Debugging OpenLDAP ACLs

OpenLDAP provides a super powerful ACL syntax that lets you control access to every nook and cranny of your directory server. When I’m testing advanced ACL configurations I have found it incredibly useful to add the “ACL” value to the loglevel directive:

loglevel ACL

When this option is set, slapd logs how it evaluates the ACLs for a given LDAP operation, clause by clause:

Dec  4 09:01:00 rocco slapd[6026]: => acl_mask: access to entry "ou=users,dc=prefetch,dc=net", attr "entry" requested
Dec  4 09:01:00 rocco slapd[6026]: => acl_mask: to all values by "", (=0) 
Dec  4 09:01:00 rocco slapd[6026]: <= check a_dn_pat: users
Dec  4 09:01:00 rocco slapd[6026]: <= check a_peername_path: 1.2.3.4
Dec  4 09:01:00 rocco slapd[6026]: <= acl_mask: [2] applying read(=rscxd) (stop)
Dec  4 09:01:00 rocco slapd[6026]: <= acl_mask: [2] mask: read(=rscxd)
Dec  4 09:01:00 rocco slapd[6026]: => slap_access_allowed: search access granted by read(=rscxd)
Dec  4 09:01:00 rocco slapd[6026]: => access_allowed: search access granted by read(=rscxd)
Dec  4 09:01:00 rocco slapd[6026]: => access_allowed: search access to "cn=matty,ou=users,dc=prefetch,dc=net" "uid" requested

This is super handy and will save you tons of time and heartburn when crafting complex ACLs.
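As an added example (not part of the original post), here is a small Python parser for this trace format: it groups the acl_mask and slap_access_allowed lines into one record per access check (which entry and attribute, who asked, which ACL clause fired, and the verdict) and then lists the checks granted to an anonymous bind, which is the first thing to review when an ACL turns out to be broader than intended. The sample input is the trace above plus three constructed lines showing a denied check for the uid attribute; the record layout and the "anonymous" label are this example's own conventions.

```python
import re

# Trace lines slapd emits under "loglevel ACL" (the syslog prefix is ignored by search()).
RE_REQUEST = re.compile(r'=> (?:access_allowed: (\w+) access to "([^"]*)" "([^"]*)"'
                        r'|acl_mask: access to entry "([^"]*)", attr "([^"]*)") requested')
RE_BY = re.compile(r'=> acl_mask: to .* by "([^"]*)"')
RE_APPLY = re.compile(r'<= acl_mask: \[(\d+)\] applying (\w+)\(=\w*\)')
RE_RESULT = re.compile(r'=> slap_access_allowed: (\w+) access (granted|denied) by (\w+)')

# Sample input: the trace from the post, followed by three constructed lines for a denied check.
SAMPLE_LOG = """\
Dec  4 09:01:00 rocco slapd[6026]: => acl_mask: access to entry "ou=users,dc=prefetch,dc=net", attr "entry" requested
Dec  4 09:01:00 rocco slapd[6026]: => acl_mask: to all values by "", (=0)
Dec  4 09:01:00 rocco slapd[6026]: <= check a_dn_pat: users
Dec  4 09:01:00 rocco slapd[6026]: <= check a_peername_path: 1.2.3.4
Dec  4 09:01:00 rocco slapd[6026]: <= acl_mask: [2] applying read(=rscxd) (stop)
Dec  4 09:01:00 rocco slapd[6026]: <= acl_mask: [2] mask: read(=rscxd)
Dec  4 09:01:00 rocco slapd[6026]: => slap_access_allowed: search access granted by read(=rscxd)
Dec  4 09:01:00 rocco slapd[6026]: => access_allowed: search access granted by read(=rscxd)
Dec  4 09:01:00 rocco slapd[6026]: => access_allowed: search access to "cn=matty,ou=users,dc=prefetch,dc=net" "uid" requested
Dec  4 09:01:00 rocco slapd[6026]: => acl_mask: access to entry "cn=matty,ou=users,dc=prefetch,dc=net", attr "uid" requested
Dec  4 09:01:00 rocco slapd[6026]: => acl_mask: to all values by "", (=0)
Dec  4 09:01:00 rocco slapd[6026]: => slap_access_allowed: search access denied by none(=0)
"""

def parse_acl_trace(lines):
    """One dict per access check: opened by a '... requested' line, closed by the slap_access_allowed verdict."""
    records, cur = [], None
    for line in lines:
        if m := RE_REQUEST.search(line):
            entry, attr = m.group(2) or m.group(4), m.group(3) or m.group(5)
            # access_allowed and acl_mask both announce the same check: merge them, else open a new one.
            if not (cur and cur["result"] is None and (cur["entry"], cur["attr"]) == (entry, attr)):
                cur = {"op": None, "entry": entry, "attr": attr, "by": None,
                       "clause": None, "mask": None, "result": None}
                records.append(cur)
            cur["op"] = cur["op"] or m.group(1)
        elif cur is None:
            continue  # lines outside a check, e.g. the duplicate access_allowed verdict
        elif m := RE_BY.search(line):
            cur["by"] = m.group(1) or "anonymous"  # empty bind DN means an unauthenticated client
        elif m := RE_APPLY.search(line):
            cur["clause"], cur["mask"] = int(m.group(1)), m.group(2)  # [n] is the ACL clause index
        elif m := RE_RESULT.search(line):
            cur["op"], cur["result"] = cur["op"] or m.group(1), m.group(2)
            cur = None
    return records

def anonymous_grants(records):
    """Checks granted to an unauthenticated bind: the list to review for over-broad ACLs."""
    return [r for r in records if r["by"] == "anonymous" and r["result"] == "granted"]
```

Running it over SAMPLE_LOG shows that ACL clause 2 grants anonymous read on the ou=users entry while the uid read on cn=matty is denied, which is exactly the kind of mismatch the trace makes visible.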
