OK thanks Quanah! I removed the "*" on the ACLs except for the last rule. I don't understand: it is rejected by the last rule. Why does it not match rule #3? Normally it may stop at the first match?
Here's my request and the ACL log:

ldapsearch -x -H ldap://127.0.0.1 -b "dc=fr" -D "cn=supervision,ou=Comptes clients,dc=fr" -s base contextCSN
Oct 25 08:31:08 apsim-qualif slapd[27308]: => access_allowed: result not in cache (userPassword)
Oct 25 08:31:08 apsim-qualif slapd[27308]: => access_allowed: auth access to "cn=supervision,ou=Comptes Clients,dc=fr" "userPassword" requested
Oct 25 08:31:08 apsim-qualif slapd[27308]: => dn: [1] ou=comptes admin,dc=fr
Oct 25 08:31:08 apsim-qualif slapd[27308]: => acl_get: [2] attr userPassword
Oct 25 08:31:08 apsim-qualif slapd[27308]: => acl_mask: access to entry "cn=supervision,ou=Comptes Clients,dc=fr", attr "userPassword" requested
Oct 25 08:31:08 apsim-qualif slapd[27308]: => acl_mask: to value by "", (=0)
Oct 25 08:31:08 apsim-qualif slapd[27308]: <= check a_dn_pat: cn=admingdr,ou=comptes admin,dc=fr
Oct 25 08:31:08 apsim-qualif slapd[27308]: <= check a_dn_pat: cn=ldapsynchro,ou=comptes admin,dc=fr
Oct 25 08:31:08 apsim-qualif slapd[27308]: <= check a_dn_pat: users
Oct 25 08:31:08 apsim-qualif slapd[27308]: <= check a_dn_pat: anonymous
Oct 25 08:31:08 apsim-qualif slapd[27308]: <= acl_mask: [4] applying auth(=xd) (stop)
Oct 25 08:31:08 apsim-qualif slapd[27308]: <= acl_mask: [4] mask: auth(=xd)
Oct 25 08:31:08 apsim-qualif slapd[27308]: => slap_access_allowed: auth access granted by auth(=xd)
Oct 25 08:31:08 apsim-qualif slapd[27308]: => access_allowed: auth access granted by auth(=xd)
Oct 25 08:31:08 apsim-qualif slapd[27308]: => access_allowed: search access to "dc=fr" "entry" requested
Oct 25 08:31:08 apsim-qualif slapd[27308]: => dn: [1] ou=comptes admin,dc=fr
Oct 25 08:31:08 apsim-qualif slapd[27308]: => dn: [3] dc=fr
Oct 25 08:31:08 apsim-qualif slapd[27308]: => acl_get: [3] matched
Oct 25 08:31:08 apsim-qualif slapd[27308]: => acl_get: [3] attr entry
Oct 25 08:31:08 apsim-qualif slapd[27308]: => acl_mask: access to entry "dc=fr", attr "entry" requested
Oct 25 08:31:08 apsim-qualif slapd[27308]: => acl_mask: to all values by "cn=supervision,ou=comptes clients,dc=fr", (=0)
Oct 25 08:31:08 apsim-qualif slapd[27308]: <= check a_dn_pat: cn=ldapsynchro,ou=comptes admin,dc=fr
Oct 25 08:31:08 apsim-qualif slapd[27308]: <= check a_dn_pat: cn=supervision,ou=comptes clients,dc=fr
Oct 25 08:31:08 apsim-qualif slapd[27308]: <= acl_mask: [2] applying read(=rscxd) (stop)
Oct 25 08:31:08 apsim-qualif slapd[27308]: <= acl_mask: [2] mask: read(=rscxd)
Oct 25 08:31:08 apsim-qualif slapd[27308]: => slap_access_allowed: search access granted by read(=rscxd)
Oct 25 08:31:08 apsim-qualif slapd[27308]: => access_allowed: search access granted by read(=rscxd)
Oct 25 08:31:08 apsim-qualif slapd[27308]: => access_allowed: search access to "dc=fr" "objectClass" requested
Oct 25 08:31:08 apsim-qualif slapd[27308]: => dn: [1] ou=comptes admin,dc=fr
Oct 25 08:31:08 apsim-qualif slapd[27308]: => dn: [3] dc=fr
Oct 25 08:31:08 apsim-qualif slapd[27308]: => acl_get: [3] matched
Oct 25 08:31:08 apsim-qualif slapd[27308]: => dn: [5] dc=gouv,dc=fr
Oct 25 08:31:08 apsim-qualif slapd[27308]: => acl_get: [6] attr objectClass
Oct 25 08:31:08 apsim-qualif slapd[27308]: => acl_mask: access to entry "dc=fr", attr "objectClass" requested
Oct 25 08:31:08 apsim-qualif slapd[27308]: => acl_mask: to all values by "cn=supervision,ou=comptes clients,dc=fr", (=0)
Oct 25 08:31:08 apsim-qualif slapd[27308]: <= check a_dn_pat: cn=root,dc=fr
Oct 25 08:31:08 apsim-qualif slapd[27308]: <= check a_dn_pat: ou=comptes admin,dc=fr
Oct 25 08:31:08 apsim-qualif slapd[27308]: <= check a_dn_pat: cn=ldapsynchro,ou=comptes admin,dc=fr
Oct 25 08:31:08 apsim-qualif slapd[27308]: <= check a_dn_pat: self
Oct 25 08:31:08 apsim-qualif slapd[27308]: <= check a_dn_pat: users
Oct 25 08:31:08 apsim-qualif slapd[27308]: <= acl_mask: [5] applying none(=0) (stop)
Oct 25 08:31:08 apsim-qualif slapd[27308]: <= acl_mask: [5] mask: none(=0)
Oct 25 08:31:08 apsim-qualif slapd[27308]: => slap_access_allowed: search access denied by none(=0)
Oct 25 08:31:08 apsim-qualif slapd[27308]: => access_allowed: no more rules
On Wed, Oct 24, 2018 at 5:15 PM Quanah Gibson-Mount quanah@symas.com wrote:
--On Wednesday, October 24, 2018 5:17 PM +0200 Lirien Maxime maxime.lirien@gmail.com wrote:
# 2) userPassword accessible by all
access to * attrs=userPassword
    by dn.exact="cn=Synchro,ou=Comptes Admin,dc=fr" read
    by users auth
    by anonymous auth
    by * none
This should be just access to attrs=userPassword, no need for the *.
Similar comment for some of your other ACLs using the same format.
I would generally advise enabling "acl" level logging to see how things are being processed so you can determine what additional access is needed or which rule(s) are blocking access.
--Quanah
--
Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: http://www.symas.com
--On Thursday, October 25, 2018 10:25 AM +0200 Lirien Maxime maxime.lirien@gmail.com wrote:
OK thanks Quanah! I removed the "*" on the ACLs except for the last rule. I don't understand: it is rejected by the last rule. Why does it not match rule #3? Normally it may stop at the first match?
Oct 25 08:31:08 apsim-qualif slapd[27308]: => acl_mask: access to entry "dc=fr", attr "objectClass" requested
Hi Lirien,
It's clearly asking for access to the objectClass attribute in "dc=fr", which is not a part of your ACL#3, so it's correctly denied:
# 3) ********* CONTEXTCSN *********
access to dn.base="dc=fr" attrs=entry,children,contextcsn
    by dn.exact="cn=Synchro,ou=Comptes Admin,dc=fr" read
    by dn.exact="cn=supervision,ou=Comptes Clients,dc=fr" read
    by * none

You need to modify the "access to" line to include objectClass.
--Quanah
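As an added example (not code from the thread or from OpenLDAP itself), here is a small Python model of the evaluation order Quanah describes: slapd takes the first access directive whose <what> (DN selector plus attrs list) covers the requested entry and attribute, then the first by clause matching the requester, and stops there. It reproduces the denial in the log above for supervision's search on objectClass at dc=fr (the default filter (objectClass=*) is why that attribute is checked even though only contextCSN was asked for) and shows the effect of adding objectClass to rule #3. It assumes a trailing catch-all "access to * by * none" as the last rule and models only the selectors the thread's ACLs use.

```python
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write"]

def what_matches(rule, dn, attr):
    """Does the directive's <what> (dn selector + attrs list) cover (dn, attr)?"""
    scope, target = rule["dn"]          # ("base", "dc=fr"), ("subtree", ...) or ("*", None)
    if scope == "base" and dn.lower() != target.lower():
        return False
    if scope == "subtree" and not dn.lower().endswith(target.lower()):
        return False
    attrs = rule["attrs"]               # None: no attrs=, so every attribute plus entry/children
    return attrs is None or attr.lower() in {a.lower() for a in attrs}

def who_matches(who, requester, dn):
    """Does a <who> selector match the bound DN ("" means anonymous)?"""
    if who == "*":
        return True
    if who == "anonymous":
        return requester == ""
    if who == "users":
        return requester != ""
    if who == "self":
        return requester.lower() == dn.lower()
    if who.startswith("dn.exact="):
        return requester.lower() == who[len("dn.exact="):].lower()
    return False

def access_allowed(acl, requester, dn, attr, wanted):
    """Return (granted, 1-based index of the directive that decided), like the [n] in the log."""
    for idx, rule in enumerate(acl, start=1):
        if not what_matches(rule, dn, attr):
            continue                    # acl_get: <what> did not match, try the next directive
        for who, level in rule["by"]:   # acl_mask: first matching <who> decides (default "stop")
            if who_matches(who, requester, dn):
                return LEVELS.index(level) >= LEVELS.index(wanted), idx
        return False, idx               # no <who> matched: denied, later directives not consulted
    return False, None                  # implicit trailing "access to * by * none"

# The thread's ACL #3 as posted, and the same rule with objectClass added (the suggested fix).
SYNCHRO = "cn=Synchro,ou=Comptes Admin,dc=fr"
SUPERVISION = "cn=supervision,ou=Comptes Clients,dc=fr"
RULE3 = {"dn": ("base", "dc=fr"), "attrs": ["entry", "children", "contextCSN"],
         "by": [("dn.exact=" + SYNCHRO, "read"), ("dn.exact=" + SUPERVISION, "read"), ("*", "none")]}
RULE3_FIXED = dict(RULE3, attrs=RULE3["attrs"] + ["objectClass"])
LAST = {"dn": ("*", None), "attrs": None, "by": [("*", "none")]}  # assumed catch-all last rule

def supervision_objectclass(rule3):
    """Search access to objectClass on dc=fr, which the default filter (objectClass=*) needs.
    Returns (False, 2) for RULE3 (denied by the catch-all) and (True, 1) for RULE3_FIXED."""
    return access_allowed([rule3, LAST], SUPERVISION, "dc=fr", "objectClass", "search")
```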
openldap-technical@openldap.org