Fedora directory users - Sep 2006 - Does userattr="parent[1].attribute#LDAPURL" work ?

Hi all,

in the directory server access control documentation, it is said that the
following aci syntax can be used :
(version 3.0; acl "test" allow (all) userattr
"parent[1].attribute#LDAPURL";)

I need exactly this feature for the LDAP support of my software.

But in my tests, while userattr="url.#LDAPURL" does work, the use of
the
"parent" keyword does not work.


I use the class enatelUserReferer which allow the url attribute type. The
object under which I want to create another one is :
cn=5b74e802-1dd211b2-80e4f010-e49d0000,o=tests

it is named by the nsuniqueid of the object :
uid=francois,dc=evidian,dc=fr

I want to give add access to this user, even if the user is renamed. So I
want to use the nsuniqueid to find him. In the url attribute I store :
ldap:///dc=evidian,dc=fr??sub?(nsuniqueid=5b74e802-1dd211b2-80e4f010-e49d0000)


Here are the ACI set on my o=tests root suffix :

dn: o=tests
changetype: modify
add: aci
aci:
(targetfilter="(objectClass=enatelUserReferer)")(targetattr=*)(version
3.0; acl "enatelUserReferer read access";  allow (read,search,compare)
userdn="ldap:///all";)

dn: o=tests
changetype: modify
add: aci
aci:
(targetfilter="(objectClass=enatelUserReferer)")(targetattr=*)(version
3.0; acl "enatelUserReferer add access"; allow (add)
userdn="ldap:///all";)

dn: o=tests
changetype: modify
add: aci
aci:
(targetfilter="(objectClass=enatelUserReferer)")(targetattr=*)(version
3.0; acl "enatelUserReferer personal acce ss"; allow (all)
userattr="url#LDAPURL";)

dn: o=tests
changetype: modify
add: aci
aci:
(targetfilter="(objectClass=enatelUserManagedAuth)")(targetattr=*)(version
3.0; acl "enatelUserManagedAuth acces s"; allow (all)
userattr="parent[1].url#LDAPURL";)


Then I bind as uid=francois,dc=evidian,dc=fr and try to create an
enatelUserManagedAuth of DN :
cn=auth,cn=5b74e802-1dd211b2-80e4f010-e49d0000,o=tests


I got access denied error.


Here is the access control log of slapd :

