Hi,
(OpenLDAP version 2.4.23)
I have a filter expression in an ACL that is somehow affecting my ability to retrieve specific attributes. What's strange (to me) is that with or without the filter expression in place, I can retrieve all attributes, i.e. the full object.
4986# ldapsearch -LLL -Z -x -y ../../private/pwemail '(uid=rpeterso)'
dn: yDirectoryID=c44883ba-ac62-d28c-556f-99ccbf532da7,ou=email
yDirectoryID: c44883ba-ac62-d28c-556f-99ccbf532da7
objectClass: yAccount
objectClass: inetOrgPerson
uid: rpeterso
mail: rpeterso@mtholyoke.edu
etc...
But if I specify a particular attribute, then having the filter expression in place somehow inhibits my ability to retrieve the specific attribute(s).
Without filter expression:
4987# ldapsearch -LLL -Z -x -y ../../private/pwemail '(uid=rpeterso)' mail
dn: yDirectoryID=c44883ba-ac62-d28c-556f-99ccbf532da7,ou=email
mail: rpeterso@mtholyoke.edu
With filter expression in place:
4990# ldapsearch -LLL -Z -x -y ../../private/pwemail '(uid=rpeterso)' mail
dn: yDirectoryID=c44883ba-ac62-d28c-556f-99ccbf532da7,ou=email
The ACL in question looks like:
access to dn.regex="(yDirectoryID=.*),ou=email"
    filter="(&(yInstitution=mtholyoke.edu)(yGlobalPermission=allow)(|(yApplicationPermission=email)(&(yDefaultApplicationPermission=allow)(!(yApplicationPermission=email)))))"
    by dn.regex=$1,ou=people,ou=accounts,ou=prod,dc=mtholyoke,dc=edu read
    by dn="uid=email,ou=admin,ou=accounts,ou=prod,dc=mtholyoke,dc=edu" read
    by * none
I've turned my logging way up, and the hiccup seems to be that the DN I've authenticated as (uid=email,ou=admin,ou=accounts,ou=prod,dc=mtholyoke,dc=edu) needs read access to the attributes in the filter expression. But how do I give that account read access to those attributes, without then exposing the objects that I'm trying to hide with the filter expression?
Ron Peterson wrote:
I've turned my logging way up, and the hiccup seems to be that the DN I've authenticated as (uid=email,ou=admin,ou=accounts,ou=prod,dc=mtholyoke,dc=edu) needs read access to the attributes in the filter expression. But how do I give that account read access to those attributes, without then exposing the objects that I'm trying to hide with the filter expression?
Give it auth access, not read access.
2011-09-14_16:54:56-0400 Howard Chu hyc@symas.com:
I've turned my logging way up, and the hiccup seems to be that the DN I've authenticated as (uid=email,ou=admin,ou=accounts,ou=prod,dc=mtholyoke,dc=edu) needs read access to the attributes in the filter expression. But how do I give that account read access to those attributes, without then exposing the objects that I'm trying to hide with the filter expression?
Give it auth access, not read access.
Did that, but it seems to want read access. ?
Sep 15 08:13:15 mid slapd[5050]: => acl_mask: access to entry "yDirectoryID=c44883ba-ac62-d28c-556f-99ccbf532da7,ou=email", attr "yGlobalPermission" requested
Sep 15 08:13:15 mid slapd[5050]: => acl_mask: to value by "uid=email,ou=admin,ou=accounts,ou=prod,dc=mtholyoke,dc=edu", (=0)
Sep 15 08:13:15 mid slapd[5050]: <= check a_dn_pat: uid=email,ou=admin,ou=accounts,ou=prod,dc=mtholyoke,dc=edu
Sep 15 08:13:15 mid slapd[5050]: <= acl_mask: [1] applying auth(=xd) (stop)
Sep 15 08:13:15 mid slapd[5050]: <= acl_mask: [1] mask: auth(=xd)
Sep 15 08:13:15 mid slapd[5050]: => slap_access_allowed: read access denied by auth(=xd)
Carefully watching logs for both master directory and proxy server, the master directory is passing the information required. It's the ACLs on the proxy that are tripping me up.
search like:
ldapsearch -LLL -Z -x -y ../../private/pwemail '(uid=rpeterso)'
ldaprc like:
BASE ou=email
BINDDN uid=email,ou=admin
URI ldap://proxy.mtholyoke.edu
SIZELIMIT 40000
TLS_CACERT /local/etc/cert/ca/cacert.pem
Full config:
database ldap
suffix "ou=email"
uri "ldapi://%2Fvar%2Frun%2Fslapd%2Fmastertest%2Fldapi"
idassert-bind bindmethod=simple binddn="uid=email,ou=admin,ou=accounts,ou=prod,dc=mtholyoke,dc=edu" credentials="sanitized" mode=self
chase-referrals yes
overlay rwm
rwm-rewriteEngine on
rwm-rewriteMap ldap uid2emailDN "ldaps://dirt-master.mtholyoke.edu/ou=people,ou=accounts,ou=prod,dc=mtholyoke,dc=edu?dn?sub" binddn="uid=proxy,ou=admin,ou=accounts,ou=prod,dc=mtholyoke,dc=edu" credentials="sanitized"
rwm-rewriteMap ldap yid2emailDN "ldaps://dirt-master.mtholyoke.edu/ou=people,ou=accounts,ou=prod,dc=mtholyoke,dc=edu?dn?sub" binddn="uid=proxy,ou=admin,ou=accounts,ou=prod,dc=mtholyoke,dc=edu" credentials="sanitized"
# yUsername is rewritten to uid, so that's what we bind with
rwm-rewriteContext bindDN
rwm-rewriteRule "^(yDirectoryID=.+),ou=email" "${yid2emailDN($1)}" ":@I"
rwm-rewriteRule "^uid=([a-z0-9_]{3,24}),ou=email" "${uid2emailDN(yUsername=$1)}" ":@I"
rwm-suffixmassage "ou=people,ou=accounts,ou=prod,dc=mtholyoke,dc=edu"
rwm-map objectClass inetOrgPerson yDummyA
rwm-map objectClass yAccount *
rwm-map objectClass *
rwm-map attribute givenName yNameFirstLegal
rwm-map attribute sn yNameLastLegal
rwm-map attribute uid yUsername
rwm-map attribute mail yPrimaryEmail
# keep these attribute names the same
rwm-map attribute yDirectoryID *
rwm-map attribute yInstitution *
rwm-map attribute yGlobalPermission *
rwm-map attribute yDefaultApplicationPermission *
rwm-map attribute yApplicationPermission *
rwm-map attribute ySHA1Password *
rwm-map attribute *
access to dn.sub="ou=email"
    by dn="uid=proxy,ou=admin,ou=accounts,ou=prod,dc=mtholyoke,dc=edu" read
    by * break

access to dn.sub="ou=email" attrs="entry"
    by dn="uid=email,ou=admin,ou=accounts,ou=prod,dc=mtholyoke,dc=edu" read
    by * break

access to dn.sub="ou=email"
    by dn="uid=email,ou=admin,ou=accounts,ou=prod,dc=mtholyoke,dc=edu" auth
    by * break

access to dn.sub="ou=email"
    filter="(&(yInstitution=mtholyoke.edu)(yGlobalPermission=allow)(|(yApplicationPermission=email)(&(yDefaultApplicationPermission=allow)(!(yApplicationPermission=email)))))"
    by anonymous auth
    by dn="uid=email,ou=admin,ou=accounts,ou=prod,dc=mtholyoke,dc=edu" read
    by * break

access to dn.regex="(yDirectoryID=.*),ou=email"
    filter="(&(yInstitution=mtholyoke.edu)(yGlobalPermission=allow)(|(yApplicationPermission=email)(&(yDefaultApplicationPermission=allow)(!(yApplicationPermission=email)))))"
    by dn="uid=email,ou=admin,ou=accounts,ou=prod,dc=mtholyoke,dc=edu" read
    by dn.regex=$1,ou=people,ou=accounts,ou=prod,dc=mtholyoke,dc=edu read
    by * none
2011-09-15_08:22:54-0400 Ron Peterson rpeterso@mtholyoke.edu:
2011-09-14_16:54:56-0400 Howard Chu hyc@symas.com:
I've turned my logging way up, and the hiccup seems to be that the DN I've authenticated as (uid=email,ou=admin,ou=accounts,ou=prod,dc=mtholyoke,dc=edu) needs read access to the attributes in the filter expression. But how do I give that account read access to those attributes, without then exposing the objects that I'm trying to hide with the filter expression?
Give it auth access, not read access.
My previous example had too much going on for any sane person to wade through, so I've distilled this configuration down to illustrate the essence of the problem. No fancy rewrite rules, etc. The problem remains: adding a filter expression makes it impossible to query the value of particular attributes, although I can retrieve the entire object.
It must be possible to filter the result set in a back-ldap proxy setup when querying for particular attributes, but how?
________________________________________________________________________
ldaprc like:
BASE ou=people,ou=accounts,ou=prod,dc=mtholyoke,dc=edu
BINDDN uid=email,ou=admin,ou=accounts,ou=prod,dc=mtholyoke,dc=edu
URI ldap://dirt.mtholyoke.edu
SIZELIMIT 40000
TLS_CACERT /local/etc/cert/ca/cacert.pem
________________________________________________________________________
proxy config like:
database ldap
suffix "ou=accounts,ou=prod,dc=mtholyoke,dc=edu"
uri "ldapi://%2Fvar%2Frun%2Fslapd%2Fmastertest%2Fldapi"

access to dn.sub="ou=people,ou=accounts,ou=prod,dc=mtholyoke,dc=edu" attrs="entry"
    by dn="uid=email,ou=admin,ou=accounts,ou=prod,dc=mtholyoke,dc=edu" read
    by * none

# log file (see below) seems to indicate proxy wants search permission on this attribute,
# but this doesn't help
access to dn.sub="ou=people,ou=accounts,ou=prod,dc=mtholyoke,dc=edu" attrs="yApplicationPermission"
    by dn="uid=email,ou=admin,ou=accounts,ou=prod,dc=mtholyoke,dc=edu" search
    by * none

access to dn.sub="ou=people,ou=accounts,ou=prod,dc=mtholyoke,dc=edu" filter="(yApplicationPermission=email)"
    by dn="uid=email,ou=admin,ou=accounts,ou=prod,dc=mtholyoke,dc=edu" read
    by * none
________________________________________________________________________
(1) This query works (returns all attributes):
ldapsearch -LLL -Z -x -y ../../private/pwemail '(yUsername=rpeterso)'

(2) This query does not (only returns DN, but not yPrimaryEmail):
ldapsearch -LLL -Z -x -y ../../private/pwemail '(yUsername=rpeterso)' yPrimaryEmail

________________________________________________________________________
Log for both master and proxy database (loglevel 256 128 64 32), for query (2) above:
pid 32160 = proxy server
pid 24268 = master directory server
Sep 16 09:17:41 mid slapd[32160]: conn=1001 fd=13 ACCEPT from IP=138.110.86.129:51010 (IP=138.110.86.129:389)
Sep 16 09:17:41 mid slapd[32160]: conn=1001 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Sep 16 09:17:41 mid slapd[32160]: conn=1001 op=0 STARTTLS
Sep 16 09:17:41 mid slapd[32160]: conn=1001 op=0 RESULT oid= err=0 text=
Sep 16 09:17:41 mid slapd[32160]: conn=1001 fd=13 TLS established tls_ssf=256 ssf=256
Sep 16 09:17:41 mid slapd[32160]: conn=1001 op=1 BIND dn="uid=email,ou=admin,ou=accounts,ou=prod,dc=mtholyoke,dc=edu" method=128
Sep 16 09:17:41 mid slapd[24268]: conn=1025 fd=13 ACCEPT from PATH=/var/run/slapd/mastertest/ldapi (PATH=/var/run/slapd/mastertest/ldapi)
Sep 16 09:17:41 mid slapd[24268]: conn=1025 op=0 BIND dn="uid=email,ou=admin,ou=accounts,ou=prod,dc=mtholyoke,dc=edu" method=128
Sep 16 09:17:41 mid slapd[24268]: => access_allowed: result not in cache (userPassword)
Sep 16 09:17:41 mid slapd[24268]: => access_allowed: auth access to "uid=email,ou=admin,ou=accounts,ou=prod,dc=mtholyoke,dc=edu" "userPassword" requested
Sep 16 09:17:41 mid slapd[24268]: => acl_get: [1] attr userPassword
Sep 16 09:17:41 mid slapd[24268]: => acl_mask: access to entry "uid=email,ou=admin,ou=accounts,ou=prod,dc=mtholyoke,dc=edu", attr "userPassword" requested
Sep 16 09:17:41 mid slapd[24268]: => acl_mask: to value by "", (=0)
Sep 16 09:17:41 mid slapd[24268]: <= check a_dn_pat: self
Sep 16 09:17:41 mid slapd[24268]: <= check a_dn_pat: anonymous
Sep 16 09:17:41 mid slapd[24268]: <= acl_mask: [2] applying auth(=xd) (stop)
Sep 16 09:17:41 mid slapd[24268]: <= acl_mask: [2] mask: auth(=xd)
Sep 16 09:17:41 mid slapd[24268]: => slap_access_allowed: auth access granted by auth(=xd)
Sep 16 09:17:41 mid slapd[24268]: => access_allowed: auth access granted by auth(=xd)
Sep 16 09:17:41 mid slapd[24268]: conn=1025 op=0 BIND dn="uid=email,ou=admin,ou=accounts,ou=prod,dc=mtholyoke,dc=edu" mech=SIMPLE ssf=0
Sep 16 09:17:41 mid slapd[24268]: conn=1025 op=0 RESULT tag=97 err=0 text=
Sep 16 09:17:41 mid slapd[32160]: conn=1001 op=1 BIND dn="uid=email,ou=admin,ou=accounts,ou=prod,dc=mtholyoke,dc=edu" mech=SIMPLE ssf=0
Sep 16 09:17:41 mid slapd[32160]: conn=1001 op=1 RESULT tag=97 err=0 text=
Sep 16 09:17:41 mid slapd[32160]: begin get_filter
Sep 16 09:17:41 mid slapd[32160]: EQUALITY
Sep 16 09:17:41 mid slapd[32160]: end get_filter 0
Sep 16 09:17:41 mid slapd[32160]: conn=1001 op=2 SRCH base="ou=people,ou=accounts,ou=prod,dc=mtholyoke,dc=edu" scope=2 deref=0 filter="(yUsername=rpeterso)"
Sep 16 09:17:41 mid slapd[32160]: conn=1001 op=2 SRCH attr=yPrimaryEmail
Sep 16 09:17:41 mid slapd[24268]: conn=1025 op=1 SRCH base="ou=people,ou=accounts,ou=prod,dc=mtholyoke,dc=edu" scope=2 deref=0 filter="(yUsername=rpeterso)"
Sep 16 09:17:41 mid slapd[24268]: conn=1025 op=1 SRCH attr=yPrimaryEmail
Sep 16 09:17:41 mid slapd[24268]: => access_allowed: search access to "ou=people,ou=accounts,ou=prod,dc=mtholyoke,dc=edu" "entry" requested
Sep 16 09:17:41 mid slapd[24268]: => dn: [3] dc=mtholyoke,dc=edu
Sep 16 09:17:41 mid slapd[24268]: => acl_get: [3] matched
Sep 16 09:17:41 mid slapd[24268]: => acl_get: [3] attr entry
Sep 16 09:17:41 mid slapd[24268]: => acl_mask: access to entry "ou=people,ou=accounts,ou=prod,dc=mtholyoke,dc=edu", attr "entry" requested
Sep 16 09:17:41 mid slapd[24268]: => acl_mask: to all values by "uid=email,ou=admin,ou=accounts,ou=prod,dc=mtholyoke,dc=edu", (=0)
Sep 16 09:17:41 mid slapd[24268]: <= check a_dn_pat: ^uid=[^,]*,ou=admin,ou=accounts,ou=prod,dc=mtholyoke,dc=edu
Sep 16 09:17:41 mid slapd[24268]: => acl_string_expand: pattern: ^uid=[^,]*,ou=admin,ou=accounts,ou=prod,dc=mtholyoke,dc=edu
Sep 16 09:17:41 mid slapd[24268]: => acl_string_expand: expanded: ^uid=[^,]*,ou=admin,ou=accounts,ou=prod,dc=mtholyoke,dc=edu
Sep 16 09:17:41 mid slapd[24268]: <= acl_mask: [1] applying read(=rscxd) (stop)
Sep 16 09:17:41 mid slapd[24268]: <= acl_mask: [1] mask: read(=rscxd)
Sep 16 09:17:41 mid slapd[24268]: => slap_access_allowed: search access granted by read(=rscxd)
Sep 16 09:17:41 mid slapd[24268]: => access_allowed: search access granted by read(=rscxd)
Sep 16 09:17:41 mid slapd[24268]: => access_allowed: search access to "yDirectoryID=c44883ba-ac62-d28c-556f-99ccbf532da7,ou=people,ou=accounts,ou=prod,dc=mtholyoke,dc=edu" "yUsername" requested
Sep 16 09:17:41 mid slapd[24268]: => dn: [3] dc=mtholyoke,dc=edu
Sep 16 09:17:41 mid slapd[24268]: => acl_get: [3] matched
Sep 16 09:17:41 mid slapd[24268]: => dn: [4] dc=mtholyoke,dc=edu
Sep 16 09:17:41 mid slapd[24268]: => acl_get: [4] matched
Sep 16 09:17:41 mid slapd[24268]: => acl_get: [4] attr yUsername
Sep 16 09:17:41 mid slapd[24268]: => acl_mask: access to entry "yDirectoryID=c44883ba-ac62-d28c-556f-99ccbf532da7,ou=people,ou=accounts,ou=prod,dc=mtholyoke,dc=edu", attr "yUsername" requested
Sep 16 09:17:41 mid slapd[24268]: => acl_mask: to value by "uid=email,ou=admin,ou=accounts,ou=prod,dc=mtholyoke,dc=edu", (=0)
Sep 16 09:17:41 mid slapd[24268]: <= check a_dn_pat: ^uid[^,]*,ou=admin,ou=accounts,ou=prod,dc=mtholyoke,dc=edu
Sep 16 09:17:41 mid slapd[24268]: => acl_string_expand: pattern: ^uid[^,]*,ou=admin,ou=accounts,ou=prod,dc=mtholyoke,dc=edu
Sep 16 09:17:41 mid slapd[24268]: => acl_string_expand: expanded: ^uid[^,]*,ou=admin,ou=accounts,ou=prod,dc=mtholyoke,dc=edu
Sep 16 09:17:41 mid slapd[24268]: <= acl_mask: [1] applying read(=rscxd) (stop)
Sep 16 09:17:41 mid slapd[24268]: <= acl_mask: [1] mask: read(=rscxd)
Sep 16 09:17:41 mid slapd[24268]: => slap_access_allowed: search access granted by read(=rscxd)
Sep 16 09:17:41 mid slapd[24268]: => access_allowed: search access granted by read(=rscxd)
Sep 16 09:17:41 mid slapd[24268]: => access_allowed: read access to "yDirectoryID=c44883ba-ac62-d28c-556f-99ccbf532da7,ou=people,ou=accounts,ou=prod,dc=mtholyoke,dc=edu" "entry" requested
Sep 16 09:17:41 mid slapd[24268]: => dn: [3] dc=mtholyoke,dc=edu
Sep 16 09:17:41 mid slapd[24268]: => acl_get: [3] matched
Sep 16 09:17:41 mid slapd[24268]: => acl_get: [3] attr entry
Sep 16 09:17:41 mid slapd[24268]: => acl_mask: access to entry "yDirectoryID=c44883ba-ac62-d28c-556f-99ccbf532da7,ou=people,ou=accounts,ou=prod,dc=mtholyoke,dc=edu", attr "entry" requested
Sep 16 09:17:41 mid slapd[24268]: => acl_mask: to all values by "uid=email,ou=admin,ou=accounts,ou=prod,dc=mtholyoke,dc=edu", (=0)
Sep 16 09:17:41 mid slapd[24268]: <= check a_dn_pat: ^uid=[^,]*,ou=admin,ou=accounts,ou=prod,dc=mtholyoke,dc=edu
Sep 16 09:17:41 mid slapd[24268]: => acl_string_expand: pattern: ^uid=[^,]*,ou=admin,ou=accounts,ou=prod,dc=mtholyoke,dc=edu
Sep 16 09:17:41 mid slapd[24268]: => acl_string_expand: expanded: ^uid=[^,]*,ou=admin,ou=accounts,ou=prod,dc=mtholyoke,dc=edu
Sep 16 09:17:41 mid slapd[24268]: <= acl_mask: [1] applying read(=rscxd) (stop)
Sep 16 09:17:41 mid slapd[24268]: <= acl_mask: [1] mask: read(=rscxd)
Sep 16 09:17:41 mid slapd[24268]: => slap_access_allowed: read access granted by read(=rscxd)
Sep 16 09:17:41 mid slapd[24268]: => access_allowed: read access granted by read(=rscxd)
Sep 16 09:17:41 mid slapd[24268]: => access_allowed: result not in cache (yPrimaryEmail)
Sep 16 09:17:41 mid slapd[24268]: => access_allowed: read access to "yDirectoryID=c44883ba-ac62-d28c-556f-99ccbf532da7,ou=people,ou=accounts,ou=prod,dc=mtholyoke,dc=edu" "yPrimaryEmail" requested
Sep 16 09:17:41 mid slapd[24268]: => dn: [3] dc=mtholyoke,dc=edu
Sep 16 09:17:41 mid slapd[24268]: => acl_get: [3] matched
Sep 16 09:17:41 mid slapd[24268]: => dn: [4] dc=mtholyoke,dc=edu
Sep 16 09:17:41 mid slapd[24268]: => acl_get: [4] matched
Sep 16 09:17:41 mid slapd[24268]: => acl_get: [4] attr yPrimaryEmail
Sep 16 09:17:41 mid slapd[24268]: => acl_mask: access to entry "yDirectoryID=c44883ba-ac62-d28c-556f-99ccbf532da7,ou=people,ou=accounts,ou=prod,dc=mtholyoke,dc=edu", attr "yPrimaryEmail" requested
Sep 16 09:17:41 mid slapd[24268]: => acl_mask: to value by "uid=email,ou=admin,ou=accounts,ou=prod,dc=mtholyoke,dc=edu", (=0)
Sep 16 09:17:41 mid slapd[24268]: <= check a_dn_pat: ^uid[^,]*,ou=admin,ou=accounts,ou=prod,dc=mtholyoke,dc=edu
Sep 16 09:17:41 mid slapd[24268]: => acl_string_expand: pattern: ^uid[^,]*,ou=admin,ou=accounts,ou=prod,dc=mtholyoke,dc=edu
Sep 16 09:17:41 mid slapd[24268]: => acl_string_expand: expanded: ^uid[^,]*,ou=admin,ou=accounts,ou=prod,dc=mtholyoke,dc=edu
Sep 16 09:17:41 mid slapd[24268]: <= acl_mask: [1] applying read(=rscxd) (stop)
Sep 16 09:17:41 mid slapd[24268]: <= acl_mask: [1] mask: read(=rscxd)
Sep 16 09:17:41 mid slapd[24268]: => slap_access_allowed: read access granted by read(=rscxd)
Sep 16 09:17:41 mid slapd[24268]: => access_allowed: read access granted by read(=rscxd)
Sep 16 09:17:41 mid slapd[24268]: conn=1025 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Sep 16 09:17:41 mid slapd[32160]: => access_allowed: read access to "yDirectoryID=c44883ba-ac62-d28c-556f-99ccbf532da7,ou=people,ou=accounts,ou=prod,dc=mtholyoke,dc=edu" "entry" requested
Sep 16 09:17:41 mid slapd[32160]: => dn: [1] ou=people,ou=accounts,ou=prod,dc=mtholyoke,dc=edu
Sep 16 09:17:41 mid slapd[32160]: => acl_get: [1] matched
Sep 16 09:17:41 mid slapd[32160]: => acl_get: [1] attr entry
Sep 16 09:17:41 mid slapd[32160]: => acl_mask: access to entry "yDirectoryID=c44883ba-ac62-d28c-556f-99ccbf532da7,ou=people,ou=accounts,ou=prod,dc=mtholyoke,dc=edu", attr "entry" requested
Sep 16 09:17:41 mid slapd[32160]: => acl_mask: to all values by "uid=email,ou=admin,ou=accounts,ou=prod,dc=mtholyoke,dc=edu", (=0)
Sep 16 09:17:41 mid slapd[32160]: <= check a_dn_pat: uid=email,ou=admin,ou=accounts,ou=prod,dc=mtholyoke,dc=edu
Sep 16 09:17:41 mid slapd[32160]: <= acl_mask: [1] applying read(=rscxd) (stop)
Sep 16 09:17:41 mid slapd[32160]: <= acl_mask: [1] mask: read(=rscxd)
Sep 16 09:17:41 mid slapd[32160]: => slap_access_allowed: read access granted by read(=rscxd)
Sep 16 09:17:41 mid slapd[32160]: => access_allowed: read access granted by read(=rscxd)
Sep 16 09:17:41 mid slapd[32160]: => access_allowed: result not in cache (yPrimaryEmail)
Sep 16 09:17:41 mid slapd[32160]: => access_allowed: read access to "yDirectoryID=c44883ba-ac62-d28c-556f-99ccbf532da7,ou=people,ou=accounts,ou=prod,dc=mtholyoke,dc=edu" "yPrimaryEmail" requested
Sep 16 09:17:41 mid slapd[32160]: => dn: [1] ou=people,ou=accounts,ou=prod,dc=mtholyoke,dc=edu
Sep 16 09:17:41 mid slapd[32160]: => acl_get: [1] matched
Sep 16 09:17:41 mid slapd[32160]: => dn: [2] ou=people,ou=accounts,ou=prod,dc=mtholyoke,dc=edu
Sep 16 09:17:41 mid slapd[32160]: => acl_get: [2] matched
Sep 16 09:17:41 mid slapd[32160]: => dn: [3] ou=people,ou=accounts,ou=prod,dc=mtholyoke,dc=edu
Sep 16 09:17:41 mid slapd[32160]: => acl_get: [3] matched
Sep 16 09:17:41 mid slapd[32160]: => test_filter
Sep 16 09:17:41 mid slapd[32160]: EQUALITY
Sep 16 09:17:41 mid slapd[32160]: => access_allowed: search access to "yDirectoryID=c44883ba-ac62-d28c-556f-99ccbf532da7,ou=people,ou=accounts,ou=prod,dc=mtholyoke,dc=edu" "yApplicationPermission" requested
Sep 16 09:17:41 mid slapd[32160]: <= test_filter 5
Sep 16 09:17:41 mid slapd[32160]: <= acl_get: done.
Sep 16 09:17:41 mid slapd[32160]: => slap_access_allowed: no more rules
Sep 16 09:17:41 mid slapd[32160]: => access_allowed: no more rules
Sep 16 09:17:41 mid slapd[32160]: send_search_entry: conn 1001 access to attribute yPrimaryEmail, value #0 not allowed
Sep 16 09:17:41 mid slapd[32160]: conn=1001 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
Sep 16 09:17:41 mid slapd[32160]: conn=1001 op=3 UNBIND
Sep 16 09:17:41 mid slapd[24268]: conn=1025 op=2 UNBIND
Sep 16 09:17:41 mid slapd[32160]: conn=1001 fd=13 closed
Sep 16 09:17:41 mid slapd[24268]: conn=1025 fd=13 closed
Sep 16 09:17:41 mid slapd[24268]: connection_read(13): no connection!
Sep 16 09:17:41 mid slapd[24268]: connection_read(13): no connection!
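An added example, not from the thread: a small Python parser for slapd ACL debug output of the kind quoted above (loglevel 128). It pairs each "=> access_allowed ... requested" line with its verdict per slapd pid, and records an attribute check that was opened inside test_filter but never got a verdict line, which is what the proxy log shows for yApplicationPermission, as unresolved. The embedded log lines are constructed and shortened, modelled on the thread's output.

```python
import re
from dataclasses import dataclass

# Constructed sample modelled on the slapd ACL debug lines (loglevel 128)
# quoted in this thread; DNs are shortened, it is not a verbatim copy.
SAMPLE_LOG = """\
Sep 16 09:17:41 mid slapd[24268]: => access_allowed: read access to "yDirectoryID=c448,ou=people,dc=example,dc=edu" "yPrimaryEmail" requested
Sep 16 09:17:41 mid slapd[24268]: => slap_access_allowed: read access granted by read(=rscxd)
Sep 16 09:17:41 mid slapd[24268]: => access_allowed: read access granted by read(=rscxd)
Sep 16 09:17:41 mid slapd[32160]: => access_allowed: read access to "yDirectoryID=c448,ou=people,dc=example,dc=edu" "yPrimaryEmail" requested
Sep 16 09:17:41 mid slapd[32160]: => test_filter
Sep 16 09:17:41 mid slapd[32160]: => access_allowed: search access to "yDirectoryID=c448,ou=people,dc=example,dc=edu" "yApplicationPermission" requested
Sep 16 09:17:41 mid slapd[32160]: <= test_filter 5
Sep 16 09:17:41 mid slapd[32160]: => access_allowed: no more rules
Sep 16 09:17:41 mid slapd[32160]: send_search_entry: conn 1001 access to attribute yPrimaryEmail, value #0 not allowed
"""

RE_PID = re.compile(r"slapd\[(\d+)\]: (.*)$")
RE_REQ = re.compile(r'^=> access_allowed: (\w+) access to "([^"]*)" "([^"]*)" requested')
RE_RES = re.compile(r"^=> access_allowed: \w+ access (granted|denied) by (\S+)")
RE_FILTER_END = re.compile(r"^<= test_filter (\d+)")
RE_WITHHELD = re.compile(r"^send_search_entry: conn (\d+) access to attribute (\S+), value #\d+ not allowed")


@dataclass
class Decision:
    pid: str      # slapd process doing the check (proxy vs. master in the thread)
    access: str   # auth / search / read ... ("send" for an attribute withheld on output)
    target: str   # entry DN, or "conn N" for a withheld attribute
    attr: str
    outcome: str  # granted / denied / no more rules / unresolved / withheld
    rule: str = ""


def _close(stack, decisions, outcome, rule):
    """Resolve the innermost pending check, if any (never the filter marker)."""
    if stack and stack[-1] != "filter":
        d = stack.pop()
        d.outcome, d.rule = outcome, rule
        decisions.append(d)


def parse_acl_log(text):
    """Pair each '=> access_allowed ... requested' line with its verdict, per pid.
    Checks opened inside '=> test_filter' (a filter= clause being evaluated) may
    get no verdict line at all, as the proxy log in this thread shows; the
    '<= test_filter N' line closes them as 'unresolved', tagged with the rc."""
    stacks, decisions = {}, []
    for line in text.splitlines():
        m = RE_PID.search(line)
        if not m:
            continue
        pid, msg = m.groups()
        stack = stacks.setdefault(pid, [])
        if (r := RE_REQ.match(msg)):
            stack.append(Decision(pid, r[1], r[2], r[3], "unresolved"))
        elif (r := RE_RES.match(msg)):
            _close(stack, decisions, r[1], r[2])
        elif msg.startswith("=> access_allowed: no more rules"):
            _close(stack, decisions, "no more rules", "")  # implicit deny
        elif msg.startswith("=> test_filter"):
            stack.append("filter")
        elif (r := RE_FILTER_END.match(msg)):
            while stack and stack[-1] != "filter":
                _close(stack, decisions, "unresolved", f"test_filter rc={r[1]}")
            if stack:
                stack.pop()
        elif (r := RE_WITHHELD.match(msg)):
            decisions.append(Decision(pid, "send", f"conn {r[1]}", r[2], "withheld"))
    return decisions


def not_granted(decisions):
    """(pid, attr, outcome) for every check that did not end in a grant."""
    return [(d.pid, d.attr, d.outcome) for d in decisions if d.outcome != "granted"]
```

Run over the full proxy and master logs, not_granted() lists only the proxy-side checks, which is the quickest way to confirm the thread's observation that the master grants everything and the proxy's filter= rule is where the attribute is lost.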
openldap-technical@openldap.org