On 26 Jan 2016, at 12:23 , Michael Ströder
<michael(a)stroeder.com> wrote:
BÖSCH Christian wrote:
> i’m using this acl:
>
> {0}to filter=(objectclass=person) attrs=Hidden by group.exact="cn=group,ou=groups,o=abc.net" none
>
> but members of the group can still access the attribute Hidden.
> with any filter it does not work.
> if i use a single dn it works.
>
> seems to me filters do not work?
...or there is another ACL applied before reaching this ACL.
no, it’s the first acl entry.
Debug this with log level "acl".
below is the debug. do you see something suspicious?
thanks, christian
Jan 26 12:35:46 openldap1 slapd[84283]: => mdb_entry_get: found entry: "uid=user1,ou=people,o=abc.net"
Jan 26 12:35:46 openldap1 slapd[84283]: => mdb_entry_get: found entry: "cn=default,ou=ppolicies,o=abc.net"
Jan 26 12:35:46 openldap1 slapd[84283]: => access_allowed: result not in cache (userPassword)
Jan 26 12:35:46 openldap1 slapd[84283]: => access_allowed: auth access to "uid=user1,ou=people,o=abc.net" "userPassword" requested
Jan 26 12:35:46 openldap1 slapd[84283]: => acl_get: [3] attr userPassword
Jan 26 12:35:46 openldap1 slapd[84283]: => acl_mask: access to entry "uid=user1,ou=people,o=abc.net", attr "userPassword" requested
Jan 26 12:35:46 openldap1 slapd[84283]: => acl_mask: to value by "", (=0)
Jan 26 12:35:46 openldap1 slapd[84283]: <= check a_dn_pat: self
Jan 26 12:35:46 openldap1 slapd[84283]: <= check a_dn_pat: anonymous
Jan 26 12:35:46 openldap1 slapd[84283]: <= acl_mask: [2] applying auth(=xd) (stop)
Jan 26 12:35:46 openldap1 slapd[84283]: <= acl_mask: [2] mask: auth(=xd)
Jan 26 12:35:46 openldap1 slapd[84283]: => slap_access_allowed: auth access granted by auth(=xd)
Jan 26 12:35:46 openldap1 slapd[84283]: => access_allowed: auth access granted by auth(=xd)
Jan 26 12:35:46 openldap1 slapd[84283]: => mdb_entry_get: found entry: "uid=user1,ou=people,o=abc.net"
Jan 26 12:35:46 openldap1 slapd[84283]: => access_allowed: search access to "o=abc.net" "entry" requested
Jan 26 12:35:46 openldap1 slapd[84283]: => acl_get: [4] attr entry
Jan 26 12:35:46 openldap1 slapd[84283]: => acl_mask: access to entry "o=abc.net", attr "entry" requested
Jan 26 12:35:46 openldap1 slapd[84283]: => acl_mask: to all values by "uid=user1,ou=people,o=abc.net", (=0)
Jan 26 12:35:46 openldap1 slapd[84283]: <= check a_dn_pat: *
Jan 26 12:35:46 openldap1 slapd[84283]: <= acl_mask: [1] applying read(=rscxd) (stop)
Jan 26 12:35:46 openldap1 slapd[84283]: <= acl_mask: [1] mask: read(=rscxd)
Jan 26 12:35:46 openldap1 slapd[84283]: => slap_access_allowed: search access granted by read(=rscxd)
Jan 26 12:35:46 openldap1 slapd[84283]: => access_allowed: search access granted by read(=rscxd)
Jan 26 12:35:46 openldap1 slapd[84283]: => access_allowed: search access to "uid=user2,ou=people,o=abc.net" "uid" requested
Jan 26 12:35:46 openldap1 slapd[84283]: => acl_get: [4] attr uid
Jan 26 12:35:46 openldap1 slapd[84283]: => acl_mask: access to entry "uid=user2,ou=people,o=abc.net", attr "uid" requested
Jan 26 12:35:46 openldap1 slapd[84283]: => acl_mask: to value by "uid=user1,ou=people,o=abc.net", (=0)
Jan 26 12:35:46 openldap1 slapd[84283]: <= check a_dn_pat: *
Jan 26 12:35:46 openldap1 slapd[84283]: <= acl_mask: [1] applying read(=rscxd) (stop)
Jan 26 12:35:46 openldap1 slapd[84283]: <= acl_mask: [1] mask: read(=rscxd)
Jan 26 12:35:46 openldap1 slapd[84283]: => slap_access_allowed: search access granted by read(=rscxd)
Jan 26 12:35:46 openldap1 slapd[84283]: => access_allowed: search access granted by read(=rscxd)
Jan 26 12:35:46 openldap1 slapd[84283]: => access_allowed: read access to "uid=user2,ou=people,o=abc.net" "entry" requested
Jan 26 12:35:46 openldap1 slapd[84283]: => acl_get: [4] attr entry
Jan 26 12:35:46 openldap1 slapd[84283]: => acl_mask: access to entry "uid=user2,ou=people,o=abc.net", attr "entry" requested
Jan 26 12:35:46 openldap1 slapd[84283]: => acl_mask: to all values by "uid=user1,ou=people,o=abc.net", (=0)
Jan 26 12:35:46 openldap1 slapd[84283]: <= check a_dn_pat: *
Jan 26 12:35:46 openldap1 slapd[84283]: <= acl_mask: [1] applying read(=rscxd) (stop)
Jan 26 12:35:46 openldap1 slapd[84283]: <= acl_mask: [1] mask: read(=rscxd)
Jan 26 12:35:46 openldap1 slapd[84283]: => slap_access_allowed: read access granted by read(=rscxd)
Jan 26 12:35:46 openldap1 slapd[84283]: => access_allowed: read access granted by read(=rscxd)
Jan 26 12:35:46 openldap1 slapd[84283]: => access_allowed: result not in cache (Hidden)
Jan 26 12:35:46 openldap1 slapd[84283]: => access_allowed: read access to "uid=user2,ou=people,o=abc.net" "Hidden" requested
Jan 26 12:35:46 openldap1 slapd[84283]: => access_allowed: search access to "uid=user2,ou=people,o=abc.net" "objectClass" requested
Jan 26 12:35:46 openldap1 slapd[84283]: => acl_get: [2] attr Hidden
Jan 26 12:35:46 openldap1 slapd[84283]: => acl_mask: access to entry "uid=user2,ou=people,o=abc.net", attr "Hidden" requested
Jan 26 12:35:46 openldap1 slapd[84283]: => acl_mask: to value by "uid=user1,ou=people,o=abc.net", (=0)
Jan 26 12:35:46 openldap1 slapd[84283]: <= check a_group_pat: cn=group,ou=groups,o=abc.net
Jan 26 12:35:46 openldap1 slapd[84283]: => mdb_entry_get: found entry: "cn=group,ou=groups,o=abc.net"
Jan 26 12:35:46 openldap1 slapd[84283]: <= check a_authz.sai_ssf: ACL 128 > OP 256
Jan 26 12:35:46 openldap1 slapd[84283]: <= acl_mask: [1] applying read(=rscxd) (stop)
Jan 26 12:35:46 openldap1 slapd[84283]: <= acl_mask: [1] mask: read(=rscxd)
Jan 26 12:35:46 openldap1 slapd[84283]: => slap_access_allowed: read access granted by read(=rscxd)
Jan 26 12:35:46 openldap1 slapd[84283]: => access_allowed: read access granted by read(=rscxd)
Jan 26 12:35:46 openldap1 slapd[84283]: connection_read(36): no connection!
Ciao, Michael.
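As an added example that is not part of this thread: a small Python parser for slapd loglevel "acl" output like the log above. It correlates each "access_allowed ... requested" line with the "acl_get: [N]" line (the ACL number slapd selected) and the "acl_mask: [N] applying" line (the by-clause index that ended evaluation), and keeps the "<= check ..." tests slapd actually ran, so you can see which ACL and clause produced each grant. The sample lines are constructed from the Hidden sequence in the log, with the mail-client wrapping undone.

```python
import re

# Constructed sample, modelled on the loglevel "acl" lines quoted in the thread
# (shared syslog prefix factored out as P).
P = "Jan 26 12:35:46 openldap1 slapd[84283]: "
SAMPLE = [P + s for s in [
    '=> access_allowed: read access to "uid=user2,ou=people,o=abc.net" "Hidden" requested',
    '=> access_allowed: search access to "uid=user2,ou=people,o=abc.net" "objectClass" requested',
    '=> acl_get: [2] attr Hidden',
    '=> acl_mask: to value by "uid=user1,ou=people,o=abc.net", (=0)',
    '<= check a_group_pat: cn=group,ou=groups,o=abc.net',
    '<= check a_authz.sai_ssf: ACL 128 > OP 256',
    '<= acl_mask: [1] applying read(=rscxd) (stop)',
    '=> access_allowed: read access granted by read(=rscxd)',
]]

RE_REQ = re.compile(r'=> access_allowed: (\w+) access to "([^"]*)" "([^"]*)" requested')
RE_GET = re.compile(r'=> acl_get: \[(\d+)\] attr (\S+)')
RE_BY = re.compile(r'=> acl_mask: to (?:all values|value) by "([^"]*)"')
RE_CHECK = re.compile(r'<= check (.+)$')
RE_MASK = re.compile(r'<= acl_mask: \[(\d+)\] applying (\S+)')
RE_RESULT = re.compile(r'=> access_allowed: \w+ access (granted|denied) by (\S+)')

def trace_acl(lines):
    """One dict per attribute decision: which ACL, which by-clause and which checks produced it."""
    decisions, pending, cur = [], {}, None
    for line in lines:
        if m := RE_REQ.search(line):       # request seen; a decision may follow (or be cached)
            pending[m[3]] = {"access": m[1], "dn": m[2], "attr": m[3]}
        elif m := RE_GET.search(line):     # slapd selected ACL number N for this attribute
            cur = pending.pop(m[2], {"access": None, "dn": None, "attr": m[2]})
            cur.update(acl=int(m[1]), who=None, checks=[], clause=None, mask=None, result=None)
        elif cur is None:
            continue
        elif m := RE_BY.search(line):      # bound DN the by-clauses are evaluated against
            cur["who"] = m[1]
        elif m := RE_CHECK.search(line):   # each by-clause test slapd actually performed
            cur["checks"].append(m[1].strip())
        elif m := RE_MASK.search(line):    # by-clause index and mask that stopped evaluation
            cur["clause"], cur["mask"] = int(m[1]), m[2]
        elif m := RE_RESULT.search(line):
            cur["result"] = m[1]
            decisions.append(cur)
            cur = None
    return decisions

def summarize(decisions):
    """One line per decision, e.g. to spot an attribute granted by an unexpected ACL or clause."""
    return [f'{d["attr"]} on {d["dn"]} by {d["who"]}: ACL [{d["acl"]}] clause [{d["clause"]}] '
            f'-> {d["mask"]} {d["result"]}; checks: {d["checks"]}' for d in decisions]
```

Feed it the lines of a real log (for example `summarize(trace_acl(open("slapd.log")))`); a request whose attribute never gets an acl_get line (like objectClass above) was answered from the ACL cache and stays in `pending`.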