[22/Sep/2006:17:35:28 +0200] NSACLPlugin - acl_init_userGroup: found in
cache for dn:uid=francois,dc=evidian,dc=fr
[22/Sep/2006:17:35:28 +0200] NSACLPlugin - #### conn=1285 op=14
binddn="uid=francois,dc=evidian,dc=fr"
[22/Sep/2006:17:35:28 +0200] NSACLPlugin - Searching AVL tree for
update:cn=auth,cn=5b74e802-1dd211b2-80e4f010-e49d00 00,o=tests: container:-1
[22/Sep/2006:17:35:28 +0200] NSACLPlugin - Searching AVL tree for
update:cn=5b74e802-1dd211b2-80e4f010-e49d0000,o=tes ts: container:-1
[22/Sep/2006:17:35:28 +0200] NSACLPlugin - Searching AVL tree for
update:o=tests: container:26
[22/Sep/2006:17:35:28 +0200] NSACLPlugin -     ************ RESOURCE INFO
STARTS *********
[22/Sep/2006:17:35:28 +0200] NSACLPlugin -     Client DN:
uid=francois,dc=evidian,dc=fr
[22/Sep/2006:17:35:28 +0200] NSACLPlugin -     resource type:256(add
target_DN )
[22/Sep/2006:17:35:28 +0200] NSACLPlugin -     Slapi_Entry DN:
cn=auth,cn=5b74e802-1dd211b2-80e4f010-e49d0000,o=tests
[22/Sep/2006:17:35:28 +0200] NSACLPlugin -     ATTR: NULL
[22/Sep/2006:17:35:28 +0200] NSACLPlugin -     rights:add
[22/Sep/2006:17:35:28 +0200] NSACLPlugin -     ************ RESOURCE INFO
ENDS   *********
[22/Sep/2006:17:35:28 +0200] NSACLPlugin - Using ACL Cointainer:0 for
evaluation
[22/Sep/2006:17:35:28 +0200] NSACLPlugin - ***BEGIN ACL INFO[ Name:
"enatelUserManagedAuth access"]***
[22/Sep/2006:17:35:28 +0200] NSACLPlugin - ACL Index:692   ACL_ELEVEL:3
[22/Sep/2006:17:35:28 +0200] NSACLPlugin - ACI type:(compare search read
write delete add self target_attr target_fil ter acltxt allow_rule )
[22/Sep/2006:17:35:28 +0200] NSACLPlugin - ACI RULE type:(userattr )
[22/Sep/2006:17:35:28 +0200] NSACLPlugin - Slapi_Entry DN:o=tests
[22/Sep/2006:17:35:28 +0200] NSACLPlugin - ***END ACL
INFO*****************************
[22/Sep/2006:17:35:28 +0200] NSACLPlugin - Num of ALLOW Handles:1, DENY
handles:0
[22/Sep/2006:17:35:28 +0200] NSACLPlugin - Processed attr:NULL for
entry:cn=auth,cn=5b74e802-1dd211b2-80e4f010-e49d00 00,o=tests
[22/Sep/2006:17:35:28 +0200] NSACLPlugin - 1. Evaluating ALLOW aci(692) "
"enatelUserManagedAuth access""
[22/Sep/2006:17:35:28 +0200] NSACLPlugin - DS_LASUserAttrEval:
AttrName:parent[1].url, attrVal:LDAPURL
[22/Sep/2006:17:35:28 +0200] NSACLPlugin - conn=1285 op=14 (main): Deny add
on entry(cn=auth,cn=5b74e802-1dd211b2-80e
4f010-e49d0000,o=tests).attr(NULL): no aci matched the subject by aci(692):
aciname= "enatelUserManagedAuth access", acidn="o=tests"



Where is the problem ?

Thank you very much

François

Hi again,

since my first post may be complex, I made a much simpler sample, with
standard objects.

I created a root suffix ''o=bug''

with two ACI:
aci: (targetattr="*")(version 3.0; acl "Test"; allow
(all)userattr
="description#LDAPURL";)
aci: (targetattr="*")(version 3.0; acl "Test"; allow
(all)userattr
="parent[1].description#LDAPURL";)

Then I added a user, uid=testuser,o=bug

Then, an organizationalUnit, ou=testparentobject,o=bug
with the description: ldap:///o=bug??sub?(uid=testuser)

According the ACIs, testuser dhould be able to modify ou=testparentobject
and to create child objects under it.

But he only can modify it.

I don''t find where I made a mistake.

I join you my LDIF files and LDAP commands.


Thank you for your help

François



Here are the LDIF files :
---------- o=bug dump -------
dn: o=bug
aci: (targetattr != "userPassword") (version 3.0; acl "Anonymous
access";
allow (read, search, compare)userdn = "ldap:///anyone";)
aci: (targetattr="*")(version 3.0; acl "Test"; allow
(all)userattr
="description#LDAPURL";)
aci: (targetattr="*")(version 3.0; acl "Test"; allow
(all)userattr
="parent[1].description#LDAPURL";)
o: bug
objectClass: top
objectClass: organization

dn: uid=testuser,o=bug
uid: testuser
givenName: Test
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
sn: User
cn: Test User
userPassword: toto

dn: ou=testparentobject,o=bug
ou: testparentobject
description: ldap:///o=bug??sub?(uid=testuser)
objectClass: top
objectClass: organizationalunit




--------- modification command ----------
$ ldapmodify -x -D ''uid=testuser,o=bug'' -w toto -f
object-modification.ldif
modifying entry "ou=testparentobject,o=bug"
$

--------- creation command -----------
$ ldapadd -x -D ''uid=testuser,o=bug'' -w toto -f
object-creation.ldif
adding new entry "ou=testchildobject,ou=testparentobject,o=bug"
ldap_add: Insufficient access (50)
        additional info: Insufficient ''add'' privilege to add
the entry
''ou=testchildobject,ou=testparentobject,o=bug''.
$




