Hi !
I need some help with a pair of ACIs I have prepared (using openldap 2.4.7 in a SuSE9 server)
I have created a DIT where several subscribers were provisioned. Under each subscriber entry there are two different entries ("application=data1" and "application=data2"):
application=data1,subscriberId=<xxx>,ou=subscribers,dc=company,dc=com
application=data2,subscriberId=<xxx>,ou=subscribers,dc=company,dc=com
And I have defined four different users (to bind to the system, apart from the "rootdn", of course):
- uid=data1owner,ou=users,dc=company,dc=com Can read and modify attribute values in "application=data1, ..." entries
- uid=data2owner,ou=users,dc=company,dc=com Can read and modify attribute values in "application=data2, ..." entries
- uid=data1checker,ou=users,dc=company,dc=com Can read attribute values in "application=data1, ..." entries but can NOT modify them
- uid=admin,ou=users,dc=company,dc=com Can read and modify attribute values in "application=data1, ..." and "application=data2, ..." entries
I have included the following ACIs in the "slapd.conf" file (to get the behaviour explained above):
##
## Policy Rule [1]
## Access to "application=data1,..." entries
##
access to dn.regex="appName=data1,.+$"
        by dn.exact="uid=data1owner,ou=users,dc=company,dc=com" write stop
        by dn.exact="uid=data1checker,ou=users,dc=company,dc=com" read stop
        by dn.exact="uid=admin,ou=users,dc=company,dc=com" manage stop

##
## Policy Rule [2]
## Access to "application=data2,..." entries
##
access to dn.regex="application=data2,.+$"
        by dn.exact="uid=data2owner,ou=users,dc=company,dc=com" write stop
        by dn.exact="uid=admin,ou=users,dc=company,dc=com" manage stop
I am getting the desired behaviour except for the "uid=data1checker" user. He only sees "application=data1" entries ("application=data2" entries are not visible to him), but he can ALSO modify attribute values in "application=data1" entries (i.e. it is exactly the same behaviour as "uid=data1owner", in spite of the first one having ONLY "read" access privileges and the second one "write" access privileges for the "application=data1, ..." entries) (????)
Please, could any of you help me with this issue?
Thanks in advance
BR / Antonio
Antonio Alonso Alarcón
CUDB System Engineer/Technical Product Manager
Ericsson España, S.A.
Via de los Poblados 13
28033 Madrid, Spain
Phone: +34 91339 3085
Mobile: +34 609640579 (66215)
Fax: +34 91339 1636
E-mail: Antonio.Alonso@ericsson.com
Hi,
"Antonio Alonso" antonio.alonso@ericsson.com writes:
[...]
run slapacl(8) and set debug level to 128
-Dieter
Antonio Alonso wrote:
I need some help with a pair of ACIs I have prepared (using openldap 2.4.7 in a SuSE9 server)
Note that ACI support does not get as much attention from the developers as ACLs in slapd.conf do. So I'd rather recommend doing what you want with ACLs. This definitely is possible. See examples for regex-based ACLs in the FAQ-O-MATIC:
http://www.openldap.org/faq/data/cache/973.html
Ciao, Michael.
--On Friday, March 14, 2008 1:41 PM +0100 Michael Ströder michael@stroeder.com wrote:
Antonio Alonso wrote:
I need some help with a pair of ACIs I have prepared (using openldap 2.4.7 in a SuSE9 server)
Note that ACI support does not get as much attention from the developers as ACLs in slapd.conf do. So I'd rather recommend doing what you want with ACLs. This definitely is possible. See examples for regex-based ACLs in the FAQ-O-MATIC:
He was using ACLs. He just called them ACIs. You may want to read his entire email.
--Quanah
--
Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra :: the leader in open source messaging and collaboration
Hi !
First of all, thanks for the answers ;-))
Yes, it is true, I made a mistake with the nomenclature. The fact is that the problem is NOT (as far as I have tested it) in the regular expressions I am using (I also checked it by tracing the slapd execution with the "-d 128" option and checked that the matching is ok).
I find the problem with the "read" access privilege for "data1checker" user.
##
## Policy Rule [1]
## Access to "application=data1,..." entries
##
access to dn.regex="appName=data1,.+$"
        by dn.exact="uid=data1owner,ou=users,dc=company,dc=com" write stop
        by dn.exact="uid=data1checker,ou=users,dc=company,dc=com" read stop
        by dn.exact="uid=admin,ou=users,dc=company,dc=com" manage stop
"uid=data1owner" is able to read and modify attribute values in entries matching this regular expression (that is ok) ... but it is exactly the same behaviour as "uid=data1checker", in spite of this last one having ONLY read privileges (???)
I interpreted (after reading manual pages and openldap-related FAQs) that "read" privilege only allows to read (but NOT modify) attribute values for entries matching the rule .. but it is NOT what I am getting ...
Am I understanding the "read" privilege wrongly?
Thanks in advance
BR / Antonio
P.S: I also tested with openLDAP3.2.8, but it is the same behaviour ... and I am almost sure the error is NOT in the regexp being used (I tested it in depth to be sure about that).
-----Original Message-----
From: Quanah Gibson-Mount [mailto:quanah@zimbra.com]
Sent: Friday, 14 March 2008 21:46
To: Michael Ströder; Antonio Alonso
Cc: openldap-software@openldap.org
Subject: Re: ACIs problem when allowing "read" but restricting "updates" in specific entries
[...]
"Antonio Alonso" antonio.alonso@ericsson.com writes:
[...]
Am I understanding the "read" privilege wrongly?
No, read access only includes auth and compare, but not modify and add. If you run slapd with -d 128, let uid=data1checker add or modify an entry and follow the access rule parsing, this will show you the access rule that is applied to this write session.
-Dieter
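To make the semantics Dieter describes concrete, here is a small Python model of how slapd picks an access directive and a by clause for the identities and entries in this thread. It is an added example, not code from OpenLDAP or from anyone in the thread: it reproduces only what slapd.access(5) documents (the first matching "access to" directive wins, the first matching "by" clause wins, and each privilege level implies the lower ones, so "read" never implies "write"), and it treats "no matching rule" and "no matching by clause" as deny, which is an assumption to confirm against the default policy of your version. The rule [1] pattern is written as application=data1,.+$, as the comment on the posted rule and rule [2] suggest; the appName=data1 pattern as literally posted is checked separately and matches none of the DNs shown. The entry DNs, the subscriber id and the attribute names are constructed for the example.

```python
import re

# Privilege levels from slapd.access(5), lowest to highest. A granted level
# implies every lower one, which is why "read" includes search/compare/auth
# but never "write" or "manage".
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]
RANK = {name: i for i, name in enumerate(LEVELS)}

# Constructed stand-in for the two access directives posted in the thread:
# (regex over the target DN, [(exact bind DN, granted level), ...]).
# Rule [1] uses the pattern its comment describes; the literal "appName="
# text of the posted rule is kept in POSTED_RULE1_PATTERN for comparison.
ACLS = [
    (r"application=data1,.+$", [
        ("uid=data1owner,ou=users,dc=company,dc=com", "write"),
        ("uid=data1checker,ou=users,dc=company,dc=com", "read"),
        ("uid=admin,ou=users,dc=company,dc=com", "manage"),
    ]),
    (r"application=data2,.+$", [
        ("uid=data2owner,ou=users,dc=company,dc=com", "write"),
        ("uid=admin,ou=users,dc=company,dc=com", "manage"),
    ]),
]
POSTED_RULE1_PATTERN = r"appName=data1,.+$"

# Constructed identities and entries (subscriberId 1001 is made up).
DATA1OWNER = "uid=data1owner,ou=users,dc=company,dc=com"
DATA1CHECKER = "uid=data1checker,ou=users,dc=company,dc=com"
DATA2OWNER = "uid=data2owner,ou=users,dc=company,dc=com"
ADMIN = "uid=admin,ou=users,dc=company,dc=com"
ENTRY_DATA1 = "application=data1,subscriberId=1001,ou=subscribers,dc=company,dc=com"
ENTRY_DATA2 = "application=data2,subscriberId=1001,ou=subscribers,dc=company,dc=com"


def matching_rule(acls, target_dn):
    """Index of the first directive whose <what> regex matches target_dn, or None.
    slapd evaluates "access to" directives in order and uses the first match.
    dn.regex is not anchored unless the pattern says ^...$ itself."""
    for i, (what, _) in enumerate(acls):
        if re.search(what, target_dn):
            return i
    return None


def granted_level(acls, bind_dn, target_dn):
    """Level granted to bind_dn on target_dn by the first matching <by> clause.
    Assumption of this model: no matching directive, or no matching <by> clause
    in the matching directive, yields "none". The rootdn is not modelled; it
    bypasses ACLs entirely."""
    i = matching_rule(acls, target_dn)
    if i is None:
        return "none"
    for who, level in acls[i][1]:
        if who == bind_dn:  # dn.exact comparison; "stop" ends evaluation here
            return level
    return "none"


def allowed(acls, bind_dn, target_dn, access):
    """True if the granted level is at least the requested level."""
    return RANK[granted_level(acls, bind_dn, target_dn)] >= RANK[access]


def posted_pattern_matches(target_dn):
    """Does the rule [1] <what> exactly as posted (appName=...) select this DN?"""
    return matching_rule([(POSTED_RULE1_PATTERN, [])], target_dn) is not None


if __name__ == "__main__":
    for who in (DATA1OWNER, DATA1CHECKER, DATA2OWNER, ADMIN):
        for entry in (ENTRY_DATA1, ENTRY_DATA2):
            level = granted_level(ACLS, who, entry)
            print(f"{who.split(',')[0]:18} {entry.split(',')[0]:18} "
                  f"level={level:7} read={allowed(ACLS, who, entry, 'read')} "
                  f"write={allowed(ACLS, who, entry, 'write')}")
    print("posted appName= pattern matches data1 entry:",
          posted_pattern_matches(ENTRY_DATA1))
```

On the real server the equivalent check is slapacl(8) against the configuration and an existing entry, for example `slapacl -f /etc/openldap/slapd.conf -D "uid=data1checker,ou=users,dc=company,dc=com" -b "application=data1,subscriberId=1001,ou=subscribers,dc=company,dc=com" "description/write"` (the config path, subscriber id and attribute are assumptions); running slapd with `-d 128` logs the same evaluation, which is what Dieter suggests. If slapacl reports write for data1checker where the model grants read, then the directive slapd actually matched is not rule [1]: compare the regex against the real entry DN (the posted rule says appName=, the entries say application=) and look for any other directive that applies to that DN.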