Full_Name: Russell Mosemann
Version: 2.4.36
OS: Debian 6 and 7
URL:
Submission from: (NULL) (192.160.64.50)
Including rwm directives causes ACL evaluation to be incorrectly performed. rwm plays no role in rewriting any part of the incoming query or outgoing results. Simply commenting the rwm lines without making any other configuration changes permits the query to succeed. The query is coming from an authenticated entry that is allowed to search the subtree.
# rwm configuration - Commenting the following lines allows the query to succeed.
overlay rwm
rwm-rewriteEngine on
rwm-rewriteMap slapd flt2dn "ldap:///ou=accounts,o=cune?dn?sub"
rwm-rewriteContext bindDN
rwm-rewriteRule "^(mail=[a-z0-9-]+\.[a-z0-9-]+@cune\.org),ou=People,o=cune$" "${flt2dn((&($1)(accountStatus=active)(userClass=stu)))}" ":@I"
# There are only 4 ACLs.

# Allow authentication
access to dn.subtree="ou=accounts,o=cune" attrs=userPassword
    by self write
    by peername.ip=127.0.0.0%255.255.255.0 search
    by peername.ip=10.0.0.0%255.255.192.0 search
    by anonymous auth

# Allow reading of certain attributes.
access to dn.subtree="ou=accounts,o=cune" filter=(&(userClass=stu)(accountStatus=active)) attrs=cn,entry,mail,objectClass,sn,uid,userClass,accountStatus
    by dn="qmailGID=306,ou=accounts,o=cune" read
    by peername.ip=127.0.0.0%255.255.255.0 read
    by peername.ip=10.0.0.0%255.255.192.0 read
    by * none

# Search access to the base is required to search children.
access to dn.base="ou=accounts,o=cune"
    by dn="qmailGID=306,ou=accounts,o=cune" search
    by peername.ip=127.0.0.0%255.255.255.0 read
    by peername.ip=10.0.0.0%255.255.192.0 read
    by * none

# No access to other parts.
access to dn.subtree="o=cune"
    by dn="qmailGID=306,ou=accounts,o=cune" none
    by peername.ip=127.0.0.0%255.255.255.0 read
    by peername.ip=10.0.0.0%255.255.192.0 read
    by * none
The query is from the authenticated entry "qmailGID=306,ou=accounts,o=cune" searching the base "ou=accounts,o=cune" with the filter "(uid=Test.Entry)". This is the debugging output when the rwm lines above are commented. The query succeeds.
521cdb75 => send_search_entry: conn 1001 dn="qmailUID=2,ou=accounts,o=cune"
521cdb75 => access_allowed: read access to "qmailUID=2,ou=accounts,o=cune" "entry" requested
521cdb75 => dn: [1] ou=accounts,o=cune
521cdb75 => acl_get: [1] matched
521cdb75 => dn: [2] ou=accounts,o=cune
521cdb75 => acl_get: [2] matched
521cdb75 => test_filter
521cdb75     AND
521cdb75 => test_filter_and
521cdb75 => test_filter
521cdb75     EQUALITY
521cdb75 => access_allowed: search access to "qmailUID=2,ou=accounts,o=cune" "userClass" requested
521cdb75 <= test_filter 6
521cdb75 => test_filter
521cdb75     EQUALITY
521cdb75 => access_allowed: search access to "qmailUID=2,ou=accounts,o=cune" "accountStatus" requested
521cdb75 <= test_filter 6
521cdb75 <= test_filter_and 6
521cdb75 <= test_filter 6
521cdb75 => acl_get: [2] attr entry
521cdb75 => acl_mask: access to entry "qmailUID=2,ou=accounts,o=cune", attr "entry" requested
521cdb75 => acl_mask: to all values by "qmailGID=306,ou=accounts,o=cune", (=0)
521cdb75 <= check a_dn_pat: qmailGID=306,ou=accounts,o=cune
521cdb75 <= acl_mask: [1] applying read(=rscxd) (stop)
521cdb75 <= acl_mask: [1] mask: read(=rscxd)
521cdb75 => slap_access_allowed: read access granted by read(=rscxd)
521cdb75 => access_allowed: read access granted by read(=rscxd)
ber_flush2: 40 bytes to sd 22
  0000:  30 26 02 01 02 64 21 04  1d 71 6d 61 69 6c 55 49   0&...d!..qmailUI
  0010:  44 3d 32 2c 6f 75 3d 61  63 63 6f 75 6e 74 73 2c   D=2,ou=accounts,
  0020:  6f 3d 63 75 6e 65 30 00                            o=cune0.
ldap_write: want=40, written=40
  0000:  30 26 02 01 02 64 21 04  1d 71 6d 61 69 6c 55 49   0&...d!..qmailUI
  0010:  44 3d 32 2c 6f 75 3d 61  63 63 6f 75 6e 74 73 2c   D=2,ou=accounts,
  0020:  6f 3d 63 75 6e 65 30 00                            o=cune0.
521cdb75 <= send_search_entry: conn 1001 exit.
521cdb75 send_ldap_result: conn=1001 op=1 p=3
521cdb75 send_ldap_result: err=0 matched="" text=""
521cdb75 send_ldap_response: msgid=2 tag=101 err=0
This is the debugging output after uncommenting the rwm lines and making no other configuration changes. Search access allowed in the second ACL is not found, and it proceeds to the fourth ACL where all access is denied.
521cdd96 => send_search_entry: conn 1004 dn="qmailUID=2,ou=accounts,o=cune"
521cdd96 => access_allowed: read access to "qmailUID=2,ou=accounts,o=cune" "entry" requested
521cdd96 => dn: [1] ou=accounts,o=cune
521cdd96 => acl_get: [1] matched
521cdd96 => dn: [2] ou=accounts,o=cune
521cdd96 => acl_get: [2] matched
521cdd96 => test_filter
521cdd96     AND
521cdd96 => test_filter_and
521cdd96 => test_filter
521cdd96     EQUALITY
521cdd96 => access_allowed: search access to "qmailUID=2,ou=accounts,o=cune" "userClass" requested
521cdd96 <= test_filter 5
521cdd96 <= test_filter_and 5
521cdd96 <= test_filter 5
521cdd96 => dn: [3] ou=accounts,o=cune
521cdd96 => dn: [4] o=cune
521cdd96 => acl_get: [4] matched
521cdd96 => acl_get: [4] attr entry
521cdd96 => acl_mask: access to entry "qmailUID=2,ou=accounts,o=cune", attr "entry" requested
521cdd96 => acl_mask: to all values by "qmailGID=306,ou=accounts,o=cune", (=0)
521cdd96 <= check a_dn_pat: qmailGID=306,ou=accounts,o=cune
521cdd96 <= acl_mask: [1] applying none(=0) (stop)
521cdd96 <= acl_mask: [1] mask: none(=0)
521cdd96 => slap_access_allowed: read access denied by none(=0)
521cdd96 => access_allowed: no more rules
521cdd96 send_search_entry: conn 1004 access to entry (qmailUID=2,ou=accounts,o=cune) not allowed
521cdd96 send_ldap_result: conn=1004 op=1 p=3
521cdd96 send_ldap_result: err=0 matched="" text=""
521cdd96 send_ldap_response: msgid=2 tag=101 err=0
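To make the fall-through visible at a glance, here is an added helper (not part of this report or of OpenLDAP) that parses the access_allowed / acl_get / test_filter lines of an slapd ACL debug trace and reports which ACLs were candidates for the entry, how each ACL's filter= clause evaluated, and which "by" clause finally applied. The sample traces are trimmed copies of the two quoted above; the codes 5 and 6 printed by test_filter are LDAP_COMPARE_FALSE and LDAP_COMPARE_TRUE.

```python
import re

# Constructed sample: trimmed copies of the two slapd ACL traces quoted in this report.
TRACE_NO_RWM = """\
521cdb75 => access_allowed: read access to "qmailUID=2,ou=accounts,o=cune" "entry" requested
521cdb75 => acl_get: [1] matched
521cdb75 => acl_get: [2] matched
521cdb75 <= test_filter 6
521cdb75 <= test_filter_and 6
521cdb75 <= test_filter 6
521cdb75 <= acl_mask: [1] applying read(=rscxd) (stop)
521cdb75 => access_allowed: read access granted by read(=rscxd)
"""
TRACE_WITH_RWM = """\
521cdd96 => access_allowed: read access to "qmailUID=2,ou=accounts,o=cune" "entry" requested
521cdd96 => acl_get: [1] matched
521cdd96 => acl_get: [2] matched
521cdd96 <= test_filter 5
521cdd96 <= test_filter_and 5
521cdd96 <= test_filter 5
521cdd96 => acl_get: [4] matched
521cdd96 <= acl_mask: [1] applying none(=0) (stop)
521cdd96 => access_allowed: read access denied by none(=0)
"""

# Result codes printed by test_filter: LDAP_COMPARE_FALSE (5) and LDAP_COMPARE_TRUE (6).
COMPARE = {"5": "FALSE", "6": "TRUE"}


def explain_acl_trace(trace):
    """Summarise one access_allowed evaluation: candidate ACLs, filter results, final clause."""
    summary = {"access": None, "attr": None, "matched": [], "filter": {},
               "applied": None, "granted": None}
    current = None  # number of the ACL whose filter= clause is being tested
    for line in trace.splitlines():
        if m := re.search(r'=> access_allowed: (\w+) access to "[^"]+" "(\w+)" requested', line):
            summary["access"], summary["attr"] = m.group(1), m.group(2)
        elif m := re.search(r"=> acl_get: \[(\d+)\] matched", line):
            current = int(m.group(1))
            summary["matched"].append(current)
        elif m := re.search(r"<= test_filter (-?\d+)$", line):
            # nested filter tests close inner-first, so the last result is the outermost one
            summary["filter"][current] = COMPARE.get(m.group(1), "code " + m.group(1))
        elif m := re.search(r"<= acl_mask: \[\d+\] applying (\S+)", line):
            summary["applied"] = m.group(1)
        elif m := re.search(r"access (granted|denied) by", line):
            summary["granted"] = m.group(1) == "granted"
    return summary
```

Run against a full `slapd -d acl` log, the filter column shows directly whether the rwm-enabled server is evaluating (&(userClass=stu)(accountStatus=active)) to FALSE for an entry that plainly satisfies it.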
There is nothing special about the LDAP entry for Test.Entry.
dn: qmailUID=2,ou=accounts,o=cune
objectClass: pilotPerson
objectClass: qmailUser
objectClass: PureFTPdUser
cn: Test Entry
sn: Entry
uid: Test.Entry
qmailUID: 2
accountStatus: active
mail: test.entry@cune.org
userClass: stu
Please let me know if you require any other information. Thank you.
Russell Mosemann