---------- modification LDIF file ----------------
dn: ou=testparentobject,o=bug
changetype: modify
replace: telephoneNumber
telephoneNumber: 0123456789




---------- creation LDIF file --------------
dn: ou=testchildobject,ou=testparentobject,o=bug
objectClass: top
objectClass: organizationalUnit
ou: testchildobject

Hi,

I seem to have found a workaround (at least for my special case) by using a
macro ACI :

(targetattr="*")(target="ldap:///cn=*,cn=($dn),o=bug")(version
3.0; acl
"Test 2"; allow (all) userdn
="ldap:///o=bug??sub?(nsuniqueid=[$dn])";)

This works for my first post, which is my real life problem, where I want to
give right on an object to the user whose nsuniqueid equals the cn of the
object''s parent.

For my second post, this workaround does not work, since it is based on a DN
component, while I store the information in an attribute not used in the DN
(description).

Maybe I should file a bug.

François

2006/9/25, François Beretti
<francois.beretti@gmail.com>:
>
> Hi again,
>
> since my first post may be complex, I made a much simpler sample, with
> standard objects.
>
> I created a root suffix ''o=bug''
>
> with two ACI:
> aci: (targetattr="*")(version 3.0; acl "Test"; allow
(all)userattr
> ="description#LDAPURL";)
> aci: (targetattr="*")(version 3.0; acl "Test"; allow
(all)userattr
> ="parent[1].description#LDAPURL";)
>
> Then I added a user, uid=testuser,o=bug
>
> Then, an organizationalUnit, ou=testparentobject,o=bug
> with the description: ldap:///o=bug??sub?(uid=testuser)
>
> According the ACIs, testuser dhould be able to modify ou=testparentobject
> and to create child objects under it.
>
> But he only can modify it.
>
> I don''t find where I made a mistake.
>
> I join you my LDIF files and LDAP commands.
>
>
> Thank you for your help
>
> François
>
>
>
> Here are the LDIF files :
> ---------- o=bug dump -------
> dn: o=bug
> aci: (targetattr != "userPassword") (version 3.0; acl
"Anonymous access";
> allow (read, search, compare)userdn = "ldap:///anyone";)
> aci: (targetattr="*")(version 3.0; acl "Test"; allow
(all)userattr
> ="description#LDAPURL";)
> aci: (targetattr="*")(version 3.0; acl "Test"; allow
(all)userattr
> ="parent[1].description#LDAPURL";)
> o: bug
> objectClass: top
> objectClass: organization
>
> dn: uid=testuser,o=bug
> uid: testuser
> givenName: Test
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: inetorgperson
> sn: User
> cn: Test User
> userPassword: toto
>
> dn: ou=testparentobject,o=bug
> ou: testparentobject
> description: ldap:///o=bug??sub?(uid=testuser)
> objectClass: top
> objectClass: organizationalunit
>
>
>
>
> --------- modification command ----------
> $ ldapmodify -x -D ''uid=testuser,o=bug'' -w toto -f
> object-modification.ldif
> modifying entry "ou=testparentobject,o=bug"
> $
>
> --------- creation command -----------
> $ ldapadd -x -D ''uid=testuser,o=bug'' -w toto -f
object-creation.ldif
> adding new entry "ou=testchildobject,ou=testparentobject,o=bug"
> ldap_add: Insufficient access (50)
>         additional info: Insufficient ''add'' privilege to
add the entry
> ''ou=testchildobject,ou=testparentobject,o=bug''.
> $
>
>
>
>
> ---------- modification LDIF file ----------------
> dn: ou=testparentobject,o=bug
> changetype: modify
> replace: telephoneNumber
> telephoneNumber: 0123456789
>
>
>
>
> ---------- creation LDIF file --------------
> dn: ou=testchildobject,ou=testparentobject,o=bug
> objectClass: top
> objectClass: organizationalUnit
> ou: testchildobject
>
>
>
>
>
>
>