On Thu, Oct 15, 2009 at 11:22 AM, Edward Capriolo <[email protected]> wrote:
> Hello all,
>
> We are currently migrating from a master-slave, to a multi-master
> setup. All went well except for the fact that the access on the old
> master node was more liberal then the access on the slave node. As a
> result some applications were able to use this to their advantage and
> now are not working quite correctly when each node is a read write
> master.
>
> here is my configuration:
>
> #access to dn.regex="mail=.*[email protected],ou=user,ou=jointhegrid.com,o=jointhegrid,c=US"
> #    attrs=userPassword,accountstatus
> #    by dn="[email protected],ou=user,ou=jointhegrid.com,o=jointhegrid,c=US" write break
> #    by dn="[email protected],ou=user,ou=jointhegrid,o=jointhegrid,c=US" write break
> access to attr=userPassword
>     by self write
>     by anonymous auth
>     by dn="[email protected],ou=user,ou=jointhegrid.com,o=jointhegrid,c=US" read
>     by dn="[email protected],ou=user,ou=jointhegrid-inc.com,o=jointhegrid,c=US" read
>     by * none
> access to attrs=sambaLMPassword,sambaNTPassword
>     by dn="[email protected],ou=user,ou=jointhegrid.com,o=jointhegrid,c=US" read
>     by dn="[email protected],ou=user,ou=jointhegrid-inc.com,o=jointhegrid,c=US" read
>     by self write
>     by * none
> access to *
>     by dn="[email protected],ou=user,ou=jointhegrid.com,o=jointhegrid,c=US" write
>     by dn="[email protected],ou=user,ou=jointhegrid-inc.com,o=jointhegrid,c=US" write
>     by dnattr=manager write
>     by self write
>     by users read
>     by * none
>
> My problem is the top commented lines, these rules are to allow sara
> and john to administer all
> "mail=.*.managed" users. This worked fine in the past because no read
> queries hit the master, but now with multi-master
> "mail=.*.managed" users have no access to the directory. The old rule was
>
> # by dn="[email protected],ou=user,ou=jointhegrid,o=jointhegrid,c=US" write stop
>
> I also tried
>
> # by dn="[email protected],ou=user,ou=jointhegrid,o=jointhegrid,c=US" write break
>
> I was under the impression that "write break" would continue
> evaluation, but I do not understand how this is working. Can anyone
> help me with a suggestion for fixing this?
>
> Thank you!
>
Hey all,
I know this is somewhat of an RTFM question, but I did RTFM and I don't
understand how BREAK is interpreted.
man slapd.access
....
The other two forms are used to keep on processing access clauses. In
detail, the continue form allows for other <who> clauses in the same
<access> clause to be considered, so that they may result in incrementally
altering the privileges, while the break form allows for other <access>
clauses that match the same target to be processed. Consider the (silly)
example

    access to dn.subtree="dc=example,dc=com" attrs=cn
        by * =cs break
    access to dn.subtree="ou=People,dc=example,dc=com"
        by * +r
Do I need

access to dn.regex="mail=.*[email protected],ou=user,ou=jointhegrid.com,o=jointhegrid,c=US"
    attrs=userPassword,accountstatus
    by dn="[email protected],ou=user,ou=jointhegrid.com,o=jointhegrid,c=US" write break
    by dn="[email protected],ou=user,ou=jointhegrid,o=jointhegrid,c=US" write break
    by * break

?
We have a pretty large LDAP deployment with lots of applications using
it. Every time I get this rule wrong I manage to block someone's
access. I know it's not your problem, but please throw me a bone here
:)
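An added model (not from this thread and not OpenLDAP code) of the clause walk the man page excerpt above describes, applied to the proposed first clause and the userPassword clause of the quoted config; the DNs, the `bob.managed` user and the `mail=.*\.managed@` regex are constructed stand-ins for the redacted values.

```python
import re

LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]
def privs(level):
    return set(LEVELS[1:LEVELS.index(level) + 1])  # each level implies all lower ones

def evaluate(acls, target, who, required):
    """Walk access clauses as slapd.access describes, for one (who, target) pair.
    acls: [(target_pred, [(who_pred, op, level, control), ...]), ...]; op '=' is the
    plain level form (replaces the mask), '+'/'-' the incremental forms."""
    mask = set()
    for target_pred, by_clauses in acls:
        if not target_pred(target):
            continue                          # clause does not match this target
        decided = None                        # control word of the matching by clause
        for who_pred, op, level, control in by_clauses:
            if not who_pred(who, target):
                continue
            if op == "=":   mask = privs(level)
            elif op == "+": mask |= privs(level)
            else:           mask -= privs(level)
            decided = control
            if control != "continue":
                break
        if decided is None:
            return False                      # no by clause matched: implicit "by * none"
        if decided != "break":
            return required in mask           # stop: this clause is the final word
    return required in mask                   # break carried the mask past the last clause

# Constructed DNs; the regex is a stand-in for the redacted "mail=.*.managed" pattern.
BASE = "ou=user,ou=jointhegrid.com,o=jointhegrid,c=US"
SARA, JOHN, BOB = (f"mail={u}@jointhegrid.com,{BASE}" for u in ("sara", "john", "bob.managed"))
managed = lambda t: bool(re.match(r"mail=.*\.managed@", t[0])) and t[1] in ("userPassword", "accountstatus")
is_dn = lambda dn: (lambda who, t: who == dn)
is_self, anyone = (lambda who, t: who == t[0]), (lambda who, t: True)
def config(admin_control, by_star_break):
    """The proposed first clause plus the userPassword clause from the quoted config,
    parameterised on the admins' control word and on a closing "by * break"."""
    first = [(is_dn(SARA), "=", "write", admin_control), (is_dn(JOHN), "=", "write", admin_control)]
    if by_star_break:
        first.append((anyone, "+", "none", "break"))  # no level given: mask left untouched
    return [(managed, first),
            (lambda t: t[1] == "userPassword",
             [(is_self, "=", "write", "stop"), (lambda w, t: w is None, "=", "auth", "stop"),
              (is_dn(SARA), "=", "read", "stop"), (anyone, "=", "none", "stop")])]

def bob_reads_own_password(by_star_break):      # the failure reported in the thread
    return evaluate(config("break", by_star_break), (BOB, "userPassword"), BOB, "read")
def sara_writes_bobs_password(admin_control):   # what "break" does to the admins' write
    return evaluate(config(admin_control, True), (BOB, "userPassword"), SARA, "write")
```

Under this model the managed user is denied read of his own userPassword until the first clause ends with `by * break`, because a matching access clause with no matching by clause is an implicit `by * none`. It also shows that `write break` hands the mask on to the next matching clause, where the plain `read` given to sara replaces it, so the admins lose write there.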