
Re: ACL for object creation in subtree with specific attributes and object classes



On 05.08.2014, at 18:03, Dieter Klünter <dieter@dkluenter.de> wrote:
>>>> 
>>>> As postmaster I'm still able to add objects to its domain. But I'm
>>>> also able to add other objectClasses and attributes.
>>>> 
>>>> I think I'm messing around with the attributes entry and children –
>>>> can anyone help me clean up? :-)
>>> 
>>> run slapd in debugging mode acl and watch the rule number applied
>>> to a write operation.
>>> 
>> 
>> Okay, this didn't really help, but thanks anyway. I'm not familiar
>> with reading those logs. I adjusted the loglevel to 128 to see the
>> ACL processing, but it's still a huge amount of log lines when adding
>> such an LDIF. I thought it was going to be an easy task.
> 
> I am talking about debugging, not logging!
> man slapd(8)
> 

Can you help me find the rule applied during the write of an object with uid=1234? I used other objectClasses and attributes which are not in the allowed attribute list. The debugging output is attached to this email; the current ACL set is listed below.

access to dn.regex="^(.+,)?ou=(.+),ou=domains,dc=mydomain$" attrs=userPassword
	by dn.base="cn=admin,dc=mydomain" write
	by self write
	by dn.base,expand="cn=postmaster,ou=$2,ou=domains,dc=mydomain" write
	by anonymous auth
	by * none

access to attrs=userPassword
	by dn.base="cn=admin,dc=mydomain" write
	by self write
	by anonymous auth
	by * none

access to dn.regex="^(.+,)?ou=(.+),ou=domains,dc=mydomain$" attrs=@CourierMailAccount,@inetOrgPerson,@top,@Vacation,entry,cn,sn,homeDirectory,vacationActive,vacationInfo,vacationForward,smtpRelayFlag,description,displayName,givenName,homePhone,homePostalAddress,initials,mobile,postalAddress,postalCode,l,telephoneNumber,title
	by self write
	by dn.base,expand="cn=postmaster,ou=$2,ou=domains,dc=mydomain" write
	by * read

access to dn.regex="^ou=(.+),ou=domains,dc=mydomain$" attrs=children
	by dn.base,expand="cn=postmaster,ou=$1,ou=domains,dc=mydomain" write
	by * read

access to *
	by dn.base="cn=admin,dc=mydomain" write
	by * read

Appreciate your help!
simeon

=> slap_access_allowed: auth access granted by auth(=xd)
=> access_allowed: auth access granted by auth(=xd)
=> access_allowed: disclose access to "ou=onnet.ch,ou=domains,dc=mydomain" "entry" requested
=> dnpat: [1] ^(.+,)?ou=(.+),ou=domains,dc=mydomain$ nsub: 2
=> acl_get: [1] matched
=> dnpat: [3] ^(.+,)?ou=(.+),ou=domains,dc=mydomain$ nsub: 2
=> acl_get: [3] matched
=> acl_get: [3] attr entry
=> match[dn0]: 0 46 ou=onnet.ch,ou=domains,dc=mydomain
=> acl_mask: access to entry "ou=onnet.ch,ou=domains,dc=mydomain", attr "entry" requested
=> acl_mask: to all values by "cn=postmaster,ou=onnet.ch,ou=domains,dc=mydomain", (=0) 
<= check a_dn_pat: self
<= check a_dn_pat: cn=postmaster,ou=$2,ou=domains,dc=mydomain
=> acl_string_expand: pattern:  cn=postmaster,ou=$2,ou=domains,dc=mydomain
=> acl_string_expand: expanded: cn=postmaster,ou=onnet.ch,ou=domains,dc=mydomain
<= acl_mask: [2] applying write(=wrscxd) (stop)
<= acl_mask: [2] mask: write(=wrscxd)
=> slap_access_allowed: disclose access granted by write(=wrscxd)
=> access_allowed: disclose access granted by write(=wrscxd)
=> access_allowed: add access to "ou=onnet.ch,ou=domains,dc=mydomain" "children" requested
=> dnpat: [1] ^(.+,)?ou=(.+),ou=domains,dc=mydomain$ nsub: 2
=> acl_get: [1] matched
=> dnpat: [3] ^(.+,)?ou=(.+),ou=domains,dc=mydomain$ nsub: 2
=> acl_get: [3] matched
=> dnpat: [4] ^ou=(.+),ou=domains,dc=mydomain$ nsub: 1
=> acl_get: [4] matched
=> acl_get: [4] attr children
=> match[dn0]: 0 46 ou=onnet.ch,ou=domains,dc=mydomain
=> match[dn1]: 3 11 onnet.ch
=> acl_mask: access to entry "ou=onnet.ch,ou=domains,dc=mydomain", attr "children" requested
=> acl_mask: to all values by "cn=postmaster,ou=onnet.ch,ou=domains,dc=mydomain", (=0) 
<= check a_dn_pat: cn=postmaster,ou=$1,ou=domains,dc=mydomain
=> acl_string_expand: pattern:  cn=postmaster,ou=$1,ou=domains,dc=mydomain
=> acl_string_expand: expanded: cn=postmaster,ou=onnet.ch,ou=domains,dc=mydomain
<= acl_mask: [1] applying write(=wrscxd) (stop)
<= acl_mask: [1] mask: write(=wrscxd)
=> slap_access_allowed: add access granted by write(=wrscxd)
=> access_allowed: add access granted by write(=wrscxd)
=> access_allowed: add access to "uid=1234,ou=onnet.ch,ou=domains,dc=mydomain" "entry" requested
=> dnpat: [1] ^(.+,)?ou=(.+),ou=domains,dc=mydomain$ nsub: 2
=> acl_get: [1] matched
=> dnpat: [3] ^(.+,)?ou=(.+),ou=domains,dc=mydomain$ nsub: 2
=> acl_get: [3] matched
=> acl_get: [3] attr entry
=> match[dn0]: 0 55 uid=1234,ou=onnet.ch,ou=domains,dc=mydomain
=> match[dn1]: 0 9 uid=1234,
=> match[dn2]: 12 20 onnet.ch
=> acl_mask: access to entry "uid=1234,ou=onnet.ch,ou=domains,dc=mydomain", attr "entry" requested
=> acl_mask: to all values by "cn=postmaster,ou=onnet.ch,ou=domains,dc=mydomain", (=0) 
<= check a_dn_pat: self
<= check a_dn_pat: cn=postmaster,ou=$2,ou=domains,dc=mydomain
=> acl_string_expand: pattern:  cn=postmaster,ou=$2,ou=domains,dc=mydomain
=> acl_string_expand: expanded: cn=postmaster,ou=onnet.ch,ou=domains,dc=mydomain
<= acl_mask: [2] applying write(=wrscxd) (stop)
<= acl_mask: [2] mask: write(=wrscxd)
=> slap_access_allowed: add access granted by write(=wrscxd)
=> access_allowed: add access granted by write(=wrscxd)
=> access_allowed: search access to "uid=1234,ou=onnet.ch,ou=domains,dc=mydomain" "entry" requested
=> dnpat: [1] ^(.+,)?ou=(.+),ou=domains,dc=mydomain$ nsub: 2
=> acl_get: [1] matched
=> dnpat: [3] ^(.+,)?ou=(.+),ou=domains,dc=mydomain$ nsub: 2
=> acl_get: [3] matched
=> acl_get: [3] attr entry
=> match[dn0]: 0 55 uid=1234,ou=onnet.ch,ou=domains,dc=mydomain
=> match[dn1]: 0 9 uid=1234,
=> match[dn2]: 12 20 onnet.ch
=> acl_mask: access to entry "uid=1234,ou=onnet.ch,ou=domains,dc=mydomain", attr "entry" requested
=> acl_mask: to all values by "cn=postmaster,ou=onnet.ch,ou=domains,dc=mydomain", (=0) 
<= check a_dn_pat: self
<= check a_dn_pat: cn=postmaster,ou=$2,ou=domains,dc=mydomain
=> acl_string_expand: pattern:  cn=postmaster,ou=$2,ou=domains,dc=mydomain
=> acl_string_expand: expanded: cn=postmaster,ou=onnet.ch,ou=domains,dc=mydomain
<= acl_mask: [2] applying write(=wrscxd) (stop)
<= acl_mask: [2] mask: write(=wrscxd)
=> slap_access_allowed: search access granted by write(=wrscxd)
=> access_allowed: search access granted by write(=wrscxd)
=> access_allowed: search access to "uid=1234,ou=onnet.ch,ou=domains,dc=mydomain" "objectClass" requested
=> dnpat: [1] ^(.+,)?ou=(.+),ou=domains,dc=mydomain$ nsub: 2
=> acl_get: [1] matched
=> dnpat: [3] ^(.+,)?ou=(.+),ou=domains,dc=mydomain$ nsub: 2
=> acl_get: [3] matched
=> acl_get: [3] attr objectClass
=> match[dn0]: 0 55 uid=1234,ou=onnet.ch,ou=domains,dc=mydomain
=> match[dn1]: 0 9 uid=1234,
=> match[dn2]: 12 20 onnet.ch
=> acl_mask: access to entry "uid=1234,ou=onnet.ch,ou=domains,dc=mydomain", attr "objectClass" requested
=> acl_mask: to all values by "cn=postmaster,ou=onnet.ch,ou=domains,dc=mydomain", (=0) 
<= check a_dn_pat: self
<= check a_dn_pat: cn=postmaster,ou=$2,ou=domains,dc=mydomain
=> acl_string_expand: pattern:  cn=postmaster,ou=$2,ou=domains,dc=mydomain
=> acl_string_expand: expanded: cn=postmaster,ou=onnet.ch,ou=domains,dc=mydomain
<= acl_mask: [2] applying write(=wrscxd) (stop)
<= acl_mask: [2] mask: write(=wrscxd)
=> slap_access_allowed: search access granted by write(=wrscxd)
=> access_allowed: search access granted by write(=wrscxd)
=> access_allowed: read access to "uid=1234,ou=onnet.ch,ou=domains,dc=mydomain" "entry" requested
=> dnpat: [1] ^(.+,)?ou=(.+),ou=domains,dc=mydomain$ nsub: 2
=> acl_get: [1] matched
=> dnpat: [3] ^(.+,)?ou=(.+),ou=domains,dc=mydomain$ nsub: 2
=> acl_get: [3] matched
=> acl_get: [3] attr entry
=> match[dn0]: 0 55 uid=1234,ou=onnet.ch,ou=domains,dc=mydomain
=> match[dn1]: 0 9 uid=1234,
=> match[dn2]: 12 20 onnet.ch
=> acl_mask: access to entry "uid=1234,ou=onnet.ch,ou=domains,dc=mydomain", attr "entry" requested
=> acl_mask: to all values by "cn=postmaster,ou=onnet.ch,ou=domains,dc=mydomain", (=0) 
<= check a_dn_pat: self
<= check a_dn_pat: cn=postmaster,ou=$2,ou=domains,dc=mydomain
=> acl_string_expand: pattern:  cn=postmaster,ou=$2,ou=domains,dc=mydomain
=> acl_string_expand: expanded: cn=postmaster,ou=onnet.ch,ou=domains,dc=mydomain
<= acl_mask: [2] applying write(=wrscxd) (stop)
<= acl_mask: [2] mask: write(=wrscxd)
=> slap_access_allowed: read access granted by write(=wrscxd)
=> access_allowed: read access granted by write(=wrscxd)
=> access_allowed: result not in cache (objectClass)
=> access_allowed: read access to "uid=1234,ou=onnet.ch,ou=domains,dc=mydomain" "objectClass" requested
=> dnpat: [1] ^(.+,)?ou=(.+),ou=domains,dc=mydomain$ nsub: 2
=> acl_get: [1] matched
=> dnpat: [3] ^(.+,)?ou=(.+),ou=domains,dc=mydomain$ nsub: 2
=> acl_get: [3] matched
=> acl_get: [3] attr objectClass
=> match[dn0]: 0 55 uid=1234,ou=onnet.ch,ou=domains,dc=mydomain
=> match[dn1]: 0 9 uid=1234,
=> match[dn2]: 12 20 onnet.ch
=> acl_mask: access to entry "uid=1234,ou=onnet.ch,ou=domains,dc=mydomain", attr "objectClass" requested
=> acl_mask: to value by "cn=postmaster,ou=onnet.ch,ou=domains,dc=mydomain", (=0) 
<= check a_dn_pat: self
<= check a_dn_pat: cn=postmaster,ou=$2,ou=domains,dc=mydomain
=> acl_string_expand: pattern:  cn=postmaster,ou=$2,ou=domains,dc=mydomain
=> acl_string_expand: expanded: cn=postmaster,ou=onnet.ch,ou=domains,dc=mydomain
<= acl_mask: [2] applying write(=wrscxd) (stop)
<= acl_mask: [2] mask: write(=wrscxd)
=> slap_access_allowed: read access granted by write(=wrscxd)
=> access_allowed: read access granted by write(=wrscxd)
=> access_allowed: result was in cache (objectClass)
=> access_allowed: result was in cache (objectClass)
=> access_allowed: result not in cache (hasSubordinates)
=> access_allowed: read access to "uid=1234,ou=onnet.ch,ou=domains,dc=mydomain" "hasSubordinates" requested
=> dnpat: [1] ^(.+,)?ou=(.+),ou=domains,dc=mydomain$ nsub: 2
=> acl_get: [1] matched
=> dnpat: [3] ^(.+,)?ou=(.+),ou=domains,dc=mydomain$ nsub: 2
=> acl_get: [3] matched
=> dnpat: [4] ^ou=(.+),ou=domains,dc=mydomain$ nsub: 1
=> acl_get: [5] attr hasSubordinates
=> acl_mask: access to entry "uid=1234,ou=onnet.ch,ou=domains,dc=mydomain", attr "hasSubordinates" requested
=> acl_mask: to all values by "cn=postmaster,ou=onnet.ch,ou=domains,dc=mydomain", (=0) 
<= check a_dn_pat: cn=admin,dc=mydomain
<= check a_dn_pat: *
<= acl_mask: [2] applying read(=rscxd) (stop)
<= acl_mask: [2] mask: read(=rscxd)
=> slap_access_allowed: read access granted by read(=rscxd)
=> access_allowed: read access granted by read(=rscxd)
=> access_allowed: result was in cache (hasSubordinates)
=> access_allowed: search access to "uid=1234,ou=onnet.ch,ou=domains,dc=mydomain" "entry" requested
=> dnpat: [1] ^(.+,)?ou=(.+),ou=domains,dc=mydomain$ nsub: 2
=> acl_get: [1] matched
=> dnpat: [3] ^(.+,)?ou=(.+),ou=domains,dc=mydomain$ nsub: 2
=> acl_get: [3] matched
=> acl_get: [3] attr entry
=> match[dn0]: 0 55 uid=1234,ou=onnet.ch,ou=domains,dc=mydomain
=> match[dn1]: 0 9 uid=1234,
=> match[dn2]: 12 20 onnet.ch
=> acl_mask: access to entry "uid=1234,ou=onnet.ch,ou=domains,dc=mydomain", attr "entry" requested
=> acl_mask: to all values by "cn=postmaster,ou=onnet.ch,ou=domains,dc=mydomain", (=0) 
<= check a_dn_pat: self
<= check a_dn_pat: cn=postmaster,ou=$2,ou=domains,dc=mydomain
=> acl_string_expand: pattern:  cn=postmaster,ou=$2,ou=domains,dc=mydomain
=> acl_string_expand: expanded: cn=postmaster,ou=onnet.ch,ou=domains,dc=mydomain
<= acl_mask: [2] applying write(=wrscxd) (stop)
<= acl_mask: [2] mask: write(=wrscxd)
=> slap_access_allowed: search access granted by write(=wrscxd)
=> access_allowed: search access granted by write(=wrscxd)
=> access_allowed: search access to "uid=1234,ou=onnet.ch,ou=domains,dc=mydomain" "objectClass" requested
=> dnpat: [1] ^(.+,)?ou=(.+),ou=domains,dc=mydomain$ nsub: 2
=> acl_get: [1] matched
=> dnpat: [3] ^(.+,)?ou=(.+),ou=domains,dc=mydomain$ nsub: 2
=> acl_get: [3] matched
=> acl_get: [3] attr objectClass
=> match[dn0]: 0 55 uid=1234,ou=onnet.ch,ou=domains,dc=mydomain
=> match[dn1]: 0 9 uid=1234,
=> match[dn2]: 12 20 onnet.ch
=> acl_mask: access to entry "uid=1234,ou=onnet.ch,ou=domains,dc=mydomain", attr "objectClass" requested
=> acl_mask: to all values by "cn=postmaster,ou=onnet.ch,ou=domains,dc=mydomain", (=0) 
<= check a_dn_pat: self
<= check a_dn_pat: cn=postmaster,ou=$2,ou=domains,dc=mydomain
=> acl_string_expand: pattern:  cn=postmaster,ou=$2,ou=domains,dc=mydomain
=> acl_string_expand: expanded: cn=postmaster,ou=onnet.ch,ou=domains,dc=mydomain
<= acl_mask: [2] applying write(=wrscxd) (stop)
<= acl_mask: [2] mask: write(=wrscxd)
=> slap_access_allowed: search access granted by write(=wrscxd)
=> access_allowed: search access granted by write(=wrscxd)
=> access_allowed: read access to "uid=1234,ou=onnet.ch,ou=domains,dc=mydomain" "entry" requested
=> dnpat: [1] ^(.+,)?ou=(.+),ou=domains,dc=mydomain$ nsub: 2
=> acl_get: [1] matched
=> dnpat: [3] ^(.+,)?ou=(.+),ou=domains,dc=mydomain$ nsub: 2
=> acl_get: [3] matched
=> acl_get: [3] attr entry
=> match[dn0]: 0 55 uid=1234,ou=onnet.ch,ou=domains,dc=mydomain
=> match[dn1]: 0 9 uid=1234,
=> match[dn2]: 12 20 onnet.ch
=> acl_mask: access to entry "uid=1234,ou=onnet.ch,ou=domains,dc=mydomain", attr "entry" requested
=> acl_mask: to all values by "cn=postmaster,ou=onnet.ch,ou=domains,dc=mydomain", (=0) 
<= check a_dn_pat: self
<= check a_dn_pat: cn=postmaster,ou=$2,ou=domains,dc=mydomain
=> acl_string_expand: pattern:  cn=postmaster,ou=$2,ou=domains,dc=mydomain
=> acl_string_expand: expanded: cn=postmaster,ou=onnet.ch,ou=domains,dc=mydomain
<= acl_mask: [2] applying write(=wrscxd) (stop)
<= acl_mask: [2] mask: write(=wrscxd)
=> slap_access_allowed: read access granted by write(=wrscxd)
=> access_allowed: read access granted by write(=wrscxd)
=> access_allowed: result not in cache (uid)
=> access_allowed: read access to "uid=1234,ou=onnet.ch,ou=domains,dc=mydomain" "uid" requested
=> dnpat: [1] ^(.+,)?ou=(.+),ou=domains,dc=mydomain$ nsub: 2
=> acl_get: [1] matched
=> dnpat: [3] ^(.+,)?ou=(.+),ou=domains,dc=mydomain$ nsub: 2
=> acl_get: [3] matched
=> acl_get: [3] attr uid
=> match[dn0]: 0 55 uid=1234,ou=onnet.ch,ou=domains,dc=mydomain
=> match[dn1]: 0 9 uid=1234,
=> match[dn2]: 12 20 onnet.ch
=> acl_mask: access to entry "uid=1234,ou=onnet.ch,ou=domains,dc=mydomain", attr "uid" requested
=> acl_mask: to value by "cn=postmaster,ou=onnet.ch,ou=domains,dc=mydomain", (=0) 
<= check a_dn_pat: self
<= check a_dn_pat: cn=postmaster,ou=$2,ou=domains,dc=mydomain
=> acl_string_expand: pattern:  cn=postmaster,ou=$2,ou=domains,dc=mydomain
=> acl_string_expand: expanded: cn=postmaster,ou=onnet.ch,ou=domains,dc=mydomain
<= acl_mask: [2] applying write(=wrscxd) (stop)
<= acl_mask: [2] mask: write(=wrscxd)
=> slap_access_allowed: read access granted by write(=wrscxd)
=> access_allowed: read access granted by write(=wrscxd)
=> access_allowed: result not in cache (virtualdomainuser)
=> access_allowed: read access to "uid=1234,ou=onnet.ch,ou=domains,dc=mydomain" "virtualdomainuser" requested
=> dnpat: [1] ^(.+,)?ou=(.+),ou=domains,dc=mydomain$ nsub: 2
=> acl_get: [1] matched
=> dnpat: [3] ^(.+,)?ou=(.+),ou=domains,dc=mydomain$ nsub: 2
=> acl_get: [3] matched
=> dnpat: [4] ^ou=(.+),ou=domains,dc=mydomain$ nsub: 1
=> acl_get: [5] attr virtualdomainuser
=> acl_mask: access to entry "uid=1234,ou=onnet.ch,ou=domains,dc=mydomain", attr "virtualdomainuser" requested
=> acl_mask: to value by "cn=postmaster,ou=onnet.ch,ou=domains,dc=mydomain", (=0) 
<= check a_dn_pat: cn=admin,dc=mydomain
<= check a_dn_pat: *
<= acl_mask: [2] applying read(=rscxd) (stop)
<= acl_mask: [2] mask: read(=rscxd)
=> slap_access_allowed: read access granted by read(=rscxd)
=> access_allowed: read access granted by read(=rscxd)
=> access_allowed: result not in cache (virtualdomain)
=> access_allowed: read access to "uid=1234,ou=onnet.ch,ou=domains,dc=mydomain" "virtualdomain" requested
=> dnpat: [1] ^(.+,)?ou=(.+),ou=domains,dc=mydomain$ nsub: 2
=> acl_get: [1] matched
=> dnpat: [3] ^(.+,)?ou=(.+),ou=domains,dc=mydomain$ nsub: 2
=> acl_get: [3] matched
=> dnpat: [4] ^ou=(.+),ou=domains,dc=mydomain$ nsub: 1
=> acl_get: [5] attr virtualdomain
=> acl_mask: access to entry "uid=1234,ou=onnet.ch,ou=domains,dc=mydomain", attr "virtualdomain" requested
=> acl_mask: to value by "cn=postmaster,ou=onnet.ch,ou=domains,dc=mydomain", (=0) 
<= check a_dn_pat: cn=admin,dc=mydomain
<= check a_dn_pat: *
<= acl_mask: [2] applying read(=rscxd) (stop)
<= acl_mask: [2] mask: read(=rscxd)
=> slap_access_allowed: read access granted by read(=rscxd)
=> access_allowed: read access granted by read(=rscxd)
=> access_allowed: result not in cache (objectClass)
=> access_allowed: read access to "uid=1234,ou=onnet.ch,ou=domains,dc=mydomain" "objectClass" requested
=> dnpat: [1] ^(.+,)?ou=(.+),ou=domains,dc=mydomain$ nsub: 2
=> acl_get: [1] matched
=> dnpat: [3] ^(.+,)?ou=(.+),ou=domains,dc=mydomain$ nsub: 2
=> acl_get: [3] matched
=> acl_get: [3] attr objectClass
=> match[dn0]: 0 55 uid=1234,ou=onnet.ch,ou=domains,dc=mydomain
=> match[dn1]: 0 9 uid=1234,
=> match[dn2]: 12 20 onnet.ch
=> acl_mask: access to entry "uid=1234,ou=onnet.ch,ou=domains,dc=mydomain", attr "objectClass" requested
=> acl_mask: to value by "cn=postmaster,ou=onnet.ch,ou=domains,dc=mydomain", (=0) 
<= check a_dn_pat: self
<= check a_dn_pat: cn=postmaster,ou=$2,ou=domains,dc=mydomain
=> acl_string_expand: pattern:  cn=postmaster,ou=$2,ou=domains,dc=mydomain
=> acl_string_expand: expanded: cn=postmaster,ou=onnet.ch,ou=domains,dc=mydomain
<= acl_mask: [2] applying write(=wrscxd) (stop)
<= acl_mask: [2] mask: write(=wrscxd)
=> slap_access_allowed: read access granted by write(=wrscxd)
=> access_allowed: read access granted by write(=wrscxd)
=> access_allowed: result was in cache (objectClass)
=> access_allowed: result was in cache (objectClass)
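The question in the message above is which ACL directive and which `by` clause decided each access check in the attached trace. The following script is an added example and not code from the thread or from OpenLDAP: it parses the `access_allowed ... requested`, `acl_get: [N] attr`, `acl_mask: [M] applying` and `access ... granted by` line shapes exactly as they appear in the trace above, numbers the `access to` directives and their `by` clauses from the posted slapd.conf the way slapd does (both 1-based, in file order), and joins the two so that each check reads as "directive #N via clause M -> privilege". The embedded ACL set and the sample trace lines are copied from the post; the `dnpat`, `match` and `acl_string_expand` lines are left out of the sample because the parser ignores them anyway. All function and variable names are this example's own.

```python
# Added example, not code from the thread: correlate slapd's ACL debug trace
# ("-d acl" / loglevel 128) with the numbered "access to" directives in
# slapd.conf. Only line shapes that appear in the posted trace are parsed.
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple
# ACL set from the post; slapd numbers directives (acl_get: [N]) and their
# by-clauses (acl_mask: [M]) 1-based, in file order.
ACL_CONF = """
access to dn.regex="^(.+,)?ou=(.+),ou=domains,dc=mydomain$" attrs=userPassword
    by dn.base="cn=admin,dc=mydomain" write
    by self write
    by dn.base,expand="cn=postmaster,ou=$2,ou=domains,dc=mydomain" write
    by anonymous auth
    by * none
access to attrs=userPassword
    by dn.base="cn=admin,dc=mydomain" write
    by self write
    by anonymous auth
    by * none
access to dn.regex="^(.+,)?ou=(.+),ou=domains,dc=mydomain$" attrs=@CourierMailAccount,@inetOrgPerson,@top,@Vacation,entry,cn,sn,homeDirectory,vacationActive,vacationInfo,vacationForward,smtpRelayFlag,description,displayName,givenName,homePhone,homePostalAddress,initials,mobile,postalAddress,postalCode,l,telephoneNumber,title
    by self write
    by dn.base,expand="cn=postmaster,ou=$2,ou=domains,dc=mydomain" write
    by * read
access to dn.regex="^ou=(.+),ou=domains,dc=mydomain$" attrs=children
    by dn.base,expand="cn=postmaster,ou=$1,ou=domains,dc=mydomain" write
    by * read
access to *
    by dn.base="cn=admin,dc=mydomain" write
    by * read
"""
# Trace lines copied from the post (dnpat/match/acl_string_expand lines omitted;
# the parser skips them anyway).
SAMPLE_TRACE = """
=> access_allowed: add access to "ou=onnet.ch,ou=domains,dc=mydomain" "children" requested
=> acl_get: [4] attr children
<= acl_mask: [1] applying write(=wrscxd) (stop)
=> access_allowed: add access granted by write(=wrscxd)
=> access_allowed: add access to "uid=1234,ou=onnet.ch,ou=domains,dc=mydomain" "entry" requested
=> acl_get: [3] attr entry
<= acl_mask: [2] applying write(=wrscxd) (stop)
=> access_allowed: add access granted by write(=wrscxd)
=> access_allowed: read access to "uid=1234,ou=onnet.ch,ou=domains,dc=mydomain" "virtualdomainuser" requested
=> acl_get: [5] attr virtualdomainuser
<= acl_mask: [2] applying read(=rscxd) (stop)
=> access_allowed: read access granted by read(=rscxd)
"""
@dataclass
class Check:
    access: str                       # requested privilege (add, read, ...)
    dn: str
    attr: str
    directive: Optional[int] = None   # "access to" directive that matched
    clause: Optional[int] = None      # "by" clause applied within it
    applied: Optional[str] = None     # privilege that clause grants
    result: Optional[str] = None      # granted / denied
REQ = re.compile(r'=> access_allowed: (\w+) access to "([^"]*)" "([^"]*)" requested')
GET = re.compile(r'=> acl_get: \[(\d+)\] attr (\S+)')
MASK = re.compile(r'<= acl_mask: \[(\d+)\] applying (\w+)\(=[^)]*\) \(stop\)')
RES = re.compile(r'=> access_allowed: (\w+) access (granted|denied) by ')
def parse_trace(lines) -> List[Check]:
    """One Check per 'access ... requested' block, closed by its result line."""
    checks, cur = [], None
    for raw in lines:
        line = raw.strip()
        if m := REQ.match(line):
            cur = Check(*m.groups())
            checks.append(cur)
        elif cur is None:
            continue                  # lines outside a check (cache notes, etc.)
        elif m := GET.match(line):
            cur.directive = int(m.group(1))
        elif m := MASK.match(line):
            cur.clause, cur.applied = int(m.group(1)), m.group(2)
        elif m := RES.match(line):
            cur.result = m.group(2)
            cur = None
    return checks
def parse_acl(conf: str) -> List[Tuple[str, List[str]]]:
    """[(directive_text, [by_clause_text, ...]), ...] in file order."""
    directives = []
    for line in (l.strip() for l in conf.splitlines()):
        if line.startswith("access to"):
            directives.append((line, []))
        elif line.startswith("by ") and directives:
            directives[-1][1].append(line)
    return directives
def explain(c: Check, directives) -> str:
    """Join one trace check with the directive and by-clause that decided it."""
    head, clauses = directives[c.directive - 1]
    return (f'{c.access} "{c.attr}" on {c.dn}: directive #{c.directive} '
            f'({head[:70]}) via "{clauses[c.clause - 1]}" -> {c.applied} ({c.result})')
def write_grants(checks) -> List[Tuple[str, int, int]]:
    """(attr, directive, clause) for every check decided by a write-granting clause."""
    return [(c.attr, c.directive, c.clause) for c in checks if c.applied == "write"]
if __name__ == "__main__":
    acl = parse_acl(ACL_CONF)
    for c in parse_trace(SAMPLE_TRACE.splitlines()):
        print(explain(c, acl))
```

Run against the full attached trace (`parse_trace(open("slapd-acl.log"))`, path assumed) it prints one line per check; `write_grants` then lists every attribute for which the bound DN obtained write and which clause gave it, which is the shortest route to the answer the message asks for. Note that the directive numbers in the trace count every `access to` directive in file order, so a directive without a `dn` part (here #2) still occupies a slot even though it never shows up in a `dnpat` line.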