openldap-2.3.38
I have this ACL:
access to dn.regex="^([^,]+,)?ou=sudoers,dc=example,dc=com$"
attrs=children,entry,@sudoRole
by group.exact="cn=Sudo Admins,ou=System Groups,dc=example,dc=com"
write
by * read
The group is:
dn: cn=Sudo Admins,ou=System Groups,dc=example,dc=com
cn: Sudo Admins
objectClass: groupOfNames
description: Members can administer ou=sudoers entries and attributes
owner: uid=Sudo Admin,ou=System Accounts,dc=example,dc=com
member: uid=Sudo Admin,ou=System Accounts,dc=example,dc=com
It works as expected if I place some user in the sudo admins group and
add an entry under ou=sudoers. If the user is not a member of this
group, the add operation fails.
Now I want to be able to use nested groups, so I follow the FAQ and do a
test with sets:
access to dn.regex="^([^,]+,)?ou=sudoers,dc=example,dc=com$"
attrs=children,entry,@sudoRole
by set="[cn=Sudo Admins,ou=System Groups,dc=example,dc=com]/member*"
write
by * read
Without changing anything in the sudo admins group entry, suddenly I can
create new entries under ou=sudoers as any authenticated user. That is,
the group still only has the "uid=sudo admin" member, but I can add a
new sudo entry as another user:
$ ldapadd -x -D uid=jsmith,ou=people,dc=example,dc=com -w jsmith < foo.ldif
adding new entry "cn=iurt,ou=sudoers,dc=example,dc=com"
The ACL logs show:
=> dnpat: [18] ^([^,]+,)?ou=sudoers,dc=example,dc=com$ nsub: 1
=> acl_get: [18] matched
=> acl_get: [18] attr children
=> acl_mask: access to entry "ou=sudoers,dc=example,dc=com", attr "children" requested
=> acl_mask: to all values by "uid=jsmith,ou=people,dc=example,dc=com", (=0)
<= check a_set_pat: [cn=Sudo Admins,ou=System Groups,dc=example,dc=com]/member*
=> bdb_entry_get: found entry: "cn=sudo admins,ou=system groups,dc=example,dc=com"
=> bdb_entry_get: found entry: "uid=sudo admin,ou=system accounts,dc=example,dc=com"
<= acl_mask: [1] applying write(=wrscxd) (stop)
<= acl_mask: [1] mask: write(=wrscxd)
=> access_allowed: add access granted by write(=wrscxd)
(...)
=> acl_mask: access to entry "cn=iurt,ou=sudoers,dc=example,dc=com", attr "entry" requested
=> acl_mask: to all values by "uid=jsmith,ou=people,dc=example,dc=com", (=0)
<= check a_set_pat: [cn=Sudo Admins,ou=System Groups,dc=example,dc=com]/member*
=> bdb_entry_get: found entry: "cn=sudo admins,ou=system groups,dc=example,dc=com"
=> bdb_entry_get: found entry: "uid=sudo admin,ou=system accounts,dc=example,dc=com"
<= acl_mask: [1] applying write(=wrscxd) (stop)
<= acl_mask: [1] mask: write(=wrscxd)
=> access_allowed: add access granted by write(=wrscxd)
So why was "jsmith" allowed to create a new entry under ou=sudoers? He
is not a member of any of the special groups, and I only changed the ACL
line from "by group" to "by set".
$ ldapsearch -x -LLL -h localhost member=uid=jsmith,ou=people,dc=example,dc=com cn
$
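As an added illustration (not part of the original post), here is a small Python model of how slapd decides whether a "by set=" clause applies: the set expression is expanded, and the clause fires whenever the result is non-empty. The directory contents, the nested group cn=Sudo Delegates and the user uid=alice are constructed for the example; the "& user" form is the variant that ties the decision to the bound DN, so that the ACL is treated as a membership check rather than as "the group has members".

```python
from collections import deque

# Constructed directory for this example (DN -> attribute -> values), mirroring
# the post: the group has one direct member, plus a hypothetical nested group.
DIRECTORY = {
    "cn=sudo admins,ou=system groups,dc=example,dc=com": {
        "member": [
            "uid=sudo admin,ou=system accounts,dc=example,dc=com",
            "cn=sudo delegates,ou=system groups,dc=example,dc=com",  # hypothetical
        ],
    },
    "cn=sudo delegates,ou=system groups,dc=example,dc=com": {
        "member": ["uid=alice,ou=people,dc=example,dc=com"],  # hypothetical
    },
    "uid=sudo admin,ou=system accounts,dc=example,dc=com": {},
    "uid=alice,ou=people,dc=example,dc=com": {},
    "uid=jsmith,ou=people,dc=example,dc=com": {},
}

def closure(start_dns, attr):
    """Model of "[dn]/attr*": the start DNs plus every DN reachable by
    following attr repeatedly (this is what expands nested groups)."""
    result = {d.lower() for d in start_dns}
    queue = deque(result)
    while queue:
        dn = queue.popleft()
        for value in DIRECTORY.get(dn, {}).get(attr, []):
            v = value.lower()
            if v not in result:
                result.add(v)
                queue.append(v)
    return result

def set_clause_applies(group_dn, bound_dn, intersect_with_user):
    """slapd applies a "by set=..." clause when the set expression evaluates
    to a non-empty set. Without "& user" the expression is just the member
    closure, which is non-empty for ANY bound DN, so the clause always fires
    and every authenticated user gets the "write" that follows it."""
    members = closure([group_dn], "member")
    if intersect_with_user:
        members &= {bound_dn.lower()}  # "[...]/member* & user"
    return len(members) > 0
```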