons,o=test" -w PersonA -b "ou=persons,o=test" '(sn=*)' sn cn
# extended LDIF
#
# LDAPv3
# base <ou=persons,o=test> with scope subtree
# filter: (sn=*)
# requesting: sn cn
#

# PersonA, persons, test
dn: cn=PersonA,ou=persons,o=test
sn: PersonA
cn: PersonA

# PersonB, persons, test
dn: cn=PersonB,ou=persons,o=test
cn: PersonB
sn: PersonB

# search result
search: 2
result: 0 Success

# numResponses: 3
# numEntries: 2


#slapd's log (level 128):

501be157 => access_allowed: result not in cache (userPassword)
501be157 => access_allowed: auth access to "cn=PersonA,ou=persons,o=test"
"userPassword" requested
501be157 => dn: [1] o=test
501be157 => acl_get: [1] matched
501be157 => acl_get: [2] attr userPassword
501be157 => acl_mask: access to entry "cn=PersonA,ou=persons,o=test", attr
"userPassword" requested
501be157 => acl_mask: to value by "", (=0)
501be157 <= check a_dn_pat: self
501be157 <= check a_dn_pat: users
501be157 <= check a_dn_pat: anonymous
501be157 <= acl_mask: [3] applying auth(=xd) (stop)
501be157 <= acl_mask: [3] mask: auth(=xd)
501be157 => slap_access_allowed: auth access granted by auth(=xd)
501be157 => access_allowed: auth access granted by auth(=xd)
501be157 => access_allowed: search access to "ou=persons,o=test" "entry"
requested
501be157 => dn: [1] o=test
501be157 => acl_get: [1] matched
501be157 => acl_get: [2] attr entry
501be157 => acl_mask: access to entry "ou=persons,o=test", attr "entry"
requested
501be157 => acl_mask: to all values by "cn=persona,ou=persons,o=test", (=0)
501be157 <= check a_dn_pat: self
501be157 <= check a_dn_pat: users
501be157 <= acl_mask: [2] applying read(=rscxd) (stop)
501be157 <= acl_mask: [2] mask: read(=rscxd)
501be157 => slap_access_allowed: search access granted by read(=rscxd)
501be157 => access_allowed: search access granted by read(=rscxd)
501be157 => access_allowed: search access to "ou=persons,o=test" "sn" requested
501be157 => dn: [1] o=test
501be157 => acl_get: [1] matched
501be157 => acl_get: [1] attr sn
501be157 => acl_mask: access to entry "ou=persons,o=test", attr "sn" requested
501be157 => acl_mask: to all values by "cn=persona,ou=persons,o=test", (=0)
501be157 <= check a_dn_pat: users
501be157 <= acl_mask: [1] applying =s (continue)
501be157 <= acl_mask: [1] mask: =s
501be157 <= check a_group_pat: cn=readers,ou=groups,o=test
501be157 => mdb_entry_get: found entry: "cn=readers,ou=groups,o=test"
501be157 <= acl_mask: [2] applying +r (stop)
501be157 <= acl_mask: [2] mask: =rs
501be157 => slap_access_allowed: search access granted by =rs
501be157 => access_allowed: search access granted by =rs
501be157 => access_allowed: search access to "cn=PersonA,ou=persons,o=test" "sn"
requested
501be157 => dn: [1] o=test
501be157 => acl_get: [1] matched
501be157 => acl_get: [1] attr sn
501be157 => acl_mask: access to entry "cn=PersonA,ou=persons,o=test", attr "sn"
requested
501be157 => acl_mask: to all values by "cn=persona,ou=persons,o=test", (=0)
501be157 <= check a_dn_pat: users
501be157 <= acl_mask: [1] applying =s (continue)
501be157 <= acl_mask: [1] mask: =s
501be157 <= check a_group_pat: cn=readers,ou=groups,o=test
501be157 <= acl_mask: [2] applying +r (stop)
501be157 <= acl_mask: [2] mask: =rs
501be157 => slap_access_allowed: search access granted by =rs
501be157 => access_allowed: search access granted by =rs
501be157 => access_allowed: read access to "cn=PersonA,ou=persons,o=test"
"entry" requested
501be157 => dn: [1] o=test
501be157 => acl_get: [1] matched
501be157 => acl_get: [2] attr entry
501be157 => acl_mask: access to entry "cn=PersonA,ou=persons,o=test", attr
"entry" requested
501be157 => acl_mask: to all values by "cn=persona,ou=persons,o=test", (=0)
501be157 <= check a_dn_pat: self
501be157 <= acl_mask: [1] applying write(=wrscxd) (stop)
501be157 <= acl_mask: [1] mask: write(=wrscxd)
501be157 => slap_access_allowed: read access granted by write(=wrscxd)
501be157 => access_allowed: read access granted by write(=wrscxd)
501be157 => access_allowed: result not in cache (sn)
501be157 => access_allowed: read access to "cn=PersonA,ou=persons,o=test" "sn"
requested
501be157 => dn: [1] o=test
