Hi Ondřej, Hi Dieter,
Thanks for your replies! The basic links I had already found and read through carefully, and I didn't find a correct solution for my problem =(
The olcAccess statements from the trials were all placed in front of the asterisk (*) one. So the order should not be the problem =(
Within the little bash script, the LDIF parts from the different trials always replace this block:
######## ## LDIF blocks from below ########
With slapacl I don’t really get a clue – I’ll attach one result below, which I would interpret as meaning that my l.dap user is not allowed to change the description of entity e1 … but if I use JXplorer to connect to the directory as l.dap, I can – and even submit. Am I using slapacl wrongly? Or isn’t it reliable since I’m using RegEx?
Thank you for your help! Cheers, Martin
$ slapacl -v -U "uid=l.dap,ou=people,dc=example,dc=com" -b "o=e1,ou=entities,dc=example,dc=com" -d acl "description/write"
5d5db13a => access_allowed: search access to "cn=config" "objectClass" requested
5d5db13a <= root access granted
5d5db13a => access_allowed: search access granted by manage(=mwrscxd)
5d5db13a => access_allowed: search access to "cn=module{0},cn=config" "objectClass" requested
5d5db13a <= root access granted
5d5db13a => access_allowed: search access granted by manage(=mwrscxd)
5d5db13a => access_allowed: search access to "cn=schema,cn=config" "objectClass" requested
5d5db13a <= root access granted
5d5db13a => access_allowed: search access granted by manage(=mwrscxd)
5d5db13a => access_allowed: search access to "cn={0}core,cn=schema,cn=config" "objectClass" requested
5d5db13a <= root access granted
5d5db13a => access_allowed: search access granted by manage(=mwrscxd)
5d5db13a => access_allowed: search access to "cn={1}cosine,cn=schema,cn=config" "objectClass" requested
5d5db13a <= root access granted
5d5db13a => access_allowed: search access granted by manage(=mwrscxd)
5d5db13a => access_allowed: search access to "cn={2}nis,cn=schema,cn=config" "objectClass" requested
5d5db13a <= root access granted
5d5db13a => access_allowed: search access granted by manage(=mwrscxd)
5d5db13a => access_allowed: search access to "cn={3}inetorgperson,cn=schema,cn=config" "objectClass" requested
5d5db13a <= root access granted
5d5db13a => access_allowed: search access granted by manage(=mwrscxd)
5d5db13a => access_allowed: search access to "cn={4}ppolicy,cn=schema,cn=config" "objectClass" requested
5d5db13a <= root access granted
5d5db13a => access_allowed: search access granted by manage(=mwrscxd)
5d5db13a => access_allowed: search access to "cn={5}dhcp,cn=schema,cn=config" "objectClass" requested
5d5db13a <= root access granted
5d5db13a => access_allowed: search access granted by manage(=mwrscxd)
5d5db13a => access_allowed: search access to "cn={6}dnszone,cn=schema,cn=config" "objectClass" requested
5d5db13a <= root access granted
5d5db13a => access_allowed: search access granted by manage(=mwrscxd)
5d5db13a => access_allowed: search access to "cn={7}mail,cn=schema,cn=config" "objectClass" requested
5d5db13a <= root access granted
5d5db13a => access_allowed: search access granted by manage(=mwrscxd)
5d5db13a => access_allowed: search access to "cn={8}mmc,cn=schema,cn=config" "objectClass" requested
5d5db13a <= root access granted
5d5db13a => access_allowed: search access granted by manage(=mwrscxd)
5d5db13a => access_allowed: search access to "cn={9}openssh-lpk,cn=schema,cn=config" "objectClass" requested
5d5db13a <= root access granted
5d5db13a => access_allowed: search access granted by manage(=mwrscxd)
5d5db13a => access_allowed: search access to "cn={10}quota,cn=schema,cn=config" "objectClass" requested
5d5db13a <= root access granted
5d5db13a => access_allowed: search access granted by manage(=mwrscxd)
5d5db13a => access_allowed: search access to "cn={11}radius,cn=schema,cn=config" "objectClass" requested
5d5db13a <= root access granted
5d5db13a => access_allowed: search access granted by manage(=mwrscxd)
5d5db13a => access_allowed: search access to "cn={12}samba,cn=schema,cn=config" "objectClass" requested
5d5db13a <= root access granted
5d5db13a => access_allowed: search access granted by manage(=mwrscxd)
5d5db13a => access_allowed: search access to "cn={13}zarafa,cn=schema,cn=config" "objectClass" requested
5d5db13a <= root access granted
5d5db13a => access_allowed: search access granted by manage(=mwrscxd)
5d5db13a => access_allowed: search access to "olcBackend={0}mdb,cn=config" "objectClass" requested
5d5db13a <= root access granted
5d5db13a => access_allowed: search access granted by manage(=mwrscxd)
5d5db13a => access_allowed: search access to "olcDatabase={-1}frontend,cn=config" "objectClass" requested
5d5db13a <= root access granted
5d5db13a => access_allowed: search access granted by manage(=mwrscxd)
Backend ACL: access to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage by * +0 break
Backend ACL: access to dn.base="" by * read
Backend ACL: access to dn.base="cn=subschema" by * read
5d5db13a => access_allowed: search access to "olcDatabase={0}config,cn=config" "objectClass" requested
5d5db13a <= root access granted
5d5db13a => access_allowed: search access granted by manage(=mwrscxd)
Backend ACL: access to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage by * +0 break
5d5db13a /etc/ldap/slapd.d: line 1: warning: cannot assess the validity of the ACL scope within backend naming context
5d5db13a => access_allowed: search access to "olcDatabase={1}mdb,cn=config" "objectClass" requested
5d5db13a <= root access granted
5d5db13a => access_allowed: search access granted by manage(=mwrscxd)
Backend ACL: access to attrs=userPassword,shadowLastChange by self =wx by dn.base="cn=admin,dc=example,dc=com" =wx by set.exact="[cn=ldapadmins,ou=groups,dc=example,dc=com]/member* & user" =wx by anonymous auth by * none
5d5db13a /etc/ldap/slapd.d: line 1: warning: cannot assess the validity of the ACL scope within backend naming context
Backend ACL: access to * by self write by dn.base="cn=admin,dc=example,dc=com" write by set.exact="[cn=ldapadmins,ou=groups,dc=example,dc=com]/member* & user" write by users read by * none
5d5db13a /etc/ldap/slapd.d: line 1: warning: cannot assess the validity of the ACL scope within backend naming context
Backend ACL: access to dn.regex="([^,]+,)?o=([^,]+),ou=lve,dc=example,dc=com" by self write by dn.base="cn=admin,dc=example,dc=com" write by set.exact="[cn=ldapadmins,ou=groups,dc=example,dc=com]/member* & user" write by set.expand="[cn=admin,o=,ou=lve,dc=example,dc=com]/member* & user" write by set.exact="this/member* & user" read by * none
5d5db13a => access_allowed: search access to "olcOverlay={0}memberof,olcDatabase={1}mdb,cn=config" "objectClass" requested
5d5db13a <= root access granted
5d5db13a => access_allowed: search access granted by manage(=mwrscxd)
5d5db13a => access_allowed: search access to "olcOverlay={1}refint,olcDatabase={1}mdb,cn=config" "objectClass" requested
5d5db13a <= root access granted
5d5db13a => access_allowed: search access granted by manage(=mwrscxd)
Backend ACL: access to * by * none
5d5db13a config_back_db_open: line 0: warning: cannot assess the validity of the ACL scope within backend naming context
authcDN: "uid=uid\3Dl.dap\2Cou\3Dpeople\2Cdc\3dexample\2Cdc\3Dcom,cn=auth"
5d5db13a => access_allowed: write access to "o=jpbay,ou=lve,dc=example,dc=com" "description" requested
5d5db13a => acl_get: [2] attr description
5d5db13a => acl_mask: access to entry "o=jpbay,ou=lve,dc=example,dc=com", attr "description" requested
5d5db13a => acl_mask: to all values by "uid=uid\3Dl.dap\2Cou\3Dpeople\2Cdc\3dexample\2Cdc\3Dcom,cn=auth", (=0)
5d5db13a <= check a_dn_pat: self
5d5db13a <= check a_dn_pat: cn=admin,dc=example,dc=com
5d5db13a <= check a_set_pat: [cn=ldapadmins,ou=groups,dc=example,dc=com]/member* & user
5d5db13a => mdb_entry_get: found entry: "cn=ldapadmins,ou=groups,dc=example,dc=com"
5d5db13a ACL set[0]=cn=globaladmins,ou=groups,dc=example,dc=com
5d5db13a => mdb_entry_get: found entry: "cn=globaladmins,ou=groups,dc=example,dc=com"
5d5db13a ACL set[0]=cn=globaladmins,ou=groups,dc=example,dc=com
5d5db13a ACL set[1]=cn=admin,dc=example,dc=com
5d5db13a ACL set[2]=uid=l.dap,ou=people,dc=example,dc=com
5d5db13a => mdb_entry_get: found entry: "cn=admin,dc=example,dc=com"
5d5db13a <= mdb_entry_get: failed to find attribute member
5d5db13a => mdb_entry_get: found entry: "uid=l.dap,ou=people,dc=example,dc=com"
5d5db13a <= mdb_entry_get: failed to find attribute member
5d5db13a ACL set: empty
5d5db13a <= check a_dn_pat: users
5d5db13a <= acl_mask: [4] applying read(=rscxd) (stop)
5d5db13a <= acl_mask: [4] mask: read(=rscxd)
5d5db13a => slap_access_allowed: write access denied by read(=rscxd)
5d5db13a => access_allowed: no more rules
write access to description: DENIED
On 21. Aug 2019, at 19:14, Dieter Klünter dieter@dkluenter.de wrote:
On Wed, 21 Aug 2019 10:50:19 +0200, Ondřej Kuzník <ondra@mistotebe.net> wrote:
On Tue, Aug 20, 2019 at 10:22:56PM +0200, Martin W. wrote:
Dear OpenLDAP technical list,
I've been running into a little problem with my permission structures – and was wondering if you could help me with it.
I want the members of a group to administer a tree structure of which the group is a member. I've tried some ACL settings – I'll post my trials below the basic structure.
I've tried some different things ... and none of the RegExes was successful :( Since I'll post some fragments, I put every LDIF fragment within such a bash fragment:
olcAccess: to * by self write by dn="cn=admin,dc=example,dc=com" write by set="[cn=ldapadmins,ou=groups,dc=example,dc=com]/member* & user" write by users read by * none
trial 1
olcAccess: to dn.regex="([^,]+,)?o=([^,]+),ou=entities,dc=example,dc=com" by self write by dn="cn=admin,dc=example,dc=com" write by set="[cn=ldapadmins,ou=groups,dc=example,dc=com]/member* & user" write by set.expand="[cn=admin,o=$2,ou=entities,dc=example,dc=com]/member* & user" write by set="this/member* & user" read by * none
The result is that admin and any member of ldapadmins can edit; the members of the specific entity admin subgroups cannot edit. The specific admin subgroups cannot even see the entities subtree.
Hi Martin, what is the order of the above two olcAccess statements? If they apply in the order above, it seems the first one will always apply and processing will stop there. In that case you either want to add a "break" in the first one or split/move it to be checked later.
I assume you also know and use the slapacl tool (and loglevel acl) to test with? Does it show any additional information that might be helpful in diagnosing the issue?
With regard to 'set', here is some basic information:
http://www.openldap.org/faq/data/cache/1133.html
http://www.openldap.org/faq/data/cache/1134.html
-Dieter
-- Dieter Klünter | Systemberatung http://sys4.de GPG Key ID: E9ED159B 53°37'09,95"N 10°08'02,42"E
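Two details of the slapacl trace above are worth checking before the next trial: the loaded set.expand pattern reads o=,ou=lve rather than o=$2 (consistent with an unquoted shell heredoc expanding $2 to nothing), and the dn.regex rule is printed after the "to *" rule, with acl_get stopping at rule [2], whose clauses (self, admin, set, users) are those of "to *". The script below is an added example, not code from the thread: it renders the trial 1 LDIF with and without a quoted heredoc delimiter, checks that $2 survives and that the regex rule is ordered first, and builds the slapacl command with -D instead of -U; it assumes the DNs and the /etc/ldap/slapd.d path shown in the trace.

```shell
#!/bin/sh
# Added example, not code from the thread.  Two things the slapacl trace
# shows about the ACL as actually loaded from /etc/ldap/slapd.d:
#  1. the set.expand pattern reads "o=,ou=lve": the $2 of trial 1 is gone,
#     which is what an unquoted heredoc does to $2 (positional parameter 2);
#  2. the dn.regex rule is listed after "access to *", and acl_get picked
#     rule [2] (the "to *" one) and stopped, so the regex rule never ran.

# Unquoted heredoc (the hazard): the shell substitutes $2 with "", so slapd
# receives "o=,ou=entities" and the per-entity admin group never matches.
render_acl_unquoted() {
    cat <<EOF
olcAccess: to dn.regex="([^,]+,)?o=([^,]+),ou=entities,dc=example,dc=com" by self write by dn="cn=admin,dc=example,dc=com" write by set="[cn=ldapadmins,ou=groups,dc=example,dc=com]/member* & user" write by set.expand="[cn=admin,o=$2,ou=entities,dc=example,dc=com]/member* & user" write by set="this/member* & user" read by * none
EOF
}

# Quoted delimiter ('EOF'): nothing is expanded and $2 reaches slapd intact.
# The {n} prefixes pin the cn=config order so the regex rule is evaluated
# before the catch-all "to *" rule (ACL processing stops at the first match).
render_acl_quoted() {
    cat <<'EOF'
olcAccess: {0}to dn.regex="([^,]+,)?o=([^,]+),ou=entities,dc=example,dc=com" by self write by dn="cn=admin,dc=example,dc=com" write by set="[cn=ldapadmins,ou=groups,dc=example,dc=com]/member* & user" write by set.expand="[cn=admin,o=$2,ou=entities,dc=example,dc=com]/member* & user" write by set="this/member* & user" read by * none
olcAccess: {1}to * by self write by dn="cn=admin,dc=example,dc=com" write by set="[cn=ldapadmins,ou=groups,dc=example,dc=com]/member* & user" write by users read by * none
EOF
}

# Pre-load check: fail if a set.expand placeholder was eaten by the shell.
acl_keeps_placeholder() {
    printf '%s\n' "$1" | grep -q 'o=\$2,'
}

# Pre-load check: the dn.regex rule must carry a lower {n} than "to *".
regex_rule_first() {
    re=$(printf '%s\n' "$1" | sed -n 's/^olcAccess: {\([0-9]*\)}to dn\.regex=.*/\1/p')
    any=$(printf '%s\n' "$1" | sed -n 's/^olcAccess: {\([0-9]*\)}to \* .*/\1/p')
    [ -n "$re" ] && [ -n "$any" ] && [ "$re" -lt "$any" ]
}

# slapacl invocation that tests the rule as the user's real DN.  -U takes a
# SASL authcID, which without an authz-regexp mapping is rewritten to the
# "uid=...,cn=auth" form seen in the trace, so "self" and the set rules cannot
# match; -D passes the DN as-is, like the simple bind JXplorer performs.
slapacl_check_cmd() {
    printf 'slapacl -F /etc/ldap/slapd.d -D "%s" -b "%s" -d acl description/write\n' "$1" "$2"
}
```

Run the two checks on the rendered LDIF before ldapmodify, then run the printed slapacl command and compare its result with what JXplorer allows.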