directory-dev mailing list archives

From Emmanuel Lecharny <elecha...@gmail.com>
Subject Re: ACL/ACI testing in 0.9.3
Date Wed, 01 Feb 2006 09:45:17 GMT
Hi Gianmaria, Hi Tony,

yeah, we are currently trying to close RC1. We have a list of bugs we
really want to fix before RC1, and others that are postponed to RCx.

We don't have a JIRA for the issue you mention, so there is no roadmap for it.

The best thing you could do is to file a JIRA, with all the needed
information to help us reproduce this problem (sample, test case,
data, etc.)

Thanks !

On 2/1/06, Tony Blanchard <bltony@wanadoo.fr> wrote:
> So you have the same problem as me and I posted a week ago about this
> but I did not find the source of the problem.
> I also use com.sun.jndi.ldap.LdapCtxFactory.
> I just did not post again because I know everybody here is on RC 1 and
> I thought I was missing something.
> Thanks for the hint.
>
> Unfortunately, I have no real answer for your second question.
> I think holding the MAP with credentials in the memory of your program
> is a security issue but I do not know the "best practice" to use instead.
> Maybe you can do the job at authentication time, but it may be time
> consuming to compute aci/acl for each user...
> Why don't you make your aci/acl based on groups rights and change group
> compositions at runtime on authentication?
> If you have an answer on the best practice, I am interested too.
>
> Thanks,
> Tony Blanchard
>
> Gianmaria Clerici wrote:
>
> > I have been testing some of the examples from
> > AddAuthorizationTest.java and I am not able to get them to work when I
> > have an actual LDAP server running.
> >
> > The examples in AddAuthorizationTest.java will use the class
> > org.apache.ldap.server.jndi.CoreContextFactory as the
> > INITIAL_CONTEXT_FACTORY, and they seem to work fine.
> >
> > But if I start my own LDAP server (with accessControlEnabled set to
> > true) and change AddAuthorizationTest.java to use
> > com.sun.jndi.ldap.LdapCtxFactory instead, the tests will fail when
> > trying to bind with:
> >
> > javax.naming.NoPermissionException: [LDAP: error code 50 - Bind failed]
> >
> > I wonder if they have never been tested with
> > com.sun.jndi.ldap.LdapCtxFactory.
> >
> > I also have a question.
> >
> > The way we would like to use ACL/ACI is to generate on the fly
> > accessControlSubentry (in our custom partition), based on the
> > credentials.
> > But, as we all know, only the search API will have a Map with the
> > environment (which includes the credentials info).
> >
> > So it will be impossible to generate accessControlSubentry, based on
> > the credentials, for other very important API like modify and so on.
> >
> > Any ideas on how to solve this problem?


--
Cordialement,
Emmanuel Lécharny