501be157 => acl_get: [1] matched
501be157 => acl_get: [1] attr sn
501be157 => acl_mask: access to entry "cn=PersonA,ou=persons,o=test", attr "sn"
requested
501be157 => acl_mask: to value by "cn=persona,ou=persons,o=test", (=0)
501be157 <= check a_dn_pat: users
501be157 <= acl_mask: [1] applying =s (continue)
501be157 <= acl_mask: [1] mask: =s
501be157 <= check a_group_pat: cn=readers,ou=groups,o=test
501be157 <= acl_mask: [2] applying +r (stop)
501be157 <= acl_mask: [2] mask: =rs
501be157 => slap_access_allowed: read access granted by =rs
501be157 => access_allowed: read access granted by =rs
501be157 => access_allowed: result not in cache (cn)
501be157 => access_allowed: read access to "cn=PersonA,ou=persons,o=test" "cn"
requested
501be157 => dn: [1] o=test
501be157 => acl_get: [1] matched
501be157 => acl_get: [2] attr cn
501be157 => acl_mask: access to entry "cn=PersonA,ou=persons,o=test", attr "cn"
requested
501be157 => acl_mask: to value by "cn=persona,ou=persons,o=test", (=0)
501be157 <= check a_dn_pat: self
501be157 <= acl_mask: [1] applying write(=wrscxd) (stop)
501be157 <= acl_mask: [1] mask: write(=wrscxd)
501be157 => slap_access_allowed: read access granted by write(=wrscxd)
501be157 => access_allowed: read access granted by write(=wrscxd)
501be157 => access_allowed: search access to "cn=PersonB,ou=persons,o=test" "sn"
requested
501be157 => dn: [1] o=test
501be157 => acl_get: [1] matched
501be157 => acl_get: [1] attr sn
501be157 => acl_mask: access to entry "cn=PersonB,ou=persons,o=test", attr "sn"
requested
501be157 => acl_mask: to all values by "cn=persona,ou=persons,o=test", (=0)
501be157 <= check a_dn_pat: users
501be157 <= acl_mask: [1] applying =s (continue)
501be157 <= acl_mask: [1] mask: =s
501be157 <= check a_group_pat: cn=readers,ou=groups,o=test
501be157 <= acl_mask: [2] applying +r (stop)
501be157 <= acl_mask: [2] mask: =rs
501be157 => slap_access_allowed: search access granted by =rs
501be157 => access_allowed: search access granted by =rs
501be157 => access_allowed: read access to "cn=PersonB,ou=persons,o=test"
"entry" requested
501be157 => dn: [1] o=test
501be157 => acl_get: [1] matched
501be157 => acl_get: [2] attr entry
501be157 => acl_mask: access to entry "cn=PersonB,ou=persons,o=test", attr
"entry" requested
501be157 => acl_mask: to all values by "cn=persona,ou=persons,o=test", (=0)
501be157 <= check a_dn_pat: self
501be157 <= check a_dn_pat: users
501be157 <= acl_mask: [2] applying read(=rscxd) (stop)
501be157 <= acl_mask: [2] mask: read(=rscxd)
501be157 => slap_access_allowed: read access granted by read(=rscxd)
501be157 => access_allowed: read access granted by read(=rscxd)
501be157 => access_allowed: result not in cache (cn)
501be157 => access_allowed: read access to "cn=PersonB,ou=persons,o=test" "cn"
requested
501be157 => dn: [1] o=test
501be157 => acl_get: [1] matched
501be157 => acl_get: [2] attr cn
501be157 => acl_mask: access to entry "cn=PersonB,ou=persons,o=test", attr "cn"
requested
501be157 => acl_mask: to value by "cn=persona,ou=persons,o=test", (=0)
501be157 <= check a_dn_pat: self
501be157 <= check a_dn_pat: users
501be157 <= acl_mask: [2] applying read(=rscxd) (stop)
501be157 <= acl_mask: [2] mask: read(=rscxd)
501be157 => slap_access_allowed: read access granted by read(=rscxd)
501be157 => access_allowed: read access granted by read(=rscxd)
501be157 => access_allowed: result not in cache (sn)
501be157 => access_allowed: read access to "cn=PersonB,ou=persons,o=test" "sn"
requested
501be157 => dn: [1] o=test
501be157 => acl_get: [1] matched
501be157 => acl_get: [1] attr sn
501be157 => acl_mask: access to entry "cn=PersonB,ou=persons,o=test", attr "sn"
requested
501be157 => acl_mask: to value by "cn=persona,ou=persons,o=test", (=0)
501be157 <= check a_dn_pat: users
501be157 <= acl_mask: [1] applying =s (continue)
501be157 <= acl_mask: [1] mask: =s
501be157 <= check a_group_pat: cn=readers,ou=groups,o=test
501be157 <= acl_mask: [2] applying +r (stop)
501be157 <= acl_mask: [2] mask: =rs
501be157 => slap_access_allowed: read access granted by =rs
501be157 => access_allowed: read access granted by =rs







