Hi,
I have a problem with ACLs on OpenLDAP. One defined group does not match any of
its members. Specifically, when I add an entry in ou=people,dc=... as a member of
cn=studadm,ou=group,dc=... (uid=florek) it works, and I get in slapd's log
(shortened):
slapd[29022]: => access_allowed: add access to "ou=people,DC=mathematik,DC=hu-berlin,DC=de" "children" requested
slapd[29022]: => dn: [1] cn=krbcontainer,ou=kerberos,DC=mathematik,DC=hu-berlin,DC=de
slapd[29022]: => dn: [6] ou=autofs,DC=mathematik,DC=hu-berlin,DC=de
slapd[29022]: => dn: [7] ou=group,DC=mathematik,DC=hu-berlin,DC=de
slapd[29022]: => dn: [8] ou=people,DC=mathematik,DC=hu-berlin,DC=de
slapd[29022]: => acl_get: [8] matched
slapd[29022]: => acl_get: [8] attr children
slapd[29022]: => acl_mask: access to entry "ou=people,DC=mathematik,DC=hu-berlin,DC=de", attr "children" requested
slapd[29022]: => acl_mask: to all values by "uid=florek,ou=people,DC=mathematik,DC=hu-berlin,DC=de", (=0)
slapd[29022]: <= check a_group_pat: cn=adm,ou=group,DC=mathematik,DC=hu-berlin,DC=de
slapd[29022]: => bdb_entry_get: found entry: "cn=adm,ou=group,DC=mathematik,DC=hu-berlin,DC=de"
slapd[29022]: <= check a_group_pat: cn=studadm,ou=group,DC=mathematik,DC=hu-berlin,DC=de
slapd[29022]: => bdb_entry_get: found entry: "cn=studadm,ou=group,DC=mathematik,DC=hu-berlin,DC=de"
slapd[29022]: <= acl_mask: [2] applying manage(=mwrscxd) (stop)
slapd[29022]: <= acl_mask: [2] mask: manage(=mwrscxd)
slapd[29022]: => slap_access_allowed: add access granted by manage(=mwrscxd)
slapd[29022]: => access_allowed: add access granted by manage(=mwrscxd)
[...]
As a member of cn=adm,ou=group,dc=... (uid=musch) it does not, and I get:
slapd[29022]: => access_allowed: add access to "ou=people,DC=mathematik,DC=hu-berlin,DC=de" "children" requested
slapd[29022]: => dn: [1] cn=krbcontainer,ou=kerberos,DC=mathematik,DC=hu-berlin,DC=de
slapd[29022]: => dn: [6] ou=autofs,DC=mathematik,DC=hu-berlin,DC=de
slapd[29022]: => dn: [7] ou=group,DC=mathematik,DC=hu-berlin,DC=de
slapd[29022]: => dn: [8] ou=people,DC=mathematik,DC=hu-berlin,DC=de
slapd[29022]: => acl_get: [8] matched
slapd[29022]: => acl_get: [8] attr children
slapd[29022]: => acl_mask: access to entry "ou=people,DC=mathematik,DC=hu-berlin,DC=de", attr "children" requested
slapd[29022]: => acl_mask: to all values by "uid=musch,ou=people,DC=mathematik,DC=hu-berlin,DC=de", (=0)
slapd[29022]: <= check a_group_pat: cn=adm,ou=group,DC=mathematik,DC=hu-berlin,DC=de
slapd[29022]: => bdb_entry_get: found entry: "cn=adm,ou=group,DC=mathematik,DC=hu-berlin,DC=de"
slapd[29022]: <= check a_group_pat: cn=studadm,ou=group,DC=mathematik,DC=hu-berlin,DC=de
slapd[29022]: => bdb_entry_get: found entry: "cn=studadm,ou=group,DC=mathematik,DC=hu-berlin,DC=de"
slapd[29022]: <= check a_peername_path: 141.20.50.0%255.255.254.0
slapd[29022]: <= check a_peername_path: 141.20.52.0%255.255.252.0
slapd[29022]: <= acl_mask: [4] applying read(=rscxd) (stop)
slapd[29022]: <= acl_mask: [4] mask: read(=rscxd)
slapd[29022]: => slap_access_allowed: add access denied by read(=rscxd)
slapd[29022]: => access_allowed: no more rules
I am using OpenLDAP 2.4.12 from SLES11 (RPM version 2.4.12-7.18.1) with the
following ACLs (line breaks added to ease reading; attribute olcAccess in
olcDatabase={1}hdb,cn=config):
{0} to
dn.subtree="cn=krbContainer,ou=kerberos,DC=mathematik,DC=hu-berlin,DC=de"
by dn.base="cn=kdc,ou=kerberos,DC=mathematik,DC=hu-berlin,DC=de" read
by dn="cn=kadmin,ou=kerberos,DC=mathematik,DC=hu-berlin,DC=de" manage
by * none
{1} to attrs=userPassword,userPKCS12
by self write
by * auth
{2} to attrs=shadowLastChange
by self write
by * read
{3} to attrs=uidNumber,gidNumber,homeDirectory
by group="cn=adm,ou=group,dc=mathematik,dc=hu-berlin,dc=de" manage
by group="cn=studadm,ou=group,dc=mathematik,dc=hu-berlin,dc=de" manage
by peername.ip=141.20.50.0%255.255.254.0 read
by peername.ip=141.20.52.0%255.255.252.0 read
by * none
{4} to attrs=sambaNTPassword,sambaLMPassword
by * none
{5} to dn.subtree="ou=autofs,DC=mathematik,DC=hu-berlin,DC=de"
by group="cn=adm,ou=group,dc=mathematik,dc=hu-berlin,dc=de" manage
by group="cn=studadm,ou=group,dc=mathematik,dc=hu-berlin,dc=de" manage
by peername.ip=141.20.50.0%255.255.254.0 read
by peername.ip=141.20.52.0%255.255.252.0 read
by * none
{6} to dn.subtree="ou=group,DC=mathematik,DC=hu-berlin,DC=de"
by group="cn=adm,ou=group,dc=mathematik,dc=hu-berlin,dc=de" manage
by group="cn=studadm,ou=group,dc=mathematik,dc=hu-berlin,dc=de" manage
by peername.ip=141.20.50.0%255.255.254.0 read
by peername.ip=141.20.52.0%255.255.252.0 read
by * none
{7} to dn.subtree="ou=people,DC=mathematik,DC=hu-berlin,DC=de"
by group="cn=adm,ou=group,dc=mathematik,dc=hu-berlin,dc=de" manage
by group="cn=studadm,ou=group,dc=mathematik,dc=hu-berlin,dc=de" manage
by peername.ip=141.20.50.0%255.255.254.0 read
by peername.ip=141.20.52.0%255.255.252.0 read
by * none
{8} to dn.subtree="ou=ethers,DC=mathematik,DC=hu-berlin,DC=de"
by group="cn=adm,ou=group,dc=mathematik,dc=hu-berlin,dc=de" manage
by group="cn=studadm,ou=group,dc=mathematik,dc=hu-berlin,dc=de" manage
by peername.ip=141.20.50.0%255.255.254.0 read
by peername.ip=141.20.52.0%255.255.252.0 read
by * none
{9} to *
by * read
Groups are defined as follows:
dn: cn=studadm,ou=group,DC=mathematik,DC=hu-berlin,DC=de
gidNumber: 1300
memberUid: petrov
memberUid: florek
description: studentische Administratoren der Rechentechnik
cn: studadm
member: uid=petrov,ou=people,DC=mathematik,DC=hu-berlin,DC=de
member: uid=florek,ou=people,DC=mathematik,DC=hu-berlin,DC=de
objectClass: top
objectClass: posixGroup
objectClass: namedObject
objectClass: groupOfNames

dn: cn=adm,ou=group,DC=mathematik,DC=hu-berlin,DC=de
cn: adm
gidNumber: 1303
memberUid: gehne
memberUid: rmielke
memberUid: musch
description: Administratoren der Rechentechnik
member: uid=gehne,ou=people,DC=mathematik,DC=hu-berlin.de
member: uid=rmielke,ou=people,DC=mathematik,DC=hu-berlin.de
member: uid=musch,ou=people,DC=mathematik,DC=hu-berlin.de
objectClass: top
objectClass: posixGroup
objectClass: namedObject
objectClass: groupOfNames
And users like this:
dn: uid=musch,ou=people,DC=mathematik,DC=hu-berlin,DC=de
uid: musch
uidNumber: 3001
gidNumber: 3000
cn: Andre Musch
objectClass: top
objectClass: account
objectClass: posixAccount
loginShell: /bin/bash
homeDirectory: /home_s/musch

dn: uid=florek,ou=people,DC=mathematik,DC=hu-berlin,DC=de
uid: florek
uidNumber: 32839
gidNumber: 32003
cn: Tobias Florek
homeDirectory: /u/florek
objectClass: top
objectClass: account
objectClass: posixAccount
loginShell: /bin/zsh

Any ideas?
Tobias Florek
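One thing worth verifying before digging further into the ACL evaluation is that the `member` values slapd compares the bind DN against really are DNs under the directory's naming context. The following Python script is an added example (it is not part of the original post and not OpenLDAP code): it parses the two group entries quoted above, mimics what a `by group="..."` clause with the default `groupOfNames`/`member` pairing does (normalise the bind DN and look for it among the group's `member` values), and lists every member DN that does not end in the assumed base `dc=mathematik,dc=hu-berlin,dc=de`. The base DN, the function names and the simplified DN normalisation (lowercased, trimmed RDNs, no escape or attribute-value handling) are this example's own assumptions.

```python
"""Check that every `member` value of a groupOfNames entry is a DN that a
slapd `by group="..."` ACL clause can actually match against a bind DN.

Added example, not taken from the original post or from OpenLDAP. The LDIF
below is copied from the group entries in the post (description attributes
omitted); BASE_DN and the function names are assumptions of this example.
"""
import re
from typing import Dict, List, Tuple

# Sample LDIF, constructed from the two group entries quoted in the post.
GROUPS_LDIF = """\
dn: cn=studadm,ou=group,DC=mathematik,DC=hu-berlin,DC=de
gidNumber: 1300
memberUid: petrov
memberUid: florek
cn: studadm
member: uid=petrov,ou=people,DC=mathematik,DC=hu-berlin,DC=de
member: uid=florek,ou=people,DC=mathematik,DC=hu-berlin,DC=de
objectClass: top
objectClass: posixGroup
objectClass: groupOfNames

dn: cn=adm,ou=group,DC=mathematik,DC=hu-berlin,DC=de
cn: adm
gidNumber: 1303
memberUid: gehne
memberUid: rmielke
memberUid: musch
member: uid=gehne,ou=people,DC=mathematik,DC=hu-berlin.de
member: uid=rmielke,ou=people,DC=mathematik,DC=hu-berlin.de
member: uid=musch,ou=people,DC=mathematik,DC=hu-berlin.de
objectClass: top
objectClass: posixGroup
objectClass: groupOfNames
"""

# Assumed naming context of the directory (taken from the DNs in the post).
BASE_DN = "dc=mathematik,dc=hu-berlin,dc=de"

Entry = Dict[str, List[str]]


def parse_ldif(text: str) -> List[Entry]:
    """Minimal LDIF reader: blank-line separated entries, 'attr: value'
    lines, multi-valued attributes kept as lists. Attribute names are
    lowercased; base64 ('::') values and line folding are not handled."""
    entries: List[Entry] = []
    current: Entry = {}
    for line in text.splitlines() + [""]:
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries


def normalize_dn(dn: str) -> str:
    """Normalise a DN for comparison: split on unescaped commas, trim the
    whitespace around each RDN and lowercase everything. This is a
    simplification of slapd's real DN normalisation, but enough to show
    that 'DC=hu-berlin,DC=de' and 'DC=hu-berlin.de' are different DNs."""
    rdns = re.split(r"(?<!\\),", dn)
    return ",".join(r.strip().lower() for r in rdns)


def is_group_member(entries: List[Entry], group_dn: str, user_dn: str) -> bool:
    """What `by group="<group_dn>"` with the default groupOfNames/member
    pairing boils down to: is the normalised bind DN one of the group's
    `member` values? (memberUid values are not consulted.)"""
    target = normalize_dn(group_dn)
    for e in entries:
        if normalize_dn(e["dn"][0]) == target:
            members = {normalize_dn(m) for m in e.get("member", [])}
            return normalize_dn(user_dn) in members
    return False  # group entry not found: the clause cannot match either


def find_member_dns_outside_suffix(entries: List[Entry],
                                   base_dn: str = BASE_DN) -> List[Tuple[str, str]]:
    """Return (group DN, member DN) pairs whose member DN does not lie under
    base_dn. Such values can never equal the DN of a user entry under
    base_dn, so the corresponding `by group=` clause silently never fires."""
    suffix = normalize_dn(base_dn)
    bad: List[Tuple[str, str]] = []
    for e in entries:
        for m in e.get("member", []):
            nm = normalize_dn(m)
            if not (nm == suffix or nm.endswith("," + suffix)):
                bad.append((e["dn"][0], m))
    return bad


if __name__ == "__main__":
    ents = parse_ldif(GROUPS_LDIF)
    print(is_group_member(ents, "cn=studadm,ou=group," + BASE_DN,
                          "uid=florek,ou=people,DC=mathematik,DC=hu-berlin,DC=de"))
    print(is_group_member(ents, "cn=adm,ou=group," + BASE_DN,
                          "uid=musch,ou=people,DC=mathematik,DC=hu-berlin,DC=de"))
    for group, member in find_member_dns_outside_suffix(ents):
        print(f"{group}: member {member!r} is not under {BASE_DN}")
```

Run on the entries as posted, the membership check returns True for uid=florek in cn=studadm and False for uid=musch in cn=adm, and the suffix check lists the three cn=adm `member` values, whose last component reads `DC=hu-berlin.de` rather than `DC=hu-berlin,DC=de`. Two points the script illustrates: slapd's `by group=` clause, with the default object class and attribute, only looks at `member`, so `memberUid` plays no part in the ACL decision; and a member value that is syntactically a valid DN but does not denote an existing entry produces no error anywhere, only a quietly non-matching clause, which is why a check like this belongs in whatever tooling provisions group entries.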