[Issue 10081] New: slapacl lists wrong permissions when peername.ip is used in ACL

openldap-its Tue, 11 Jul 2023 02:28:43 -0700

https://bugs.openldap.org/show_bug.cgi?id=10081


          Issue ID: 10081
           Summary: slapacl lists wrong permissions when peername.ip is
                    used in ACL
           Product: OpenLDAP
           Version: 2.5.14
          Hardware: x86_64
                OS: Linux
            Status: UNCONFIRMED
          Keywords: needs_review
          Severity: normal
          Priority: ---
         Component: client tools
          Assignee: b...@openldap.org
          Reporter: carsten.jaec...@tu-dortmund.de
  Target Milestone: ---

in a testing environment (SLES 15 SP5, OpenLDAP 2.5.14) I use the following
ACLs in olcAccess:

{0}to dn.exact="cn=test,ou=users,dc=foo,dc=bar" by
dn.exact="cn=test,ou=users,dc=foo,dc=bar" peername.ip="10.10.10.10" write by *
none {1}to * by group.exact="cn=Admins,ou=groups,dc=foo,dc=bar" manage by *
none break {2}to * by self read by anonymous auth by * none break

If I run ldapmodify -xWD "cn=test,ou=users,dc=foo,dc=bar" to change the account
cn=test,ou=users,dc=foo,dc=bar on the system with ip 10.10.10.10 everything
works as expected.

LDAP-Log:
2023-06-16T12:53:12.024030+02:00 tst1 slapd[1333]: conn=1016 fd=28 ACCEPT from
IP=10.10.10.10:53558 (IP=0.0.0.0:636)
2023-06-16T12:53:12.039643+02:00 tst1 slapd[1333]: conn=1016 fd=28 TLS
established tls_ssf=128 ssf=128 tls_proto=TLSv1.3
tls_cipher=TLS_AES_128_GCM_SHA256
2023-06-16T12:53:12.039773+02:00 tst1 slapd[1333]: conn=1016 op=0 BIND
dn="cn=test,ou=users,dc=foo,dc=bar" method=128
2023-06-16T12:53:12.039841+02:00 tst1 slapd[1333]: conn=1016 op=0 BIND
dn="cn=test,ou=users,dc=foo,dc=bar" mech=SIMPLE bind_ssf=0 ssf=128
2023-06-16T12:53:12.041918+02:00 tst1 slapd[1333]: conn=1016 op=0 RESULT tag=97
err=0 qtime=0.000014 etime=0.002242 text=
2023-06-16T12:53:30.488074+02:00 tst1 slapd[1333]: conn=1016 op=1 MOD
dn="cn=test,ou=users,dc=foo,dc=bar"
2023-06-16T12:53:30.488474+02:00 tst1 slapd[1333]: conn=1016 op=1 MOD
attr=description
2023-06-16T12:53:30.557458+02:00 tst1 slapd[1333]: conn=1016 op=1 RESULT
tag=103 err=0 qtime=0.000022 etime=0.069664 text=
2023-06-16T12:53:33.035486+02:00 tst1 slapd[1333]: conn=1016 fd=28 closed
(connection lost)

Running the above command from another machine results in a Insufficient access
(50) error as also expected.
So I assume the ACLs to be working correctly.

If I run
slapacl -F /etc/symas/etc/openldap/slapd.d -o peername=10.10.10.10 -D
cn=test,ou=users,dc=foo,dc=bar -b cn=test,ou=users,dc=foo,dc=bar on the system
with ip 10.10.10.10 I get the following output:

PROXIED attributeDescription "OU" inserted.
PROXIED attributeDescription "DC" inserted.
authcDN: "cn=test,ou=users,dc=foo,dc=bar"
entry: none(=0)
children: none(=0)
description=test: none(=0)
cn=test: none(=0)
sn=test: none(=0)
objectClass=person: none(=0)
objectClass=top: none(=0)
structuralObjectClass=person: none(=0)
entryUUID=2304877c-4aed-103d-8c25-b91c1e3518c8: none(=0)
creatorsName=cn=manager,dc=foo,dc=bar: none(=0)
createTimestamp=20230227131940Z: none(=0)
userPassword=****: none(=0)
pwdChangedTime=20230227131959Z: none(=0)
authTimestamp=20230616065542Z: none(=0)
pwdLastSuccess=20230616103806Z: none(=0)
entryCSN=20230616103806.257186Z#000000#000#000000: none(=0)
modifiersName=cn=test,ou=users,dc=foo,dc=bar: none(=0)
modifyTimestamp=20230616103806Z: none(=0)

I expected to see write access in slapacl's output.

If I remove the 'peername.ip="10.10.10.10"' part from olcAccess {0}to
dn.exact="cn=test,ou=users,dc=foo,dc=bar" by
dn.exact="cn=test,ou=users,dc=foo,dc=bar" peername.ip="10.10.10.10" write by *
none the above slapacl command outputs write access correctly no matter if the
parameter '-o peername=10.10.10.10' is set or not.

olcAccess:
{0}to dn.exact="cn=test,ou=users,dc=foo,dc=bar" by
dn.exact="cn=test,ou=users,dc=foo,dc=bar" write by * none {1}to * by
group.exact="cn=Admins,ou=groups,dc=foo,dc=bar" manage by * none break {2}to *
by self read by anonymous auth by * none break

slapacl -F /etc/symas/etc/openldap/slapd.d -o peername=10.10.10.10 -D
cn=test,ou=users,dc=foo,dc=bar -b cn=test,ou=users,dc=foo,dc=bar

PROXIED attributeDescription "OU" inserted.
PROXIED attributeDescription "DC" inserted.
authcDN: "cn=test,ou=users,dc=foo,dc=bar"
entry: write(=wrscxd)
children: write(=wrscxd)
description=first test
cn=test: write(=wrscxd)
sn=test: write(=wrscxd)
objectClass=person: write(=wrscxd)
objectClass=top: write(=wrscxd)
structuralObjectClass=person: write(=wrscxd)
entryUUID=2304877c-4aed-103d-8c25-b91c1e3518c8: write(=wrscxd)
creatorsName=cn=manager,dc=foo,dc=bar: write(=wrscxd)
createTimestamp=20230227131940Z: write(=wrscxd)
userPassword=****: write(=wrscxd)
pwdChangedTime=20230227131959Z: write(=wrscxd)
authTimestamp=20230616065542Z: write(=wrscxd)
pwdLastSuccess=20230616105312Z: write(=wrscxd)
entryCSN=20230616105330.487886Z#000000#000#000000: write(=wrscxd)
modifiersName=cn=test,ou=users,dc=foo,dc=bar: write(=wrscxd)
modifyTimestamp=20230616105330Z: write(=wrscxd)

-- 
You are receiving this mail because:
You are on the CC list for the issue.

[Issue 10081] New: slapacl lists wrong permissions when peername.ip is used in ACL

Reply via email to