On 02/04/2013 08:02 AM, Picture Book wrote:
> The error message shows up in both 1.2.10.12 and 1.2.11.17. I think
> it's a bug, although maybe harmless.
> I am trying to grant all users under "ou=special,ou=test,dc=example,dc=com"
> read access to the "ou=people,ou=Test,dc=example,dc=com" subtree.
> So I first created a dynamic group including all users under
> "ou=special,ou=test,dc=example,dc=com":
> "cn=all special users,ou=special,ou=Test,dc=example,dc=com"
> memberURL:
> ldap:///ou=special,ou=test,dc=example,dc=com??one?(&(objectclass=inetorgperson)(cn=*))
> Then I added an ACI to "ou=people,ou=Test,dc=example,dc=com" granting the dynamic
> group permission to read all attributes:
> aci: (targetattr = "*") (version 3.0;acl "special users";allow (all)(groupdn = "ldap:///cn=all special users,ou=special,ou=Test,dc=example,dc=com");)
> The ACI does what it's supposed to do; now all users under
> "ou=special,ou=test,dc=example,dc=com" are able to read all attributes of the
> subtree "ou=people,ou=Test,dc=example,dc=com".
> 1
> ldapsearch -h localhost -p 389 -D "uid=ttest,ou=people,ou=Test,dc=example,dc=com" -w sp -b "ou=people,ou=Test,dc=example,dc=com"
>
> [31/Jan/2013:10:53:36 -0500] NSACLPlugin - acllas__client_match_URL: url [ldap:///ou=special,ou=test,dc=example,dc=com??one?(&(objectclass=inetorgperson)(cn=*))] scope is onelevel but dn [ou=special,ou=test,dc=example,dc=com] is not a direct child of [ou=people,ou=test,dc=example,dc=com]
>
> Since "uid=ttest,ou=people,ou=Test,dc=example,dc=com" is NOT a member of the
> dynamic group, the ACI does not apply. But the NSACLPlugin logs this error message, which I
> think is not necessary.
Ok. Please file a ticket.
> 2.
> ldapsearch -h localhost -p 389 -D "uid=test11,ou=Test,dc=example,dc=com" -w sp -b "ou=people,ou=Test,dc=example,dc=com"
>
> [31/Jan/2013:10:58:12 -0500] NSACLPlugin - acllas__client_match_URL: url [ldap:///ou=special,ou=test,dc=example,dc=com??one?(&(objectclass=inetorgperson)(cn=*))] scope is onelevel but dn [ou=special,ou=test,dc=example,dc=com] is not a direct child of [ou=test,dc=example,dc=com]
>
> Repeat searches 1 & 2: the acllas__client_match_URL error message doesn't repeat.
>
> 3.
> ldapsearch -h localhost -p 389 -D "uid=aclp,ou=special,ou=Test,dc=example,dc=com" -w sp -b "ou=people,ou=Test,dc=example,dc=com"
>
> no message in errors log
> Since "uid=aclp,ou=special,ou=Test,dc=example,dc=com" IS a member of the
> dynamic group, the ACL applies and the search returns all the attributes.
Ok, so this is working.
________________________________
> Date: Fri, 1 Feb 2013 12:20:58 -0700
> From: rmeggins(a)redhat.com
> To: 389-users(a)lists.fedoraproject.org
> CC: picturebook16(a)hotmail.com
> Subject: Re: [389-users] errors log - NSACLPlugin - acllas__client_match_URL:
>
> On 01/31/2013 09:17 AM, Picture Book wrote:
>
> After using a dynamic group in an ACL, I see the following messages in the errors log
>
> 1
> ldapsearch -h localhost -p 389 -D "uid=ttest,ou=people,ou=Test,dc=example,dc=com" -w sp -b "ou=people,ou=Test,dc=example,dc=com"
>
> [31/Jan/2013:10:53:36 -0500] NSACLPlugin - acllas__client_match_URL: url [ldap:///ou=special,ou=test,dc=example,dc=com??one?(&(objectclass=inetorgperson)(cn=*))] scope is onelevel but dn [ou=special,ou=test,dc=example,dc=com] is not a direct child of [ou=people,ou=test,dc=example,dc=com]
>
> 2.
> ldapsearch -h localhost -p 389 -D "uid=test11,ou=Test,dc=example,dc=com" -w sp -b "ou=people,ou=Test,dc=example,dc=com"
>
> [31/Jan/2013:10:58:12 -0500] NSACLPlugin - acllas__client_match_URL: url [ldap:///ou=special,ou=test,dc=example,dc=com??one?(&(objectclass=inetorgperson)(cn=*))] scope is onelevel but dn [ou=special,ou=test,dc=example,dc=com] is not a direct child of [ou=test,dc=example,dc=com]
>
> Repeat searches 1 & 2: the acllas__client_match_URL error message doesn't repeat.
>
> 3.
> ldapsearch -h localhost -p 389 -D "uid=aclp,ou=special,ou=Test,dc=example,dc=com" -w sp -b "ou=people,ou=Test,dc=example,dc=com"
>
> no message in errors log
>
> What platform? What 389-ds-base version?
> Not sure exactly what you're trying to do.
>
>
>
>
> This is the dynamic group:
>
> dn: cn=all special users,ou=special,ou=Test,dc=example,dc=com
> objectClass: groupofurls
> objectClass: groupofuniquenames
> objectClass: top
> cn: all special users
> memberURL: ldap:///ou=special,ou=test,dc=example,dc=com??one?(&(objectclass=
> inetorgperson)(cn=*))
>
> This is the ACL
> dn: ou=people,ou=Test,dc=example,dc=com
> objectClass: organizationalunit
> objectClass: top
> ou: people
> aci: (targetattr = "*") (version 3.0;acl "special users";allow (all)(groupdn = "ldap:///cn=all special users,ou=special,ou=Test,dc=example,dc=com");)
> createTimestamp: 20130131152507Z
>
> The following is the ldif export of the test setup
>
> version: 1
> dn: ou=Test,dc=example,dc=com
> objectClass: organizationalunit
> objectClass: top
> ou: Test
> createTimestamp: 20130123175104Z
> creatorsName: uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRo
> ot
> entrydn: ou=test,dc=example,dc=com
> entryid: 10
> hasSubordinates: TRUE
> modifiersName: uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeR
> oot
> modifyTimestamp: 20130123175104Z
> nsUniqueId: 6428fe79-658511e2-9283c9b9-f4c01566
> numSubordinates: 5
> parentid: 1
> subschemaSubentry: cn=schema
> dn: cn=mygroup,ou=Test,dc=example,dc=com
> objectClass: groupofuniquenames
> objectClass: top
> cn: mygroup
> uniqueMember: uid=test11,ou=test,dc=example,dc=com
> createTimestamp: 20130123175116Z
> creatorsName: uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRo
> ot
> entrydn: cn=mygroup,ou=test,dc=example,dc=com
> entryid: 11
> hasSubordinates: FALSE
> modifiersName: cn=referential integrity postoperation,cn=plugins,cn=config
> modifyTimestamp: 20130123182725Z
> nsUniqueId: 6428fe7a-658511e2-9283c9b9-f4c01566
> numSubordinates: 0
> parentid: 10
> subschemaSubentry: cn=schema
> dn: uid=test11,ou=Test,dc=example,dc=com
> objectClass: inetorgperson
> objectClass: organizationalPerson
> objectClass: person
> objectClass: top
> cn: test 1
> sn: 1
> givenName: test
> uid: test11
> userPassword:: e1NTSEF9QUNkS1NiOFVkOFJQSy9TeklGN2pCN2trblQvYWpkZjBwZy84c0E9P
> Q==
> createTimestamp: 20130123175131Z
> creatorsName: uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRo
> ot
> entrydn: uid=test11,ou=test,dc=example,dc=com
> entryid: 12
> hasSubordinates: FALSE
> modifiersName: uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeR
> oot
> modifyTimestamp: 20130131155727Z
> nsUniqueId: 6428fe7b-658511e2-9283c9b9-f4c01566
> numSubordinates: 0
> parentid: 10
> passwordGraceUserTime: 0
> subschemaSubentry: cn=schema
> dn: ou=people,ou=Test,dc=example,dc=com
> objectClass: organizationalunit
> objectClass: top
> ou: people
> aci: (targetattr = "*") (version 3.0;acl "special users";allow (all)(groupdn = "ldap:///cn=all special users,ou=special,ou=Test,dc=example,dc=com");)
> createTimestamp: 20130131152507Z
> creatorsName: uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRo
> ot
> entrydn: ou=people,ou=test,dc=example,dc=com
> entryid: 13
> hasSubordinates: TRUE
> modifiersName: uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeR
> oot
> modifyTimestamp: 20130131155032Z
> nsUniqueId: 55ac9901-6bba11e2-9283c9b9-f4c01566
> numSubordinates: 1
> parentid: 10
> subschemaSubentry: cn=schema
> dn: ou=groups,ou=Test,dc=example,dc=com
> objectClass: organizationalunit
> objectClass: top
> ou: groups
> createTimestamp: 20130131152521Z
> creatorsName: uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRo
> ot
> entrydn: ou=groups,ou=test,dc=example,dc=com
> entryid: 14
> hasSubordinates: FALSE
> modifiersName: uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeR
> oot
> modifyTimestamp: 20130131152521Z
> nsUniqueId: 55ac9902-6bba11e2-9283c9b9-f4c01566
> numSubordinates: 0
> parentid: 10
> subschemaSubentry: cn=schema
> dn: ou=special,ou=Test,dc=example,dc=com
> objectClass: organizationalunit
> objectClass: top
> ou: special
> createTimestamp: 20130131152543Z
> creatorsName: uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRo
> ot
> entrydn: ou=special,ou=test,dc=example,dc=com
> entryid: 15
> hasSubordinates: TRUE
> modifiersName: uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeR
> oot
> modifyTimestamp: 20130131152543Z
> nsUniqueId: 796fdf01-6bba11e2-9283c9b9-f4c01566
> numSubordinates: 2
> parentid: 10
> subschemaSubentry: cn=schema
> dn: uid=aclp,ou=special,ou=Test,dc=example,dc=com
> objectClass: inetorgperson
> objectClass: organizationalPerson
> objectClass: person
> objectClass: top
> cn: acl problem
> sn: problem
> givenName: acl
> uid: aclp
> userPassword:: e1NTSEF9dE1MR0F6bzhjcDJMb2JTN2FoMkZTcnE1RS9PTXg2S0FEUEtjMnc9P
> Q==
> createTimestamp: 20130131152618Z
> creatorsName: uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRo
> ot
> entrydn: uid=aclp,ou=special,ou=test,dc=example,dc=com
> entryid: 16
> hasSubordinates: FALSE
> modifiersName: uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeR
> oot
> modifyTimestamp: 20130131152854Z
> nsUniqueId: 796fdf02-6bba11e2-9283c9b9-f4c01566
> numSubordinates: 0
> parentid: 15
> passwordGraceUserTime: 0
> subschemaSubentry: cn=schema
> dn: cn=all special users,ou=special,ou=Test,dc=example,dc=com
> objectClass: groupofurls
> objectClass: groupofuniquenames
> objectClass: top
> cn: all special users
> memberURL: ldap:///ou=special,ou=test,dc=example,dc=com??one?(&(objectclass=
> inetorgperson)(cn=*))
> createTimestamp: 20130131152806Z
> creatorsName: uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRo
> ot
> entrydn: cn=all special users,ou=special,ou=test,dc=example,dc=com
> entryid: 17
> hasSubordinates: FALSE
> modifiersName: uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeR
> oot
> modifyTimestamp: 20130131155311Z
> nsUniqueId: c0f66b01-6bba11e2-9283c9b9-f4c01566
> numSubordinates: 0
> parentid: 15
> subschemaSubentry: cn=schema
> dn: uid=ttest,ou=people,ou=Test,dc=example,dc=com
> objectClass: inetorgperson
> objectClass: organizationalPerson
> objectClass: person
> objectClass: top
> cn: test test
> sn: test
> givenName: test
> uid: ttest
> userPassword:: e1NTSEF9VktyMVRzbHgxbVRJbGJJQlRnTXlRamVmREpHVE1nQk8yNnNucVE9P
> Q==
> createTimestamp: 20130131152911Z
> creatorsName: uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRo
> ot
> entrydn: uid=ttest,ou=people,ou=test,dc=example,dc=com
> entryid: 18
> hasSubordinates: FALSE
> modifiersName: uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeR
> oot
> modifyTimestamp: 20130131154252Z
> nsUniqueId: e4b9b101-6bba11e2-9283c9b9-f4c01566
> numSubordinates: 0
> parentid: 13
> passwordGraceUserTime: 0
> subschemaSubentry: cn=schema
>
>
>
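To make the scope check behind that log message concrete, here is an added Python model (not code from the thread or from 389-ds-base) of how a memberURL dynamic group resolves membership: the bind DN must sit under the URL's base at the URL's scope, and only then is the filter evaluated. It assumes simplified DN handling (case-insensitive RDN strings, no escaped commas) and flat AND filters; the sample entries are reduced from the LDIF export above.

```python
# Added example (not from the thread or 389-ds-base): a minimal model of how a
# memberURL dynamic group resolves membership, including the onelevel scope check.
# Assumptions: case-insensitive RDN strings, no escaped commas, flat AND filters.
from urllib.parse import unquote

def parse_ldap_url(url):
    """Split ldap:///base?attrs?scope?filter (RFC 4516) into base, scope, filter."""
    parts = url[len("ldap:///"):].split("?") + [""] * 3
    base, _attrs, scope, filt = parts[:4]
    return unquote(base), (scope.lower() or "base"), filt

def split_dn(dn):
    return [rdn.strip().lower() for rdn in dn.split(",")]

def dn_in_scope(dn, base, scope):
    """True when dn lies within base under the given search scope."""
    d, b = split_dn(dn), split_dn(base)
    if len(d) < len(b) or d[len(d) - len(b):] != b:
        return False                       # not under the base at all
    depth = len(d) - len(b)
    if scope == "base":
        return depth == 0
    if scope in ("one", "onelevel"):
        return depth == 1                  # must be a direct child of base
    return True                            # "sub": any descendant

def eval_filter(entry, filt):
    """Evaluate flat filters of the thread's shape: (a=b), (a=*), (&(a=b)(c=*))."""
    body = filt.strip()[1:-1]
    if body.startswith("&"):               # flat AND only; nesting not modelled
        return all(eval_filter(entry, "(%s)" % t) for t in body[2:-1].split(")("))
    attr, _, value = body.partition("=")
    vals = [v.lower() for v in entry.get(attr.lower(), [])]
    return bool(vals) if value == "*" else value.lower() in vals

def is_dynamic_member(member_url, dn, entry):
    """Member iff dn is inside the URL's base+scope and entry matches the filter."""
    base, scope, filt = parse_ldap_url(member_url)
    if not dn_in_scope(dn, base, scope):
        return False   # the case the plugin logs as "is not a direct child of"
    return eval_filter(entry, filt) if filt else True

MEMBER_URL = "ldap:///ou=special,ou=test,dc=example,dc=com??one?(&(objectclass=inetorgperson)(cn=*))"
ENTRIES = {  # reduced from the thread's LDIF export; attribute names lower-cased
    "uid=aclp,ou=special,ou=Test,dc=example,dc=com": {"objectclass": ["inetorgperson"], "cn": ["acl problem"]},
    "uid=ttest,ou=people,ou=Test,dc=example,dc=com": {"objectclass": ["inetorgperson"], "cn": ["test test"]},
    "uid=test11,ou=Test,dc=example,dc=com": {"objectclass": ["inetorgperson"], "cn": ["test 1"]},
}
def members(member_url=MEMBER_URL, entries=ENTRIES):
    return sorted(dn for dn, e in entries.items() if is_dynamic_member(member_url, dn, e))
```

Only uid=aclp resolves as a member: ttest and test11 fail the scope check before the filter is ever consulted, which is exactly why the ACI does not apply to them.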