Re: errors log - NSACLPlugin - acllas__client_match_URL:

On 02/04/2013 08:02 AM, Picture Book wrote:
The error message shows up in both 1.2.10.12 and 1.2.11.17. I think it's a bug, although maybe harmless.

I am trying to grant all users under "ou=special,ou=test,dc=example,dc=com" read access to "ou=people,ou=Test,dc=example,dc=com" subtree.

So I first created a dynamic group including all users under "ou=special,ou=test,dc=example,dc=com":
"cn=all special users,ou=special,ou=Test,dc=example,dc=com"
memberURL: ldap:///ou=special,ou=test,dc=example,dc=com??one?(&(objectclass=inetorgperson)(cn=*))

Then I added an ACI to "ou=people,ou=Test,dc=example,dc=com" granting the dynamic group read access to all attributes

aci: (targetattr = "*") (version 3.0;acl "special users";allow (all)(groupdn = "ldap:///cn=all special users,ou=special,ou=Test,dc=example,dc=com");)

The ACI does what it's supposed to do; now all users under "ou=special,ou=test,dc=example,dc=com" are able to read all attributes of the subtree "ou=people,ou=Test,dc=example,dc=com".

1.
ldapsearch -h localhost -p 389 -D "uid=ttest,ou=people,ou=Test,dc=example,dc=com" -w sp -b "ou=people,ou=Test,dc=example,dc=com"

[31/Jan/2013:10:53:36 -0500] NSACLPlugin - acllas__client_match_URL: url [ldap:///ou=special,ou=test,dc=example,dc=com??one?(&(objectclass=inetorgperson)(cn=*))] scope is onelevel but dn [ou=special,ou=test,dc=example,dc=com] is not a direct child of [ou=people,ou=test,dc=example,dc=com]

Since "uid=ttest,ou=people,ou=Test,dc=example,dc=com" is NOT a member of the dynamic group, the ACI does not apply. But the NSACLPlugin logs this error message, which I think is not necessary.
Ok.  Please file a ticket.

2.
ldapsearch -h localhost -p 389 -D "uid=test11,ou=Test,dc=example,dc=com" -w sp -b "ou=people,ou=Test,dc=example,dc=com"

[31/Jan/2013:10:58:12 -0500] NSACLPlugin - acllas__client_match_URL: url [ldap:///ou=special,ou=test,dc=example,dc=com??one?(&(objectclass=inetorgperson)(cn=*))] scope is onelevel but dn [ou=special,ou=test,dc=example,dc=com] is not a direct child of [ou=test,dc=example,dc=com]

Repeating searches 1 & 2, the acllas__client_match_URL error message doesn't repeat.

3.
ldapsearch -h localhost -p 389 -D "uid=aclp,ou=special,ou=Test,dc=example,dc=com" -w sp -b "ou=people,ou=Test,dc=example,dc=com"

no message in errors log
Since "uid=aclp,ou=special,ou=Test,dc=example,dc=com" IS a member of the dynamic group, the ACL applies and the search returns all the attributes.
Ok, so this is working.

________________________________
Date: Fri, 1 Feb 2013 12:20:58 -0700
From: rmeggins@xxxxxxxxxx
To: 389-users@xxxxxxxxxxxxxxxxxxxxxxx
CC: picturebook16@xxxxxxxxxxx
Subject: Re:  errors log - NSACLPlugin - acllas__client_match_URL:

On 01/31/2013 09:17 AM, Picture Book wrote:

After using dynamic group in ACL, I see the following messages in errors log

1.
ldapsearch -h localhost -p 389 -D "uid=ttest,ou=people,ou=Test,dc=example,dc=com" -w sp -b "ou=people,ou=Test,dc=example,dc=com"

[31/Jan/2013:10:53:36 -0500] NSACLPlugin - acllas__client_match_URL: url [ldap:///ou=special,ou=test,dc=example,dc=com??one?(&(objectclass=inetorgperson)(cn=*))] scope is onelevel but dn [ou=special,ou=test,dc=example,dc=com] is not a direct child of [ou=people,ou=test,dc=example,dc=com]

2.
ldapsearch -h localhost -p 389 -D "uid=test11,ou=Test,dc=example,dc=com" -w sp -b "ou=people,ou=Test,dc=example,dc=com"

[31/Jan/2013:10:58:12 -0500] NSACLPlugin - acllas__client_match_URL: url [ldap:///ou=special,ou=test,dc=example,dc=com??one?(&(objectclass=inetorgperson)(cn=*))] scope is onelevel but dn [ou=special,ou=test,dc=example,dc=com] is not a direct child of [ou=test,dc=example,dc=com]

Repeating searches 1 & 2, the acllas__client_match_URL error message doesn't repeat.

3.
ldapsearch -h localhost -p 389 -D "uid=aclp,ou=special,ou=Test,dc=example,dc=com" -w sp -b "ou=people,ou=Test,dc=example,dc=com"

no message in errors log

What platform? What 389-ds-base version?
Not sure exactly what you're trying to do.




This is the dynamic group:

dn: cn=all special users,ou=special,ou=Test,dc=example,dc=com
objectClass: groupofurls
objectClass: groupofuniquenames
objectClass: top
cn: all special users
memberURL: ldap:///ou=special,ou=test,dc=example,dc=com??one?(&(objectclass=inetorgperson)(cn=*))

This is the ACL
dn: ou=people,ou=Test,dc=example,dc=com
objectClass: organizationalunit
objectClass: top
ou: people
aci: (targetattr = "*") (version 3.0;acl "special users";allow (all)(groupdn = "ldap:///cn=all special users,ou=special,ou=Test,dc=example,dc=com");)
createTimestamp: 20130131152507Z

The following is the ldif export of the test setup

version: 1
dn: ou=Test,dc=example,dc=com
objectClass: organizationalunit
objectClass: top
ou: Test
createTimestamp: 20130123175104Z
creatorsName: uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot
entrydn: ou=test,dc=example,dc=com
entryid: 10
hasSubordinates: TRUE
modifiersName: uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot
modifyTimestamp: 20130123175104Z
nsUniqueId: 6428fe79-658511e2-9283c9b9-f4c01566
numSubordinates: 5
parentid: 1
subschemaSubentry: cn=schema
dn: cn=mygroup,ou=Test,dc=example,dc=com
objectClass: groupofuniquenames
objectClass: top
cn: mygroup
uniqueMember: uid=test11,ou=test,dc=example,dc=com
createTimestamp: 20130123175116Z
creatorsName: uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot
entrydn: cn=mygroup,ou=test,dc=example,dc=com
entryid: 11
hasSubordinates: FALSE
modifiersName: cn=referential integrity postoperation,cn=plugins,cn=config
modifyTimestamp: 20130123182725Z
nsUniqueId: 6428fe7a-658511e2-9283c9b9-f4c01566
numSubordinates: 0
parentid: 10
subschemaSubentry: cn=schema
dn: uid=test11,ou=Test,dc=example,dc=com
objectClass: inetorgperson
objectClass: organizationalPerson
objectClass: person
objectClass: top
cn: test 1
sn: 1
givenName: test
uid: test11
userPassword:: e1NTSEF9QUNkS1NiOFVkOFJQSy9TeklGN2pCN2trblQvYWpkZjBwZy84c0E9PQ==
createTimestamp: 20130123175131Z
creatorsName: uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot
entrydn: uid=test11,ou=test,dc=example,dc=com
entryid: 12
hasSubordinates: FALSE
modifiersName: uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot
modifyTimestamp: 20130131155727Z
nsUniqueId: 6428fe7b-658511e2-9283c9b9-f4c01566
numSubordinates: 0
parentid: 10
passwordGraceUserTime: 0
subschemaSubentry: cn=schema
dn: ou=people,ou=Test,dc=example,dc=com
objectClass: organizationalunit
objectClass: top
ou: people
aci: (targetattr = "*") (version 3.0;acl "special users";allow (all)(groupdn = "ldap:///cn=all special users,ou=special,ou=Test,dc=example,dc=com");)
createTimestamp: 20130131152507Z
creatorsName: uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot
entrydn: ou=people,ou=test,dc=example,dc=com
entryid: 13
hasSubordinates: TRUE
modifiersName: uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot
modifyTimestamp: 20130131155032Z
nsUniqueId: 55ac9901-6bba11e2-9283c9b9-f4c01566
numSubordinates: 1
parentid: 10
subschemaSubentry: cn=schema
dn: ou=groups,ou=Test,dc=example,dc=com
objectClass: organizationalunit
objectClass: top
ou: groups
createTimestamp: 20130131152521Z
creatorsName: uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot
entrydn: ou=groups,ou=test,dc=example,dc=com
entryid: 14
hasSubordinates: FALSE
modifiersName: uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot
modifyTimestamp: 20130131152521Z
nsUniqueId: 55ac9902-6bba11e2-9283c9b9-f4c01566
numSubordinates: 0
parentid: 10
subschemaSubentry: cn=schema
dn: ou=special,ou=Test,dc=example,dc=com
objectClass: organizationalunit
objectClass: top
ou: special
createTimestamp: 20130131152543Z
creatorsName: uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot
entrydn: ou=special,ou=test,dc=example,dc=com
entryid: 15
hasSubordinates: TRUE
modifiersName: uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot
modifyTimestamp: 20130131152543Z
nsUniqueId: 796fdf01-6bba11e2-9283c9b9-f4c01566
numSubordinates: 2
parentid: 10
subschemaSubentry: cn=schema
dn: uid=aclp,ou=special,ou=Test,dc=example,dc=com
objectClass: inetorgperson
objectClass: organizationalPerson
objectClass: person
objectClass: top
cn: acl problem
sn: problem
givenName: acl
uid: aclp
userPassword:: e1NTSEF9dE1MR0F6bzhjcDJMb2JTN2FoMkZTcnE1RS9PTXg2S0FEUEtjMnc9PQ==
createTimestamp: 20130131152618Z
creatorsName: uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot
entrydn: uid=aclp,ou=special,ou=test,dc=example,dc=com
entryid: 16
hasSubordinates: FALSE
modifiersName: uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot
modifyTimestamp: 20130131152854Z
nsUniqueId: 796fdf02-6bba11e2-9283c9b9-f4c01566
numSubordinates: 0
parentid: 15
passwordGraceUserTime: 0
subschemaSubentry: cn=schema
dn: cn=all special users,ou=special,ou=Test,dc=example,dc=com
objectClass: groupofurls
objectClass: groupofuniquenames
objectClass: top
cn: all special users
memberURL: ldap:///ou=special,ou=test,dc=example,dc=com??one?(&(objectclass=inetorgperson)(cn=*))
createTimestamp: 20130131152806Z
creatorsName: uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot
entrydn: cn=all special users,ou=special,ou=test,dc=example,dc=com
entryid: 17
hasSubordinates: FALSE
modifiersName: uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot
modifyTimestamp: 20130131155311Z
nsUniqueId: c0f66b01-6bba11e2-9283c9b9-f4c01566
numSubordinates: 0
parentid: 15
subschemaSubentry: cn=schema
dn: uid=ttest,ou=people,ou=Test,dc=example,dc=com
objectClass: inetorgperson
objectClass: organizationalPerson
objectClass: person
objectClass: top
cn: test test
sn: test
givenName: test
uid: ttest
userPassword:: e1NTSEF9VktyMVRzbHgxbVRJbGJJQlRnTXlRamVmREpHVE1nQk8yNnNucVE9PQ==
createTimestamp: 20130131152911Z
creatorsName: uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot
entrydn: uid=ttest,ou=people,ou=test,dc=example,dc=com
entryid: 18
hasSubordinates: FALSE
modifiersName: uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot
modifyTimestamp: 20130131154252Z
nsUniqueId: e4b9b101-6bba11e2-9283c9b9-f4c01566
numSubordinates: 0
parentid: 13
passwordGraceUserTime: 0
subschemaSubentry: cn=schema



--
389 users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-users
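The scope test behind the logged message, as an added example that is not code from 389-ds-base or from the thread: a small Python model of dynamic-group membership by memberURL that parses the URL and checks whether a bind DN sits under its base at the given scope (base, one, sub). The memberURL and the three bind DNs are the ones from the thread; the filter part is parsed but not evaluated, since the reported message concerns scope only, and the function names and the simplified DN splitting (no escaped commas) are this example's own.

```python
from urllib.parse import unquote

# Values taken from the thread: the dynamic group's memberURL and the three bind DNs.
MEMBER_URL = "ldap:///ou=special,ou=test,dc=example,dc=com??one?(&(objectclass=inetorgperson)(cn=*))"
BIND_DNS = [
    "uid=ttest,ou=people,ou=Test,dc=example,dc=com",   # search 1: not a member
    "uid=test11,ou=Test,dc=example,dc=com",            # search 2: not a member
    "uid=aclp,ou=special,ou=Test,dc=example,dc=com",   # search 3: member
]

def normalize_dn(dn):
    """Split a DN into RDNs, lower-cased and trimmed, so that 'ou=Test,...' and
    'ou=test,...' compare equal. Simplification: RDN values with escaped commas
    are not handled."""
    return tuple(rdn.strip().lower() for rdn in dn.split(",") if rdn.strip())

def parse_ldap_url(url):
    """Parse the host-less ldap:///base?attrs?scope?filter form (RFC 4516)
    that memberURL uses. A missing scope defaults to 'base' as in the RFC."""
    prefix = "ldap:///"
    if not url.startswith(prefix):
        raise ValueError("expected an ldap:/// URL")
    base, attrs, scope, filt = (url[len(prefix):].split("?", 3) + [""] * 3)[:4]
    return {"base": unquote(base), "attrs": attrs,
            "scope": (scope or "base").lower(), "filter": unquote(filt)}

def dn_in_scope(client_dn, base, scope):
    """True if client_dn lies within base at the given scope.
    'one' means a direct child: exactly one RDN below the base."""
    client, root = normalize_dn(client_dn), normalize_dn(base)
    if scope == "base":
        return client == root
    if scope in ("one", "onelevel"):
        return len(client) == len(root) + 1 and client[1:] == root
    if scope in ("sub", "subtree"):
        return len(client) >= len(root) and client[len(client) - len(root):] == root
    raise ValueError("unknown scope %r" % scope)

def scope_check(client_dn, url):
    """Return (candidate, reason). candidate=False means the bind DN is outside
    the URL's scope and can never match the group, whatever the filter says;
    this is the ordinary non-member case, not an error condition."""
    u = parse_ldap_url(url)
    if dn_in_scope(client_dn, u["base"], u["scope"]):
        return True, "in scope; filter %s decides membership" % u["filter"]
    return False, "dn [%s] is outside scope %s of [%s]" % (client_dn, u["scope"], u["base"])

if __name__ == "__main__":
    for dn in BIND_DNS:
        print(dn, "->", scope_check(dn, MEMBER_URL))
```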
