openldap-2.3.38
I have this ACL:

access to dn.regex="^([^,]+,)?ou=sudoers,dc=example,dc=com$" attrs=children,entry,@sudoRole
    by group.exact="cn=Sudo Admins,ou=System Groups,dc=example,dc=com" write
    by * read

The group is:

dn: cn=Sudo Admins,ou=System Groups,dc=example,dc=com
cn: Sudo Admins
objectClass: groupOfNames
description: Members can administer ou=sudoers entries and attributes
owner: uid=Sudo Admin,ou=System Accounts,dc=example,dc=com
member: uid=Sudo Admin,ou=System Accounts,dc=example,dc=com
It works as expected if I place some user in the sudo admins group and add an entry under ou=sudoers. If the user is not a member of this group, the add operation fails.
Now I want to be able to use nested groups, so I follow the FAQ and do a test with sets:
access to dn.regex="^([^,]+,)?ou=sudoers,dc=example,dc=com$" attrs=children,entry,@sudoRole
    by set="[cn=Sudo Admins,ou=System Groups,dc=example,dc=com]/member*" write
    by * read
Without changing anything in the sudo admins group entry, suddenly I can create new entries under ou=sudoers as any authenticated user. That is, the group still only has the "uid=sudo admin" member, but I can add a new sudo entry as another user:
$ ldapadd -x -D uid=jsmith,ou=people,dc=example,dc=com -w jsmith < foo.ldif
adding new entry "cn=iurt,ou=sudoers,dc=example,dc=com"

The ACL logs show:

=> dnpat: [18] ^([^,]+,)?ou=sudoers,dc=example,dc=com$ nsub: 1
=> acl_get: [18] matched
=> acl_get: [18] attr children
=> acl_mask: access to entry "ou=sudoers,dc=example,dc=com", attr "children" requested
=> acl_mask: to all values by "uid=jsmith,ou=people,dc=example,dc=com", (=0)
<= check a_set_pat: [cn=Sudo Admins,ou=System Groups,dc=example,dc=com]/member*
=> bdb_entry_get: found entry: "cn=sudo admins,ou=system groups,dc=example,dc=com"
=> bdb_entry_get: found entry: "uid=sudo admin,ou=system accounts,dc=example,dc=com"
<= acl_mask: [1] applying write(=wrscxd) (stop)
<= acl_mask: [1] mask: write(=wrscxd)
=> access_allowed: add access granted by write(=wrscxd)
(...)
=> acl_mask: access to entry "cn=iurt,ou=sudoers,dc=example,dc=com", attr "entry" requested
=> acl_mask: to all values by "uid=jsmith,ou=people,dc=example,dc=com", (=0)
<= check a_set_pat: [cn=Sudo Admins,ou=System Groups,dc=example,dc=com]/member*
=> bdb_entry_get: found entry: "cn=sudo admins,ou=system groups,dc=example,dc=com"
=> bdb_entry_get: found entry: "uid=sudo admin,ou=system accounts,dc=example,dc=com"
<= acl_mask: [1] applying write(=wrscxd) (stop)
<= acl_mask: [1] mask: write(=wrscxd)
=> access_allowed: add access granted by write(=wrscxd)
So why was "jsmith" allowed to create a new entry under ou=sudoers? He is not a member of any of the special groups, and I only changed the ACL line from "by group" to "by set".
$ ldapsearch -x -LLL -h localhost member=uid=jsmith,ou=people,dc=example,dc=com cn
$
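An added example, not part of the post above and not OpenLDAP's own code: a small Python model of how slapd evaluates a "by set=..." clause. A set clause applies whenever the expression evaluates to a non-empty set. "[dn]/member*" expands to the (transitive) members of the group and says nothing about who is bound, so it is non-empty for every requester; intersecting with "user" (the bound DN), as in "[cn=Sudo Admins,...]/member* & user", is what turns it into a membership test. The directory data is constructed for the example, and a nested "cn=Sudo Operators" group and a "uid=ops1" user are assumed so that the member* closure has something to chase.

```python
# Added example (not from the original post, not OpenLDAP code): a model of the
# subset of OpenLDAP set-ACL semantics needed to explain the posted log.
#
#   [dn]/attr    -> the values of attr on entry dn
#   [dn]/attr*   -> closure: follow attr from dn repeatedly (nested groups)
#   user         -> the set holding only the bound DN
#   A & B        -> intersection
#   A "by set=<expr>" clause matches when the final set is NON-EMPTY.

# Constructed mini-directory (assumed data, not the poster's real DIT). DNs are
# kept lower-cased because slapd compares DNs case-insensitively. The nested
# "sudo operators" group and "uid=ops1" are assumptions made for the example.
DIRECTORY = {
    "cn=sudo admins,ou=system groups,dc=example,dc=com": {
        "member": [
            "uid=sudo admin,ou=system accounts,dc=example,dc=com",
            "cn=sudo operators,ou=system groups,dc=example,dc=com",  # nested group
        ],
    },
    "cn=sudo operators,ou=system groups,dc=example,dc=com": {
        "member": ["uid=ops1,ou=people,dc=example,dc=com"],
    },
    "uid=sudo admin,ou=system accounts,dc=example,dc=com": {},
    "uid=ops1,ou=people,dc=example,dc=com": {},
    "uid=jsmith,ou=people,dc=example,dc=com": {},
}


def norm(dn):
    return dn.strip().lower()


def attr_values(dn, attr):
    """Values of one attribute on one entry, normalised; empty if absent."""
    return {norm(v) for v in DIRECTORY.get(norm(dn), {}).get(attr.lower(), [])}


def closure(start_dns, attr):
    """[dn]/attr*: every DN reachable from start_dns by following attr.
    The model keeps the starting DN in the result; that does not change any
    outcome below, since nobody binds as the group entry itself."""
    seen, todo = set(), list(start_dns)
    while todo:
        dn = todo.pop()
        if dn in seen:
            continue
        seen.add(dn)
        todo.extend(attr_values(dn, attr))
    return seen


def eval_set(expr, bound_dn):
    """Evaluate '[dn]/attr', '[dn]/attr*' and 'user' terms joined by '&'.
    Returns the resulting set of DNs."""
    result = None
    for term in (t.strip() for t in expr.split("&")):
        if term == "user":
            s = {norm(bound_dn)}
        elif term.startswith("[") and "]/" in term:
            dn, path = term[1:].split("]/", 1)
            if path.endswith("*"):
                s = closure({norm(dn)}, path[:-1])
            else:
                s = attr_values(dn, path)
        else:
            raise ValueError("unsupported set term: %r" % term)
        result = s if result is None else result & s
    return result


def set_clause_matches(expr, bound_dn):
    """True iff a 'by set=<expr> ...' clause applies to bound_dn (set non-empty)."""
    return len(eval_set(expr, bound_dn)) > 0


# The posted clause, and the same clause intersected with the bound DN.
WEAK_SET = "[cn=Sudo Admins,ou=System Groups,dc=example,dc=com]/member*"
FIXED_SET = WEAK_SET + " & user"

if __name__ == "__main__":
    for who in ("uid=jsmith,ou=people,dc=example,dc=com",
                "uid=Sudo Admin,ou=System Accounts,dc=example,dc=com",
                "uid=ops1,ou=people,dc=example,dc=com"):
        print("%-55s weak=%-5s fixed=%s" % (
            who, set_clause_matches(WEAK_SET, who), set_clause_matches(FIXED_SET, who)))
```

Run stand-alone it prints one row per bound DN: jsmith matches the weak clause and not the fixed one, while the direct member and the member of the nested group match both. This is the same thing the posted log shows: slapd fetches the group and its member entry to build the set, finds it non-empty, and applies write without ever comparing the result to "uid=jsmith". In slapd.conf the corrected clause reads by set="[cn=Sudo Admins,ou=System Groups,dc=example,dc=com]/member* & user" write.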