hi,
i’m using this acl:
{0}to filter=(objectclass=person) attrs=Hidden by group.exact="cn=group,ou=groups,o=abc.net" none
but members of the group can still access the attribute Hidden. with any filter it does not work. if i use a single dn it works.
seems to me filters do not work?
chris
BÖSCH Christian wrote:
i’m using this acl:
{0}to filter=(objectclass=person) attrs=Hidden by group.exact="cn=group,ou=groups,o=abc.net" none
but members of the group can still access the attribute Hidden. with any filter it does not work. if i use a single dn it works.
seems to me filters do not work?
..or there is another ACL applied before reaching this ACL.
Debug this with log level "acl".
Ciao, Michael.
On 26 Jan 2016, at 12:23, Michael Ströder michael@stroeder.com wrote:
BÖSCH Christian wrote:
i’m using this acl:
{0}to filter=(objectclass=person) attrs=Hidden by group.exact="cn=group,ou=groups,o=abc.net" none
but members of the group can still access the attribute Hidden. with any filter it does not work. if i use a single dn it works.
seems to me filters do not work?
..or there is another ACL applied before reaching this ACL.
no, it’s the first acl entry.
Debug this with log level "acl".
below is the debug. do you see something suspicious? thanks, christian
Jan 26 12:35:46 openldap1 slapd[84283]: => mdb_entry_get: found entry: "uid=user1,ou=people,o=abc.net"
Jan 26 12:35:46 openldap1 slapd[84283]: => mdb_entry_get: found entry: "cn=default,ou=ppolicies,o=abc.net"
Jan 26 12:35:46 openldap1 slapd[84283]: => access_allowed: result not in cache (userPassword)
Jan 26 12:35:46 openldap1 slapd[84283]: => access_allowed: auth access to "uid=user1,ou=people,o=abc.net" "userPassword" requested
Jan 26 12:35:46 openldap1 slapd[84283]: => acl_get: [3] attr userPassword
Jan 26 12:35:46 openldap1 slapd[84283]: => acl_mask: access to entry "uid=user1,ou=people,o=abc.net", attr "userPassword" requested
Jan 26 12:35:46 openldap1 slapd[84283]: => acl_mask: to value by "", (=0)
Jan 26 12:35:46 openldap1 slapd[84283]: <= check a_dn_pat: self
Jan 26 12:35:46 openldap1 slapd[84283]: <= check a_dn_pat: anonymous
Jan 26 12:35:46 openldap1 slapd[84283]: <= acl_mask: [2] applying auth(=xd) (stop)
Jan 26 12:35:46 openldap1 slapd[84283]: <= acl_mask: [2] mask: auth(=xd)
Jan 26 12:35:46 openldap1 slapd[84283]: => slap_access_allowed: auth access granted by auth(=xd)
Jan 26 12:35:46 openldap1 slapd[84283]: => access_allowed: auth access granted by auth(=xd)
Jan 26 12:35:46 openldap1 slapd[84283]: => mdb_entry_get: found entry: "uid=user1,ou=people,o=abc.net"
Jan 26 12:35:46 openldap1 slapd[84283]: => access_allowed: search access to "o=abc.net" "entry" requested
Jan 26 12:35:46 openldap1 slapd[84283]: => acl_get: [4] attr entry
Jan 26 12:35:46 openldap1 slapd[84283]: => acl_mask: access to entry "o=abc.net", attr "entry" requested
Jan 26 12:35:46 openldap1 slapd[84283]: => acl_mask: to all values by "uid=user1,ou=people,o=abc.net", (=0)
Jan 26 12:35:46 openldap1 slapd[84283]: <= check a_dn_pat: *
Jan 26 12:35:46 openldap1 slapd[84283]: <= acl_mask: [1] applying read(=rscxd) (stop)
Jan 26 12:35:46 openldap1 slapd[84283]: <= acl_mask: [1] mask: read(=rscxd)
Jan 26 12:35:46 openldap1 slapd[84283]: => slap_access_allowed: search access granted by read(=rscxd)
Jan 26 12:35:46 openldap1 slapd[84283]: => access_allowed: search access granted by read(=rscxd)
Jan 26 12:35:46 openldap1 slapd[84283]: => access_allowed: search access to "uid=user2,ou=people,o=abc.net" "uid" requested
Jan 26 12:35:46 openldap1 slapd[84283]: => acl_get: [4] attr uid
Jan 26 12:35:46 openldap1 slapd[84283]: => acl_mask: access to entry "uid=user2,ou=people,o=abc.net", attr "uid" requested
Jan 26 12:35:46 openldap1 slapd[84283]: => acl_mask: to value by "uid=user1,ou=people,o=abc.net", (=0)
Jan 26 12:35:46 openldap1 slapd[84283]: <= check a_dn_pat: *
Jan 26 12:35:46 openldap1 slapd[84283]: <= acl_mask: [1] applying read(=rscxd) (stop)
Jan 26 12:35:46 openldap1 slapd[84283]: <= acl_mask: [1] mask: read(=rscxd)
Jan 26 12:35:46 openldap1 slapd[84283]: => slap_access_allowed: search access granted by read(=rscxd)
Jan 26 12:35:46 openldap1 slapd[84283]: => access_allowed: search access granted by read(=rscxd)
Jan 26 12:35:46 openldap1 slapd[84283]: => access_allowed: read access to "uid=user2,ou=people,o=abc.net" "entry" requested
Jan 26 12:35:46 openldap1 slapd[84283]: => acl_get: [4] attr entry
Jan 26 12:35:46 openldap1 slapd[84283]: => acl_mask: access to entry "uid=user2,ou=people,o=abc.net", attr "entry" requested
Jan 26 12:35:46 openldap1 slapd[84283]: => acl_mask: to all values by "uid=user1,ou=people,o=abc.net", (=0)
Jan 26 12:35:46 openldap1 slapd[84283]: <= check a_dn_pat: *
Jan 26 12:35:46 openldap1 slapd[84283]: <= acl_mask: [1] applying read(=rscxd) (stop)
Jan 26 12:35:46 openldap1 slapd[84283]: <= acl_mask: [1] mask: read(=rscxd)
Jan 26 12:35:46 openldap1 slapd[84283]: => slap_access_allowed: read access granted by read(=rscxd)
Jan 26 12:35:46 openldap1 slapd[84283]: => access_allowed: read access granted by read(=rscxd)
Jan 26 12:35:46 openldap1 slapd[84283]: => access_allowed: result not in cache (Hidden)
Jan 26 12:35:46 openldap1 slapd[84283]: => access_allowed: read access to "uid=user2,ou=people,o=abc.net" "Hidden" requested
Jan 26 12:35:46 openldap1 slapd[84283]: => access_allowed: search access to "uid=user2,ou=people,o=abc.net" "objectClass" requested
Jan 26 12:35:46 openldap1 slapd[84283]: => acl_get: [2] attr Hidden
Jan 26 12:35:46 openldap1 slapd[84283]: => acl_mask: access to entry "uid=user2,ou=people,o=abc.net", attr "Hidden" requested
Jan 26 12:35:46 openldap1 slapd[84283]: => acl_mask: to value by "uid=user1,ou=people,o=abc.net", (=0)
Jan 26 12:35:46 openldap1 slapd[84283]: <= check a_group_pat: cn=group,ou=groups,o=abc.net
Jan 26 12:35:46 openldap1 slapd[84283]: => mdb_entry_get: found entry: "cn=group,ou=groups,o=abc.net"
Jan 26 12:35:46 openldap1 slapd[84283]: <= check a_authz.sai_ssf: ACL 128 > OP 256
Jan 26 12:35:46 openldap1 slapd[84283]: <= acl_mask: [1] applying read(=rscxd) (stop)
Jan 26 12:35:46 openldap1 slapd[84283]: <= acl_mask: [1] mask: read(=rscxd)
Jan 26 12:35:46 openldap1 slapd[84283]: => slap_access_allowed: read access granted by read(=rscxd)
Jan 26 12:35:46 openldap1 slapd[84283]: => access_allowed: read access granted by read(=rscxd)
Jan 26 12:35:46 openldap1 slapd[84283]: connection_read(36): no connection!
Ciao, Michael.
BÖSCH Christian wrote:
On 26 Jan 2016, at 12:23, Michael Ströder michael@stroeder.com wrote:
BÖSCH Christian wrote:
i’m using this acl:
{0}to filter=(objectclass=person) attrs=Hidden by group.exact="cn=group,ou=groups,o=abc.net" none
but members of the group can still access the attribute Hidden. with any filter it does not work. if i use a single dn it works.
seems to me filters do not work?
..or there is another ACL applied before reaching this ACL.
no, it’s the first acl entry.
Without seeing the complete configuration one can only guess. Note that global ACLs in cn=config are also applied.
below is the debug. do you see something suspicious?
I won't debug your ACLs. It's your homework, especially because you're the only one who has all the necessary information.
Jan 26 12:35:46 openldap1 slapd[84283]: => acl_get: [2] attr Hidden
Jan 26 12:35:46 openldap1 slapd[84283]: => acl_mask: access to entry "uid=user2,ou=people,o=abc.net", attr "Hidden" requested
Jan 26 12:35:46 openldap1 slapd[84283]: => acl_mask: to value by "uid=user1,ou=people,o=abc.net", (=0)
Jan 26 12:35:46 openldap1 slapd[84283]: <= check a_group_pat: cn=group,ou=groups,o=abc.net
Jan 26 12:35:46 openldap1 slapd[84283]: => mdb_entry_get: found entry: "cn=group,ou=groups,o=abc.net"
Jan 26 12:35:46 openldap1 slapd[84283]: <= check a_authz.sai_ssf: ACL 128 > OP 256
Jan 26 12:35:46 openldap1 slapd[84283]: <= acl_mask: [1] applying read(=rscxd) (stop)
Jan 26 12:35:46 openldap1 slapd[84283]: <= acl_mask: [1] mask: read(=rscxd)
Jan 26 12:35:46 openldap1 slapd[84283]: => slap_access_allowed: read access granted by read(=rscxd)
Jan 26 12:35:46 openldap1 slapd[84283]: => access_allowed: read access granted by read(=rscxd)
Jan 26 12:35:46 openldap1 slapd[84283]: connection_read(36): no connection!
You have to check why there is read access granted.
Ciao, Michael.
openldap-technical@openldap.org
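A small parser for the loglevel "acl" lines exchanged in this thread, added here as an example and not code from the thread or from OpenLDAP: it groups the log into one record per access decision, so for each attribute you can read off which ACL's <what> clause matched (the acl_get index), which <by> conditions slapd tested (the check a_* lines) and which <by> clause finally applied a privilege, which is exactly the "why is read granted" question above. The sample log is constructed in the format of the dump (same DN and PID placeholders), and the line shapes the regexes assume are only those visible in the thread.

```python
import re

# Constructed sample in the shape of slapd's loglevel "acl" output (not the thread's dump);
# the objectClass request is deliberately interleaved, as it is in the real log above.
SAMPLE_LOG = """\
Jan 26 12:35:46 openldap1 slapd[84283]: => access_allowed: read access to "uid=user2,ou=people,o=abc.net" "Hidden" requested
Jan 26 12:35:46 openldap1 slapd[84283]: => access_allowed: search access to "uid=user2,ou=people,o=abc.net" "objectClass" requested
Jan 26 12:35:46 openldap1 slapd[84283]: => acl_get: [2] attr Hidden
Jan 26 12:35:46 openldap1 slapd[84283]: => acl_mask: to value by "uid=user1,ou=people,o=abc.net", (=0)
Jan 26 12:35:46 openldap1 slapd[84283]: <= check a_group_pat: cn=group,ou=groups,o=abc.net
Jan 26 12:35:46 openldap1 slapd[84283]: <= check a_authz.sai_ssf: ACL 128 > OP 256
Jan 26 12:35:46 openldap1 slapd[84283]: <= acl_mask: [1] applying read(=rscxd) (stop)
Jan 26 12:35:46 openldap1 slapd[84283]: => access_allowed: read access granted by read(=rscxd)
"""

REQ = re.compile(r'=> access_allowed: (\w+) access to "([^"]*)" "([^"]+)" requested')
GET = re.compile(r'=> acl_get: \[(\d+)\] attr (\S+)')
BY = re.compile(r'=> acl_mask: to (?:all values|value) by "([^"]*)"')
CHK = re.compile(r'<= check (a_\S+): (.*)')
APP = re.compile(r'<= acl_mask: \[(\d+)\] applying (\S+) \((\w+)\)')
RES = re.compile(r'=> access_allowed: (\w+) access (granted|denied) by (\S+)')

def parse_acl_decisions(text):
    """One record per decision; keyed by attribute, since slapd may log the next request first."""
    pending, cur, done = {}, None, []
    for line in text.splitlines():
        if m := REQ.search(line):
            pending[m[3].lower()] = {"access": m[1], "entry": m[2], "attr": m[3], "acl": None,
                                     "by": None, "checks": [], "applied": None, "result": None}
        elif m := GET.search(line):           # acl_get names the ACL whose <what> matched
            cur = pending.pop(m[2].lower(), None)
            if cur is not None:
                cur["acl"] = int(m[1])
        elif cur is None:
            continue
        elif m := BY.search(line):            # the bound DN being evaluated ("" = anonymous)
            cur["by"] = m[1] or "<anonymous>"
        elif m := CHK.search(line):           # each <by> condition slapd tested
            cur["checks"].append((m[1], m[2]))
        elif m := APP.search(line):           # the <by> clause that fired and its privilege
            cur["applied"] = (int(m[1]), m[2], m[3])
        elif m := RES.search(line):
            cur["result"] = (m[2], m[3])
            done.append(cur)
            cur = None
    return done, sorted(pending)              # pending = requests never re-evaluated (cached)

def summarize(d):
    fired = d["applied"] and f"<by> #{d['applied'][0]} applied {d['applied'][1]}"
    return (f"{d['access']} {d['attr']} on {d['entry']} as {d['by']}: ACL #{d['acl']}, "
            f"checks {[c[0] for c in d['checks']]}, {fired or 'no <by> fired'} -> {d['result'][0]}")
```

Run it over a real dump (`parse_acl_decisions(open("slapd.log").read())`) and compare the acl_get index of the Hidden decision with the position of your intended ACL, remembering that global ACLs in cn=config count too.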