directory-dev mailing list archives

From Trustin Lee <trus...@gmail.com>
Subject Re: [apacheds]ACI support classes never consider "attributeValue" in ACIItem
Date Tue, 25 Oct 2005 10:43:21 GMT
2005/10/19, Alex Karasulu <aok123@bellsouth.net>:
>
> Trustin,
>
> Within the o.a.l.s.authz.support package nothing checks to see if the
> "attributeValue" field in a protectedItem is adhered to. For this
> reason permission checks are failing. Let me give you an example that I
> have in a testcase:
>
> I have the following ACIItem:
>
> {
>   identificationTag "searchAci",
>   precedence 14,
>   authenticationLevel none,
>   itemOrUserFirst userFirst:
>   {
>     userClasses { allUsers },
>     userPermissions
>     {
>       {
>         protectedItems { entry, attributeType { ou }, allAttributeValues { objectClass }, attributeValue { ou=0, ou=1, ou=2 } },
>         grantsAndDenials { grantRead, grantReturnDN, grantBrowse }
>       }
>     }
>   }
> }
>
> This should only allow the return of ou values that are "0", "1" and "2"
> and not allow the return of other ou values in a search. However it's
> not doing that. Nothing in the support pkg seems to test to see if the
> value is equal to any of these values.
>
> Could you advise on what's happening?


It was because RelatedProtectedItemFilter didn't ignore AttributeType when
operationScope is not ATTRIBUTE_TYPE_AND_VALUE. Now it should work fine.

Trustin
--
what we call human nature is actually human habit
--
http://gleamynode.net/
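
An added example, not part of the thread and not ApacheDS code: a simplified Python model of the value-level check the quoted message expects from `attributeValue { ou=0, ou=1, ou=2 }`, next to a check that stops at the attribute type. The dict encoding, function names and sample entry are constructed for illustration, and values are compared as exact strings (an assumption; a real directory applies the attribute's matching rule).

```python
# Constructed encoding of the ACIItem's protectedItems (hypothetical, not ApacheDS types).
ITEMS = {
    "attributeType": {"ou"},                  # protects the attribute type itself
    "allAttributeValues": {"objectclass"},    # every value of these types
    "attributeValue": {("ou", "0"), ("ou", "1"), ("ou", "2")},  # only these values
}
GRANTS = {"grantRead", "grantReturnDN", "grantBrowse"}

# Constructed search-result entry used as sample input.
ENTRY = {
    "ou": ["0", "1", "2", "3", "engineering"],
    "objectClass": ["top", "organizationalUnit"],
    "description": ["internal"],
}


def type_only_filter(entry, items, grants):
    """Check that stops at the attribute type: every value of a named type is
    returned, which is the over-permissive result reported in the message."""
    if "grantRead" not in grants:
        return {}
    named = (items["attributeType"] | items["allAttributeValues"]
             | {attr for attr, _ in items["attributeValue"]})
    return {a: list(vs) for a, vs in entry.items() if a.lower() in named}


def value_covered(items, attr, value):
    """True if a protected item covers this specific value (type names are
    case-insensitive; the value comparison is an exact-match assumption)."""
    attr = attr.lower()
    return attr in items["allAttributeValues"] or (attr, value) in items["attributeValue"]


def value_aware_filter(entry, items, grants):
    """Return only the values an item covers; anything not covered is withheld."""
    if "grantRead" not in grants:
        return {}
    out = {}
    for attr, values in entry.items():
        kept = [v for v in values if value_covered(items, attr, v)]
        if kept:  # omit attributes with no readable values
            out[attr] = kept
    return out
```
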
