From "Giamma (JIRA)" <directory-...@incubator.apache.org>
Subject [jira] Commented: (DIR-126) ACI problem when using com.sun.jndi.ldap.LdapCtxFactory as the INITIAL_CONTEXT_FACTORY
Date Wed, 01 Feb 2006 21:19:23 GMT
    [ http://issues.apache.org/jira/browse/DIR-126?page=comments#action_12364871 ] 

Giamma commented on DIR-126:
----------------------------


Just adding my original email:

================================================
I have been testing some of the examples from AddAuthorizationTest.java and I am not able
to get them to work when I have an actual LDAP server running.

The examples in AddAuthorizationTest.java will use the class org.apache.ldap.server.jndi.CoreContextFactory
as the INITIAL_CONTEXT_FACTORY, and they seem to work fine.

But if I start my own LDAP server (with accessControlEnabled set to true) and change AddAuthorizationTest.java
to use com.sun.jndi.ldap.LdapCtxFactory instead, the tests will fail when trying to bind with:
javax.naming.NoPermissionException: [LDAP: error code 50 - Bind failed]

I wonder if they have never been tested with com.sun.jndi.ldap.LdapCtxFactory.
================================================

I did debug the issue a bit and it seems related to the fact that when we try to look up the
tuples in AuthorizationService.addPerscriptiveAciTuples(), we do not find them.
And we don't find them because the parameter name is set to "".
I do not fully understand why but it seems to me that this value is coming from:
java.naming.provider.url=""

But instead it should be:
java.naming.provider.url="ou=system"

When I changed AbstractAuthorizationTest.getContextAs(), this is what I did to make the connection
use the LDAP context factory.
And in this case dn="ou=system"

So I was expecting java.naming.provider.url to be "ou=system".
Anyway, I am not sure but this is all I found.

 // Imports this method needs (from the test class, not shown in the excerpt):
 //   import java.util.Hashtable;
 //   import javax.naming.Name;
 //   import javax.naming.NamingException;
 //   import javax.naming.directory.DirContext;
 //   import javax.naming.directory.InitialDirContext;
 // sysRoot (a context) and useLDAP (a boolean) are fields of the test class.
 public DirContext getContextAs( Name user, String password, String dn ) throws NamingException
    {
        Hashtable env = ( Hashtable ) sysRoot.getEnvironment().clone();
        if ( useLDAP )
        {
            // Talk to a running server: the DN becomes the path part of the LDAP URL
            env.put( "java.naming.factory.initial", "com.sun.jndi.ldap.LdapCtxFactory" );
            env.put( DirContext.PROVIDER_URL, "ldap://localhost:389/" + dn );
        }
        else
        {
            // In-VM CoreContextFactory inherited from sysRoot: the DN is the provider URL itself
            env.put( DirContext.PROVIDER_URL, dn );
        }
        // Simple bind as the given user
        env.put( DirContext.SECURITY_AUTHENTICATION, "simple" );
        env.put( DirContext.SECURITY_PRINCIPAL, user.toString() );
        env.put( DirContext.SECURITY_CREDENTIALS, password );
        return new InitialDirContext( env );
    }

> ACI problem when using com.sun.jndi.ldap.LdapCtxFactory as the INITIAL_CONTEXT_FACTORY
> --------------------------------------------------------------------------------------
>
>          Key: DIR-126
>          URL: http://issues.apache.org/jira/browse/DIR-126
>      Project: Directory
>         Type: Bug
>  Environment: Win XP SP2
> JRE1.5_04
>     Reporter: Tony Blanchard
>     Assignee: Alex Karasulu
>
> As mentioned by Gianmaria Clerici,
> the use of com.sun.jndi.ldap.LdapCtxFactory instead of org.apache.ldap.server.jndi.CoreContextFactory
> as the INITIAL_CONTEXT_FACTORY makes ACIs not work.
> Here is an explanation of the problem I sent on the list:
> I have some trouble adding some ACIs on ou=system to enable users to do
> what they want with their own entry.
> I added an "accessControlSpecificArea" value to the "administrativeRole"
> attribute on ou=system.
> I used the following subtree specification: "{}" and the following
> value for my prescriptiveACI on the accessControlSubentry I created
> under ou=system:
> " { identificationTag "enableUserSelfModification", precedence 1,
> authenticationLevel simple, itemOrUserFirst userFirst:{ userClasses {
> thisEntry }, userPermissions { { protectedItems { entry,
> allUserAttributeTypesAndValues }, grantsAndDenials { grantAdd,
> grantRemove, grantModify, grantFilterMatch, grantCompare, grantRead,
> grantReturnDN, grantBrowse } } } } }"
> When I create a new user with admin rights and try to log in under this
> user, I get a 50 error code: noPermission. This is not a 49 error code
> : AuthenticationException

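Added example, not code from the issue or from the ApacheDS test suite: a small diagnostic that builds the JNDI environment the same two ways discussed above (in-VM CoreContextFactory versus com.sun.jndi.ldap.LdapCtxFactory), binds, and then reads back the context's base name with Context.getNameInNamespace(). A base name of "" where "ou=system" was expected is the symptom Giamma traced to the empty java.naming.provider.url, so checking it directly separates a provider-URL mistake from a genuine ACI denial. It also keeps result code 49 (AuthenticationException) apart from result code 50 (NoPermissionException), the distinction made in the report. The host, port, admin DN and password are constructed placeholders for a server under test.

```java
import java.util.Hashtable;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.NoPermissionException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

/**
 * Diagnostic helper (added example, not ApacheDS code): opens a DirContext either
 * in-VM or over the wire and reports which base name the provider resolved.
 */
public class BindDiagnostics {

    /** Bind outcome, split so callers can tell result code 49 from 50. */
    public enum Outcome { BOUND, INVALID_CREDENTIALS, NO_PERMISSION, OTHER_ERROR }

    /** Builds the environment the same two ways the test's getContextAs() does. */
    public static Hashtable<String, Object> buildEnv(boolean useLdap, String host, int port,
            String dn, String principalDn, String password) {
        Hashtable<String, Object> env = new Hashtable<>();
        if (useLdap) {
            env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
            // Over the wire the DN travels as the path part of the URL; an empty
            // path yields a context whose base name is "", not "ou=system".
            env.put(Context.PROVIDER_URL, "ldap://" + host + ":" + port + "/" + dn);
        } else {
            env.put(Context.INITIAL_CONTEXT_FACTORY, "org.apache.ldap.server.jndi.CoreContextFactory");
            // In-VM the DN is the provider URL itself.
            env.put(Context.PROVIDER_URL, dn);
        }
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, principalDn);
        env.put(Context.SECURITY_CREDENTIALS, password);
        return env;
    }

    /** Binds and checks the resolved base name against what the caller expected. */
    public static Outcome tryBind(Hashtable<String, Object> env, String expectedBase) {
        DirContext ctx = null;
        try {
            ctx = new InitialDirContext(env);
            String base = ctx.getNameInNamespace();
            if (!expectedBase.equalsIgnoreCase(base)) {
                System.err.println("WARNING: context base is \"" + base + "\" but expected \""
                        + expectedBase + "\"; ACI tuple lookup would use the wrong name");
            }
            return Outcome.BOUND;
        } catch (AuthenticationException e) {   // LDAP result code 49
            return Outcome.INVALID_CREDENTIALS;
        } catch (NoPermissionException e) {     // LDAP result code 50, the error in the report
            return Outcome.NO_PERMISSION;
        } catch (NamingException e) {
            return Outcome.OTHER_ERROR;
        } finally {
            if (ctx != null) {
                try { ctx.close(); } catch (NamingException ignored) { }
            }
        }
    }

    public static void main(String[] args) {
        // Constructed placeholders: point these at the server actually under test.
        Hashtable<String, Object> env = buildEnv(true, "localhost", 389, "ou=system",
                "uid=admin,ou=system", "secret");
        System.out.println("bind result: " + tryBind(env, "ou=system"));
    }
}
```

Run it once with useLdap=false against the in-VM factory and once with useLdap=true against a running server with accessControlEnabled; if the second run prints the base-name warning before any NO_PERMISSION result, the provider URL (not the ACI itself) is what needs fixing.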

