Dear collected list wisdom,
I'm trying to set up access control using membership in a dynamic list. I've activated the dynlist overlay and configured it like this:
olcDlAttrSet: groupOfURLs memberURL member
and installed an ACL:
olcAccess: to dn.regex=".+,<some base>" by self read by group/groupOfURLs/member="<group DN>" search
Browsing the directory I can see the member attributes being added to the group, but testing access with slapacl I encounter the following error:
54ef3976 => bdb_entry_get: found entry: "<group DN>"
54ef3976 <= bdb_entry_get: failed to find attribute member
What am I doing wrong? N.B.: I _did_ add member to the list of allowed attributes for a groupOfURLs ...
TIA Ralf Mattes
Mattes wrote:
Dear collected list wisdom,
I'm trying to set up access control using membership in a dynamic list. I've activated the dynlist overlay and configured it like this:
olcDlAttrSet: groupOfURLs memberURL member
and installed an ACL:
olcAccess: to dn.regex=".+,<some base>" by self read by group/groupOfURLs/member="<group DN>" search
Browsing the directory I can see the member attributes being added to the group, but testing access with slapacl I encounter the following error:
54ef3976 => bdb_entry_get: found entry: "<group DN>"
54ef3976 <= bdb_entry_get: failed to find attribute member
What am I doing wrong? N.B.: I _did_ add member to the list of allowed attributes for a groupOfURLs ...
It's important to understand that the dynlist overlay generates the attribute 'member' on the fly when it's read. Did you read section AUTHORIZATION in slapo-dynlist(5)?
Maybe running this as a CRON job is better for your needs:
http://www.stroeder.com/pylib/update_memberurl_groups.py
Ciao, Michael.
-- E-Mail: michael@stroeder.com http://www.stroeder.com
Michael Ströder wrote:
Mattes wrote:
Dear collected list wisdom,
I'm trying to set up access control using membership in a dynamic list. I've activated the dynlist overlay and configured it like this:
olcDlAttrSet: groupOfURLs memberURL member
and installed an ACL:
olcAccess: to dn.regex=".+,<some base>" by self read by group/groupOfURLs/member="<group DN>" search
Browsing the directory I can see the member attributes being added to the group, but testing access with slapacl I encounter the following error:
54ef3976 => bdb_entry_get: found entry: "<group DN>"
54ef3976 <= bdb_entry_get: failed to find attribute member
What am I doing wrong?
In general, overlays don't take effect for the offline tools, they only function in slapd itself.
N.B.: I _did_ add member to the list of allowed attributes for a groupOfURLs ...
It's important to understand that the dynlist overlay generates the attribute 'member' on the fly when it's read. Did you read section AUTHORIZATION in slapo-dynlist(5)?
Maybe running this as a CRON job is better for your needs:
http://www.stroeder.com/pylib/update_memberurl_groups.py
Ciao, Michael.
-- E-Mail: michael@stroeder.com http://www.stroeder.com
On Monday, 02 March 2015 21:55 CET, Howard Chu hyc@symas.com wrote:
Michael Ströder wrote:
Mattes wrote:
Dear collected list wisdom,
I'm trying to set up access control using membership in a dynamic list. I've activated the dynlist overlay and configured it like this:
olcDlAttrSet: groupOfURLs memberURL member
and installed an ACL:
olcAccess: to dn.regex=".+,<some base>" by self read by group/groupOfURLs/member="<group DN>" search
Browsing the directory I can see the member attributes being added to the group, but testing access with slapacl I encounter the following error:
54ef3976 => bdb_entry_get: found entry: "<group DN>"
54ef3976 <= bdb_entry_get: failed to find attribute member
What am I doing wrong?
In general, overlays don't take effect for the offline tools, they only function in slapd itself.
O.k., thanks, that makes a lot of sense. So, slapacl can only take static entries into consideration. That leaves me with the following question: what tool to use to debug ACLs?
TIA Ralf Mattes
On Tue, 03 Mar 2015 17:43:06 +0100, "Mattes" rm@mh-freiburg.de wrote:
On Monday, 02 March 2015 21:55 CET, Howard Chu hyc@symas.com wrote:
Michael Ströder wrote:
Mattes wrote:
Dear collected list wisdom,
I'm trying to set up access control using membership in a dynamic list. I've activated the dynlist overlay and configured it like this:
olcDlAttrSet: groupOfURLs memberURL member
and installed an ACL:
olcAccess: to dn.regex=".+,<some base>" by self read by group/groupOfURLs/member="<group DN>" search
Browsing the directory I can see the member attributes being added to the group, but testing access with slapacl I encounter the following error:
54ef3976 => bdb_entry_get: found entry: "<group DN>"
54ef3976 <= bdb_entry_get: failed to find attribute member
What am I doing wrong?
In general, overlays don't take effect for the offline tools, they only function in slapd itself.
O.k., thanks, that makes a lot of sense. So, slapacl can only take static entries into consideration. That leaves me with the following question: what tool to use to debug ACLs?
set slapd in debug mode 128.
-Dieter
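Since slapacl cannot see overlay-generated attributes, the ACL test has to run against the live slapd started with debug level 128 (ACL tracing) while a client binds and searches. The following is an added example, not code from the thread: a small Python script that pairs each "requested" line in such a trace with the decision that follows it, so the denied requests and the matching ACL index stand out. The sample trace is constructed and its line format is modelled on slapd's ACL debug output, which is an assumption.

```python
import re

# Constructed sample, modelled on what slapd prints at debug level 128 ("-d acl")
# while an ldapsearch runs; the exact wording is an assumption, not copied from the thread.
SAMPLE_ACL_LOG = """\
=> access_allowed: search access to "uid=rm,ou=people,dc=example,dc=org" "entry" requested
=> acl_get: [1] matched
=> access_allowed: search access granted by search(=scxd)
=> access_allowed: read access to "uid=rm,ou=people,dc=example,dc=org" "userPassword" requested
=> acl_get: [1] matched
=> access_allowed: read access denied by =0
=> access_allowed: read access to "cn=staff,ou=groups,dc=example,dc=org" "member" requested
=> acl_get: [2] matched
=> access_allowed: read access granted by read(=rscxd)
"""

REQUEST_RE = re.compile(r'=> access_allowed: (\w+) access to "([^"]*)" "([^"]*)" requested')
MATCH_RE = re.compile(r'=> acl_get: \[(\d+)\] matched')
DECISION_RE = re.compile(r'=> access_allowed: (\w+) access (granted|denied) by (\S+)')


def summarize_acl_log(text):
    """Pair each 'requested' line with the decision line that follows it.

    Returns a list of dicts with dn, attr, access, rule (index of the ACL that
    matched, or None if no acl_get line was seen), decision and the granted mask.
    """
    results, current = [], None
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if m:
            current = {"access": m.group(1), "dn": m.group(2), "attr": m.group(3), "rule": None}
            continue
        m = MATCH_RE.search(line)
        if m and current is not None:
            current["rule"] = int(m.group(1))
            continue
        m = DECISION_RE.search(line)
        if m and current is not None and m.group(1) == current["access"]:
            current["decision"], current["mask"] = m.group(2), m.group(3)
            results.append(current)
            current = None
    return results


def denied(text):
    """Only the denied requests: the first thing to look at when an ACL test fails."""
    return [r for r in summarize_acl_log(text) if r["decision"] == "denied"]


if __name__ == "__main__":
    for r in summarize_acl_log(SAMPLE_ACL_LOG):
        print(f'{r["decision"]:7} {r["access"]:6} {r["dn"]} attr={r["attr"]} rule={r["rule"]}')
```

Feed it the output of a run such as slapd -d 128 redirected to a file while the test user performs the search; the "rule" column tells you which olcAccess entry decided each request.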
On Monday, 02 March 2015 18:49 CET, Michael Ströder michael@stroeder.com wrote:
Mattes wrote:
Dear collected list wisdom,
I'm trying to set up access control using membership in a dynamic list. I've activated the dynlist overlay and configured it like this:
olcDlAttrSet: groupOfURLs memberURL member
and installed an ACL:
olcAccess: to dn.regex=".+,<some base>" by self read by group/groupOfURLs/member="<group DN>" search
Browsing the directory I can see the member attributes being added to the group, but testing access with slapacl I encounter the following error:
54ef3976 => bdb_entry_get: found entry: "<group DN>"
54ef3976 <= bdb_entry_get: failed to find attribute member
What am I doing wrong? N.B.: I _did_ add member to the list of allowed attributes for a groupOfURLs ...
It's important to understand that the dynlist overlay generates the attribute 'member' on the fly when it's read.
I understand. But, to my understanding, both group/objectclass/attrname acls and set/... acls need to fetch the attributes to do the comparison/set intersection.
Did you read section AUTHORIZATION in slapo-dynlist(5)?
Yes, I did read that manpage. What are you hinting at? The attribute used in the filter part of the LDAP URL to populate the dyngroup is readable by all (verified with slapacl).
Maybe running this as a CRON job is better for your needs:
Hmm - why? What does this script do that the autogroup can't handle?
Thanks, Ralf Mattes
Ciao, Michael.
-- E-Mail: michael@stroeder.com http://www.stroeder.com
Mattes wrote:
On Monday, 02 March 2015 18:49 CET, Michael Ströder michael@stroeder.com wrote:
Maybe running this as a CRON job is better for your needs:
Hmm - why? What does this script do that the autogroup can't handle?
It maintains real group entries with indexable and replicated 'member' attribute also usable with slapo-memberof.
Ciao, Michael.
Michael Ströder wrote:
Mattes wrote:
On Monday, 02 March 2015 18:49 CET, Michael Ströder michael@stroeder.com wrote:
Maybe running this as a CRON job is better for your needs:
Hmm - why? What does this script do that the autogroup can't handle?
It maintains real group entries with indexable and replicated 'member' attribute also usable with slapo-memberof.
The autogroup overlay does that, in realtime. And, due to a Symas customer paying for it to be worked on last week, it actually works as advertised now in RE24. It works well enough now to even be promoted from contrib to mainline.
Howard Chu wrote:
Michael Ströder wrote:
Mattes wrote:
On Monday, 02 March 2015 18:49 CET, Michael Ströder michael@stroeder.com wrote:
Maybe running this as a CRON job is better for your needs:
Hmm - why? What does this script do that the autogroup can't handle?
It maintains real group entries with indexable and replicated 'member' attribute also usable with slapo-memberof.
The autogroup overlay does that, in realtime. And, due to a Symas customer paying for it to be worked on last week, it actually works as advertised now in RE24. It works well enough now to even be promoted from contrib to mainline.
Good news.
I'm not keen on running this kind of CRON job. But up to now it was a reasonable compromise.
I will test slapo-autogroup in RE24.
Ciao, Michael.
openldap-technical@openldap.org