--On Friday, January 12, 2007 8:49 PM +0100 Pierangelo Masarati <ando@sys-net.it> wrote:

> Quanah Gibson-Mount wrote:
>> My intention is to be able to do something like:
>> access to dn.exact="cn=groupa,cn=groups,dc=stanford,dc=edu"
>
> This should read:
>
> access to dn.exact="cn=groupa,cn=groups,dc=stanford,dc=edu" attrs=member
>
> Try this patch (to HEAD as of now).
No go... I have:
access to dn.exact="cn=registry-consult,cn=groups,cn=applications,dc=stanford,dc=edu" attrs=member by dn.base="uid=cadabra,cn=accounts,dc=stanford,dc=edu" read by * none
(cadabra is my test account)
I get nothing back.
If I change it to:
access to dn.exact="cn=registry-consult,cn=groups,cn=applications,dc=stanford,dc=edu" by dn.base="uid=cadabra,cn=accounts,dc=stanford,dc=edu" sasl_ssf=56 read by * none
I can see:
dn: cn=registry-consult,cn=groups,cn=applications,dc=stanford,dc=edu
objectClass: groupOfURLs
cn: registry-consult
memberURL: ldap:///cn=people,dc=stanford,dc=edu??sub?(suprivilegegroup=registry:consult)
(notice no membership)
If I search this with my normal id (quanah) which has full access, I get the listing + members.
debug level -1 shows:
[snip]
<==slap_sasl2dn: Converted SASL name to uid=cadabra,cn=accounts,dc=stanford,dc=edu
slap_sasl_getdn: dn:id converted to uid=cadabra,cn=accounts,dc=stanford,dc=edu
SASL Canonicalize [conn=0]: slapAuthcDN="uid=cadabra,cn=accounts,dc=stanford,dc=edu"
SASL proxy authorize [conn=0]: authcid="cadabra@stanford.edu" authzid="cadabra@stanford.edu"
conn=0 op=3 BIND authcid="cadabra@stanford.edu" authzid="cadabra@stanford.edu"
SASL Authorize [conn=0]: proxy authorization allowed authzDN=""
send_ldap_sasl: err=0 len=-1
conn=0 op=3 BIND dn="uid=cadabra,cn=accounts,dc=stanford,dc=edu" mech=GSSAPI ssf=56
conn=0 op=4 SRCH base="cn=groups,cn=applications,dc=stanford,dc=edu" scope=2 deref=0 filter="(cn=registry-consult)"
=> access_allowed: search access to "cn=registry-consult,cn=groups,cn=applications,dc=stanford,dc=edu" "cn" requested
=> acl_mask: access to entry "cn=registry-consult,cn=groups,cn=applications,dc=stanford,dc=edu", attr "cn" requested
=> acl_mask: to value by "uid=cadabra,cn=accounts,dc=stanford,dc=edu", (=0)
<= check a_dn_pat: uid=cadabra,cn=accounts,dc=stanford,dc=edu
<= check a_authz.sai_sasl_ssf: ACL 56 > OP 56
<= acl_mask: [1] applying read(=rscxd) (stop)
<= acl_mask: [1] mask: read(=rscxd)
=> slap_access_allowed: search access granted by read(=rscxd)
=> access_allowed: search access granted by read(=rscxd)
<= test_filter 6
ldap_url_parse_ext(ldap:///cn=people,dc=stanford,dc=edu??sub?(suprivilegegroup=registry:consult))
dnPrettyNormal: <cn=people,dc=stanford,dc=edu>
=> ldap_bv2dn(cn=people,dc=stanford,dc=edu,0)
<= ldap_bv2dn(cn=people,dc=stanford,dc=edu)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(cn=people,dc=stanford,dc=edu)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(cn=people,dc=stanford,dc=edu)=0
<<< dnPrettyNormal: <cn=people,dc=stanford,dc=edu>, <cn=people,dc=stanford,dc=edu>
str2filter "(&(!(objectClass=groupOfURLs))(suprivilegegroup=registry:consult))"
put_filter: "(&(!(objectClass=groupOfURLs))(suprivilegegroup=registry:consult))"
put_filter: AND
put_filter_list "(!(objectClass=groupOfURLs))(suprivilegegroup=registry:consult)"
put_filter: "(!(objectClass=groupOfURLs))"
put_filter: NOT
put_filter_list "(objectClass=groupOfURLs)"
put_filter: "(objectClass=groupOfURLs)"
put_filter: simple
put_simple_filter: "objectClass=groupOfURLs"
put_filter: "(suprivilegegroup=registry:consult)"
put_filter: simple
put_simple_filter: "suprivilegegroup=registry:consult"
begin get_filter
AND
begin get_filter_list
begin get_filter
NOT
begin get_filter
EQUALITY
search_candidates: base="cn=people,dc=stanford,dc=edu" (0x00000006) scope=2
Most importantly, as you can see here:
=> acl_mask: access to entry "suRegID=000648cb784048849a1573566ffe0ef8,cn=people,dc=stanford,dc=edu", attr "objectClass" requested
=> acl_mask: to value by "uid=cadabra,cn=accounts,dc=stanford,dc=edu", (=0)
[snip]
<= acl_mask: no more <who> clauses, returning =0 (stop)
=> slap_access_allowed: search access denied by =0
=> access_allowed: no more rules
It is still using the "cadabra" credentials to find membership in the group, and not the internal rootdn.
--Quanah
--
Quanah Gibson-Mount
Principal Software Developer
ITS/Shared Application Services
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
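To pull the point of this message out of a `-d -1` trace mechanically, here is an added example that is not part of the thread or of OpenLDAP: it parses the `acl_mask` / `access_allowed` lines in the format shown above, records which identity each check was evaluated for, and lists the denied checks under the memberURL base that were run as the bound user rather than an internal identity (rootdn bypasses ACLs, so it never appears in these lines). The function names and the sample log lines are constructed, modelled on the excerpt above.

```python
import re

# Patterns for the ACL lines slapd prints at debug level -1 (format as in the trace above).
REQ = re.compile(r'^=> acl_mask: access to entry "([^"]+)", attr "([^"]+)" requested')
WHO = re.compile(r'^=> acl_mask: to value by "([^"]*)"')
GRANTED = re.compile(r'^=> access_allowed: (\w+) access granted by')
DENIED = re.compile(r'^=> (?:slap_access_allowed: \w+ access denied|access_allowed: no more rules)')


def parse_acl_decisions(lines):
    """One dict per ACL decision: target dn, attribute, identity it was evaluated for, outcome."""
    decisions, cur = [], None
    for raw in lines:
        line = raw.strip()
        if m := REQ.match(line):
            cur = {"dn": m[1], "attr": m[2], "who": None, "granted": None}
        elif (m := WHO.match(line)) and cur:
            cur["who"] = m[1]
        elif cur and cur["granted"] is None and GRANTED.match(line):
            cur["granted"] = True
            decisions.append(cur)
            cur = None
        elif cur and cur["granted"] is None and DENIED.match(line):
            cur["granted"] = False
            decisions.append(cur)
            cur = None
    return decisions


def _under(dn, base):
    dn, base = dn.lower(), base.lower()
    return dn == base or dn.endswith("," + base)


def dropped_member_candidates(decisions, member_base, requester_dn):
    """Denied checks under the memberURL base evaluated as the requester: each one is an
    entry the dynamic-group expansion silently left out of the member list."""
    return [(d["dn"], d["attr"]) for d in decisions
            if _under(d["dn"], member_base) and d["who"] == requester_dn and d["granted"] is False]


# Constructed sample, shortened from the trace in the message above.
SAMPLE_LOG = """\
=> acl_mask: access to entry "cn=registry-consult,cn=groups,cn=applications,dc=stanford,dc=edu", attr "cn" requested
=> acl_mask: to value by "uid=cadabra,cn=accounts,dc=stanford,dc=edu", (=0)
<= check a_dn_pat: uid=cadabra,cn=accounts,dc=stanford,dc=edu
=> slap_access_allowed: search access granted by read(=rscxd)
=> access_allowed: search access granted by read(=rscxd)
=> acl_mask: access to entry "suRegID=000648cb784048849a1573566ffe0ef8,cn=people,dc=stanford,dc=edu", attr "objectClass" requested
=> acl_mask: to value by "uid=cadabra,cn=accounts,dc=stanford,dc=edu", (=0)
<= acl_mask: no more <who> clauses, returning =0 (stop)
=> slap_access_allowed: search access denied by =0
=> access_allowed: no more rules
""".splitlines()
```

Run against a full trace, an empty result with a still-empty member list points away from ACLs on the people subtree and toward the overlay itself.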