Hello,

I've been trying to get groups working in ACLs, but no matter what I do the group ACL isn't applied. It seems it might be an LMDB bug, and I'm planning on switching to hdb to see if it works there when I get the time.

I've attached the olcAccess.ldif that doesn't work and the output of

        slapacl -D uid=kyrias,ou=users,dc=kyriasis,dc=com \
        -b ou=users,dc=kyriasis,dc=com -dacl

which shows that the group ACL isn't applied to the user uid=kyrias,ou=users,dc=kyriasis,dc=com even though it is a member of the cn=admins,ou=security,dc=kyriasis,dc=com group and that the 'to *' ACL is above the other ones.

--
Sincerely,
 Johannes Löthberg
 PGP Key ID: 3A9D0BB5
53df9d87 => access_allowed: search access to "cn=config" "objectClass" requested
53df9d87 <= root access granted
53df9d87 => access_allowed: search access granted by manage(=mwrscxd)
53df9d87 => access_allowed: search access to "cn=schema,cn=config" "objectClass" requested
53df9d87 <= root access granted
53df9d87 => access_allowed: search access granted by manage(=mwrscxd)
53df9d87 => access_allowed: search access to "cn={0}core,cn=schema,cn=config" "objectClass" requested
53df9d87 <= root access granted
53df9d87 => access_allowed: search access granted by manage(=mwrscxd)
53df9d87 => access_allowed: search access to "cn={1}cosine,cn=schema,cn=config" "objectClass" requested
53df9d87 <= root access granted
53df9d87 => access_allowed: search access granted by manage(=mwrscxd)
53df9d87 => access_allowed: search access to "cn={2}inetorgperson,cn=schema,cn=config" "objectClass" requested
53df9d87 <= root access granted
53df9d87 => access_allowed: search access granted by manage(=mwrscxd)
53df9d87 => access_allowed: search access to "cn={3}nis,cn=schema,cn=config" "objectClass" requested
53df9d87 <= root access granted
53df9d87 => access_allowed: search access granted by manage(=mwrscxd)
53df9d87 => access_allowed: search access to "cn={4}kerberos,cn=schema,cn=config" "objectClass" requested
53df9d87 <= root access granted
53df9d87 => access_allowed: search access granted by manage(=mwrscxd)
53df9d87 => access_allowed: search access to "cn={5}ldapns,cn=schema,cn=config" "objectClass" requested
53df9d87 <= root access granted
53df9d87 => access_allowed: search access granted by manage(=mwrscxd)
53df9d87 => access_allowed: search access to "cn={6}kyriasis,cn=schema,cn=config" "objectClass" requested
53df9d87 <= root access granted
53df9d87 => access_allowed: search access granted by manage(=mwrscxd)
53df9d87 => access_allowed: search access to "olcDatabase={-1}frontend,cn=config" "objectClass" requested
53df9d87 <= root access granted
53df9d87 => access_allowed: search access granted by manage(=mwrscxd)
Backend ACL: access to dn.base=""
        by self write
        by * read

Backend ACL: access to dn.base="cn=subschema"
        by * read

53df9d87 => access_allowed: search access to "olcDatabase={0}config,cn=config" "objectClass" requested
53df9d87 <= root access granted
53df9d87 => access_allowed: search access granted by manage(=mwrscxd)
Backend ACL: access to *
        by * none

53df9d87 /etc/openldap/slapd.d: line 1: warning: cannot assess the validity of the ACL scope within backend naming context
53df9d87 => access_allowed: search access to "olcDatabase={1}mdb,cn=config" "objectClass" requested
53df9d87 <= root access granted
53df9d87 => access_allowed: search access granted by manage(=mwrscxd)
Backend ACL: access to *
        by group/groupOfNames/member.exact="cn=admins,ou=security,dc=kyriasis,dc=com" manage
        by * read

53df9d87 /etc/openldap/slapd.d: line 1: warning: cannot assess the validity of the ACL scope within backend naming context
Backend ACL: access to attrs=uid,uidNumber,gidNumber,homeDirectory,krbPrincipalName,objectClass,structuralObjectClass,entryUUID,entryCSN,creatorsName,createTimestamp,modifiersName,modifyTimestamp
        by * read

53df9d87 /etc/openldap/slapd.d: line 1: warning: cannot assess the validity of the ACL scope within backend naming context
Backend ACL: access to attrs=userPassword,userPKCS12,shadowLastChange
        by self write
        by * auth

53df9d87 /etc/openldap/slapd.d: line 1: warning: cannot assess the validity of the ACL scope within backend naming context
Backend ACL: access to dn.subtree="cn=krbcontainer,ou=security,dc=kyriasis,dc=com"
        by dn.base="cn=kdc,ou=security,dc=kyriasis,dc=com" read
        by dn.base="cn=kadmin,ou=security,dc=kyriasis,dc=com" write
        by * none

Backend ACL: access to dn.regex="^uid=([^,]+),ou=users,dc=kyriasis,dc=com$"
        by dn.base,expand="uid=$1,ou=users,dc=kyriasis,dc=com" write
        by dn.base="cn=kadmin,ou=security,dc=kyriasis,dc=com" write
        by * read

Backend ACL: access to dn.subtree="ou=hosts,dc=kyriasis,dc=com"
        by dn.base="cn=kadmin,ou=security,dc=kyriasis,dc=com" write
        by * read

53df9d87 mdb_monitor_db_open: monitoring disabled; configure monitor database to enable
Backend ACL: access to *
        by * none

53df9d87 config_back_db_open: line 0: warning: cannot assess the validity of the ACL scope within backend naming context
authcDN: "uid=kyrias,ou=users,dc=kyriasis,dc=com"
53df9d87 => access_allowed: auth access to "ou=users,dc=kyriasis,dc=com" "entry" requested
53df9d87 => acl_get: [1] attr entry
53df9d87 => acl_mask: access to entry "ou=users,dc=kyriasis,dc=com", attr "entry" requested
53df9d87 => acl_mask: to all values by "uid=kyrias,ou=users,dc=kyriasis,dc=com", (=0)
53df9d87 <= check a_group_pat: cn=admins,ou=security,dc=kyriasis,dc=com
53df9d87 mdb_opinfo_get: err MDB_BAD_RSLOT: Invalid reuse of reader locktable slot(-30783)
53df9d87 <= check a_dn_pat: *
53df9d87 <= acl_mask: [2] applying read(=rscxd) (stop)
53df9d87 <= acl_mask: [2] mask: read(=rscxd)
53df9d87 => slap_access_allowed: auth access granted by read(=rscxd)
53df9d87 => access_allowed: auth access granted by read(=rscxd)
entry: read(=rscxd)
53df9d87 => access_allowed: auth access to "ou=users,dc=kyriasis,dc=com" "children" requested
53df9d87 => acl_get: [1] attr children
53df9d87 => acl_mask: access to entry "ou=users,dc=kyriasis,dc=com", attr "children" requested
53df9d87 => acl_mask: to all values by "uid=kyrias,ou=users,dc=kyriasis,dc=com", (=0)
53df9d87 <= check a_group_pat: cn=admins,ou=security,dc=kyriasis,dc=com
53df9d87 <= check a_dn_pat: *
53df9d87 <= acl_mask: [2] applying read(=rscxd) (stop)
53df9d87 <= acl_mask: [2] mask: read(=rscxd)
53df9d87 => slap_access_allowed: auth access granted by read(=rscxd)
53df9d87 => access_allowed: auth access granted by read(=rscxd)
children: read(=rscxd)
53df9d87 => access_allowed: auth access to "ou=users,dc=kyriasis,dc=com" "ou" requested
53df9d87 => acl_get: [1] attr ou
53df9d87 => acl_mask: access to entry "ou=users,dc=kyriasis,dc=com", attr "ou" requested
53df9d87 => acl_mask: to value by "uid=kyrias,ou=users,dc=kyriasis,dc=com", (=0)
53df9d87 <= check a_group_pat: cn=admins,ou=security,dc=kyriasis,dc=com
53df9d87 <= check a_dn_pat: *
53df9d87 <= acl_mask: [2] applying read(=rscxd) (stop)
53df9d87 <= acl_mask: [2] mask: read(=rscxd)
53df9d87 => slap_access_allowed: auth access granted by read(=rscxd)
53df9d87 => access_allowed: auth access granted by read(=rscxd)
ou=users: read(=rscxd)
53df9d87 => access_allowed: auth access to "ou=users,dc=kyriasis,dc=com" "objectClass" requested
53df9d87 => acl_get: [1] attr objectClass
53df9d87 => acl_mask: access to entry "ou=users,dc=kyriasis,dc=com", attr "objectClass" requested
53df9d87 => acl_mask: to value by "uid=kyrias,ou=users,dc=kyriasis,dc=com", (=0)
53df9d87 <= check a_group_pat: cn=admins,ou=security,dc=kyriasis,dc=com
53df9d87 <= check a_dn_pat: *
53df9d87 <= acl_mask: [2] applying read(=rscxd) (stop)
53df9d87 <= acl_mask: [2] mask: read(=rscxd)
53df9d87 => slap_access_allowed: auth access granted by read(=rscxd)
53df9d87 => access_allowed: auth access granted by read(=rscxd)
objectClass=top: read(=rscxd)
53df9d87 => access_allowed: auth access to "ou=users,dc=kyriasis,dc=com" "objectClass" requested
53df9d87 => acl_get: [1] attr objectClass
53df9d87 => acl_mask: access to entry "ou=users,dc=kyriasis,dc=com", attr "objectClass" requested
53df9d87 => acl_mask: to value by "uid=kyrias,ou=users,dc=kyriasis,dc=com", (=0)
53df9d87 <= check a_group_pat: cn=admins,ou=security,dc=kyriasis,dc=com
53df9d87 <= check a_dn_pat: *
53df9d87 <= acl_mask: [2] applying read(=rscxd) (stop)
53df9d87 <= acl_mask: [2] mask: read(=rscxd)
53df9d87 => slap_access_allowed: auth access granted by read(=rscxd)
53df9d87 => access_allowed: auth access granted by read(=rscxd)
objectClass=organizationalUnit: read(=rscxd)
53df9d87 => access_allowed: auth access to "ou=users,dc=kyriasis,dc=com" "structuralObjectClass" requested
53df9d87 => acl_get: [1] attr structuralObjectClass
53df9d87 => acl_mask: access to entry "ou=users,dc=kyriasis,dc=com", attr "structuralObjectClass" requested
53df9d87 => acl_mask: to value by "uid=kyrias,ou=users,dc=kyriasis,dc=com", (=0)
53df9d87 <= check a_group_pat: cn=admins,ou=security,dc=kyriasis,dc=com
53df9d87 <= check a_dn_pat: *
53df9d87 <= acl_mask: [2] applying read(=rscxd) (stop)
53df9d87 <= acl_mask: [2] mask: read(=rscxd)
53df9d87 => slap_access_allowed: auth access granted by read(=rscxd)
53df9d87 => access_allowed: auth access granted by read(=rscxd)
structuralObjectClass=organizationalUnit: read(=rscxd)
53df9d87 => access_allowed: auth access to "ou=users,dc=kyriasis,dc=com" "entryUUID" requested
53df9d87 => acl_get: [1] attr entryUUID
53df9d87 => acl_mask: access to entry "ou=users,dc=kyriasis,dc=com", attr "entryUUID" requested
53df9d87 => acl_mask: to value by "uid=kyrias,ou=users,dc=kyriasis,dc=com", (=0)
53df9d87 <= check a_group_pat: cn=admins,ou=security,dc=kyriasis,dc=com
53df9d87 <= check a_dn_pat: *
53df9d87 <= acl_mask: [2] applying read(=rscxd) (stop)
53df9d87 <= acl_mask: [2] mask: read(=rscxd)
53df9d87 => slap_access_allowed: auth access granted by read(=rscxd)
53df9d87 => access_allowed: auth access granted by read(=rscxd)
entryUUID=02cdf845-c212-41a7-8984-948c1ccb3e50: read(=rscxd)
53df9d87 => access_allowed: auth access to "ou=users,dc=kyriasis,dc=com" "creatorsName" requested
53df9d87 => acl_get: [1] attr creatorsName
53df9d87 => acl_mask: access to entry "ou=users,dc=kyriasis,dc=com", attr "creatorsName" requested
53df9d87 => acl_mask: to value by "uid=kyrias,ou=users,dc=kyriasis,dc=com", (=0)
53df9d87 <= check a_group_pat: cn=admins,ou=security,dc=kyriasis,dc=com
53df9d87 <= check a_dn_pat: *
53df9d87 <= acl_mask: [2] applying read(=rscxd) (stop)
53df9d87 <= acl_mask: [2] mask: read(=rscxd)
53df9d87 => slap_access_allowed: auth access granted by read(=rscxd)
53df9d87 => access_allowed: auth access granted by read(=rscxd)
creatorsName=cn=Manager,dc=kyriasis,dc=com: read(=rscxd)
53df9d87 => access_allowed: auth access to "ou=users,dc=kyriasis,dc=com" "createTimestamp" requested
53df9d87 => acl_get: [1] attr createTimestamp
53df9d87 => acl_mask: access to entry "ou=users,dc=kyriasis,dc=com", attr "createTimestamp" requested
53df9d87 => acl_mask: to value by "uid=kyrias,ou=users,dc=kyriasis,dc=com", (=0)
53df9d87 <= check a_group_pat: cn=admins,ou=security,dc=kyriasis,dc=com
53df9d87 <= check a_dn_pat: *
53df9d87 <= acl_mask: [2] applying read(=rscxd) (stop)
53df9d87 <= acl_mask: [2] mask: read(=rscxd)
53df9d87 => slap_access_allowed: auth access granted by read(=rscxd)
53df9d87 => access_allowed: auth access granted by read(=rscxd)
createTimestamp=20140507152708Z: read(=rscxd)
53df9d87 => access_allowed: auth access to "ou=users,dc=kyriasis,dc=com" "entryCSN" requested
53df9d87 => acl_get: [1] attr entryCSN
53df9d87 => acl_mask: access to entry "ou=users,dc=kyriasis,dc=com", attr "entryCSN" requested
53df9d87 => acl_mask: to value by "uid=kyrias,ou=users,dc=kyriasis,dc=com", (=0)
53df9d87 <= check a_group_pat: cn=admins,ou=security,dc=kyriasis,dc=com
53df9d87 <= check a_dn_pat: *
53df9d87 <= acl_mask: [2] applying read(=rscxd) (stop)
53df9d87 <= acl_mask: [2] mask: read(=rscxd)
53df9d87 => slap_access_allowed: auth access granted by read(=rscxd)
53df9d87 => access_allowed: auth access granted by read(=rscxd)
entryCSN=20140507152708.194854Z#000000#000#000000: read(=rscxd)
53df9d87 => access_allowed: auth access to "ou=users,dc=kyriasis,dc=com" "modifiersName" requested
53df9d87 => acl_get: [1] attr modifiersName
53df9d87 => acl_mask: access to entry "ou=users,dc=kyriasis,dc=com", attr "modifiersName" requested
53df9d87 => acl_mask: to value by "uid=kyrias,ou=users,dc=kyriasis,dc=com", (=0)
53df9d87 <= check a_group_pat: cn=admins,ou=security,dc=kyriasis,dc=com
53df9d87 <= check a_dn_pat: *
53df9d87 <= acl_mask: [2] applying read(=rscxd) (stop)
53df9d87 <= acl_mask: [2] mask: read(=rscxd)
53df9d87 => slap_access_allowed: auth access granted by read(=rscxd)
53df9d87 => access_allowed: auth access granted by read(=rscxd)
modifiersName=cn=Manager,dc=kyriasis,dc=com: read(=rscxd)
53df9d87 => access_allowed: auth access to "ou=users,dc=kyriasis,dc=com" "modifyTimestamp" requested
53df9d87 => acl_get: [1] attr modifyTimestamp
53df9d87 => acl_mask: access to entry "ou=users,dc=kyriasis,dc=com", attr "modifyTimestamp" requested
53df9d87 => acl_mask: to value by "uid=kyrias,ou=users,dc=kyriasis,dc=com", (=0)
53df9d87 <= check a_group_pat: cn=admins,ou=security,dc=kyriasis,dc=com
53df9d87 <= check a_dn_pat: *
53df9d87 <= acl_mask: [2] applying read(=rscxd) (stop)
53df9d87 <= acl_mask: [2] mask: read(=rscxd)
53df9d87 => slap_access_allowed: auth access granted by read(=rscxd)
53df9d87 => access_allowed: auth access granted by read(=rscxd)
modifyTimestamp=20140507152708Z: read(=rscxd)

dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: to *
  by group.exact="cn=admins,ou=security,dc=kyriasis,dc=com" manage
  by * read
olcAccess: to attrs=uid,uidNumber,gidNumber,homeDirectory,
 krbPrincipalName,objectClass,structuralObjectClass,entryUUID,
 entryCSN,creatorsName,createTimestamp,modifiersName,modifyTimestamp
  by * read
olcAccess: to attrs=userPassword,userPKCS12,shadowLastChange
  by self write
  by * auth
olcAccess: to dn.subtree="cn=krbcontainer,ou=security,dc=kyriasis,dc=com"
  by dn.exact="cn=kdc,ou=security,dc=kyriasis,dc=com" read
  by dn.exact="cn=kadmin,ou=security,dc=kyriasis,dc=com" write
  by * none
olcAccess: to dn.regex="^uid=([^,]+),ou=users,dc=kyriasis,dc=com$"
  by dn.exact,expand="uid=$1,ou=users,dc=kyriasis,dc=com" write
  by dn.exact="cn=kadmin,ou=security,dc=kyriasis,dc=com" write
  by * read
olcAccess: to dn.subtree="ou=hosts,dc=kyriasis,dc=com"
  by dn.exact="cn=kadmin,ou=security,dc=kyriasis,dc=com" write
  by * read
#olcAccess: to *
#  by self write
#  by * read
-

dn: olcDatabase={-1}frontend,cn=config
changetype: modify
replace: olcAccess
olcAccess: to dn.base=""
  by self write
  by * read
olcAccess: to dn.base="cn=Subschema"
  by * read

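The two slapd.access(5) rules that decide what the slapacl trace above shows, written out as a small Python model. This is an added illustration, not code from the original post or from OpenLDAP: it keeps only "the first `to` clause that matches the entry and attribute is the only one consulted" and "inside it, the first matching `by` clause is applied and evaluation stops" (the `(stop)` in the trace), and it treats a `group=` clause whose membership lookup fails for a backend reason the way the trace shows it being treated (the `check a_group_pat` line is followed by `MDB_BAD_RSLOT`, then `check a_dn_pat: *` and `[2] applying read`, i.e. the group clause is skipped and scanning continues). Regex and subtree targets, `entry`/`children` pseudo-attributes and everything else in the manual page are left out. The ACL set is the one from the posted olcAccess.ldif reduced to the two clauses that matter; the directory state (kyrias as the only member of cn=admins) and the failing lookup are constructed.

```python
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class By:
    who: str    # "*", "anonymous", "self", "dn=<DN>" or "group=<DN>"
    level: str  # none/auth/compare/search/read/write/manage


@dataclass
class Acl:
    attrs: Optional[frozenset]  # None stands for "to *": every attribute of every entry
    by: list                    # ordered "by" clauses (lower-cased attribute names in attrs)


class GroupLookupError(Exception):
    """Stand-in for a backend error while fetching the group entry (the trace's MDB_BAD_RSLOT)."""


def who_matches(by: By, subject_dn: str, target_dn: str,
                is_member: Callable[[str, str], bool]) -> bool:
    """Does this <by> clause apply to subject_dn ("" = anonymous) for the entry target_dn?"""
    if by.who == "*":
        return True
    if by.who == "anonymous":
        return subject_dn == ""
    if by.who == "self":
        return subject_dn != "" and subject_dn.lower() == target_dn.lower()
    kind, _, dn = by.who.partition("=")
    if kind == "dn":
        return subject_dn.lower() == dn.lower()
    if kind == "group":
        try:
            return is_member(dn, subject_dn)
        except GroupLookupError:
            return False  # lookup failed: the clause is skipped and scanning continues
    raise ValueError(f"unsupported <who>: {by.who}")


def access(acls, subject_dn, target_dn, attr, is_member):
    """Return (level, to_index, by_index), 1-based like the [N] markers in slapacl -d acl."""
    for i, acl in enumerate(acls, start=1):
        if acl.attrs is not None and attr.lower() not in acl.attrs:
            continue                  # this "to" clause does not cover the attribute
        for j, by in enumerate(acl.by, start=1):
            if who_matches(by, subject_dn, target_dn, is_member):
                return by.level, i, j  # first matching "by" wins: the "(stop)" in the trace
        return "none", i, None        # matching "to" but no matching "by": implicit "by * none"
    return "none", None, None         # nothing matched: slapd's default deny


# The posted ACLs, reduced to the catch-all and the password clause.
ADMINS = "cn=admins,ou=security,dc=kyriasis,dc=com"
KYRIAS = "uid=kyrias,ou=users,dc=kyriasis,dc=com"
OU_USERS = "ou=users,dc=kyriasis,dc=com"

CATCH_ALL = Acl(None, [By(f"group={ADMINS}", "manage"), By("*", "read")])
PASSWORDS = Acl(frozenset({"userpassword", "userpkcs12", "shadowlastchange"}),
                [By("self", "write"), By("*", "auth")])

POSTED = [CATCH_ALL, PASSWORDS]     # the order in the olcAccess.ldif above
REORDERED = [PASSWORDS, CATCH_ALL]  # specific clause first, catch-all last


def membership_ok(group_dn, member_dn):
    # constructed directory state: kyrias is listed in the member attribute of cn=admins
    return group_dn == ADMINS and member_dn == KYRIAS


def membership_broken(group_dn, member_dn):
    # the failure mode visible in the trace: the group entry cannot be read at all
    raise GroupLookupError("mdb_opinfo_get: err MDB_BAD_RSLOT")


def anonymous_password_access(acls):
    """What an anonymous bind gets on userPassword of kyrias under this ACL order."""
    return access(acls, "", KYRIAS, "userPassword", membership_ok)[0]


def admin_entry_access(acls, lookup):
    """What kyrias gets on the ou=users entry, depending on whether the group lookup works."""
    return access(acls, KYRIAS, OU_USERS, "entry", lookup)


if __name__ == "__main__":
    print("anonymous -> userPassword, posted order:", anonymous_password_access(POSTED))
    print("anonymous -> userPassword, reordered:   ", anonymous_password_access(REORDERED))
    print("kyrias -> entry, group lookup works:    ", admin_entry_access(POSTED, membership_ok))
    print("kyrias -> entry, group lookup fails:    ", admin_entry_access(POSTED, membership_broken))
```

Two things fall out of running it. First, with the posted order the `to *` clause (no `attrs=`, so every attribute of every entry in the mdb database) is the first clause and therefore the only one ever consulted there: the trace reports `acl_get: [1]` for every attribute, the later `to attrs=userPassword,... by self write by * auth` clause is unreachable, and as far as these ACLs are concerned userPassword is covered by `by * read`. Putting the specific clauses above the catch-all restores the intended `auth`. Second, the group result reproduces the trace: when the membership lookup fails the admin clause is skipped, `by * read` applies, and slapacl reports the applied clause as `[2]`; the same ACL with a working lookup yields `manage` from clause `[1]`, so the ACL text itself is consistent with what the poster intended.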
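A reader for `slapacl -d acl` traces like the one attached above, as an added example (not from the original post or from OpenLDAP). For each `"<attr>" requested` block it records the `to` clause index from `acl_get: [N]`, the `by` clause index and access level from `acl_mask: [N] applying ...`, and any diagnostic line emitted between a `check a_group_pat` line and the next check or decision, which is where the `MDB_BAD_RSLOT` error sits in the trace above and which marks a group clause that was passed over for a reason other than membership. The sample is the first two attribute blocks of that trace, embedded inline so the script runs offline; the eight-hex-digit prefix slapd puts on debug lines is stripped before matching.

```python
import re

# constructed sample: the "entry" and "children" blocks of the slapacl trace above
SAMPLE = """\
authcDN: "uid=kyrias,ou=users,dc=kyriasis,dc=com"
53df9d87 => access_allowed: auth access to "ou=users,dc=kyriasis,dc=com" "entry" requested
53df9d87 => acl_get: [1] attr entry
53df9d87 => acl_mask: access to entry "ou=users,dc=kyriasis,dc=com", attr "entry" requested
53df9d87 => acl_mask: to all values by "uid=kyrias,ou=users,dc=kyriasis,dc=com", (=0)
53df9d87 <= check a_group_pat: cn=admins,ou=security,dc=kyriasis,dc=com
53df9d87 mdb_opinfo_get: err MDB_BAD_RSLOT: Invalid reuse of reader locktable slot(-30783)
53df9d87 <= check a_dn_pat: *
53df9d87 <= acl_mask: [2] applying read(=rscxd) (stop)
53df9d87 <= acl_mask: [2] mask: read(=rscxd)
53df9d87 => slap_access_allowed: auth access granted by read(=rscxd)
53df9d87 => access_allowed: auth access granted by read(=rscxd)
entry: read(=rscxd)
53df9d87 => access_allowed: auth access to "ou=users,dc=kyriasis,dc=com" "children" requested
53df9d87 => acl_get: [1] attr children
53df9d87 => acl_mask: access to entry "ou=users,dc=kyriasis,dc=com", attr "children" requested
53df9d87 => acl_mask: to all values by "uid=kyrias,ou=users,dc=kyriasis,dc=com", (=0)
53df9d87 <= check a_group_pat: cn=admins,ou=security,dc=kyriasis,dc=com
53df9d87 <= check a_dn_pat: *
53df9d87 <= acl_mask: [2] applying read(=rscxd) (stop)
53df9d87 <= acl_mask: [2] mask: read(=rscxd)
53df9d87 => slap_access_allowed: auth access granted by read(=rscxd)
53df9d87 => access_allowed: auth access granted by read(=rscxd)
children: read(=rscxd)
"""

RE_PREFIX = re.compile(r"^[0-9a-f]{8} ")
RE_REQUEST = re.compile(r'=> access_allowed: (\w+) access to "([^"]+)" "([^"]+)" requested')
RE_ACL = re.compile(r"=> acl_get: \[(\d+)\] attr")
RE_CHECK = re.compile(r"<= check (a_\w+_pat): (.*)")
RE_APPLY = re.compile(r"<= acl_mask: \[(\d+)\] applying (\w+)\(=(\w*)\)")


def parse_trace(text):
    """One dict per requested attribute, in trace order."""
    results, cur, pending_group = [], None, None
    for raw in text.splitlines():
        line = RE_PREFIX.sub("", raw.strip())
        if m := RE_REQUEST.search(line):
            cur = {"op": m[1], "dn": m[2], "attr": m[3], "acl": None, "by": None,
                   "level": None, "checks": [], "group_errors": []}
            results.append(cur)
            pending_group = None
            continue
        if cur is None:
            continue  # lines before the first request (authcDN, ACL dump)
        if m := RE_ACL.search(line):
            cur["acl"] = int(m[1])                      # which "to" clause was selected
        elif m := RE_CHECK.search(line):
            cur["checks"].append((m[1], m[2]))          # each "by" clause tried, in order
            pending_group = m[2] if m[1] == "a_group_pat" else None
        elif m := RE_APPLY.search(line):
            cur["by"], cur["level"] = int(m[1]), m[2]   # which "by" clause was applied
            pending_group = None
        elif pending_group and not line.startswith(("=>", "<=")):
            # a non-ACL diagnostic right after a group check: the lookup itself failed
            cur["group_errors"].append((pending_group, line))
    return results


def failed_group_checks(results):
    """(attribute, group DN, diagnostic) for every group clause skipped because of an error."""
    return [(r["attr"], g, msg) for r in results for g, msg in r["group_errors"]]


if __name__ == "__main__":
    for r in parse_trace(SAMPLE):
        print(f'{r["attr"]:10} to=[{r["acl"]}] by=[{r["by"]}] {r["level"]}  checks={r["checks"]}')
    print("failed group lookups:", failed_group_checks(parse_trace(SAMPLE)))
```

Run against the full trace it prints one line per attribute, all of them `to=[1] by=[2] read`, and a single failed group lookup on the first attribute checked; a trace in which the group clause really did not match would show the `a_group_pat` check followed directly by `a_dn_pat` with no diagnostic in between.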