On 05.08.2014, at 22:41, Simeon Ott simeon.ott@onnet.ch wrote:
On 05.08.2014, at 18:03, Dieter Klünter dieter@dkluenter.de wrote:
As postmaster I'm still able to add objects to its domain. But I'm also able to add other object classes and attributes.
I think I messed around with the attributes entry and children. Can anyone help me clean up? :-)
Run slapd in debugging mode (acl) and watch the rule number applied to a write operation.
Okay, this didn't really help, but thanks anyway. I'm not familiar with reading those logs. I adjusted the loglevel to 128 to see the ACL processing, but it's still a huge amount of log lines when adding such an LDIF. I thought it was going to be an easy task.
I am talking about debugging, not logging! man slapd(8)
Can you help me find the applied rule during the write process of an object with uid=1234? I used other object classes and attributes which are not in the allowed attribute list. The debugging output is attached to this email. The current ACL set is listed below.
access to dn.regex="^(.+,)?ou=(.+),ou=domains,dc=mydomain$" attrs=userPassword
    by dn.base="cn=admin,dc=mydomain" write
    by self write
    by dn.base,expand="cn=postmaster,ou=$2,ou=domains,dc=mydomain" write
    by anonymous auth
    by * none
access to attrs=userPassword
    by dn.base="cn=admin,dc=mydomain" write
    by self write
    by anonymous auth
    by * none
access to dn.regex="^(.+,)?ou=(.+),ou=domains,dc=mydomain$" attrs=@CourierMailAccount,@inetOrgPerson,@top,@Vacation,entry,cn,sn,homeDirectory,vacationActive,vacationInfo,vacationForward,smtpRelayFlag,description,displayName,givenName,homePhone,homePostalAddress,initials,mobile,postalAddress,postalCode,l,telephoneNumber,title
    by self write
    by dn.base,expand="cn=postmaster,ou=$2,ou=domains,dc=mydomain" write
    by * read
access to dn.regex="^ou=(.+),ou=domains,dc=mydomain$" attrs=children
    by dn.base,expand="cn=postmaster,ou=$1,ou=domains,dc=mydomain" write
    by * read
access to *
    by dn.base="cn=admin,dc=mydomain" write
    by * read
Appreciate your help! Simeon
<debug_output_write.txt>
The filter statement below actually did the trick.
access to dn.regex="^(.+,)?ou=(.+),ou=domains,dc=mydomain$" attrs=userPassword
    by dn.base="cn=admin,dc=mydomain" write
    by self write
    by dn.base,expand="cn=postmaster,ou=$2,ou=domains,dc=mydomain" write
    by anonymous auth
    by * none
access to attrs=userPassword
    by dn.base="cn=admin,dc=mydomain" write
    by self write
    by anonymous auth
    by * none
access to dn.regex="^ou=(.+),ou=domains,dc=mydomain$" attrs=children
    by dn.base,expand="cn=postmaster,ou=$1,ou=domains,dc=mydomain" write
    by * read
access to dn.regex="^(.+,)?ou=(.+),ou=domains,dc=mydomain$" attrs=entry,cn,uidNumber,gidNumber,sn,homeDirectory,vacationActive,vacationInfo,vacationForward,smtpRelayFlag,description,displayName,givenName,homePhone,homePostalAddress,initials,mobile,postalAddress,postalCode,l,telephoneNumber,title filter="(&(objectClass=CourierMailAccount)(objectClass=inetOrgPerson)(objectClass=top)(objectClass=Vacation))"
    by self write
    by dn.base,expand="cn=postmaster,ou=$2,ou=domains,dc=mydomain" write
    by * read
access to *
    by dn.base="cn=admin,dc=mydomain" write
    by * read
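To make the first-match behaviour behind both ACL sets in this thread visible without a running directory, here is a small offline model of slapd's access-directive evaluation. It is an added example, not code from this thread or from OpenLDAP, and it encodes the final ACL set above verbatim. It models only the forms actually used there: dn.regex= with $n expansion in a by clause, attrs= including the entry and children pseudo-attributes, filter= as a conjunction of objectClass equalities, and the by clauses self, anonymous, dn.base=, dn.base,expand= and *. The @objectClass attribute sets of the earlier set, break/continue controls and the disclose/manage levels are not modelled. The domain ou=example.com, the new entry uid=1234 and the attribute jpegPhoto used in the demo are constructed for the example.

```python
"""Simplified offline model of slapd access-directive evaluation (added example,
not code from this thread or from OpenLDAP).  Assumed semantics: directives are
tried in order and the first whose <what> matches decides; inside it the first
matching <by> clause gives the level, and a matched directive with no matching
<by> clause denies (implicit 'by * none')."""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class Directive:
    dn_regex: Optional[str]   # None: any DN
    attrs: Optional[set]      # None: all attributes (slapd's default attrs=*)
    classes: set              # objectClass values required by filter=
    by: list                  # (who, level) pairs in order of appearance


def parse_directive(line: str) -> Directive:
    """Parse one single-line 'access to ... by ...' directive (no spaces in values)."""
    tokens = line.split()
    if tokens[:2] != ["access", "to"]:
        raise ValueError("not an access directive: " + line)
    dn_regex, attrs, classes, i = None, None, set(), 2
    while i < len(tokens) and tokens[i] != "by":
        tok = tokens[i]
        if tok.startswith("dn.regex="):
            dn_regex = tok.split("=", 1)[1].strip('"')
        elif tok.startswith("attrs="):
            attrs = {a.lower() for a in tok[len("attrs="):].split(",")}
        elif tok.startswith("filter="):
            # only (&(objectClass=X)(objectClass=Y)...) is understood
            classes = {c.lower() for c in re.findall(r"\(objectClass=([^()]+)\)", tok, re.I)}
        i += 1
    by = [(tokens[j + 1], tokens[j + 2]) for j in range(i, len(tokens), 3)]
    return Directive(dn_regex, attrs, classes, by)


def access_level(directives, who, target_dn, attr, classes):
    """Privilege 'who' (a DN, or None for anonymous) has on 'attr' of target_dn.
    attr is a real attribute or the pseudo-attribute 'entry'/'children';
    classes is the target entry's objectClass set, needed for filter=."""
    attr, target = attr.lower(), target_dn.lower()
    classes = {c.lower() for c in classes}
    for d in directives:
        groups = ()
        if d.dn_regex is not None:
            m = re.match(d.dn_regex, target, re.I)
            if m is None:
                continue
            groups = m.groups()
        if d.attrs is not None and attr not in d.attrs:
            continue
        if not d.classes <= classes:
            continue
        for subject, level in d.by:
            if subject == "*":
                return level
            if subject == "anonymous" and who is None:
                return level
            if who is None:
                continue
            if subject == "self" and who.lower() == target:
                return level
            if subject.startswith("dn.base"):
                want = subject.split("=", 1)[1].strip('"').lower()
                if subject.startswith("dn.base,expand"):
                    # $n refers to the n-th capture group of the dn.regex match
                    want = re.sub(r"\$(\d)", lambda m: groups[int(m.group(1)) - 1] or "", want)
                if who.lower() == want:
                    return level
        return "none"
    return "none"


def can_add(directives, who, new_dn, attr_names, classes):
    """Model of an add: write on the parent's 'children', on the new entry's
    'entry' pseudo-attribute and on every attribute supplied.  The parent's own
    objectClasses are unknown here, so filter= directives never match it.
    Returns the items for which write was NOT granted."""
    parent = new_dn.split(",", 1)[1]
    checks = [(parent, "children", set()), (new_dn, "entry", classes)]
    checks += [(new_dn, a, classes) for a in attr_names]
    return [a for dn, a, oc in checks if access_level(directives, who, dn, a, oc) != "write"]


# The final ACL set from the thread, one directive per line.
ACL_TEXT = """
access to dn.regex="^(.+,)?ou=(.+),ou=domains,dc=mydomain$" attrs=userPassword by dn.base="cn=admin,dc=mydomain" write by self write by dn.base,expand="cn=postmaster,ou=$2,ou=domains,dc=mydomain" write by anonymous auth by * none
access to attrs=userPassword by dn.base="cn=admin,dc=mydomain" write by self write by anonymous auth by * none
access to dn.regex="^ou=(.+),ou=domains,dc=mydomain$" attrs=children by dn.base,expand="cn=postmaster,ou=$1,ou=domains,dc=mydomain" write by * read
access to dn.regex="^(.+,)?ou=(.+),ou=domains,dc=mydomain$" attrs=entry,cn,uidNumber,gidNumber,sn,homeDirectory,vacationActive,vacationInfo,vacationForward,smtpRelayFlag,description,displayName,givenName,homePhone,homePostalAddress,initials,mobile,postalAddress,postalCode,l,telephoneNumber,title filter="(&(objectClass=CourierMailAccount)(objectClass=inetOrgPerson)(objectClass=top)(objectClass=Vacation))" by self write by dn.base,expand="cn=postmaster,ou=$2,ou=domains,dc=mydomain" write by * read
access to * by dn.base="cn=admin,dc=mydomain" write by * read
""".strip().splitlines()
ACL = [parse_directive(line) for line in ACL_TEXT]

# Constructed sample identities for the demo (not from the thread).
POSTMASTER = "cn=postmaster,ou=example.com,ou=domains,dc=mydomain"
NEW_DN = "uid=1234,ou=example.com,ou=domains,dc=mydomain"
FULL = {"top", "inetOrgPerson", "CourierMailAccount", "Vacation"}


def demo():
    """Three adds by the domain postmaster: a well-formed account, one carrying an
    attribute outside the allowed list, and one missing the Vacation class."""
    ok = can_add(ACL, POSTMASTER, NEW_DN, ["cn", "sn", "homeDirectory", "userPassword"], FULL)
    extra_attr = can_add(ACL, POSTMASTER, NEW_DN, ["cn", "sn", "jpegPhoto"], FULL)
    missing_oc = can_add(ACL, POSTMASTER, NEW_DN, ["cn", "sn"], FULL - {"Vacation"})
    return ok, extra_attr, missing_oc


if __name__ == "__main__":
    print(demo())
```

The well-formed add passes every check, while jpegPhoto and the entry that lacks one of the four object classes fall through the filter= directive to the final `access to *` and receive only read, which is exactly what the filter clause adds over the attribute list alone. The model is a reading aid, not a substitute for the authoritative answer, which is what Dieter points at: slapd in debugging mode (acl) reports the rule number it actually applied.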