From listen@alexander.skwar.name Thu Apr  5 11:53:50 2007
From: Alexander Skwar <listen@alexander.skwar.name>
To: openldap-software@openldap.org
Subject: Access Control: Limiting based on regex
Date: Thu, 05 Apr 2007 13:53:37 +0200
Message-ID: <4614E341.204@alexander.skwar.name>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============1804317830707404388=="

--===============1804317830707404388==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

Hello.

Reading the OpenLDAP 2.3 documentation on http://www.openldap.org/doc/admin23=
/slapdconfig.html#Access%20Control,
I find the following:

         <access directive> ::=3D access to <what>
                 [by <who> <access> <control>]+
         <what> ::=3D * |
                 [dn[.<basic-style>]=3D<regex> | dn.<scope-style>=3D<DN>]
                 [filter=3D<ldapfilter>] [attrs=3D<attrlist>]
         <basic-style> ::=3D regex | exact
         <scope-style> ::=3D base | one | subtree | children
         <attrlist> ::=3D <attr> [val[.<basic-style>]=3D<regex>] | <attr> , <=
attrlist>
         <attr> ::=3D <attrname> | entry | children
         <who> ::=3D * | [anonymous | users | self
                         | dn[.<basic-style>]=3D<regex> | dn.<scope-style>=3D=
<DN>]
                 [dnattr=3D<attrname>]
                 [group[/<objectclass>[/<attrname>][.<basic-style>]]=3D<regex=
>]
                 [peername[.<basic-style>]=3D<regex>]
                 [sockname[.<basic-style>]=3D<regex>]
                 [domain[.<basic-style>]=3D<regex>]
                 [sockurl[.<basic-style>]=3D<regex>]
                 [set=3D<setspec>]
                 [aci=3D<attrname>]
         <access> ::=3D [self]{<level>|<priv>}
         <level> ::=3D none | auth | compare | search | read | write
         <priv> ::=3D {=3D|+|-}{w|r|s|c|x|0}+
         <control> ::=3D [stop | continue | break]


I'm particularly interested in the "what" clause:

         <what> ::=3D * |
                 [dn[.<basic-style>]=3D<regex> | dn.<scope-style>=3D<DN>]

I understand the term "dn[.<basic-style>]" so, that ".<basic-style>"
is optional and can be left out; ie. there's no need to write
".regex" or ".exact".

But when I write "access to dn=3D".*,dc=3Dmylan,dc=3Dnet" attr=3DuserPassword"
in my slapd.conf, I cannot start slapd:

Apr  5 13:09:51 winds06 slapd[11740]: [ID 702911 local4.debug] @(#) $OpenLDAP=
: slapd 2.3.28 (Nov 10 2006 21:08:47) $
Apr  5 13:09:51 winds06         asmoore(a)ra
Apr  5 13:09:51 winds06 slapd[11740]: [ID 933944 local4.debug] /opt/csw/etc/o=
penldap/slapd.conf: line 81: "attr" is deprecated (and undocumented); use "at=
trs" instead.
Apr  5 13:09:51 winds06 slapd[11740]: [ID 868080 local4.debug] /opt/csw/etc/o=
penldap/slapd.conf: line 81: bad DN ".*,dc=3Dmylan,dc=3Dnet" in to DN clause
Apr  5 13:09:51 winds06 slapd[11740]: [ID 583609 local4.debug] <access clause=
> ::=3D access to <what> [ by <who> [ <access> ] [ <control> ] ]+
Apr  5 13:09:51 winds06 unparseable log message: "<what> ::=3D * | dn[.<dnsty=
le>=3D<DN>] [filter=3D<filter>] [attrs=3D<attrspec>]"
Apr  5 13:09:51 winds06 unparseable log message: "<attrspec> ::=3D <attrname>=
 [val[/<matchingRule>][.<attrstyle>]=3D<value>] | <attrlist>"
Apr  5 13:09:51 winds06 unparseable log message: "<attrlist> ::=3D <attr> [ ,=
 <attrlist> ]"
Apr  5 13:09:51 winds06 unparseable log message: "<attr> ::=3D <attrname> | @=
<objectClass> | !<objectClass> | entry | children"
Apr  5 13:09:51 winds06 unparseable log message: "<who> ::=3D [ * | anonymous=
 | users | self | dn[.<dnstyle>]=3D<DN> ]"
Apr  5 13:09:51 winds06         [ realanonymous | realusers | realself | real=
dn[.<dnstyle>]=3D<DN> ]
Apr  5 13:09:51 winds06         [dnattr=3D<attrname>]
Apr  5 13:09:51 winds06         [realdnattr=3D<attrname>]
Apr  5 13:09:51 winds06         [group[/<objectclass>[/<attrname>]][.<style>]=
=3D<group>]
Apr  5 13:09:51 winds06         [peername[.<peernamestyle>]=3D<peer>] [sockna=
me[.<style>]=3D<name>]
Apr  5 13:09:51 winds06         [domain[.<domainstyle>]=3D<domain>] [sockurl[=
.<style>]=3D<url>]
Apr  5 13:09:51 winds06         [aci[=3D<attrname>]]
Apr  5 13:09:51 winds06         [ssf=3D<n>] [transport_ssf=3D<n>] [tls_ssf=3D=
<n>] [sasl_ssf=3D<n>]
Apr  5 13:09:51 winds06 unparseable log message: "<style> ::=3D exact | regex=
 | base(Object)"
Apr  5 13:09:51 winds06 unparseable log message: "<dnstyle> ::=3D base(Object=
) | one(level) | sub(tree) | children | exact | regex"
Apr  5 13:09:51 winds06 unparseable log message: "<attrstyle> ::=3D exact | r=
egex | base(Object) | on"
Apr  5 13:09:51 winds06 slapd[11740]: [ID 486161 local4.debug] slapd stopped.
Apr  5 13:09:51 winds06 slapd[11740]: [ID 432338 local4.debug] connections_de=
stroy: nothing to destroy.

It seems to me, that ".regex" or ".exact" is required, because when
I write "access to dn.regex=3D".*,dc=3Dmylan,dc=3Dnet" attr=3DuserPassword"
in my slapd.conf, I can start slapds just fine.

Is this intended?

I'm using OpenLDAP 2.3.31 on Solaris 10 (BTW: Why does the first quoted
line of the syslog excerpt say "@(#) $OpenLDAP: slapd 2.3.28 (Nov 10 2006 21:=
08:47) $"?)

Best regards,

Alexander Skwar

--===============1804317830707404388==--


From pkoelle@gmail.com Thu Apr  5 16:07:35 2007
From: paul =?utf-8?q?k=C3=B6lle?= <pkoelle@gmail.com>
To: openldap-software@openldap.org
Subject: Re: Access Control: Limiting based on regex
Date: Thu, 05 Apr 2007 18:07:31 +0200
Message-ID: <46151EC3.9060002@gmail.com>
In-Reply-To: <4614E341.204@alexander.skwar.name>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============7680629450679052178=="

--===============7680629450679052178==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit

Alexander Skwar schrieb:
[snipp]

> It seems to me, that ".regex" or ".exact" is required, because when
> I write "access to dn.regex=".*,dc=mylan,dc=net" attr=userPassword"
> in my slapd.conf, I can start slapds just fine.
I guess this is expected behaviour. Since the default is dn.exact (when
no <dnstyle> is given) the string ".*,dc=mylan,dc=net" is not a valid DN.

cheers
 Paul

--===============7680629450679052178==--