Discussion:
val/integerMatch="0"
Michael Ströder
2015-11-07 21:19:20 UTC
Permalink
HI!

Maybe I'm doing something obviously wrong but I don't see it.

I want to limit the right to reset a counter value solely to zero with this
ACL directive:

add_content_acl yes
[..]
access to
dn.subtree="ou=ae-dir"
filter="(aeStatus=0)"
attrs=oathHOTPCounter
val/integerMatch="0"
by group/aeGroup/member="cn=2fa admins,cn=2fa,ou=ae-dir" write
by * break
[..]

The modify request looks like this (old value is 10):

dn: serialNumber=yubikey-23,cn=2fa,ou=ae-dir
changetype: modify
replace: oathHOTPCounter
oathHOTPCounter: 0
-

It seems the ACL does not trigger; without the val= part the modification is
allowed (but to any value). I also tried other forms:

val="0"
val=0
val.regex="^0$"

Can somebody help me? Thanks in advance.

Ciao, Michael.
Howard Chu
2015-11-08 01:18:10 UTC
Permalink
Post by Michael Ströder
> HI!
> Maybe I'm doing something obviously wrong but I don't see it.
> I want to limit the right to reset a counter value solely to zero with this
> ACL directive:
> add_content_acl yes
> [..]
> access to
> dn.subtree="ou=ae-dir"
> filter="(aeStatus=0)"
> attrs=oathHOTPCounter
> val/integerMatch="0"
> by group/aeGroup/member="cn=2fa admins,cn=2fa,ou=ae-dir" write
> by * break
> [..]
> The modify request looks like this (old value is 10):
> dn: serialNumber=yubikey-23,cn=2fa,ou=ae-dir
> changetype: modify
> replace: oathHOTPCounter
> oathHOTPCounter: 0
> -
> It seems the ACL does not trigger; without the val= part the modification is
> allowed (but to any value).

Your ACL is set on a specific value. The replace op doesn't delete a specific
value, it deletes the entire attribute.

> I also tried other forms:
> val="0"
> val=0
> val.regex="^0$"
> Can somebody help me? Thanks in advance.
> Ciao, Michael.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
Michael Ströder
2015-11-08 02:08:34 UTC
Permalink
Post by Howard Chu
> Post by Michael Ströder
>> Maybe I'm doing something obviously wrong but I don't see it.
>> I want to limit the right to reset a counter value solely to zero with this
>> ACL directive:
>> add_content_acl yes
>> [..]
>> access to
>> dn.subtree="ou=ae-dir"
>> filter="(aeStatus=0)"
>> attrs=oathHOTPCounter
>> val/integerMatch="0"
>> by group/aeGroup/member="cn=2fa admins,cn=2fa,ou=ae-dir" write
>> by * break
>> [..]
>> The modify request looks like this (old value is 10):
>> dn: serialNumber=yubikey-23,cn=2fa,ou=ae-dir
>> changetype: modify
>> replace: oathHOTPCounter
>> oathHOTPCounter: 0
>> -
>> It seems the ACL does not trigger; without the val= part the modification is
> Your ACL is set on a specific value. The replace op doesn't delete a specific
> value, it deletes the entire attribute.

Hmm, so for enforcing that a client can only set a specific value I'd have to
use two ACLs:
1. One for deleting an arbitrary value -> =z (or =zr in my case) and
2. another one with val=0 -> =a.

Right?

Ciao, Michael.
Michael Ströder
2015-11-08 08:55:44 UTC
Permalink
Post by Michael Ströder
> Post by Howard Chu
>> Post by Michael Ströder
>>> Maybe I'm doing something obviously wrong but I don't see it.
>>> I want to limit the right to reset a counter value solely to zero with this
>>> ACL directive:
>>> add_content_acl yes
>>> [..]
>>> access to
>>> dn.subtree="ou=ae-dir"
>>> filter="(aeStatus=0)"
>>> attrs=oathHOTPCounter
>>> val/integerMatch="0"
>>> by group/aeGroup/member="cn=2fa admins,cn=2fa,ou=ae-dir" write
>>> by * break
>>> [..]
>>> The modify request looks like this (old value is 10):
>>> dn: serialNumber=yubikey-23,cn=2fa,ou=ae-dir
>>> changetype: modify
>>> replace: oathHOTPCounter
>>> oathHOTPCounter: 0
>>> -
>>> It seems the ACL does not trigger; without the val= part the modification is
>> Your ACL is set on a specific value. The replace op doesn't delete a specific
>> value, it deletes the entire attribute.
> Hmm, so for enforcing that a client can only set a specific value I'd have to
> use two ACLs:
> 1. One for deleting an arbitrary value -> =z (or =zr in my case) and
> 2. another one with val=0 -> =a.
> Right?

Thanks for pointing out the obvious.

This seems to work like I want:

# allow 2FA admins to add new value 0
access to
dn.subtree="ou=ae-dir"
filter="(aeStatus=0)"
attrs=oathHOTPCounter
val/integerMatch="0"
by group/aeGroup/member="cn=2fa admins,cn=2fa,ou=ae-dir" =ra
by * break

# allow 2FA admins to delete any value
access to
dn.subtree="ou=ae-dir"
filter="(aeStatus=0)"
attrs=oathHOTPCounter
by group/aeGroup/member="cn=2fa admins,cn=2fa,ou=ae-dir" =rz
by * none

Ciao, Michael.
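As an added illustration of Howard's point (this is not code from the thread or from OpenLDAP): a toy model of the access checks a modify/replace goes through, using the privilege letters and the two ACL layouts from this thread. It assumes only the "2fa admins" subject (the by group clause is taken as matching), models val/integerMatch as integer equality, and checks a replace as an attribute-level delete followed by a per-value add, as Howard describes.

```python
from dataclasses import dataclass
from typing import List, Optional

# Toy model of the access checks slapd applies to a modify/replace on one
# attribute, written for this thread; it is not slapd's own code. Only the
# "2fa admins" subject is modelled, so "by * break" just moves to the next ACL.

@dataclass
class Acl:
    attr: str
    value: Optional[str]  # value selected by val/integerMatch; None = no val/ clause
    privs: str            # slapd privilege letters, e.g. "ra", "rz", "w"

def _value_matches(acl: Acl, value: Optional[str]) -> bool:
    """val/integerMatch is modelled as integer equality. An ACL with a val/
    clause never matches an attribute-level check that carries no value."""
    if acl.value is None:
        return True
    if value is None:
        return False
    try:
        return int(acl.value) == int(value)
    except ValueError:
        return False

def grants(acls: List[Acl], attr: str, value: Optional[str], needed: str) -> bool:
    """The first ACL whose 'to' clause matches (attr, value) decides.
    'w' (write) implies both add (a) and delete (z)."""
    for acl in acls:
        if acl.attr == attr and _value_matches(acl, value):
            return needed in acl.privs or "w" in acl.privs
    return False

def replace_allowed(acls: List[Acl], attr: str, new_values: List[str]) -> bool:
    """A replace deletes the whole attribute (checked without a value, so a
    val/-scoped ACL cannot grant it) and then adds each new value."""
    if not grants(acls, attr, None, "z"):
        return False
    return all(grants(acls, attr, v, "a") for v in new_values)

# Michael's first attempt: one val/-scoped ACL granting write.
SINGLE_ACL = [Acl("oathHOTPCounter", "0", "w")]
# The working layout: =ra for value 0, =rz for the attribute as a whole.
SPLIT_ACLS = [Acl("oathHOTPCounter", "0", "ra"),
              Acl("oathHOTPCounter", None, "rz")]

if __name__ == "__main__":
    print(replace_allowed(SINGLE_ACL, "oathHOTPCounter", ["0"]))  # False
    print(replace_allowed(SPLIT_ACLS, "oathHOTPCounter", ["0"]))  # True
    print(replace_allowed(SPLIT_ACLS, "oathHOTPCounter", ["5"]))  # False
```

The single val/-scoped ACL fails because the delete half of the replace carries no value for the ACL to match, while the split layout passes the reset to 0 and still refuses a reset to any other value.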
