openldap-2.3.38
I have this ACL:

access to dn.regex="^([^,]+,)?ou=sudoers,dc=example,dc=com$" attrs=children,entry,@sudoRole
    by group.exact="cn=Sudo Admins,ou=System Groups,dc=example,dc=com" write
    by * read

The group is:

dn: cn=Sudo Admins,ou=System Groups,dc=example,dc=com
cn: Sudo Admins
objectClass: groupOfNames
description: Members can administer ou=sudoers entries and attributes
owner: uid=Sudo Admin,ou=System Accounts,dc=example,dc=com
member: uid=Sudo Admin,ou=System Accounts,dc=example,dc=com
It works as expected if I place some user in the sudo admins group and add an entry under ou=sudoers. If the user is not a member of this group, the add operation fails.
Now I want to be able to use nested groups, so I follow the FAQ and do a test with sets:
access to dn.regex="^([^,]+,)?ou=sudoers,dc=example,dc=com$" attrs=children,entry,@sudoRole
    by set="[cn=Sudo Admins,ou=System Groups,dc=example,dc=com]/member*" write
    by * read
Without changing anything in the sudo admins group entry, suddenly I can create new entries under ou=sudoers as any authenticated user. That is, the group still only has the "uid=sudo admin" member, but I can add a new sudo entry as another user:
$ ldapadd -x -D uid=jsmith,ou=people,dc=example,dc=com -w jsmith < foo.ldif
adding new entry "cn=iurt,ou=sudoers,dc=example,dc=com"

The ACL logs show:

=> dnpat: [18] ^([^,]+,)?ou=sudoers,dc=example,dc=com$ nsub: 1
=> acl_get: [18] matched
=> acl_get: [18] attr children
=> acl_mask: access to entry "ou=sudoers,dc=example,dc=com", attr "children" requested
=> acl_mask: to all values by "uid=jsmith,ou=people,dc=example,dc=com", (=0)
<= check a_set_pat: [cn=Sudo Admins,ou=System Groups,dc=example,dc=com]/member*
=> bdb_entry_get: found entry: "cn=sudo admins,ou=system groups,dc=example,dc=com"
=> bdb_entry_get: found entry: "uid=sudo admin,ou=system accounts,dc=example,dc=com"
<= acl_mask: [1] applying write(=wrscxd) (stop)
<= acl_mask: [1] mask: write(=wrscxd)
=> access_allowed: add access granted by write(=wrscxd)
(...)
=> acl_mask: access to entry "cn=iurt,ou=sudoers,dc=example,dc=com", attr "entry" requested
=> acl_mask: to all values by "uid=jsmith,ou=people,dc=example,dc=com", (=0)
<= check a_set_pat: [cn=Sudo Admins,ou=System Groups,dc=example,dc=com]/member*
=> bdb_entry_get: found entry: "cn=sudo admins,ou=system groups,dc=example,dc=com"
=> bdb_entry_get: found entry: "uid=sudo admin,ou=system accounts,dc=example,dc=com"
<= acl_mask: [1] applying write(=wrscxd) (stop)
<= acl_mask: [1] mask: write(=wrscxd)
=> access_allowed: add access granted by write(=wrscxd)
So why was "jsmith" allowed to create a new entry under ou=sudoers? He is not a member of any of the special groups, and I only changed the ACL line from "by group" to "by set".
$ ldapsearch -x -LLL -h localhost member=uid=jsmith,ou=people,dc=example,dc=com cn
$
On Fri, 2007-09-14 at 14:07 -0300, Andreas Hasenack wrote:
So why was "jsmith" allowed to create a new entry under ou=sudoers? He is not a member of any of the special groups, and I only changed the ACL line from "by group" to "by set".
This is the right ACL. At least, this one works for me:

access to dn.regex="^([^,]+,)?ou=sudoers,dc=example,dc=com$" attrs=children,entry,@sudoRole
    by set="[cn=Sudo Admins,ou=System Groups,dc=example,dc=com]/member* & user" write
    by * read
I was missing the "& user" part. And it works with nested groups now:
$ ldapsearch -x -LLL "cn=sudo admins" member
dn: cn=Sudo Admins,ou=System Groups,dc=example,dc=com
member: uid=Sudo Admin,ou=System Accounts,dc=example,dc=com
member: cn=Account Admins,ou=System Groups,dc=example,dc=com

$ ldapsearch -x -LLL "cn=account admins" member
dn: cn=Account Admins,ou=System Groups,dc=example,dc=com
member: uid=Account Admin,ou=System Accounts,dc=example,dc=com
member: uid=jsmith,ou=people,dc=example,dc=com

And jsmith can create/change sudo entries:

$ ldapadd -x -D uid=jsmith,ou=people,dc=example,dc=com -w jsmith < foo.ldif
adding new entry "cn=iurt,ou=sudoers,dc=example,dc=com"
$
Andreas Hasenack wrote:
Now I want to be able to use nested groups, so I follow the FAQ and do a test with sets:
access to dn.regex="^([^,]+,)?ou=sudoers,dc=example,dc=com$" attrs=children,entry,@sudoRole by set="[cn=Sudo Admins,ou=System Groups,dc=example,dc=com]/member*" write by * read
Without changing anything in the sudo admins group entry, suddenly I can create new entries under ou=sudoers as any authenticated user. That is, the group still only has the "uid=sudo admin" member, but I can add a new sudo entry as another user:
That's because sets grant permission as soon as the result of their evaluation is a non-empty set, and yours will always be non-empty.
You need to check whether the intersection between the nested group expansion and the user is not empty. Something like [any newlines added by the mailer]:
by set="[cn=Sudo Admins,ou=System Groups,dc=example,dc=com]/member* & user" write
should work.
p.
Ing. Pierangelo Masarati OpenLDAP Core Team
SysNet s.r.l. via Dossi, 8 - 27100 Pavia - ITALIA http://www.sys-net.it --------------------------------------- Office: +39 02 23998309 Mobile: +39 333 4963172 Email: pierangelo.masarati@sys-net.it ---------------------------------------
On Sat, 2007-09-15 at 00:45 +0200, Pierangelo Masarati wrote:
Andreas Hasenack wrote:
Now I want to be able to use nested groups, so I follow the FAQ and do a test with sets:
access to dn.regex="^([^,]+,)?ou=sudoers,dc=example,dc=com$" attrs=children,entry,@sudoRole by set="[cn=Sudo Admins,ou=System Groups,dc=example,dc=com]/member*" write by * read
Without changing anything in the sudo admins group entry, suddenly I can create new entries under ou=sudoers as any authenticated user. That is, the group still only has the "uid=sudo admin" member, but I can add a new sudo entry as another user:
That's because sets grant permission as soon as the result of their evaluation is a non-empty set, and yours will always be non-empty.
Ah, right, that was the missing piece.
You need to check whether the intersection between the nested group expansion and the user is not empty. Something like [any newlines added by the mailer]:
by set="[cn=Sudo Admins,ou=System Groups,dc=example,dc=com]/member* & user" write
should work.
Worked just fine, thanks!
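The rule Pierangelo gives above (a set clause applies as soon as the evaluated set is non-empty, so "member*" alone grants to everyone while "member* & user" grants only when the bind DN is in the expansion) can be reproduced outside slapd. The following is an added example written for this thread, not OpenLDAP's own ACL code: it models "[group]/member*" as the transitive closure of the member attribute over a constructed copy of the group entries shown in the two messages (before and after Account Admins was nested into Sudo Admins), then evaluates both ACL forms for the bind DNs from the thread. Function and variable names are the example's own.

```python
"""
Model of how the two "by set=..." clauses in this thread are evaluated.
Added example, not slapd's implementation: it applies the rule stated in the
thread (a set clause grants when its result set is non-empty) to constructed
directory data copied from the LDIF shown in the messages.
"""

# Constructed directory data: group DN -> values of its member attribute.
# Only the attribute the set expression walks ("member") is modelled.
BEFORE_NESTING = {
    "cn=Sudo Admins,ou=System Groups,dc=example,dc=com": [
        "uid=Sudo Admin,ou=System Accounts,dc=example,dc=com",
    ],
}

AFTER_NESTING = {
    "cn=Sudo Admins,ou=System Groups,dc=example,dc=com": [
        "uid=Sudo Admin,ou=System Accounts,dc=example,dc=com",
        "cn=Account Admins,ou=System Groups,dc=example,dc=com",
    ],
    "cn=Account Admins,ou=System Groups,dc=example,dc=com": [
        "uid=Account Admin,ou=System Accounts,dc=example,dc=com",
        "uid=jsmith,ou=people,dc=example,dc=com",
    ],
}

SUDO_ADMINS = "cn=Sudo Admins,ou=System Groups,dc=example,dc=com"


def norm(dn):
    """DN values compare case-insensitively (the slapd log shows them lower-cased)."""
    return dn.lower()


def member_closure(group_dn, directory):
    """"[<group>]/member*": follow member values transitively, so members of
    nested groups are included. Returns the set of DNs reached."""
    dirmap = {norm(k): v for k, v in directory.items()}
    reached, todo = set(), [norm(group_dn)]
    while todo:
        dn = todo.pop()
        for value in dirmap.get(dn, []):
            value = norm(value)
            if value not in reached:
                reached.add(value)
                todo.append(value)  # descend into this value if it is itself a group
    return reached


def set_clause_grants(result):
    """The rule from the thread: a set clause applies when its result is non-empty."""
    return len(result) > 0


def without_user(bind_dn, directory, group_dn=SUDO_ADMINS):
    """by set="[group]/member*" write: the bind DN never enters the expression,
    so any non-empty group makes this clause match for every bind."""
    return set_clause_grants(member_closure(group_dn, directory))


def with_user(bind_dn, directory, group_dn=SUDO_ADMINS):
    """by set="[group]/member* & user" write: intersect the expansion with the
    bind DN; the result is non-empty only if the bind DN is a (nested) member."""
    return set_clause_grants(member_closure(group_dn, directory) & {norm(bind_dn)})


def evaluate(bind_dn, directory):
    """Return (grants with 'member*' only, grants with 'member* & user')."""
    return without_user(bind_dn, directory), with_user(bind_dn, directory)


if __name__ == "__main__":
    jsmith = "uid=jsmith,ou=people,dc=example,dc=com"
    sudo_admin = "uid=Sudo Admin,ou=System Accounts,dc=example,dc=com"
    for label, directory in (("before nesting", BEFORE_NESTING),
                             ("after nesting", AFTER_NESTING)):
        for who in (sudo_admin, jsmith):
            no_user, user = evaluate(who, directory)
            print(f"{label:14} {who:52} member*: {no_user!s:5} member* & user: {user}")
```

Run stand-alone it prints one line per (directory state, bind DN) pair: before nesting, jsmith is granted by the "member*" form and refused by the "member* & user" form, which is exactly the behaviour in the first message; after Account Admins is nested, the "& user" form grants jsmith because the closure now reaches him through the nested group.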
Andreas Hasenack wrote:
openldap-2.3.38
BTW, 2.3.39 will fix a memory-related issue with sets; from CHANGES:
Fixed slapd ACL sets memory handling (ITS#4873)
If you really plan to use sets in production you might want to import that fix: 1.24.2.5 to 1.24.2.6.
p.
Ing. Pierangelo Masarati OpenLDAP Core Team
SysNet s.r.l. via Dossi, 8 - 27100 Pavia - ITALIA http://www.sys-net.it --------------------------------------- Office: +39 02 23998309 Mobile: +39 333 4963172 Email: pierangelo.masarati@sys-net.it ---------------------------------------
openldap-software@openldap.org