directory-dev mailing list archives

From Tony Blanchard <blt...@wanadoo.fr>
Subject Re: ACL/ACI testing in 0.9.3
Date Wed, 01 Feb 2006 11:31:28 GMT
OK, I have created a new issue at:
https://issues.apache.org/jira/browse/DIR-126

If something is missing or if Gianmaria wants to add details, please
tell me.
Best regards,
Tony Blanchard

Emmanuel Lecharny wrote:

>Hi Gianmaria, Hi Tony,
>
>yeah, we are currently trying to close RC1. We have a list of bugs we
>really want to fix before RC1, and others that are postponed to RCx.
>
>We don't have a JIRA for the issue you mention, so there is no roadmap for it.
>
>The best thing you could do is to file a JIRA, with all the needed
>information to help us reproduce this problem (sample, test case,
>data, etc.)
>
>Thanks !
>
>On 2/1/06, Tony Blanchard <bltony@wanadoo.fr> wrote:
>>So you have the same problem as me and I posted a week ago about this
>>but I did not find the source of the problem.
>>I also use com.sun.jndi.ldap.LdapCtxFactory.
>>I just did not post again because I know everybody here is on RC 1 and
>>I thought I was missing something.
>>Thanks for the hint.
>>
>>Unfortunately, I have no real answer for your second question.
>>I think holding the MAP with credentials in the memory of your program
>>is a security issue but I do not know the "best practice" to use instead.
>>Maybe you can do the job at authentication time, but it may be time
>>consuming to compute aci/acl for each user...
>>Why don't you make your aci/acl based on groups rights and change group
>>compositions at runtime on authentication ?
>>If you have an answer on the best practice, I am interested too.
>>
>>Thanks,
>>Tony Blanchard
>>
>>Gianmaria Clerici wrote:
>>
>>>I have been testing some of the examples from
>>>AddAuthorizationTest.java and I am not able to get them to work when I
>>>have an actual LDAP server running.
>>>
>>>The examples in AddAuthorizationTest.java will use the class
>>>org.apache.ldap.server.jndi.CoreContextFactory as the
>>>INITIAL_CONTEXT_FACTORY, and they seem to work fine.
>>>
>>>But if I start my own LDAP server (with accessControlEnabled set to
>>>true) and change AddAuthorizationTest.java to use
>>>com.sun.jndi.ldap.LdapCtxFactory instead, the tests will fail when
>>>trying to bind with:
>>>
>>>javax.naming.NoPermissionException: [LDAP: error code 50 - Bind failed]
>>>
>>>I wonder if they have never been tested with
>>>com.sun.jndi.ldap.LdapCtxFactory.
>>>
>>>I also have a question.
>>>
>>>The way we would like to use ACL/ACI is to generate on the fly
>>>accessControlSubentry (in our custom partition), based on the
>>>credentials.
>>>But, as we all know, only the search API will have a Map with the
>>>environment (which includes the credentials info).
>>>
>>>So it will be impossible to generate accessControlSubentry, based on
>>>the credentials, for other very important API like modify and so on.
>>>
>>>Any ideas on how to solve this problem ?
>
>--
>Cordialement,
>Emmanuel Lécharny