Hi,
I have a problem with ACLs on OpenLDAP. One defined group does not match any of its members. Specifically, when I add an entry in ou=people,dc=... as a member of cn=studadm,ou=group,dc=... (uid=florek) it works, and I get in slapd's log (shortened):
slapd[29022]: => access_allowed: add access to "ou=people,DC=mathematik,DC=hu-berlin,DC=de" "children" requested
slapd[29022]: => dn: [1] cn=krbcontainer,ou=kerberos,DC=mathematik,DC=hu-berlin,DC=de
slapd[29022]: => dn: [6] ou=autofs,DC=mathematik,DC=hu-berlin,DC=de
slapd[29022]: => dn: [7] ou=group,DC=mathematik,DC=hu-berlin,DC=de
slapd[29022]: => dn: [8] ou=people,DC=mathematik,DC=hu-berlin,DC=de
slapd[29022]: => acl_get: [8] matched
slapd[29022]: => acl_get: [8] attr children
slapd[29022]: => acl_mask: access to entry "ou=people,DC=mathematik,DC=hu-berlin,DC=de", attr "children" requested
slapd[29022]: => acl_mask: to all values by "uid=florek,ou=people,DC=mathematik,DC=hu-berlin,DC=de", (=0)
slapd[29022]: <= check a_group_pat: cn=adm,ou=group,DC=mathematik,DC=hu-berlin,DC=de
slapd[29022]: => bdb_entry_get: found entry: "cn=adm,ou=group,DC=mathematik,DC=hu-berlin,DC=de"
slapd[29022]: <= check a_group_pat: cn=studadm,ou=group,DC=mathematik,DC=hu-berlin,DC=de
slapd[29022]: => bdb_entry_get: found entry: "cn=studadm,ou=group,DC=mathematik,DC=hu-berlin,DC=de"
slapd[29022]: <= acl_mask: [2] applying manage(=mwrscxd) (stop)
slapd[29022]: <= acl_mask: [2] mask: manage(=mwrscxd)
slapd[29022]: => slap_access_allowed: add access granted by manage(=mwrscxd)
slapd[29022]: => access_allowed: add access granted by manage(=mwrscxd)
[...]
As a member of cn=adm,ou=group,dc=... (uid=musch) it does not, and I get:
slapd[29022]: => access_allowed: add access to "ou=people,DC=mathematik,DC=hu-berlin,DC=de" "children" requested
slapd[29022]: => dn: [1] cn=krbcontainer,ou=kerberos,DC=mathematik,DC=hu-berlin,DC=de
slapd[29022]: => dn: [6] ou=autofs,DC=mathematik,DC=hu-berlin,DC=de
slapd[29022]: => dn: [7] ou=group,DC=mathematik,DC=hu-berlin,DC=de
slapd[29022]: => dn: [8] ou=people,DC=mathematik,DC=hu-berlin,DC=de
slapd[29022]: => acl_get: [8] matched
slapd[29022]: => acl_get: [8] attr children
slapd[29022]: => acl_mask: access to entry "ou=people,DC=mathematik,DC=hu-berlin,DC=de", attr "children" requested
slapd[29022]: => acl_mask: to all values by "uid=musch,ou=people,DC=mathematik,DC=hu-berlin,DC=de", (=0)
slapd[29022]: <= check a_group_pat: cn=adm,ou=group,DC=mathematik,DC=hu-berlin,DC=de
slapd[29022]: => bdb_entry_get: found entry: "cn=adm,ou=group,DC=mathematik,DC=hu-berlin,DC=de"
slapd[29022]: <= check a_group_pat: cn=studadm,ou=group,DC=mathematik,DC=hu-berlin,DC=de
slapd[29022]: => bdb_entry_get: found entry: "cn=studadm,ou=group,DC=mathematik,DC=hu-berlin,DC=de"
slapd[29022]: <= check a_peername_path: 141.20.50.0%255.255.254.0
slapd[29022]: <= check a_peername_path: 141.20.52.0%255.255.252.0
slapd[29022]: <= acl_mask: [4] applying read(=rscxd) (stop)
slapd[29022]: <= acl_mask: [4] mask: read(=rscxd)
slapd[29022]: => slap_access_allowed: add access denied by read(=rscxd)
slapd[29022]: => access_allowed: no more rules
I am using OpenLDAP 2.4.12 from SLES11 (RPM version 2.4.12-7.18.1) with the following ACLs (added line breaks to ease reading; attribute olcAccess in olcDatabase={1}hdb,cn=config):
{0} to dn.subtree="cn=krbContainer,ou=kerberos,DC=mathematik,DC=hu-berlin,DC=de"
    by dn.base="cn=kdc,ou=kerberos,DC=mathematik,DC=hu-berlin,DC=de" read
    by dn="cn=kadmin,ou=kerberos,DC=mathematik,DC=hu-berlin,DC=de" manage
    by * none
{1} to attrs=userPassword,userPKCS12
    by self write
    by * auth
{2} to attrs=shadowLastChange
    by self write
    by * read
{3} to attrs=uidNumber,gidNumber,homeDirectory
    by group="cn=adm,ou=group,dc=mathematik,dc=hu-berlin,dc=de" manage
    by group="cn=studadm,ou=group,dc=mathematik,dc=hu-berlin,dc=de" manage
    by peername.ip=141.20.50.0%255.255.254.0 read
    by peername.ip=141.20.52.0%255.255.252.0 read
    by * none
{4} to attrs=sambaNTPassword,sambaLMPassword
    by * none
{5} to dn.subtree="ou=autofs,DC=mathematik,DC=hu-berlin,DC=de"
    by group="cn=adm,ou=group,dc=mathematik,dc=hu-berlin,dc=de" manage
    by group="cn=studadm,ou=group,dc=mathematik,dc=hu-berlin,dc=de" manage
    by peername.ip=141.20.50.0%255.255.254.0 read
    by peername.ip=141.20.52.0%255.255.252.0 read
    by * none
{6} to dn.subtree="ou=group,DC=mathematik,DC=hu-berlin,DC=de"
    by group="cn=adm,ou=group,dc=mathematik,dc=hu-berlin,dc=de" manage
    by group="cn=studadm,ou=group,dc=mathematik,dc=hu-berlin,dc=de" manage
    by peername.ip=141.20.50.0%255.255.254.0 read
    by peername.ip=141.20.52.0%255.255.252.0 read
    by * none
{7} to dn.subtree="ou=people,DC=mathematik,DC=hu-berlin,DC=de"
    by group="cn=adm,ou=group,dc=mathematik,dc=hu-berlin,dc=de" manage
    by group="cn=studadm,ou=group,dc=mathematik,dc=hu-berlin,dc=de" manage
    by peername.ip=141.20.50.0%255.255.254.0 read
    by peername.ip=141.20.52.0%255.255.252.0 read
    by * none
{8} to dn.subtree="ou=ethers,DC=mathematik,DC=hu-berlin,DC=de"
    by group="cn=adm,ou=group,dc=mathematik,dc=hu-berlin,dc=de" manage
    by group="cn=studadm,ou=group,dc=mathematik,dc=hu-berlin,dc=de" manage
    by peername.ip=141.20.50.0%255.255.254.0 read
    by peername.ip=141.20.52.0%255.255.252.0 read
    by * none
{9} to *
    by * read
Groups are defined as follows:
dn: cn=studadm,ou=group,DC=mathematik,DC=hu-berlin,DC=de
gidNumber: 1300
memberUid: petrov
memberUid: florek
description: studentische Administratoren der Rechentechnik
cn: studadm
member: uid=petrov,ou=people,DC=mathematik,DC=hu-berlin,DC=de
member: uid=florek,ou=people,DC=mathematik,DC=hu-berlin,DC=de
objectClass: top
objectClass: posixGroup
objectClass: namedObject
objectClass: groupOfNames
dn: cn=adm,ou=group,DC=mathematik,DC=hu-berlin,DC=de
cn: adm
gidNumber: 1303
memberUid: gehne
memberUid: rmielke
memberUid: musch
description: Administratoren der Rechentechnik
member: uid=gehne,ou=people,DC=mathematik,DC=hu-berlin.de
member: uid=rmielke,ou=people,DC=mathematik,DC=hu-berlin.de
member: uid=musch,ou=people,DC=mathematik,DC=hu-berlin.de
objectClass: top
objectClass: posixGroup
objectClass: namedObject
objectClass: groupOfNames
And users like this:
dn: uid=musch,ou=people,DC=mathematik,DC=hu-berlin,DC=de
uid: musch
uidNumber: 3001
gidNumber: 3000
cn: Andre Musch
objectClass: top
objectClass: account
objectClass: posixAccount
loginShell: /bin/bash
homeDirectory: /home_s/musch
dn: uid=florek,ou=people,DC=mathematik,DC=hu-berlin,DC=de
uid: florek
uidNumber: 32839
gidNumber: 32003
cn: Tobias Florek
homeDirectory: /u/florek
objectClass: top
objectClass: account
objectClass: posixAccount
loginShell: /bin/zsh
Any ideas?
Tobias Florek
openldap-software@openldap.org
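As an added example (not part of the post above, and not OpenLDAP code), the script below reproduces the comparison slapd performs for a by group="<dn>" clause. With no objectclass/attribute suffix, slapd reads the group entry's member values (objectClass groupOfNames) and grants the clause only if the bind DN is equal to one of them after DN normalization; memberUid is not consulted at all. The LDIF embedded in the script is copied from the posted group entries, so it carries the detail worth noticing there: the member values of cn=adm end in DC=hu-berlin.de (one RDN), while every user DN in the post ends in DC=hu-berlin,DC=de (two RDNs). The DN parser is a simplified stand-in for slapd's normalization (attribute types and values compared case-insensitively, whitespace trimmed) and the function names are the example's own.

```python
"""Reproduce slapd's ``by group="<dn>"`` membership check on the posted data.

Added example, not code from the original post or from OpenLDAP.  The
DN normalization here is a simplified stand-in for slapd's: attribute
types and values are compared case-insensitively with surrounding
whitespace removed, which is enough for the uid/ou/cn/dc values in the
post.
"""

import re

# Constructed input: the two group entries as posted (only the attributes
# that matter for the ACL check are kept).
GROUPS_LDIF = """\
dn: cn=studadm,ou=group,DC=mathematik,DC=hu-berlin,DC=de
memberUid: petrov
memberUid: florek
member: uid=petrov,ou=people,DC=mathematik,DC=hu-berlin,DC=de
member: uid=florek,ou=people,DC=mathematik,DC=hu-berlin,DC=de
objectClass: groupOfNames

dn: cn=adm,ou=group,DC=mathematik,DC=hu-berlin,DC=de
memberUid: gehne
memberUid: rmielke
memberUid: musch
member: uid=gehne,ou=people,DC=mathematik,DC=hu-berlin.de
member: uid=rmielke,ou=people,DC=mathematik,DC=hu-berlin.de
member: uid=musch,ou=people,DC=mathematik,DC=hu-berlin.de
objectClass: groupOfNames
"""


def parse_dn(dn):
    """Split a DN into a list of (type, value) RDNs, lower-cased.

    Backslash-escaped commas do not split; multi-valued RDNs ('+') are
    not needed for this data and stay inside the value unchanged.
    """
    rdns = []
    for rdn in re.split(r"(?<!\\),", dn):
        typ, _, val = rdn.partition("=")
        rdns.append((typ.strip().lower(), val.strip().lower()))
    return rdns


def normalize_dn(dn):
    """Canonical string form used as the comparison key."""
    return ",".join("%s=%s" % rdn for rdn in parse_dn(dn))


def parse_ldif(text):
    """Return {normalized dn: {attr (lower-case): [values]}} for LDIF with
    one attribute per line and blank-line separated entries."""
    entries = {}
    for block in text.strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            name, _, val = line.partition(": ")
            attrs.setdefault(name.lower(), []).append(val)
        dn = attrs.pop("dn")[0]
        entries[normalize_dn(dn)] = attrs
    return entries


def group_matches(entries, group_dn, bind_dn):
    """What slapd does for ``by group="group_dn"`` with the defaults
    (objectClass groupOfNames, attribute member): the bind DN must equal,
    after normalization, one of the group's member values.  memberUid
    plays no part in the decision."""
    group = entries[normalize_dn(group_dn)]
    wanted = normalize_dn(bind_dn)
    return any(normalize_dn(m) == wanted for m in group.get("member", []))


def near_misses(entries, group_dn, bind_dn):
    """Members that share the bind DN's leading RDN but are not equal to
    it, as (member, index of first differing RDN, member RDN, bind RDN);
    the RDNs are None when one DN is merely a prefix of the other."""
    bind = parse_dn(bind_dn)
    found = []
    for member in entries[normalize_dn(group_dn)].get("member", []):
        rdns = parse_dn(member)
        if rdns == bind or rdns[0] != bind[0]:
            continue
        for i, (have, want) in enumerate(zip(rdns, bind)):
            if have != want:
                found.append((member, i, "%s=%s" % have, "%s=%s" % want))
                break
        else:
            found.append((member, min(len(rdns), len(bind)), None, None))
    return found


if __name__ == "__main__":
    entries = parse_ldif(GROUPS_LDIF)
    base = "ou=people,DC=mathematik,DC=hu-berlin,DC=de"
    # Group DNs are written in lower case, as in the posted olcAccess values.
    for group, uid in (("cn=studadm,ou=group,dc=mathematik,dc=hu-berlin,dc=de", "florek"),
                       ("cn=adm,ou=group,dc=mathematik,dc=hu-berlin,dc=de", "musch")):
        bind_dn = "uid=%s,%s" % (uid, base)
        print(group, "matches", bind_dn, "->", group_matches(entries, group, bind_dn))
        for member, i, have, want in near_misses(entries, group, bind_dn):
            print("  member %r differs at RDN %d: %r vs %r" % (member, i, have, want))
```

Running it reports uid=florek as a member of cn=studadm and uid=musch as not a member of cn=adm, pointing at RDN 3 (dc=hu-berlin.de versus dc=hu-berlin) as the first difference. The lower-case dc= in the ACL versus DC= in the entries is not a factor: both the group lookup and the member comparison are case-insensitive, which is also why the log shows bdb_entry_get finding both group entries. slapd only checks that a member value is syntactically a DN when the group entry is written; it does not verify that the DN names an existing entry, so a value like this is stored without complaint and only surfaces when the group clause fails to apply.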