directory-dev mailing list archives

From Tony Blanchard <blt...@wanadoo.fr>
Subject Re: ACL/ACI testing in 0.9.3
Date Wed, 01 Feb 2006 08:58:44 GMT
So you have the same problem as me and I posted a week ago about this 
but I did not find the source of the problem.
I also use com.sun.jndi.ldap.LdapCtxFactory.
I just did not post again because I know everybody here is on RC 1 and 
I thought I was missing something.
Thanks for the hint.

Unfortunately, I have no real answer for your second question.
I think holding the MAP with credentials in the memory of your program 
is a security issue but I do not know the "best practice" to use instead.
Maybe you can do the job at authentication time, but it may be time 
consuming to compute aci/acl for each user...
Why don't you make your aci/acl based on group rights and change group 
compositions at runtime on authentication?
If you have an answer on the best practice, I am interested too.

Thanks,
Tony Blanchard

Gianmaria Clerici wrote:

> I have been testing some of the examples from 
> AddAuthorizationTest.java and I am not able to get them to work when I 
> have an actual LDAP server running.
>
>  
>
> The examples in AddAuthorizationTest.java will use the class 
> org.apache.ldap.server.jndi.CoreContextFactory as the 
> INITIAL_CONTEXT_FACTORY, and they seem to work fine.
>
>  
>
> But if I start my own LDAP server (with accessControlEnabled set to 
> true) and change AddAuthorizationTest.java to use 
> com.sun.jndi.ldap.LdapCtxFactory instead, the tests will fail when 
> trying to bind with:
>
> javax.naming.NoPermissionException: [LDAP: error code 50 - Bind failed]
>
>  
>
> I wonder if they have never been tested with 
> com.sun.jndi.ldap.LdapCtxFactory.
>
>  
>
> I also have a question.
>
>  
>
> The way we would like to use ACL/ACI is to generate on the fly 
> accessControlSubentry (in our custom partition), based on the 
> credentials.
> But, as we all know, only the search API will have a Map with the 
> environment (which includes the credentials info).
>
>  
>
> So it will be impossible to generate accessControlSubentry, based on 
> the credentials, for other very important API like modify and so on.
>
>  
>
> Any ideas on how to solve this problem?