#Test 2 does not seem to work as intended (at least to me):
#  bindDn "cn=PersonB,..." not a member of group "cn=readers,..."
#  filter: sn=*
#  read fails (that's ok)
#  search fails (but why is the privilege "=s" reset?)

deepee@test:~$ ldapsearch -x -H "ldap://localhost:1389/";; -D
"cn=PersonB,ou=persons,o=test" -w PersonB -b "ou=persons,o=test" '(sn=*)' sn cn
# extended LDIF
#
# LDAPv3
# base <ou=persons,o=test> with scope subtree
# filter: (sn=*)
# requesting: sn cn
#

# search result
search: 2
result: 0 Success

# numResponses: 1


#slapd's log (level 128):

501be196 => access_allowed: result not in cache (userPassword)
501be196 => access_allowed: auth access to "cn=PersonB,ou=persons,o=test"
"userPassword" requested
501be196 => dn: [1] o=test
501be196 => acl_get: [1] matched
501be196 => acl_get: [2] attr userPassword
501be196 => acl_mask: access to entry "cn=PersonB,ou=persons,o=test", attr
"userPassword" requested
501be196 => acl_mask: to value by "", (=0)
501be196 <= check a_dn_pat: self
501be196 <= check a_dn_pat: users
501be196 <= check a_dn_pat: anonymous
501be196 <= acl_mask: [3] applying auth(=xd) (stop)
501be196 <= acl_mask: [3] mask: auth(=xd)
501be196 => slap_access_allowed: auth access granted by auth(=xd)
501be196 => access_allowed: auth access granted by auth(=xd)
501be196 => access_allowed: search access to "ou=persons,o=test" "entry"
requested
501be196 => dn: [1] o=test
501be196 => acl_get: [1] matched
501be196 => acl_get: [2] attr entry
501be196 => acl_mask: access to entry "ou=persons,o=test", attr "entry"
requested
501be196 => acl_mask: to all values by "cn=personb,ou=persons,o=test", (=0)
501be196 <= check a_dn_pat: self
501be196 <= check a_dn_pat: users
501be196 <= acl_mask: [2] applying read(=rscxd) (stop)
501be196 <= acl_mask: [2] mask: read(=rscxd)
501be196 => slap_access_allowed: search access granted by read(=rscxd)
501be196 => access_allowed: search access granted by read(=rscxd)
501be196 => access_allowed: search access to "ou=persons,o=test" "sn" requested
501be196 => dn: [1] o=test
501be196 => acl_get: [1] matched
501be196 => acl_get: [1] attr sn
501be196 => acl_mask: access to entry "ou=persons,o=test", attr "sn" requested
501be196 => acl_mask: to all values by "cn=personb,ou=persons,o=test", (=0)
501be196 <= check a_dn_pat: users
501be196 <= acl_mask: [1] applying =s (continue)
501be196 <= acl_mask: [1] mask: =s
501be196 <= check a_group_pat: cn=readers,ou=groups,o=test
501be196 => mdb_entry_get: found entry: "cn=readers,ou=groups,o=test"
501be196 <= acl_mask: no more <who> clauses, returning =0 (stop)
501be196 => slap_access_allowed: search access denied by =0
501be196 => access_allowed: no more rules
501be196 => access_allowed: search access to "cn=PersonA,ou=persons,o=test" "sn"
requested
501be196 => dn: [1] o=test
501be196 => acl_get: [1] matched
501be196 => acl_get: [1] attr sn
501be196 => acl_mask: access to entry "cn=PersonA,ou=persons,o=test", attr "sn"
requested
501be196 => acl_mask: to all values by "cn=personb,ou=persons,o=test", (=0)
501be196 <= check a_dn_pat: users
501be196 <= acl_mask: [1] applying =s (continue)
501be196 <= acl_mask: [1] mask: =s
501be196 <= check a_group_pat: cn=readers,ou=groups,o=test
501be196 <= acl_mask: no more <who> clauses, returning =0 (stop)
501be196 => slap_access_allowed: search access denied by =0
501be196 => access_allowed: no more rules
501be196 => access_allowed: search access to "cn=PersonB,ou=persons,o=test" "sn"
requested
501be196 => dn: [1] o=test
501be196 => acl_get: [1] matched
501be196 => acl_get: [1] attr sn
501be196 => acl_mask: access to entry "cn=PersonB,ou=persons,o=test", attr "sn"
requested
501be196 => acl_mask: to all values by "cn=personb,ou=persons,o=test", (=0)
501be196 <= check a_dn_pat: users
501be196 <= acl_mask: [1] applying =s (continue)
501be196 <= acl_mask: [1] mask: =s
501be196 <= check a_group_pat: cn=readers,ou=groups,o=test
501be196 <= acl_mask: no more <who> clauses, returning =0 (stop)
501be196 => slap_access_allowed: search access denied by =0
501be196 => access_allowed: no more rules
Prev by Date: (ITS#7345) New Feature : Add Connection Information in Access Log Entries
Next by Date: Re: (ITS#7346) ACL processing: additive privs (using control continue)
Index(es):
- Chronological
- Thread