On Thu, Aug 22, 2019 at 09:10:24AM +0200, Martin W. wrote:
Hi Ondřej, Hi Dieter,
Thanks for your replies! The basic links I had already found and read through carefully, and didn't find a correct solution for my problem =(
The olcAccess statements out of the trials were all placed in front of the asterisk * one. So the order should not be the problem =(
Hi Martin, there are several olcAccess clauses (olcAccess attribute values) with several directives each.
With slapacl I don’t really get a clue – I’ll attach one result below, which I would interpret as meaning that my l.dap user is not allowed to change the description of entity e1 … but if I use JXplorer to connect to the directory as l.dap, I can – even submit. Am I using slapacl wrongly? Or isn’t it reliable since I’m using RegEx?
$ slapacl -v -U "uid=l.dap,ou=people,dc=example,dc=com" -b "o=e1,ou=entities,dc=example,dc=com" -d acl "description/write"
This is the relevant snippet from the output:
authcDN: "uid=uid\3Dl.dap\2Cou\3Dpeople\2Cdc\3dexample\2Cdc\3Dcom,cn=auth"
5d5db13a => access_allowed: write access to "o=jpbay,ou=lve,dc=example,dc=com" "description" requested
5d5db13a => acl_get: [2] attr description
5d5db13a => acl_mask: access to entry "o=jpbay,ou=lve,dc=example,dc=com", attr "description" requested
5d5db13a => acl_mask: to all values by "uid=uid\3Dl.dap\2Cou\3Dpeople\2Cdc\3dexample\2Cdc\3Dcom,cn=auth", (=0)
5d5db13a <= check a_dn_pat: self
5d5db13a <= check a_dn_pat: cn=admin,dc=example,dc=com
5d5db13a <= check a_set_pat: [cn=ldapadmins,ou=groups,dc=example,dc=com]/member* & user
5d5db13a => mdb_entry_get: found entry: "cn=ldapadmins,ou=groups,dc=example,dc=com"
5d5db13a ACL set[0]=cn=globaladmins,ou=groups,dc=example,dc=com
5d5db13a => mdb_entry_get: found entry: "cn=globaladmins,ou=groups,dc=example,dc=com"
5d5db13a ACL set[0]=cn=globaladmins,ou=groups,dc=example,dc=com
5d5db13a ACL set[1]=cn=admin,dc=example,dc=com
5d5db13a ACL set[2]=uid=l.dap,ou=people,dc=example,dc=com
5d5db13a => mdb_entry_get: found entry: "cn=admin,dc=example,dc=com"
5d5db13a <= mdb_entry_get: failed to find attribute member
5d5db13a => mdb_entry_get: found entry: "uid=l.dap,ou=people,dc=example,dc=com"
5d5db13a <= mdb_entry_get: failed to find attribute member
5d5db13a ACL set: empty
5d5db13a <= check a_dn_pat: users
5d5db13a <= acl_mask: [4] applying read(=rscxd) (stop)
5d5db13a <= acl_mask: [4] mask: read(=rscxd)
5d5db13a => slap_access_allowed: write access denied by read(=rscxd)
5d5db13a => access_allowed: no more rules write access to description: DENIED
Which seems to correspond to your first olcAccess clause only:
olcAccess: to * by self write by dn="cn=admin,dc=example,dc=com" write by set="[cn=ldapadmins,ou=groups,dc=example,dc=com]/member* & user" write by users read by * none
It shows that "by users read" matches and processing stops. If you want processing to continue past this clause, you will either have to reorganise the structure and ordering of your rules or (to get you started for now) use "break" at the end of certain directives (most likely the last two: "by users read" and "by * none").
Hopefully with this and man slapd.access in mind, you should be able to find a way to describe what you need.
With more complex ACLs, it is also useful to maintain a test suite using slapacl or sample DBs so you can refactor them with confidence later.
Regards,
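Added example, not code from the thread or from OpenLDAP: a small Python model of the two rules the reply relies on (the first matching `to` clause is used, the first matching `by` clause decides, and the default control `stop` ends evaluation), run against the `to *` clause quoted above. It shows why `by users read` wins for l.dap, and what changes when a narrower clause for `description` is put in front of it or when `break` is added to the last two directives. The narrower `description` clause, the `group=` stand-in for the `set=` directive, the sample group membership and the scenario names are assumptions made for the example; `continue`, regex targets and +/- privilege arithmetic are deliberately not modelled.

```python
# Toy model of slapd olcAccess evaluation (added example, not OpenLDAP code).
# Modelled: <access> clauses are tried in order and the first matching <what>
# is used; its <by> clauses are tried in order and the first matching <who>
# decides; "stop" (default) ends evaluation, "break" carries the granted level
# forward and lets later <access> clauses be considered.
from __future__ import annotations
from dataclasses import dataclass, field

LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]


@dataclass
class By:
    who: str               # "*", "anonymous", "users", "self", "dn=<dn>", "group=<dn>"
    access: str            # one of LEVELS
    control: str = "stop"  # "stop" or "break"


@dataclass
class Access:
    attrs: frozenset | None                     # None models "to *"; a set models "to attrs=..."
    by: list[By] = field(default_factory=list)


def who_matches(who, bind_dn, target_dn, groups):
    """Does a <who> clause apply to this bind DN for this target entry?"""
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn is None
    if who == "users":
        return bind_dn is not None
    if who == "self":
        return bind_dn is not None and bind_dn.lower() == target_dn.lower()
    if who.startswith("dn="):
        return bind_dn is not None and bind_dn.lower() == who[3:].lower()
    if who.startswith("group="):
        return bind_dn in groups.get(who[6:], set())
    raise ValueError(f"unsupported <who>: {who}")


def allows(granted, requested):
    return LEVELS.index(granted) >= LEVELS.index(requested)


def evaluate(acl, bind_dn, target_dn, attr, requested, groups):
    """Return (allowed, trace) for `requested` access to `attr` of `target_dn`."""
    trace, carried = [], None     # carried: level granted by a clause ending in "break"
    for i, clause in enumerate(acl):
        if clause.attrs is not None and attr not in clause.attrs:
            continue              # this <what> does not cover the attribute
        for by in clause.by:
            if not who_matches(by.who, bind_dn, target_dn, groups):
                continue
            trace.append(f"[{i}] applying {by.access} ({by.control}) for 'by {by.who}'")
            if by.control == "stop":
                return allows(by.access, requested), trace
            carried = by.access
            break                 # "break": move on to the next <access> clause
        else:
            # a matching <what> with no matching <who> denies (implicit "by * none")
            trace.append(f"[{i}] no <who> matched: implicit 'by * none'")
            return False, trace
    trace.append("no more rules")
    return carried is not None and allows(carried, requested), trace


# Constructed sample directory using the DNs from the thread.
ADMIN = "cn=admin,dc=example,dc=com"
LDAPADMINS = "cn=ldapadmins,ou=groups,dc=example,dc=com"
USER = "uid=l.dap,ou=people,dc=example,dc=com"
ENTRY = "o=e1,ou=entities,dc=example,dc=com"
GROUPS = {LDAPADMINS: {ADMIN}}    # assumed: l.dap not a member (the trace ends that check with "ACL set: empty")

# The "to *" clause quoted in the thread, with the set= directive modelled as group=.
GENERAL = [By("self", "write"), By(f"dn={ADMIN}", "write"), By(f"group={LDAPADMINS}", "write")]
GENERAL_STOP = Access(None, GENERAL + [By("users", "read"), By("*", "none")])
GENERAL_BREAK = Access(None, GENERAL + [By("users", "read", "break"), By("*", "none", "break")])
# Hypothetical narrower clause letting l.dap write description. It keeps the
# read/none fallbacks: placed first without them, every other user would be denied.
SPECIFIC = Access(frozenset({"description"}),
                  [By(f"dn={USER}", "write"), By("users", "read"), By("*", "none")])


def l_dap_writes_description(acl):
    return evaluate(acl, USER, ENTRY, "description", "write", GROUPS)


def original_order():   # narrower clause after "to *": "by users read" stops first
    return l_dap_writes_description([GENERAL_STOP, SPECIFIC])


def specific_first():   # reordered: the narrower clause is reached first
    return l_dap_writes_description([SPECIFIC, GENERAL_STOP])


def with_break():       # original order, but "break" lets evaluation continue
    return l_dap_writes_description([GENERAL_BREAK, SPECIFIC])


if __name__ == "__main__":
    for name, fn in [("original", original_order), ("specific first", specific_first),
                     ("with break", with_break)]:
        allowed, trace = fn()
        print(f"{name}: {'ALLOWED' if allowed else 'DENIED'}; " + "; ".join(trace))
```

Running the file prints one trace per ordering; the first one ends at `[0] applying read (stop) for 'by users'`, which is the same decision the slapacl output above reaches. Each scenario here corresponds to one slapacl invocation of the form Martin used (`slapacl -v -U <bind DN> -b <entry> -d acl "<attr>/<level>"`) against the real config, and a handful of such invocations, kept with the ACL and re-run after every change, is the test suite the reply recommends.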