Hello,

I've been trying to get using groups working in ACLs, but no matter what I do the group ACL isn't applied. It seems it might be an LMDB bug, and I'm planning on switching to hdb to see if it works there when I get the time.

I've attached the olcAccess.ldif that doesn't work and the output of

    slapacl -D uid=kyrias,ou=users,dc=kyriasis,dc=com \
            -b ou=users,dc=kyriasis,dc=com -dacl

which shows that the group ACL isn't applied to the user uid=kyrias,ou=users,dc=kyriasis,dc=com even though it is a member of the cn=admins,ou=security,dc=kyriasis,dc=com group and that the 'to *' ACL is above the other ones.

-- 
Sincerely,
Johannes Löthberg
PGP Key ID: 3A9D0BB5
53df9d87 => access_allowed: search access to "cn=config" "objectClass" requested
53df9d87 <= root access granted
53df9d87 => access_allowed: search access granted by manage(=mwrscxd)
53df9d87 => access_allowed: search access to "cn=schema,cn=config" "objectClass" requested
53df9d87 <= root access granted
53df9d87 => access_allowed: search access granted by manage(=mwrscxd)
53df9d87 => access_allowed: search access to "cn={0}core,cn=schema,cn=config" "objectClass" requested
53df9d87 <= root access granted
53df9d87 => access_allowed: search access granted by manage(=mwrscxd)
53df9d87 => access_allowed: search access to "cn={1}cosine,cn=schema,cn=config" "objectClass" requested
53df9d87 <= root access granted
53df9d87 => access_allowed: search access granted by manage(=mwrscxd)
53df9d87 => access_allowed: search access to "cn={2}inetorgperson,cn=schema,cn=config" "objectClass" requested
53df9d87 <= root access granted
53df9d87 => access_allowed: search access granted by manage(=mwrscxd)
53df9d87 => access_allowed: search access to "cn={3}nis,cn=schema,cn=config" "objectClass" requested
53df9d87 <= root access granted
53df9d87 => access_allowed: search access granted by manage(=mwrscxd)
53df9d87 => access_allowed: search access to "cn={4}kerberos,cn=schema,cn=config" "objectClass" requested
53df9d87 <= root access granted
53df9d87 => access_allowed: search access granted by manage(=mwrscxd)
53df9d87 => access_allowed: search access to "cn={5}ldapns,cn=schema,cn=config" "objectClass" requested
53df9d87 <= root access granted
53df9d87 => access_allowed: search access granted by manage(=mwrscxd)
53df9d87 => access_allowed: search access to "cn={6}kyriasis,cn=schema,cn=config" "objectClass" requested
53df9d87 <= root access granted
53df9d87 => access_allowed: search access granted by manage(=mwrscxd)
53df9d87 => access_allowed: search access to "olcDatabase={-1}frontend,cn=config" "objectClass" requested
53df9d87 <= root access granted
53df9d87 => access_allowed: search access granted by manage(=mwrscxd)
Backend ACL: access to dn.base=""
by self write
by * read
Backend ACL: access to dn.base="cn=subschema"
by * read
53df9d87 => access_allowed: search access to "olcDatabase={0}config,cn=config" "objectClass" requested
53df9d87 <= root access granted
53df9d87 => access_allowed: search access granted by manage(=mwrscxd)
Backend ACL: access to *
by * none
53df9d87 /etc/openldap/slapd.d: line 1: warning: cannot assess the validity of the ACL scope within backend naming context
53df9d87 => access_allowed: search access to "olcDatabase={1}mdb,cn=config" "objectClass" requested
53df9d87 <= root access granted
53df9d87 => access_allowed: search access granted by manage(=mwrscxd)
Backend ACL: access to *
by group/groupOfNames/member.exact="cn=admins,ou=security,dc=kyriasis,dc=com" manage
by * read
53df9d87 /etc/openldap/slapd.d: line 1: warning: cannot assess the validity of the ACL scope within backend naming context
Backend ACL: access to attrs=uid,uidNumber,gidNumber,homeDirectory,krbPrincipalName,objectClass,structuralObjectClass,entryUUID,entryCSN,creatorsName,createTimestamp,modifiersName,modifyTimestamp
by * read
53df9d87 /etc/openldap/slapd.d: line 1: warning: cannot assess the validity of the ACL scope within backend naming context
Backend ACL: access to attrs=userPassword,userPKCS12,shadowLastChange
by self write
by * auth
53df9d87 /etc/openldap/slapd.d: line 1: warning: cannot assess the validity of the ACL scope within backend naming context
Backend ACL: access to dn.subtree="cn=krbcontainer,ou=security,dc=kyriasis,dc=com"
by dn.base="cn=kdc,ou=security,dc=kyriasis,dc=com" read
by dn.base="cn=kadmin,ou=security,dc=kyriasis,dc=com" write
by * none
Backend ACL: access to dn.regex="^uid=([^,]+),ou=users,dc=kyriasis,dc=com$"
by dn.base,expand="uid=$1,ou=users,dc=kyriasis,dc=com" write
by dn.base="cn=kadmin,ou=security,dc=kyriasis,dc=com" write
by * read
Backend ACL: access to dn.subtree="ou=hosts,dc=kyriasis,dc=com"
by dn.base="cn=kadmin,ou=security,dc=kyriasis,dc=com" write
by * read
53df9d87 mdb_monitor_db_open: monitoring disabled; configure monitor database to enable
Backend ACL: access to *
by * none
53df9d87 config_back_db_open: line 0: warning: cannot assess the validity of the ACL scope within backend naming context
authcDN: "uid=kyrias,ou=users,dc=kyriasis,dc=com"
53df9d87 => access_allowed: auth access to "ou=users,dc=kyriasis,dc=com" "entry" requested
53df9d87 => acl_get: [1] attr entry
53df9d87 => acl_mask: access to entry "ou=users,dc=kyriasis,dc=com", attr "entry" requested
53df9d87 => acl_mask: to all values by "uid=kyrias,ou=users,dc=kyriasis,dc=com", (=0)
53df9d87 <= check a_group_pat: cn=admins,ou=security,dc=kyriasis,dc=com
53df9d87 mdb_opinfo_get: err MDB_BAD_RSLOT: Invalid reuse of reader locktable slot(-30783)
53df9d87 <= check a_dn_pat: *
53df9d87 <= acl_mask: [2] applying read(=rscxd) (stop)
53df9d87 <= acl_mask: [2] mask: read(=rscxd)
53df9d87 => slap_access_allowed: auth access granted by read(=rscxd)
53df9d87 => access_allowed: auth access granted by read(=rscxd)
entry: read(=rscxd)
53df9d87 => access_allowed: auth access to "ou=users,dc=kyriasis,dc=com" "children" requested
53df9d87 => acl_get: [1] attr children
53df9d87 => acl_mask: access to entry "ou=users,dc=kyriasis,dc=com", attr "children" requested
53df9d87 => acl_mask: to all values by "uid=kyrias,ou=users,dc=kyriasis,dc=com", (=0)
53df9d87 <= check a_group_pat: cn=admins,ou=security,dc=kyriasis,dc=com
53df9d87 <= check a_dn_pat: *
53df9d87 <= acl_mask: [2] applying read(=rscxd) (stop)
53df9d87 <= acl_mask: [2] mask: read(=rscxd)
53df9d87 => slap_access_allowed: auth access granted by read(=rscxd)
53df9d87 => access_allowed: auth access granted by read(=rscxd)
children: read(=rscxd)
53df9d87 => access_allowed: auth access to "ou=users,dc=kyriasis,dc=com" "ou" requested
53df9d87 => acl_get: [1] attr ou
53df9d87 => acl_mask: access to entry "ou=users,dc=kyriasis,dc=com", attr "ou" requested
53df9d87 => acl_mask: to value by "uid=kyrias,ou=users,dc=kyriasis,dc=com", (=0)
53df9d87 <= check a_group_pat: cn=admins,ou=security,dc=kyriasis,dc=com
53df9d87 <= check a_dn_pat: *
53df9d87 <= acl_mask: [2] applying read(=rscxd) (stop)
53df9d87 <= acl_mask: [2] mask: read(=rscxd)
53df9d87 => slap_access_allowed: auth access granted by read(=rscxd)
53df9d87 => access_allowed: auth access granted by read(=rscxd)
ou=users: read(=rscxd)
53df9d87 => access_allowed: auth access to "ou=users,dc=kyriasis,dc=com" "objectClass" requested
53df9d87 => acl_get: [1] attr objectClass
53df9d87 => acl_mask: access to entry "ou=users,dc=kyriasis,dc=com", attr "objectClass" requested
53df9d87 => acl_mask: to value by "uid=kyrias,ou=users,dc=kyriasis,dc=com", (=0)
53df9d87 <= check a_group_pat: cn=admins,ou=security,dc=kyriasis,dc=com
53df9d87 <= check a_dn_pat: *
53df9d87 <= acl_mask: [2] applying read(=rscxd) (stop)
53df9d87 <= acl_mask: [2] mask: read(=rscxd)
53df9d87 => slap_access_allowed: auth access granted by read(=rscxd)
53df9d87 => access_allowed: auth access granted by read(=rscxd)
objectClass=top: read(=rscxd)
53df9d87 => access_allowed: auth access to "ou=users,dc=kyriasis,dc=com" "objectClass" requested
53df9d87 => acl_get: [1] attr objectClass
53df9d87 => acl_mask: access to entry "ou=users,dc=kyriasis,dc=com", attr "objectClass" requested
53df9d87 => acl_mask: to value by "uid=kyrias,ou=users,dc=kyriasis,dc=com", (=0)
53df9d87 <= check a_group_pat: cn=admins,ou=security,dc=kyriasis,dc=com
53df9d87 <= check a_dn_pat: *
53df9d87 <= acl_mask: [2] applying read(=rscxd) (stop)
53df9d87 <= acl_mask: [2] mask: read(=rscxd)
53df9d87 => slap_access_allowed: auth access granted by read(=rscxd)
53df9d87 => access_allowed: auth access granted by read(=rscxd)
objectClass=organizationalUnit: read(=rscxd)
53df9d87 => access_allowed: auth access to "ou=users,dc=kyriasis,dc=com" "structuralObjectClass" requested
53df9d87 => acl_get: [1] attr structuralObjectClass
53df9d87 => acl_mask: access to entry "ou=users,dc=kyriasis,dc=com", attr "structuralObjectClass" requested
53df9d87 => acl_mask: to value by "uid=kyrias,ou=users,dc=kyriasis,dc=com", (=0)
53df9d87 <= check a_group_pat: cn=admins,ou=security,dc=kyriasis,dc=com
53df9d87 <= check a_dn_pat: *
53df9d87 <= acl_mask: [2] applying read(=rscxd) (stop)
53df9d87 <= acl_mask: [2] mask: read(=rscxd)
53df9d87 => slap_access_allowed: auth access granted by read(=rscxd)
53df9d87 => access_allowed: auth access granted by read(=rscxd)
structuralObjectClass=organizationalUnit: read(=rscxd)
53df9d87 => access_allowed: auth access to "ou=users,dc=kyriasis,dc=com" "entryUUID" requested
53df9d87 => acl_get: [1] attr entryUUID
53df9d87 => acl_mask: access to entry "ou=users,dc=kyriasis,dc=com", attr "entryUUID" requested
53df9d87 => acl_mask: to value by "uid=kyrias,ou=users,dc=kyriasis,dc=com", (=0)
53df9d87 <= check a_group_pat: cn=admins,ou=security,dc=kyriasis,dc=com
53df9d87 <= check a_dn_pat: *
53df9d87 <= acl_mask: [2] applying read(=rscxd) (stop)
53df9d87 <= acl_mask: [2] mask: read(=rscxd)
53df9d87 => slap_access_allowed: auth access granted by read(=rscxd)
53df9d87 => access_allowed: auth access granted by read(=rscxd)
entryUUID=02cdf845-c212-41a7-8984-948c1ccb3e50: read(=rscxd)
53df9d87 => access_allowed: auth access to "ou=users,dc=kyriasis,dc=com" "creatorsName" requested
53df9d87 => acl_get: [1] attr creatorsName
53df9d87 => acl_mask: access to entry "ou=users,dc=kyriasis,dc=com", attr "creatorsName" requested
53df9d87 => acl_mask: to value by "uid=kyrias,ou=users,dc=kyriasis,dc=com", (=0)
53df9d87 <= check a_group_pat: cn=admins,ou=security,dc=kyriasis,dc=com
53df9d87 <= check a_dn_pat: *
53df9d87 <= acl_mask: [2] applying read(=rscxd) (stop)
53df9d87 <= acl_mask: [2] mask: read(=rscxd)
53df9d87 => slap_access_allowed: auth access granted by read(=rscxd)
53df9d87 => access_allowed: auth access granted by read(=rscxd)
creatorsName=cn=Manager,dc=kyriasis,dc=com: read(=rscxd)
53df9d87 => access_allowed: auth access to "ou=users,dc=kyriasis,dc=com" "createTimestamp" requested
53df9d87 => acl_get: [1] attr createTimestamp
53df9d87 => acl_mask: access to entry "ou=users,dc=kyriasis,dc=com", attr "createTimestamp" requested
53df9d87 => acl_mask: to value by "uid=kyrias,ou=users,dc=kyriasis,dc=com", (=0)
53df9d87 <= check a_group_pat: cn=admins,ou=security,dc=kyriasis,dc=com
53df9d87 <= check a_dn_pat: *
53df9d87 <= acl_mask: [2] applying read(=rscxd) (stop)
53df9d87 <= acl_mask: [2] mask: read(=rscxd)
53df9d87 => slap_access_allowed: auth access granted by read(=rscxd)
53df9d87 => access_allowed: auth access granted by read(=rscxd)
createTimestamp=20140507152708Z: read(=rscxd)
53df9d87 => access_allowed: auth access to "ou=users,dc=kyriasis,dc=com" "entryCSN" requested
53df9d87 => acl_get: [1] attr entryCSN
53df9d87 => acl_mask: access to entry "ou=users,dc=kyriasis,dc=com", attr "entryCSN" requested
53df9d87 => acl_mask: to value by "uid=kyrias,ou=users,dc=kyriasis,dc=com", (=0)
53df9d87 <= check a_group_pat: cn=admins,ou=security,dc=kyriasis,dc=com
53df9d87 <= check a_dn_pat: *
53df9d87 <= acl_mask: [2] applying read(=rscxd) (stop)
53df9d87 <= acl_mask: [2] mask: read(=rscxd)
53df9d87 => slap_access_allowed: auth access granted by read(=rscxd)
53df9d87 => access_allowed: auth access granted by read(=rscxd)
entryCSN=20140507152708.194854Z#000000#000#000000: read(=rscxd)
53df9d87 => access_allowed: auth access to "ou=users,dc=kyriasis,dc=com" "modifiersName" requested
53df9d87 => acl_get: [1] attr modifiersName
53df9d87 => acl_mask: access to entry "ou=users,dc=kyriasis,dc=com", attr "modifiersName" requested
53df9d87 => acl_mask: to value by "uid=kyrias,ou=users,dc=kyriasis,dc=com", (=0)
53df9d87 <= check a_group_pat: cn=admins,ou=security,dc=kyriasis,dc=com
53df9d87 <= check a_dn_pat: *
53df9d87 <= acl_mask: [2] applying read(=rscxd) (stop)
53df9d87 <= acl_mask: [2] mask: read(=rscxd)
53df9d87 => slap_access_allowed: auth access granted by read(=rscxd)
53df9d87 => access_allowed: auth access granted by read(=rscxd)
modifiersName=cn=Manager,dc=kyriasis,dc=com: read(=rscxd)
53df9d87 => access_allowed: auth access to "ou=users,dc=kyriasis,dc=com" "modifyTimestamp" requested
53df9d87 => acl_get: [1] attr modifyTimestamp
53df9d87 => acl_mask: access to entry "ou=users,dc=kyriasis,dc=com", attr "modifyTimestamp" requested
53df9d87 => acl_mask: to value by "uid=kyrias,ou=users,dc=kyriasis,dc=com", (=0)
53df9d87 <= check a_group_pat: cn=admins,ou=security,dc=kyriasis,dc=com
53df9d87 <= check a_dn_pat: *
53df9d87 <= acl_mask: [2] applying read(=rscxd) (stop)
53df9d87 <= acl_mask: [2] mask: read(=rscxd)
53df9d87 => slap_access_allowed: auth access granted by read(=rscxd)
53df9d87 => access_allowed: auth access granted by read(=rscxd)
modifyTimestamp=20140507152708Z: read(=rscxd)
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: to *
  by group.exact="cn=admins,ou=security,dc=kyriasis,dc=com" manage
  by * read
olcAccess: to attrs=uid,uidNumber,gidNumber,homeDirectory,
 krbPrincipalName,objectClass,structuralObjectClass,entryUUID,
 entryCSN,creatorsName,createTimestamp,modifiersName,modifyTimestamp
  by * read
olcAccess: to attrs=userPassword,userPKCS12,shadowLastChange
  by self write
  by * auth
olcAccess: to dn.subtree="cn=krbcontainer,ou=security,dc=kyriasis,dc=com"
  by dn.exact="cn=kdc,ou=security,dc=kyriasis,dc=com" read
  by dn.exact="cn=kadmin,ou=security,dc=kyriasis,dc=com" write
  by * none
olcAccess: to dn.regex="^uid=([^,]+),ou=users,dc=kyriasis,dc=com$"
  by dn.exact,expand="uid=$1,ou=users,dc=kyriasis,dc=com" write
  by dn.exact="cn=kadmin,ou=security,dc=kyriasis,dc=com" write
  by * read
olcAccess: to dn.subtree="ou=hosts,dc=kyriasis,dc=com"
  by dn.exact="cn=kadmin,ou=security,dc=kyriasis,dc=com" write
  by * read
#olcAccess: to *
#  by self write
#  by * read
-

dn: olcDatabase={-1}frontend,cn=config
changetype: modify
replace: olcAccess
olcAccess: to dn.base=""
  by self write
  by * read
olcAccess: to dn.base="cn=Subschema"
  by * read
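The trace above is long but carries a compact story per attribute: slapd selects "access to" rule [1], tests the `a_group_pat` clause for cn=admins first, logs `mdb_opinfo_get: err MDB_BAD_RSLOT` right after that first group check, and then applies clause [2], the `by * read` fallback. Because a `by group` clause is resolved by an internal lookup of the group entry, a backend error logged during that check is the first thing to chase before blaming the ACL syntax; note also that slapacl opens the database itself rather than asking a running slapd, so its result should be cross-checked against the live server (for example an ldapsearch bound as the user). The script below is an added example written for this page, not code from the original post or from OpenLDAP: it walks a `-d acl` trace, reports which `by` clause fired for each attribute, records any error logged while a clause was under test, and lists clause patterns that were tested but never applied. The sample trace is a constructed subset of the lines quoted above; the function and field names are this example's own.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample: a few lines copied from the "slapacl -d acl" trace in the
# post (one attribute decision that hits the mdb error, one that does not).
SAMPLE_TRACE = """\
53df9d87 => access_allowed: auth access to "ou=users,dc=kyriasis,dc=com" "entry" requested
53df9d87 => acl_get: [1] attr entry
53df9d87 => acl_mask: access to entry "ou=users,dc=kyriasis,dc=com", attr "entry" requested
53df9d87 => acl_mask: to all values by "uid=kyrias,ou=users,dc=kyriasis,dc=com", (=0)
53df9d87 <= check a_group_pat: cn=admins,ou=security,dc=kyriasis,dc=com
53df9d87 mdb_opinfo_get: err MDB_BAD_RSLOT: Invalid reuse of reader locktable slot(-30783)
53df9d87 <= check a_dn_pat: *
53df9d87 <= acl_mask: [2] applying read(=rscxd) (stop)
53df9d87 <= acl_mask: [2] mask: read(=rscxd)
53df9d87 => slap_access_allowed: auth access granted by read(=rscxd)
53df9d87 => access_allowed: auth access granted by read(=rscxd)
entry: read(=rscxd)
53df9d87 => access_allowed: auth access to "ou=users,dc=kyriasis,dc=com" "children" requested
53df9d87 => acl_get: [1] attr children
53df9d87 => acl_mask: access to entry "ou=users,dc=kyriasis,dc=com", attr "children" requested
53df9d87 => acl_mask: to all values by "uid=kyrias,ou=users,dc=kyriasis,dc=com", (=0)
53df9d87 <= check a_group_pat: cn=admins,ou=security,dc=kyriasis,dc=com
53df9d87 <= check a_dn_pat: *
53df9d87 <= acl_mask: [2] applying read(=rscxd) (stop)
53df9d87 <= acl_mask: [2] mask: read(=rscxd)
53df9d87 => slap_access_allowed: auth access granted by read(=rscxd)
53df9d87 => access_allowed: auth access granted by read(=rscxd)
children: read(=rscxd)
"""

CONN_PREFIX = re.compile(r'^[0-9a-f]{8} (.*)$')                # slapd prefixes lines with a hex id
RE_ACL_GET = re.compile(r'=> acl_get: \[(\d+)\] attr (\S+)')   # which "access to" rule was selected
RE_CHECK = re.compile(r'<= check (\w+): (.*)$')                # a "by" clause being tested
RE_APPLY = re.compile(r'<= acl_mask: \[(\d+)\] applying (\w+)\(=[a-z0-9]*\)')  # clause that fired
RE_DONE = re.compile(r'=> access_allowed: \w+ access (?:granted|denied) by')


@dataclass
class Decision:
    attr: str
    acl_index: int                        # 1-based index of the "access to" rule slapd picked
    checks: List[Tuple[str, str]] = field(default_factory=list)   # (pattern kind, pattern), in test order
    errors: List[Tuple[Tuple[str, str], str]] = field(default_factory=list)  # (clause under test, message)
    clause_index: Optional[int] = None    # 1-based index of the "by" clause that fired
    level: Optional[str] = None           # access level that clause granted, e.g. "read"

    @property
    def winning_clause(self) -> Optional[Tuple[str, str]]:
        if self.clause_index is None or self.clause_index > len(self.checks):
            return None
        return self.checks[self.clause_index - 1]


def parse_acl_trace(text: str) -> List[Decision]:
    """Turn a slapacl/slapd 'acl' debug trace into one Decision per attribute evaluated."""
    decisions: List[Decision] = []
    cur: Optional[Decision] = None
    for raw in text.splitlines():
        m = CONN_PREFIX.match(raw)
        line = m.group(1) if m else raw
        m = RE_ACL_GET.search(line)
        if m:
            cur = Decision(attr=m.group(2), acl_index=int(m.group(1)))
            decisions.append(cur)
            continue
        if cur is None:
            continue
        m = RE_CHECK.search(line)
        if m:
            cur.checks.append((m.group(1), m.group(2).strip()))
            continue
        m = RE_APPLY.search(line)
        if m:
            cur.clause_index, cur.level = int(m.group(1)), m.group(2)
            continue
        if ': err ' in line:
            # A backend error logged while a clause is under evaluation; for a
            # "by group" clause that is the internal lookup of the group entry.
            cur.errors.append((cur.checks[-1] if cur.checks else ('?', '?'), line))
            continue
        if RE_DONE.search(line):
            cur = None
    return decisions


def clauses_never_applied(decisions: List[Decision], kind: str) -> List[str]:
    """Patterns of one clause kind (e.g. 'a_group_pat') that were tested but never fired."""
    tested = {p for d in decisions for k, p in d.checks if k == kind}
    fired = {d.winning_clause[1] for d in decisions
             if d.winning_clause is not None and d.winning_clause[0] == kind}
    return sorted(tested - fired)


def report(decisions: List[Decision]) -> str:
    out = []
    for d in decisions:
        win = d.winning_clause
        who = f'{win[0]}={win[1]}' if win else 'no clause fired'
        out.append(f'{d.attr:<12} access-to#{d.acl_index} by#{d.clause_index} ({who}) -> {d.level}')
        for (kind, pat), msg in d.errors:
            out.append(f'{"":<12} ! error while testing {kind}={pat}: {msg}')
    return '\n'.join(out)


if __name__ == '__main__':
    decs = parse_acl_trace(SAMPLE_TRACE)
    print(report(decs))
    print('tested but never applied:', clauses_never_applied(decs, 'a_group_pat'))
```

Run against the full trace from the post (`slapacl ... -dacl 2>&1 | python3 acltrace.py`-style, reading stdin instead of the embedded sample), every attribute comes out with `by#2 (a_dn_pat=*) -> read` and the cn=admins group pattern is the only clause tested but never applied; the error line is attached to the first `a_group_pat` check, which is where to start looking.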