directory-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Emmanuel Lecharny (JIRA)" <>
Subject [jira] Updated: (DIRSERVER-257) [Access Control] Autonomous areas for AC must not overlap
Date Thu, 08 Jul 2010 08:27:49 GMT


Emmanuel Lecharny updated DIRSERVER-257:

       Issue Type: Improvement  (was: Bug)
    Fix Version/s: 2.1.0
                       (was: 2.0.0-RC1)

This is due to the fact we don't currently support Inner AP. All our AAA are IAP in fact.

I don't think we can fix that for 2.0, I would rather do it for 2.1.

Note that it's a problem that can be worked around by adding a chopAfter restriction, where
the DN used on the chopAfter is the lower AP DN.

> [Access Control] Autonomous areas for AC must not overlap
> ---------------------------------------------------------
>                 Key: DIRSERVER-257
>                 URL:
>             Project: Directory ApacheDS
>          Issue Type: Improvement
>          Components: core
>    Affects Versions: 1.5.0, 1.0.2
>            Reporter: Alex Karasulu
>            Assignee: Alex Karasulu
>            Priority: Trivial
>             Fix For: 2.1.0
> Presently the subentry subsystem associates entries with all selecting subentries regardless
of autonomous area demarcations.  What this means is AAA's can overlap.  When the AP of an
accessControlSpecificArea is the decendent of the AP of another accessControlSpecificArea
those areas should not intersect such that the subentries of the first area do not effect
entries of the second area.  This is not the case.  The subentry subsystem associates entries
with effecting subentires without checking to see if those subentries are in a different AAA
in these configurations where an AAA is under another AAA.
> We need to track all AP of AAA's within the system.  Before associating an entry with
an AP's subentries checks should be made to determine under which AAA the entry resides. 
Only those subentries associated with that AAA should be associated with the entry.

This message is automatically generated by JIRA.
You can reply to this email to add a comment to the issue online.

View raw message