Hello all,
We are currently migrating from a master-slave to a multi-master setup. All went well except for the fact that the access on the old master node was more liberal than the access on the slave node. As a result, some applications were able to use this to their advantage, and now they are not working quite correctly when each node is a read-write master.
Here is my configuration:
#access to dn.regex="mail=.*.managed@jointhegrid.com,ou=user,ou=jointhegrid.com,o=jointhegrid,c=US"
#    attrs=userPassword,accountstatus
#    by dn="mail=john@jointhegrid.com,ou=user,ou=jointhegrid.com,o=jointhegrid,c=US" write break
#    by dn="mail=sara@jointhegrid.com,ou=user,ou=jointhegrid,o=jointhegrid,c=US" write break

access to attr=userPassword
    by self write
    by anonymous auth
    by dn="mail=samba@jointhegrid.com,ou=user,ou=jointhegrid.com,o=jointhegrid,c=US" read
    by dn="mail=samba@jointhegrid-inc.com,ou=user,ou=jointhegrid-inc.com,o=jointhegrid,c=US" read
    by * none

access to attrs=sambaLMPassword,sambaNTPassword
    by dn="mail=samba@jointhegrid.com,ou=user,ou=jointhegrid.com,o=jointhegrid,c=US" read
    by dn="mail=samba@jointhegrid-inc.com,ou=user,ou=jointhegrid-inc.com,o=jointhegrid,c=US" read
    by self write
    by * none

access to *
    by dn="mail=samba@jointhegrid.com,ou=user,ou=jointhegrid.com,o=jointhegrid,c=US" write
    by dn="mail=samba@jointhegrid-inc.com,ou=user,ou=jointhegrid-inc.com,o=jointhegrid,c=US" write
    by dnattr=manager write
    by self write
    by users read
    by * none
My problem is the top commented lines; these rules are to allow sara and john to administer all "mail=.*.managed" users. This worked fine in the past because no read queries hit the master, but now with multi-master, "mail=.*.managed" users have no access to the directory. The old rule was
# by dn="mail=sara@jointhegrid.com,ou=user,ou=jointhegrid,o=jointhegrid,c=US" write stop
I also tried
# by dn="mail=sara@jointhegrid.com,ou=user,ou=jointhegrid,o=jointhegrid,c=US" write break
I was under the impression that "write break" would continue evaluation, but I do not understand how this is working. Can anyone help me with a suggestion for fixing this?
Thank you!
On Thu, Oct 15, 2009 at 11:22 AM, Edward Capriolo edlinuxguru@gmail.com wrote:
Hey all,
I know this is somewhat of an RTFM question, but I did RTFM and I don't understand how BREAK is interpreted.
man slapd.access:
.... The other two forms are used to keep on processing access clauses. In detail, the continue form allows for other <who> clauses in the same <access> clause to be considered, so that they may result in incrementally altering the privileges, while the break form allows for other <access> clauses that match the same target to be processed. Consider the (silly) example
access to dn.subtree="dc=example,dc=com" attrs=cn by * =cs break
access to dn.subtree="ou=People,dc=example,dc=com" by * +r
Do I need?
access to dn.regex="mail=.*.managed@jointhegrid.com,ou=user,ou=jointhegrid.com,o=jointhegrid,c=US"
    attrs=userPassword,accountstatus
    by dn="mail=john@jointhegrid.com,ou=user,ou=jointhegrid.com,o=jointhegrid,c=US" write break
    by dn="mail=sara@jointhegrid.com,ou=user,ou=jointhegrid,o=jointhegrid,c=US" write break
    by * break
?
We have a pretty large LDAP deployment with lots of applications using it. Every time I get this rule wrong I manage to block someone's access. I know it's not your problem, but please throw me a bone here :)
"stop" means do not process any more "access" rules.
"break" means do not process any more "by" clauses within this "access" rule; continue processing from the next "access" rule.
"stop" is the default.
p.
slapd -d acl (or the same through loglevel directives) is really helpful if you're not already using that...
First off, "attr=" is not preferred; please see the slapd.access man page. This should be logged at LDAP_DEBUG_ANY; are you reading your startup logs? You might as well do a "slaptest -d config" while you're at it, to make sure everything is clean.
So when you uncomment your first stanza and consider the second stanza too:
access to dn.regex="mail=.*.managed@jointhegrid.com,ou=user,ou=jointhegrid.com,o=jointhegrid,c=US"
    attrs=userPassword,accountstatus
    by dn="mail=john@jointhegrid.com,ou=user,ou=jointhegrid.com,o=jointhegrid,c=US" write break
    by dn="mail=sara@jointhegrid.com,ou=user,ou=jointhegrid,o=jointhegrid,c=US" write break

access to attr=userPassword
    by self write
    by anonymous auth
    by dn="mail=samba@jointhegrid.com,ou=user,ou=jointhegrid.com,o=jointhegrid,c=US" read
    by dn="mail=samba@jointhegrid-inc.com,ou=user,ou=jointhegrid-inc.com,o=jointhegrid,c=US" read
    by * none
you're not giving john@ and sara@ your desired write access? I think that although rule #1 may well fire and grant them write, rule #2 has "to *" as the implicit target (IMO a best practice is to write these out), so it will fire as well. The first four <by> will not apply to john@ and sara@, so the final <by> will fire ... by * none. ACL #1 giveth, ACL #2 taketh away. I think a first consideration would be giving john@ and sara@ "write stop" instead of "write break" -- the break means to continue evaluation, whereas "stop" will not let ACL #2 remove the effect of ACL #1.
by * break
Also, IMO best practice is "by * none break" (or whatever level you want) to make the level explicit. And you'll obviously need to keep this; otherwise .*managed will never be able to auth (they have to get to ACL #2 <by> #2 by means of a "break" or ACL reordering).
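To make the "ACL #1 giveth, ACL #2 taketh away" reasoning above and the stop/break/continue summary earlier in the thread concrete, here is an added toy evaluator. It is not part of the thread and not OpenLDAP's own acl.c; it only applies the rules quoted from slapd.access(5) (first matching <by> wins, "stop" ends evaluation, "continue" keeps trying <by> clauses of the same directive, "break" moves on to the next matching directive, a directive whose <by> clauses all miss applies the implicit "by * none" and stops) to the poster's first two directives. The DNs are the ones from the thread; the "alice.managed" user DN is constructed, and only the plain (non-incremental) access levels are modelled.

```python
"""Toy evaluator for slapd access directives (stop / continue / break).

Constructed teaching model, not OpenLDAP's acl.c.  Rules as quoted from
slapd.access(5) in this thread: directives are tried in order and only those
whose <what> (dn.regex, attrs) matches count; the first matching <by> sets the
level; "stop" (default) ends evaluation, "continue" tries the remaining <by>
clauses of the same directive, "break" moves on to the next matching
directive; a directive with no matching <by> applies the implicit
"by * none" and stops.  Only non-incremental levels are modelled.
"""
import re
from dataclasses import dataclass, field

@dataclass
class By:
    who: str                # "self", "anonymous", "*" or 'dn="<dn>"'
    level: str              # none | auth | read | write ...
    control: str = "stop"   # stop | continue | break

@dataclass
class Access:
    dn_regex: str = ".*"                 # <what>: dn.regex=...
    attrs: frozenset = frozenset()       # empty means "any attribute"
    by: list = field(default_factory=list)

    def matches(self, target_dn, attr):
        if not re.fullmatch(self.dn_regex, target_dn, flags=re.IGNORECASE):
            return False
        return not self.attrs or attr.lower() in {a.lower() for a in self.attrs}

def who_matches(who, bind_dn, target_dn):
    w = who.lower()
    if w == "*":
        return True
    if w == "anonymous":
        return bind_dn == ""
    if w == "self":
        return bind_dn != "" and bind_dn.lower() == target_dn.lower()
    if w.startswith("dn="):
        return bind_dn.lower() == who[3:].strip('"').lower()
    raise ValueError(f"unsupported <who>: {who}")

def evaluate(acls, bind_dn, target_dn, attr):
    """Access level bind_dn ("" = anonymous) gets on attr of target_dn."""
    level = "none"
    for acl in acls:
        if not acl.matches(target_dn, attr):
            continue
        matched, control = False, "stop"
        for by in acl.by:
            if not who_matches(by.who, bind_dn, target_dn):
                continue
            matched, level, control = True, by.level, by.control
            if control != "continue":
                break
        if not matched:                  # implicit "by * none" ends evaluation
            level, control = "none", "stop"
        if control != "break":
            return level
    return level

# DNs from the thread; the ".managed" user DN (ALICE) is constructed.
MANAGED_RE = "mail=.*.managed@jointhegrid.com,ou=user,ou=jointhegrid.com,o=jointhegrid,c=US"
JOHN = "mail=john@jointhegrid.com,ou=user,ou=jointhegrid.com,o=jointhegrid,c=US"
SARA = "mail=sara@jointhegrid.com,ou=user,ou=jointhegrid,o=jointhegrid,c=US"
SAMBA = "mail=samba@jointhegrid.com,ou=user,ou=jointhegrid.com,o=jointhegrid,c=US"
SAMBA_INC = "mail=samba@jointhegrid-inc.com,ou=user,ou=jointhegrid-inc.com,o=jointhegrid,c=US"
ALICE = "mail=alice.managed@jointhegrid.com,ou=user,ou=jointhegrid.com,o=jointhegrid,c=US"

def build_acls(admin_control="break", catch_all=None):
    """ACL #1 (the commented stanza) followed by ACL #2 (the userPassword one)."""
    admins = [By(f'dn="{JOHN}"', "write", admin_control),
              By(f'dn="{SARA}"', "write", admin_control)]
    if catch_all is not None:            # e.g. By("*", "none", "break")
        admins.append(catch_all)
    acl1 = Access(MANAGED_RE, frozenset({"userPassword", "accountstatus"}), admins)
    acl2 = Access(".*", frozenset({"userPassword"}), [
        By("self", "write"), By("anonymous", "auth"),
        By(f'dn="{SAMBA}"', "read"), By(f'dn="{SAMBA_INC}"', "read"),
        By("*", "none")])
    return [acl1, acl2]

def scenarios():
    """The cases discussed in the thread, keyed by a short name."""
    with_break = build_acls("stop", By("*", "none", "break"))
    return {
        # "write break": ACL #1 grants write, ACL #2's "by * none" takes it away
        "john_write_break": evaluate(build_acls("break"), JOHN, ALICE, "userPassword"),
        # "write stop": ACL #2 is never consulted for john
        "john_write_stop": evaluate(build_acls("stop"), JOHN, ALICE, "userPassword"),
        # managed user with no trailing "by * ... break": implicit none, stop
        "self_no_catch_all": evaluate(build_acls("stop"), ALICE, ALICE, "userPassword"),
        # "by * none break" lets the managed user reach ACL #2's "by self write"
        "self_catch_all_break": evaluate(with_break, ALICE, ALICE, "userPassword"),
        # ... and lets an anonymous simple bind reach "by anonymous auth"
        "anon_catch_all_break": evaluate(with_break, "", ALICE, "userPassword"),
    }

if __name__ == "__main__":
    for name, level in scenarios().items():
        print(f"{name:22s} -> {level}")
```

Running it prints one line per scenario; the two that matter for the original question are "john_write_break" (none) versus "john_write_stop" (write), and "self_no_catch_all" (none) versus "self_catch_all_break" (write), which is why the trailing "by * none break" has to stay in ACL #1 once the admin clauses use "stop". The real check on a live server is slapacl(8) or "slapd -d acl", as the replies suggest; this model only reproduces the documented evaluation order.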