On Thu, Oct 15, 2009 at 11:22 AM, Edward Capriolo edlinuxguru@gmail.com wrote:
Hello all,
We are currently migrating from a master-slave to a multi-master setup. All went well except for the fact that the access on the old master node was more liberal than the access on the slave node. As a result some applications were able to use this to their advantage and now are not working quite correctly when each node is a read-write master.
here is my configuration:
#access to dn.regex="mail=.*.managed@jointhegrid.com,ou=user,ou=jointhegrid.com,o=jointhegrid,c=US"
#        attrs=userPassword,accountstatus
#        by dn="mail=john@jointhegrid.com,ou=user,ou=jointhegrid.com,o=jointhegrid,c=US" write break
#        by dn="mail=sara@jointhegrid.com,ou=user,ou=jointhegrid,o=jointhegrid,c=US" write break

access to attr=userPassword
        by self write
        by anonymous auth
        by dn="mail=samba@jointhegrid.com,ou=user,ou=jointhegrid.com,o=jointhegrid,c=US" read
        by dn="mail=samba@jointhegrid-inc.com,ou=user,ou=jointhegrid-inc.com,o=jointhegrid,c=US" read
        by * none

access to attrs=sambaLMPassword,sambaNTPassword
        by dn="mail=samba@jointhegrid.com,ou=user,ou=jointhegrid.com,o=jointhegrid,c=US" read
        by dn="mail=samba@jointhegrid-inc.com,ou=user,ou=jointhegrid-inc.com,o=jointhegrid,c=US" read
        by self write
        by * none

access to *
        by dn="mail=samba@jointhegrid.com,ou=user,ou=jointhegrid.com,o=jointhegrid,c=US" write
        by dn="mail=samba@jointhegrid-inc.com,ou=user,ou=jointhegrid-inc.com,o=jointhegrid,c=US" write
        by dnattr=manager write
        by self write
        by users read
        by * none
My problem is the top (commented-out) lines; these rules are to allow sara and john to administer all "mail=.*.managed" users. This worked fine in the past because no read queries hit the master, but now with multi-master the "mail=.*.managed" users have no access to the directory. The old rule was
# by dn="mail=sara@jointhegrid.com,ou=user,ou=jointhegrid,o=jointhegrid,c=US" write stop
I also tried
# by dn="mail=sara@jointhegrid.com,ou=user,ou=jointhegrid,o=jointhegrid,c=US" write break
I was under the impression that "write break" would continue evaluation, but I do not understand how this is working. Can anyone help me with a suggestion for fixing this?
Thank you!
Hey all,
I know this is somewhat of an RTFM question, but I did RTFM and I don't understand how BREAK is interpreted.
man slapd.access:

    .... The other two forms are used to keep on processing access clauses. In detail, the continue form allows for other <who> clauses in the same <access> clause to be considered, so that they may result in incrementally altering the privileges, while the break form allows for other <access> clauses that match the same target to be processed. Consider the (silly) example

        access to dn.subtree="dc=example,dc=com" attrs=cn
                by * =cs break
        access to dn.subtree="ou=People,dc=example,dc=com"
                by * +r
Do I need:

access to dn.regex="mail=.*.managed@jointhegrid.com,ou=user,ou=jointhegrid.com,o=jointhegrid,c=US"
        attrs=userPassword,accountstatus
        by dn="mail=john@jointhegrid.com,ou=user,ou=jointhegrid.com,o=jointhegrid,c=US" write break
        by dn="mail=sara@jointhegrid.com,ou=user,ou=jointhegrid,o=jointhegrid,c=US" write break
        by * break

?
We have a pretty large LDAP deployment with lots of applications using it. Every time I get this rule wrong I manage to block someone's access. I know it's not your problem, but please throw me a bone here :)
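The stop/break behaviour quoted from slapd.access(5) above, worked through as an added example that is not part of the original thread: a small Python model of clause evaluation, run against the ACL set from the post with five readings of the commented-out admin clause. The model follows the man page text plus slapd's implicit "by * none" when a matching clause has no matching <by> entry; it handles absolute levels only (no incremental +/- privileges, no dnattr, no defaultaccess) and is an illustration of ordering, not slapd's own evaluator. The DNs for bob.managed and alice are constructed, the second samba DN is dropped, and the "by * break" fallback is written with an explicit none level, which are all assumptions made here.

```python
import re

# Privilege levels in slapd's order; a level grants itself and every level below it.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]


class Access:
    # One 'access to <what> by <who> <level> <control> ...' clause (absolute levels only).
    def __init__(self, dn_regex=None, attrs=None, by=()):
        # dn.regex behaves like regexec(): unanchored unless the pattern anchors itself.
        self.dn_regex = re.compile(dn_regex, re.IGNORECASE) if dn_regex else None
        self.attrs = {a.lower() for a in attrs} if attrs else None
        self.by = list(by)  # (who, level, control) tuples in the order written

    def matches_target(self, target_dn, attr):
        if self.dn_regex and not self.dn_regex.search(target_dn):
            return False
        return self.attrs is None or attr.lower() in self.attrs


def _who_matches(who, requester_dn, target_dn):
    if who == "*":
        return True
    if who == "anonymous":
        return requester_dn == ""
    if who == "users":
        return requester_dn != ""
    if who == "self":
        return requester_dn != "" and requester_dn.lower() == target_dn.lower()
    if who.startswith("dn="):
        return requester_dn.lower() == who[3:].lower()
    raise ValueError(f"<who> form not modelled: {who}")


def effective_level(acls, requester_dn, target_dn, attr):
    """Walk the clauses in order, applying the stop/continue/break rules of slapd.access(5)."""
    mask = None
    for acl in acls:
        if not acl.matches_target(target_dn, attr):
            continue
        for who, level, control in acl.by:
            if not _who_matches(who, requester_dn, target_dn):
                continue
            mask = level  # an absolute level replaces whatever an earlier clause set
            if control != "continue":
                break
        else:  # ran off the end of the <by> list: slapd's implicit "by * none", which stops
            mask, control = "none", "stop"
        if control == "break":
            continue  # evaluation goes on with the next clause that matches this target
        return mask
    return mask or "none"  # nothing matched (slapd's defaultaccess is not modelled)


def allowed(acls, requester_dn, target_dn, attr, needed):
    return LEVELS.index(effective_level(acls, requester_dn, target_dn, attr)) >= LEVELS.index(needed)


# Constructed DNs in the post's naming scheme: bob.managed is a managed account, alice an ordinary one.
BASE = "ou=user,ou=jointhegrid.com,o=jointhegrid,c=US"
JOHN, SARA, SAMBA = (f"mail={u}@jointhegrid.com,{BASE}" for u in ("john", "sara", "samba"))
BOB, ALICE = (f"mail={u}@jointhegrid.com,{BASE}" for u in ("bob.managed", "alice"))
MANAGED = "mail=.*.managed@jointhegrid.com,ou=user,ou=jointhegrid.com,o=jointhegrid,c=US"


def build_acls(admin_by):
    """The post's ACL set; admin_by is the <by> list of the commented-out clause (None leaves it out).
    The jointhegrid-inc samba DN and dnattr=manager are dropped; they do not affect these cases."""
    acls = [] if admin_by is None else [Access(MANAGED, ["userPassword", "accountstatus"], admin_by)]
    acls += [
        Access(None, ["userPassword"], [("self", "write", "stop"), ("anonymous", "auth", "stop"),
                                        (f"dn={SAMBA}", "read", "stop"), ("*", "none", "stop")]),
        Access(None, ["sambaLMPassword", "sambaNTPassword"],
               [(f"dn={SAMBA}", "read", "stop"), ("self", "write", "stop"), ("*", "none", "stop")]),
        Access(None, None, [(f"dn={SAMBA}", "write", "stop"), ("self", "write", "stop"),
                            ("users", "read", "stop"), ("*", "none", "stop")]),
    ]
    return acls


ADMINS_STOP = [(f"dn={JOHN}", "write", "stop"), (f"dn={SARA}", "write", "stop")]
ADMINS_BREAK = [(who, level, "break") for who, level, _ in ADMINS_STOP]
VARIANTS = {  # five readings of the commented-out clause; "by * break" gets an explicit none level
    "clause commented out": None,
    "admins write stop": ADMINS_STOP,
    "admins write break": ADMINS_BREAK,
    "admins write break, by * none break": ADMINS_BREAK + [("*", "none", "break")],
    "admins write stop, by * none break": ADMINS_STOP + [("*", "none", "break")],
}


def scenario(admin_by):
    """Who can do what to a managed user's userPassword under one variant of the admin clause."""
    acls = build_acls(admin_by)
    return {
        "anonymous auth to bob (bind)": allowed(acls, "", BOB, "userPassword", "auth"),
        "bob writes own password": allowed(acls, BOB, BOB, "userPassword", "write"),
        "john writes bob's password": allowed(acls, JOHN, BOB, "userPassword", "write"),
        "alice reads bob's password": allowed(acls, ALICE, BOB, "userPassword", "read"),
        "john writes alice's password": allowed(acls, JOHN, ALICE, "userPassword", "write"),
    }


if __name__ == "__main__":
    for name, admin_by in VARIANTS.items():
        print(name, {case: "ALLOW" if ok else "deny" for case, ok in scenario(admin_by).items()})
```

In this model the ordering effects are: with the clause commented out, managed users bind and change their own password but john cannot touch theirs; with "write stop" john can, but a managed user matches no <by> entry of that clause, so the implicit "by * none" denies them everything on userPassword, including the anonymous "auth" that a simple bind needs, which is the lock-out symptom; "write break" on john is worse still, because the break carries evaluation into the next userPassword clause, whose "by * none" replaces his write with none; only the admins on stop plus a trailing "by * none break" lets the admins through and sends everyone else on to the existing userPassword rules.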