aci: (targetfilter = "(objectClass=ipaToken)")(targetattrs = "objectclass || description || managedBy || ipatokenUniqueID || ipatokenDisabled || ipatokenNotBefore || ipatokenNotAfter || ipatokenVendor || ipatokenModel || ipatokenSerial || ipatokenOwner")(version 3.0; acl "*Users/managers can read basic token* info"; allow (read, search, compare) userattr = "ipatokenOwner#USERDN" or userattr = "managedBy#USERDN";)
...
[09/Oct/2014:21:34:59 -0400] NSACLPlugin - Processed attr:managedBy for entry:ipatokenuniqueid=bar,cn=otp,dc=example,dc=com
[09/Oct/2014:21:34:59 -0400] NSACLPlugin - 1. Evaluating ALLOW aci(11) " "*Users/managers can read basic token info*""
[09/Oct/2014:21:34:59 -0400] NSACLPlugin - Found READ SKIP in cache
[09/Oct/2014:21:34:59 -0400] NSACLPlugin - 2. Evaluating ALLOW aci(19) " "Admin can manage any entry""
[09/Oct/2014:21:34:59 -0400] NSACLPlugin - Found READ SKIP in cache
[09/Oct/2014:21:34:59 -0400] NSACLPlugin - conn=29 op=1 (main): Deny read on entry(ipatokenuniqueid=bar,cn=otp,dc=example,dc=com).attr(managedBy) to uid=otp,cn=users,cn=accounts,dc=example,dc=com: no aci matched the subject by aci(19): aciname= "Admin can manage any entry", acidn="dc=example,dc=com"
[09/Oct/2014:21:34:59 -0400] - process_read_entry_controls: access to entry not allowed (ipatokenuniqueid=bar,cn=otp,dc=example,dc=com)
But for some reason, the evaluation of the READ access was not accepted.
The key is READ SKIP; it looks like it is using a cached evaluation of the ACIs, where the ACI did not apply. ACI caching is ....
Exact.
Well, I think I've been a bit too fast: the READ SKIP is only logged from the second attribute on, so caching was OK, but the wrong result was cached. What is really strange are these lines:
[09/Oct/2014:21:34:58 -0400] NSACLPlugin - 1. Evaluating ALLOW aci(11) " "Users/managers can read basic token info""
[09/Oct/2014:21:34:58 -0400] NSACLPlugin - Attr:ipatokenOwner
[09/Oct/2014:21:34:58 -0400] NSACLPlugin - ACL info: userdnattr does not allow ADD permission at level 0.
[09/Oct/2014:21:34:58 -0400] NSACLPlugin - Returning UNDEFINED for userdnattr evaluation.
Why ADD, why UNDEFINED?
Now if I create two entries x/y and their associated ipatokens tokenX/tokenY and play with updating:
x updates tokenX, then y updates tokenY
x updates tokenX, then x updates tokenY
y updates tokenY, then x updates tokenX
...
each time I got the postread.
Something curious is going on that makes ACL_EvalTestRights return something different than ACL_RES_ALLOW.
Did you already open a ticket for this problem?
thanks
thierry
_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
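As an added illustration, not code from the thread or from 389-ds/FreeIPA, here is a small parser for the NSACLPlugin trace format quoted above: it groups the evaluation by (entry, attr), records whether each ACI was freshly evaluated, came back UNDEFINED or was a cache SKIP, and flags denials reached purely from cached results, which is the symptom the thread is chasing. The sample trace is constructed from the quoted lines (one record per line) and the function names are my own.

```python
import re
# Patterns for the NSACLPlugin trace lines quoted in the thread.
PROCESSED = re.compile(r"Processed attr:(\S+) for entry:(\S+)")
EVALUATING = re.compile(r'\d+\. Evaluating (ALLOW|DENY) aci\((\d+)\) " "([^"]*)""')
SKIP = re.compile(r"Found \w+ SKIP in cache")
UNDEFINED = re.compile(r"Returning UNDEFINED for \w+ evaluation")
DENY = re.compile(r"Deny (\w+) on entry\((\S+)\)\.attr\((\S+)\) to (\S+):")

def parse_acl_trace(text):
    # Group the trace by (entry, attr): which ACIs were considered, whether each
    # was freshly evaluated, cache-skipped or UNDEFINED, and the final decision.
    trace, cur = {}, None
    for line in text.splitlines():
        if m := PROCESSED.search(line):
            cur = trace.setdefault((m[2], m[1]), {"acis": [], "decision": None})
        elif m := DENY.search(line):
            rec = trace.setdefault((m[2], m[3]), {"acis": [], "decision": None})
            rec["decision"] = "deny %s to %s" % (m[1], m[4])
        elif cur is None:
            continue
        elif m := EVALUATING.search(line):
            cur["acis"].append({"id": int(m[2]), "name": m[3], "outcome": "evaluated"})
        elif SKIP.search(line) and cur["acis"]:
            cur["acis"][-1]["outcome"] = "cache-skip"
        elif UNDEFINED.search(line) and cur["acis"]:
            cur["acis"][-1]["outcome"] = "undefined"
    return trace

def denied_only_from_cache(trace):
    # Denials reached without one fresh ACI evaluation: every candidate ACI was a
    # cache SKIP, so an earlier (possibly wrong) result was reused, as in the thread.
    return [key for key, rec in trace.items() if rec["decision"] and rec["acis"]
            and all(a["outcome"] == "cache-skip" for a in rec["acis"])]

# Constructed sample trace in the thread's format, one log record per line.
SAMPLE_LOG = """\
[09/Oct/2014:21:34:58 -0400] NSACLPlugin - Processed attr:ipatokenOwner for entry:ipatokenuniqueid=bar,cn=otp,dc=example,dc=com
[09/Oct/2014:21:34:58 -0400] NSACLPlugin - 1. Evaluating ALLOW aci(11) " "Users/managers can read basic token info""
[09/Oct/2014:21:34:58 -0400] NSACLPlugin - Returning UNDEFINED for userdnattr evaluation.
[09/Oct/2014:21:34:59 -0400] NSACLPlugin - Processed attr:managedBy for entry:ipatokenuniqueid=bar,cn=otp,dc=example,dc=com
[09/Oct/2014:21:34:59 -0400] NSACLPlugin - 1. Evaluating ALLOW aci(11) " "Users/managers can read basic token info""
[09/Oct/2014:21:34:59 -0400] NSACLPlugin - Found READ SKIP in cache
[09/Oct/2014:21:34:59 -0400] NSACLPlugin - 2. Evaluating ALLOW aci(19) " "Admin can manage any entry""
[09/Oct/2014:21:34:59 -0400] NSACLPlugin - Found READ SKIP in cache
[09/Oct/2014:21:34:59 -0400] NSACLPlugin - conn=29 op=1 (main): Deny read on entry(ipatokenuniqueid=bar,cn=otp,dc=example,dc=com).attr(managedBy) to uid=otp,cn=users,cn=accounts,dc=example,dc=com: no aci matched the subject by aci(19): aciname= "Admin can manage any entry", acidn="dc=example,dc=com"
"""

if __name__ == "__main__":
    for key in denied_only_from_cache(parse_acl_trace(SAMPLE_LOG)):
        print("denied purely from cached ACI results:", key)
```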