Hi Ondřej,
Hi Dieter,

Thanks for your replies! The basic links I had already found and read 
through carefully, and didn't find a correct solution for my problem =(

The olcAccess statements out of the trials were all placed in front of the 
asterisk * one. So the order should not be the problem =(

Within the little bash script, the LDIF-parts from the different trials are 
always replacing this block:
>>> ########
>>> ## LDIF blocks from below
>>> ########


With slapacl I don’t really get a clue – I’ll attach one result below, which I 
would interpret as meaning that my l.dap user is not allowed to change the 
description of entity e1 … but if I use JXplorer to connect to the directory as 
l.dap, I can – even submit. Is it wrong how I’m using slapacl? Or isn’t it 
reliable since I’m using RegEx?

Thank you for your help!
Cheers,
Martin


> $ slapacl -v -U "uid=l.dap,ou=people,dc=example,dc=com" -b 
> "o=e1,ou=entities,dc=example,dc=com" -d acl "description/write"
> 
> 5d5db13a => access_allowed: search access to "cn=config" "objectClass" 
> requested
> 5d5db13a <= root access granted
> 5d5db13a => access_allowed: search access granted by manage(=mwrscxd)
> 5d5db13a => access_allowed: search access to "cn=module{0},cn=config" 
> "objectClass" requested
> 5d5db13a <= root access granted
> 5d5db13a => access_allowed: search access granted by manage(=mwrscxd)
> 5d5db13a => access_allowed: search access to "cn=schema,cn=config" 
> "objectClass" requested
> 5d5db13a <= root access granted
> 5d5db13a => access_allowed: search access granted by manage(=mwrscxd)
> 5d5db13a => access_allowed: search access to "cn={0}core,cn=schema,cn=config" 
> "objectClass" requested
> 5d5db13a <= root access granted
> 5d5db13a => access_allowed: search access granted by manage(=mwrscxd)
> 5d5db13a => access_allowed: search access to 
> "cn={1}cosine,cn=schema,cn=config" "objectClass" requested
> 5d5db13a <= root access granted
> 5d5db13a => access_allowed: search access granted by manage(=mwrscxd)
> 5d5db13a => access_allowed: search access to "cn={2}nis,cn=schema,cn=config" 
> "objectClass" requested
> 5d5db13a <= root access granted
> 5d5db13a => access_allowed: search access granted by manage(=mwrscxd)
> 5d5db13a => access_allowed: search access to 
> "cn={3}inetorgperson,cn=schema,cn=config" "objectClass" requested
> 5d5db13a <= root access granted
> 5d5db13a => access_allowed: search access granted by manage(=mwrscxd)
> 5d5db13a => access_allowed: search access to 
> "cn={4}ppolicy,cn=schema,cn=config" "objectClass" requested
> 5d5db13a <= root access granted
> 5d5db13a => access_allowed: search access granted by manage(=mwrscxd)
> 5d5db13a => access_allowed: search access to "cn={5}dhcp,cn=schema,cn=config" 
> "objectClass" requested
> 5d5db13a <= root access granted
> 5d5db13a => access_allowed: search access granted by manage(=mwrscxd)
> 5d5db13a => access_allowed: search access to 
> "cn={6}dnszone,cn=schema,cn=config" "objectClass" requested
> 5d5db13a <= root access granted
> 5d5db13a => access_allowed: search access granted by manage(=mwrscxd)
> 5d5db13a => access_allowed: search access to "cn={7}mail,cn=schema,cn=config" 
> "objectClass" requested
> 5d5db13a <= root access granted
> 5d5db13a => access_allowed: search access granted by manage(=mwrscxd)
> 5d5db13a => access_allowed: search access to "cn={8}mmc,cn=schema,cn=config" 
> "objectClass" requested
> 5d5db13a <= root access granted
> 5d5db13a => access_allowed: search access granted by manage(=mwrscxd)
> 5d5db13a => access_allowed: search access to 
> "cn={9}openssh-lpk,cn=schema,cn=config" "objectClass" requested
> 5d5db13a <= root access granted
> 5d5db13a => access_allowed: search access granted by manage(=mwrscxd)
> 5d5db13a => access_allowed: search access to 
> "cn={10}quota,cn=schema,cn=config" "objectClass" requested
> 5d5db13a <= root access granted
> 5d5db13a => access_allowed: search access granted by manage(=mwrscxd)
> 5d5db13a => access_allowed: search access to 
> "cn={11}radius,cn=schema,cn=config" "objectClass" requested
> 5d5db13a <= root access granted
> 5d5db13a => access_allowed: search access granted by manage(=mwrscxd)
> 5d5db13a => access_allowed: search access to 
> "cn={12}samba,cn=schema,cn=config" "objectClass" requested
> 5d5db13a <= root access granted
> 5d5db13a => access_allowed: search access granted by manage(=mwrscxd)
> 5d5db13a => access_allowed: search access to 
> "cn={13}zarafa,cn=schema,cn=config" "objectClass" requested
> 5d5db13a <= root access granted
> 5d5db13a => access_allowed: search access granted by manage(=mwrscxd)
> 5d5db13a => access_allowed: search access to "olcBackend={0}mdb,cn=config" 
> "objectClass" requested
> 5d5db13a <= root access granted
> 5d5db13a => access_allowed: search access granted by manage(=mwrscxd)
> 5d5db13a => access_allowed: search access to 
> "olcDatabase={-1}frontend,cn=config" "objectClass" requested
> 5d5db13a <= root access granted
> 5d5db13a => access_allowed: search access granted by manage(=mwrscxd)
> Backend ACL: access to *
>       by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" 
> manage
>       by * +0 break
> 
> Backend ACL: access to dn.base=""
>       by * read
> 
> Backend ACL: access to dn.base="cn=subschema"
>       by * read
> 
> 5d5db13a => access_allowed: search access to 
> "olcDatabase={0}config,cn=config" "objectClass" requested
> 5d5db13a <= root access granted
> 5d5db13a => access_allowed: search access granted by manage(=mwrscxd)
> Backend ACL: access to *
>       by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" 
> manage
>       by * +0 break
> 
> 5d5db13a /etc/ldap/slapd.d: line 1: warning: cannot assess the validity of 
> the ACL scope within backend naming context
> 5d5db13a => access_allowed: search access to "olcDatabase={1}mdb,cn=config" 
> "objectClass" requested
> 5d5db13a <= root access granted
> 5d5db13a => access_allowed: search access granted by manage(=mwrscxd)
> Backend ACL: access to attrs=userPassword,shadowLastChange
>       by self =wx
>       by dn.base="cn=admin,dc=example,dc=com" =wx
>       by set.exact="[cn=ldapadmins,ou=groups,dc=example,dc=com]/member* & 
> user" =wx
>       by anonymous auth
>       by * none
> 
> 5d5db13a /etc/ldap/slapd.d: line 1: warning: cannot assess the validity of 
> the ACL scope within backend naming context
> Backend ACL: access to *
>       by self write
>       by dn.base="cn=admin,dc=example,dc=com" write
>       by set.exact="[cn=ldapadmins,ou=groups,dc=example,dc=com]/member* & 
> user" write
>       by users read
>       by * none
> 
> 5d5db13a /etc/ldap/slapd.d: line 1: warning: cannot assess the validity of 
> the ACL scope within backend naming context
> Backend ACL: access to dn.regex="([^,]+,)?o=([^,]+),ou=lve,dc=example,dc=com"
>       by self write
>       by dn.base="cn=admin,dc=example,dc=com" write
>       by set.exact="[cn=ldapadmins,ou=groups,dc=example,dc=com]/member* & 
> user" write
>       by set.expand="[cn=admin,o=,ou=lve,dc=example,dc=com]/member* & user" 
> write
>       by set.exact="this/member* & user" read
>       by * none
> 
> 5d5db13a => access_allowed: search access to 
> "olcOverlay={0}memberof,olcDatabase={1}mdb,cn=config" "objectClass" requested
> 5d5db13a <= root access granted
> 5d5db13a => access_allowed: search access granted by manage(=mwrscxd)
> 5d5db13a => access_allowed: search access to 
> "olcOverlay={1}refint,olcDatabase={1}mdb,cn=config" "objectClass" requested
> 5d5db13a <= root access granted
> 5d5db13a => access_allowed: search access granted by manage(=mwrscxd)
> Backend ACL: access to *
>       by * none
> 
> 5d5db13a config_back_db_open: line 0: warning: cannot assess the validity of 
> the ACL scope within backend naming context
> authcDN: "uid=uid\3Dl.dap\2Cou\3Dpeople\2Cdc\3dexample\2Cdc\3Dcom,cn=auth"
> 5d5db13a => access_allowed: write access to 
> "o=jpbay,ou=lve,dc=example,dc=com" "description" requested
> 5d5db13a => acl_get: [2] attr description
> 5d5db13a => acl_mask: access to entry "o=jpbay,ou=lve,dc=example,dc=com", 
> attr "description" requested
> 5d5db13a => acl_mask: to all values by 
> "uid=uid\3Dl.dap\2Cou\3Dpeople\2Cdc\3dexample\2Cdc\3Dcom,cn=auth", (=0) 
> 5d5db13a <= check a_dn_pat: self
> 5d5db13a <= check a_dn_pat: cn=admin,dc=example,dc=com
> 5d5db13a <= check a_set_pat: 
> [cn=ldapadmins,ou=groups,dc=example,dc=com]/member* & user
> 5d5db13a => mdb_entry_get: found entry: 
> "cn=ldapadmins,ou=groups,dc=example,dc=com"
> 5d5db13a   ACL set[0]=cn=globaladmins,ou=groups,dc=example,dc=com
> 5d5db13a => mdb_entry_get: found entry: 
> "cn=globaladmins,ou=groups,dc=example,dc=com"
> 5d5db13a   ACL set[0]=cn=globaladmins,ou=groups,dc=example,dc=com
> 5d5db13a   ACL set[1]=cn=admin,dc=example,dc=com
> 5d5db13a   ACL set[2]=uid=l.dap,ou=people,dc=example,dc=com
> 5d5db13a => mdb_entry_get: found entry: "cn=admin,dc=example,dc=com"
> 5d5db13a <= mdb_entry_get: failed to find attribute member
> 5d5db13a => mdb_entry_get: found entry: 
> "uid=l.dap,ou=people,dc=example,dc=com"
> 5d5db13a <= mdb_entry_get: failed to find attribute member
> 5d5db13a   ACL set: empty
> 5d5db13a <= check a_dn_pat: users
> 5d5db13a <= acl_mask: [4] applying read(=rscxd) (stop)
> 5d5db13a <= acl_mask: [4] mask: read(=rscxd)
> 5d5db13a => slap_access_allowed: write access denied by read(=rscxd)
> 5d5db13a => access_allowed: no more rules
> write access to description: DENIED



On 21. Aug 2019, at 19:14, Dieter Klünter <[email protected]> wrote:

> Am Wed, 21 Aug 2019 10:50:19 +0200
> schrieb Ondřej Kuzník <[email protected]>:
> 
>> On Tue, Aug 20, 2019 at 10:22:56PM +0200, Martin W. wrote:
>>> Dear OpenLDAP technical list,
>>> 
>>> I've been running into a little problem with my permission
>>> structures – and was wondering if you could help me with it.
>>> 
>>> I want the members of a group to administer a tree structure, the
>>> group is member of it. I've tried some acl settings – I'll post my
>>> trials below the basic structure.
>>> 
>>> I've tried some different things ... and no Regex was successful
>>> :( Since I'll post some fragments, I put every LDIF fragment within
>>> such a bash fragment:
>>> 
>>>> olcAccess: to *
>>>>   by self write
>>>>   by dn="cn=admin,dc=example,dc=com" write
>>>>   by set="[cn=ldapadmins,ou=groups,dc=example,dc=com]/member* & user" write
>>>>   by users read
>>>>   by * none
>>> 
>>> trial 1
>>> 
>>>> olcAccess: to dn.regex="([^,]+,)?o=([^,]+),ou=entities,dc=example,dc=com"
>>>>   by self write
>>>>   by dn="cn=admin,dc=example,dc=com" write
>>>>   by set="[cn=ldapadmins,ou=groups,dc=example,dc=com]/member* & user" write
>>>>   by set.expand="[cn=admin,o=$2,ou=entities,dc=example,dc=com]/member* & user" write
>>>>   by set="this/member* & user" read
>>>>   by * none
>>> 
>>> The result is that admin and any member of ldapadmins can edit; the
>>> members of specific entity admin subgroups cannot edit.
>>> The specific admin subgroups cannot even see the entities subtree.  
>> 
>> Hi Martin,
>> what is the order of the above two olcAccess statements? If they apply
>> in the order above, it seems the first one will always apply and
>> processing will stop there. In that case you either want to add a
>> "break" in the first one or split/move it to be checked later.
>> 
>> I assume you also know and use the slapacl tool (and loglevel acl) to
>> test with? Does it show any additional information that might be
>> helpful in diagnosing the issue?
> 
> With regard to 'set' here is some basic information.
> http://www.openldap.org/faq/data/cache/1133.html
> http://www.openldap.org/faq/data/cache/1134.html
> 
> -Dieter
> 
> -- 
> Dieter Klünter | Systemberatung
> http://sys4.de
> GPG Key ID: E9ED159B
> 53°37'09,95"N
> 10°08'02,42"E

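Ondřej's point about rule order can be checked without a running slapd: the toy evaluator below (added here, not code from the thread or from OpenLDAP) models first-match ACL evaluation with no break/continue and the set/member* closure over a constructed mini-directory, then evaluates Martin's two olcAccess rules in both orders for uid=l.dap. It assumes the dn.regex is matched against the whole target DN and that the user is identified by its entry DN, which is what slapacl -D tests (the quoted run used -U, so its trace compares a uid=...,cn=auth authcDN instead).

```python
import re

# Constructed toy directory (not from the thread): DN -> {attribute: [values]}
DIRECTORY = {
    "o=e1,ou=entities,dc=example,dc=com": {},
    "cn=admin,o=e1,ou=entities,dc=example,dc=com": {"member": ["cn=e1admins,ou=groups,dc=example,dc=com"]},
    "cn=e1admins,ou=groups,dc=example,dc=com": {"member": ["uid=l.dap,ou=people,dc=example,dc=com"]},
    "cn=ldapadmins,ou=groups,dc=example,dc=com": {"member": ["cn=admin,dc=example,dc=com"]},
}

def members_closure(dn):
    """Transitive 'member*' expansion: members, members of members, and so on."""
    seen, todo = set(), [dn]
    while todo:
        for m in DIRECTORY.get(todo.pop(), {}).get("member", []):
            if m not in seen:
                seen.add(m)
                todo.append(m)
    return seen

def by_matches(who, user, target, groups):
    """Does one <by> clause apply to 'user' (assumed authenticated) on 'target'?"""
    if who in ("*", "users"):
        return True
    if who == "self":
        return user == target
    if who.startswith("dn="):
        return user == who[3:].strip('"')
    m = re.fullmatch(r'set(?:\.expand)?="(.+)/member\* & user"', who)
    assert m is not None, "unsupported clause: " + who
    group = target if m.group(1) == "this" else m.group(1).strip("[]")
    group = re.sub(r"\$(\d)", lambda x: groups[int(x.group(1)) - 1] or "", group)  # $n from dn.regex
    return user in members_closure(group)

def access(acls, user, target):
    """First <to> matching target decides; its first matching <by> sets the level, nothing later is consulted."""
    for to, bys in acls:
        m = re.fullmatch(".*" if to == "*" else to, target)  # assumed: regex anchored to whole DN
        if m is None:
            continue
        for who, level in bys:
            if by_matches(who, user, target, m.groups()):
                return level
        return "none"
    return "none"

STAR = ("*", [("self", "write"), ('dn="cn=admin,dc=example,dc=com"', "write"),
    ('set="[cn=ldapadmins,ou=groups,dc=example,dc=com]/member* & user"', "write"), ("users", "read"), ("*", "none")])
ENTITY = (r"([^,]+,)?o=([^,]+),ou=entities,dc=example,dc=com", [("self", "write"),
    ('dn="cn=admin,dc=example,dc=com"', "write"),
    ('set="[cn=ldapadmins,ou=groups,dc=example,dc=com]/member* & user"', "write"),
    ('set.expand="[cn=admin,o=$2,ou=entities,dc=example,dc=com]/member* & user"', "write"),
    ('set="this/member* & user"', "read"), ("*", "none")])
```

With `to *` first, l.dap stops at `by users read` and never reaches the set.expand clause, which is exactly the `[4] applying read(=rscxd) (stop)` line in the quoted slapacl trace; with the dn.regex rule first, the per-entity admin group grants write.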