
Re: acl bug?



> On 26 Jan 2016, at 12:23 , Michael Ströder <michael@stroeder.com> wrote:
> 
> BÖSCH Christian wrote:
>> I'm using this ACL:
>> 
>> {0}to filter=(objectclass=person) attrs=Hidden by group.exact=“cn=group,ou=groups,o=abc.net” none
>> 
>> But members of the group can still access the attribute Hidden.
>> With any filter it does not work.
>> If I use a single DN it works.
>> 
>> Seems to me filters do not work?
> 
> ..or there is another ACL applied before reaching this ACL.

No, it's the first ACL entry.

> 
> Debug this with log level "acl".

Below is the debug output. Do you see something suspicious?
Thanks, Christian

Jan 26 12:35:46 openldap1 slapd[84283]: => mdb_entry_get: found entry: "uid=user1,ou=people,o=abc.net"
Jan 26 12:35:46 openldap1 slapd[84283]: => mdb_entry_get: found entry: "cn=default,ou=ppolicies,o=abc.net"
Jan 26 12:35:46 openldap1 slapd[84283]: => access_allowed: result not in cache (userPassword)
Jan 26 12:35:46 openldap1 slapd[84283]: => access_allowed: auth access to "uid=user1,ou=people,o=abc.net" "userPassword" requested
Jan 26 12:35:46 openldap1 slapd[84283]: => acl_get: [3] attr userPassword
Jan 26 12:35:46 openldap1 slapd[84283]: => acl_mask: access to entry "uid=user1,ou=people,o=abc.net", attr "userPassword" requested
Jan 26 12:35:46 openldap1 slapd[84283]: => acl_mask: to value by "", (=0)
Jan 26 12:35:46 openldap1 slapd[84283]: <= check a_dn_pat: self
Jan 26 12:35:46 openldap1 slapd[84283]: <= check a_dn_pat: anonymous
Jan 26 12:35:46 openldap1 slapd[84283]: <= acl_mask: [2] applying auth(=xd) (stop)
Jan 26 12:35:46 openldap1 slapd[84283]: <= acl_mask: [2] mask: auth(=xd)
Jan 26 12:35:46 openldap1 slapd[84283]: => slap_access_allowed: auth access granted by auth(=xd)
Jan 26 12:35:46 openldap1 slapd[84283]: => access_allowed: auth access granted by auth(=xd)
Jan 26 12:35:46 openldap1 slapd[84283]: => mdb_entry_get: found entry: "uid=user1,ou=people,o=abc.net"
Jan 26 12:35:46 openldap1 slapd[84283]: => access_allowed: search access to "o=abc.net" "entry" requested
Jan 26 12:35:46 openldap1 slapd[84283]: => acl_get: [4] attr entry
Jan 26 12:35:46 openldap1 slapd[84283]: => acl_mask: access to entry "o=abc.net", attr "entry" requested
Jan 26 12:35:46 openldap1 slapd[84283]: => acl_mask: to all values by "uid=user1,ou=people,o=abc.net", (=0)
Jan 26 12:35:46 openldap1 slapd[84283]: <= check a_dn_pat: *
Jan 26 12:35:46 openldap1 slapd[84283]: <= acl_mask: [1] applying read(=rscxd) (stop)
Jan 26 12:35:46 openldap1 slapd[84283]: <= acl_mask: [1] mask: read(=rscxd)
Jan 26 12:35:46 openldap1 slapd[84283]: => slap_access_allowed: search access granted by read(=rscxd)
Jan 26 12:35:46 openldap1 slapd[84283]: => access_allowed: search access granted by read(=rscxd)
Jan 26 12:35:46 openldap1 slapd[84283]: => access_allowed: search access to "uid=user2,ou=people,o=abc.net" "uid" requested
Jan 26 12:35:46 openldap1 slapd[84283]: => acl_get: [4] attr uid
Jan 26 12:35:46 openldap1 slapd[84283]: => acl_mask: access to entry "uid=user2,ou=people,o=abc.net", attr "uid" requested
Jan 26 12:35:46 openldap1 slapd[84283]: => acl_mask: to value by "uid=user1,ou=people,o=abc.net", (=0)
Jan 26 12:35:46 openldap1 slapd[84283]: <= check a_dn_pat: *
Jan 26 12:35:46 openldap1 slapd[84283]: <= acl_mask: [1] applying read(=rscxd) (stop)
Jan 26 12:35:46 openldap1 slapd[84283]: <= acl_mask: [1] mask: read(=rscxd)
Jan 26 12:35:46 openldap1 slapd[84283]: => slap_access_allowed: search access granted by read(=rscxd)
Jan 26 12:35:46 openldap1 slapd[84283]: => access_allowed: search access granted by read(=rscxd)
Jan 26 12:35:46 openldap1 slapd[84283]: => access_allowed: read access to "uid=user2,ou=people,o=abc.net" "entry" requested
Jan 26 12:35:46 openldap1 slapd[84283]: => acl_get: [4] attr entry
Jan 26 12:35:46 openldap1 slapd[84283]: => acl_mask: access to entry "uid=user2,ou=people,o=abc.net", attr "entry" requested
Jan 26 12:35:46 openldap1 slapd[84283]: => acl_mask: to all values by "uid=user1,ou=people,o=abc.net", (=0)
Jan 26 12:35:46 openldap1 slapd[84283]: <= check a_dn_pat: *
Jan 26 12:35:46 openldap1 slapd[84283]: <= acl_mask: [1] applying read(=rscxd) (stop)
Jan 26 12:35:46 openldap1 slapd[84283]: <= acl_mask: [1] mask: read(=rscxd)
Jan 26 12:35:46 openldap1 slapd[84283]: => slap_access_allowed: read access granted by read(=rscxd)
Jan 26 12:35:46 openldap1 slapd[84283]: => access_allowed: read access granted by read(=rscxd)
Jan 26 12:35:46 openldap1 slapd[84283]: => access_allowed: result not in cache (Hidden)
Jan 26 12:35:46 openldap1 slapd[84283]: => access_allowed: read access to "uid=user2,ou=people,o=abc.net" "Hidden" requested
Jan 26 12:35:46 openldap1 slapd[84283]: => access_allowed: search access to "uid=user2,ou=people,o=abc.net" "objectClass" requested
Jan 26 12:35:46 openldap1 slapd[84283]: => acl_get: [2] attr Hidden
Jan 26 12:35:46 openldap1 slapd[84283]: => acl_mask: access to entry "uid=user2,ou=people,o=abc.net", attr "Hidden" requested
Jan 26 12:35:46 openldap1 slapd[84283]: => acl_mask: to value by "uid=user1,ou=people,o=abc.net", (=0)
Jan 26 12:35:46 openldap1 slapd[84283]: <= check a_group_pat: cn=group,ou=groups,o=abc.net
Jan 26 12:35:46 openldap1 slapd[84283]: => mdb_entry_get: found entry: "cn=group,ou=groups,o=abc.net"
Jan 26 12:35:46 openldap1 slapd[84283]: <= check a_authz.sai_ssf: ACL 128 > OP 256
Jan 26 12:35:46 openldap1 slapd[84283]: <= acl_mask: [1] applying read(=rscxd) (stop)
Jan 26 12:35:46 openldap1 slapd[84283]: <= acl_mask: [1] mask: read(=rscxd)
Jan 26 12:35:46 openldap1 slapd[84283]: => slap_access_allowed: read access granted by read(=rscxd)
Jan 26 12:35:46 openldap1 slapd[84283]: => access_allowed: read access granted by read(=rscxd)
Jan 26 12:35:46 openldap1 slapd[84283]: connection_read(36): no connection!


> 
> Ciao, Michael.
> 
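
As an added example (not code from the thread), a small Python parser that groups slapd `acl` debug lines like the ones above into one record per access request, so the matched by-clause and the applied mask can be compared with what the ACL was written to grant. The sample lines are copied from the log above; the `audit` helper and its expected-mask mapping are my own construction.

```python
import re
# Log excerpt copied from the thread above: the "Hidden" decision, including the interleaved
# objectClass request that evaluating the ACL's (objectclass=person) filter triggers.
SAMPLE_LOG = """\
Jan 26 12:35:46 openldap1 slapd[84283]: => access_allowed: read access to "uid=user2,ou=people,o=abc.net" "Hidden" requested
Jan 26 12:35:46 openldap1 slapd[84283]: => access_allowed: search access to "uid=user2,ou=people,o=abc.net" "objectClass" requested
Jan 26 12:35:46 openldap1 slapd[84283]: => acl_get: [2] attr Hidden
Jan 26 12:35:46 openldap1 slapd[84283]: => acl_mask: to value by "uid=user1,ou=people,o=abc.net", (=0)
Jan 26 12:35:46 openldap1 slapd[84283]: <= check a_group_pat: cn=group,ou=groups,o=abc.net
Jan 26 12:35:46 openldap1 slapd[84283]: <= check a_authz.sai_ssf: ACL 128 > OP 256
Jan 26 12:35:46 openldap1 slapd[84283]: <= acl_mask: [1] mask: read(=rscxd)
Jan 26 12:35:46 openldap1 slapd[84283]: => access_allowed: read access granted by read(=rscxd)
"""

REQUEST = re.compile(r'=> access_allowed: (\w+) access to "([^"]*)" "([^"]*)" requested')
ACL_GET = re.compile(r'=> acl_get: \[(\d+)\] attr (\S+)')
SUBJECT = re.compile(r'=> acl_mask: to (?:all values|value) by "([^"]*)"')
CHECK = re.compile(r'<= check (\S+): (.*)$')
MASK = re.compile(r'<= acl_mask: \[(\d+)\] mask: (\S+)')
RESULT = re.compile(r'=> access_allowed: \w+ access (granted|denied) by (\S+)')

def trace_decisions(log_text):
    """Group slapd 'acl' debug lines into one record per access request."""
    records, open_by_attr, current = [], {}, None
    for line in log_text.splitlines():
        if m := REQUEST.search(line):
            current = {"access": m[1], "entry": m[2], "attr": m[3], "acl": None, "subject": None,
                       "checks": [], "clause": None, "mask": None, "result": None}
            records.append(current)
            open_by_attr[m[3]] = current
        elif m := ACL_GET.search(line):
            # acl_get names the attribute, so it re-syncs after an interleaved request.
            current = open_by_attr.get(m[2], current)
            if current: current["acl"] = int(m[1])
        elif current is None:
            continue
        elif m := SUBJECT.search(line):
            current["subject"] = m[1]
        elif m := CHECK.search(line):
            current["checks"].append(m[1] + ": " + m[2].strip())
        elif m := MASK.search(line):
            current["clause"], current["mask"] = int(m[1]), m[2]
        elif m := RESULT.search(line):
            current["result"] = m[1]
    return records

def audit(records, expected):
    """Decisions whose applied mask (e.g. 'read') differs from the access the ACL was meant to grant."""
    return [r for r in records if r["attr"] in expected and r["mask"]
            and r["mask"].split("(")[0] != expected[r["attr"]]]
```

Running `audit(trace_decisions(SAMPLE_LOG), {"Hidden": "none"})` on the excerpt above flags the Hidden decision, since clause [1] applied `read(=rscxd)` rather than `none`.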
