I added my comments and also what I found when I was debugging the issue.
I didn't find the bug but I think I was close.
Hopefully it will help you guys.

-----Original Message-----
From: Tony Blanchard [mailto:bltony@wanadoo.fr]
Sent: Wednesday, February 01, 2006 3:31 AM
To: Apache Directory Developers List
Subject: Re: ACL/ACI testing in 0.9.3

Ok, I have created a new issue at:
https://issues.apache.org/jira/browse/DIR-126
If something is missing or if Gianmaria wants to add details, please tell me.

Best regards,
Tony Blanchard

Emmanuel Lecharny wrote:

>Hi Gianmaria, Hi Tony,
>
>yeah, we are currently trying to close RC1. We have a list of bugs we
>really want to fix before RC1, and others that are postponed to RCx.
>
>We don't have a JIRA for the issue you mention, so there is no roadmap for it.
>
>The best thing you could do is to file a JIRA, with all the needed
>information to help us reproduce this problem (sample, test case,
>data, etc.)
>
>Thanks!
>
>On 2/1/06, Tony Blanchard wrote:
>
>>So you have the same problem as me and I posted a week ago about this
>>but I did not find the source of the problem.
>>I also use com.sun.jndi.ldap.LdapCtxFactory.
>>I just did not post again because I know everybody here is on RC 1 and
>>I thought I was missing something.
>>Thanks for the hint.
>>
>>Unfortunately, I have no real answer for your second question.
>>I think holding the MAP with credentials in the memory of your program
>>is a security issue but I do not know the "best practice" to use instead.
>>Maybe you can do the job at authentication time, but it may be time
>>consuming to compute aci/acl for each user...
>>Why don't you make your aci/acl based on group rights and change group
>>compositions at runtime on authentication?
>>If you have an answer on the best practice, I am interested too.
>>
>>Thanks,
>>Tony Blanchard
>>
>>Gianmaria Clerici wrote:
>>
>>>I have been testing some of the examples from
>>>AddAuthorizationTest.java and I am not able to get them to work when I
>>>have an actual LDAP server running.
>>>
>>>The examples in AddAuthorizationTest.java will use the class
>>>org.apache.ldap.server.jndi.CoreContextFactory as the
>>>INITIAL_CONTEXT_FACTORY, and they seem to work fine.
>>>
>>>But if I start my own LDAP server (with accessControlEnabled set to
>>>true) and change AddAuthorizationTest.java to use
>>>com.sun.jndi.ldap.LdapCtxFactory instead, the tests will fail when
>>>trying to bind with:
>>>
>>>javax.naming.NoPermissionException: [LDAP: error code 50 - Bind failed]
>>>
>>>I wonder if they have never been tested with
>>>com.sun.jndi.ldap.LdapCtxFactory.
>>>
>>>I also have a question.
>>>
>>>The way we would like to use ACL/ACI is to generate on the fly
>>>accessControlSubentry (in our custom partition), based on the
>>>credentials.
>>>But, as we all know, only the search API will have a Map with the
>>>environment (which includes the credentials info).
>>>
>>>So it will be impossible to generate accessControlSubentry, based on
>>>the credentials, for other very important APIs like modify and so on.
>>>
>>>Any ideas on how to solve this problem?
>
>--
>Regards,
>Emmanuel Lécharny