directory-dev mailing list archives

From "Jason Sachs (Created) (JIRA)" <j...@apache.org>
Subject [jira] [Created] (DIRSERVER-1680) allUsersSearchAndCompareACI doesn't work on service restart
Date Tue, 27 Dec 2011 15:46:30 GMT
allUsersSearchAndCompareACI doesn't work on service restart
-----------------------------------------------------------

                 Key: DIRSERVER-1680
                 URL: https://issues.apache.org/jira/browse/DIRSERVER-1680
             Project: Directory ApacheDS
          Issue Type: Bug
    Affects Versions: 1.5.7
         Environment: server on Windows XP SP3
            Reporter: Jason Sachs


I have an allUsersSearchAndCompareACI set up to allow only authenticated users to read the
server, and another ACI directoryManagerFullAccessACI set up to allow privileged users/services
in the group cn=ldap-admin,ou=groups,o=foobar to access LDAP and have editing rights. I have
a number of these privileged users/services, and they can authenticate, but not see any of
the LDAP tree (just an empty Root DSE), until I rewrite the ACI info, at which point they
work perfectly... until the service or the computer it's on resets, and the problem re-occurs.
(The uid=admin,ou=system account can access everything just fine.)

The allUsersSearchAndCompareACI source looks like this:

{code}
{
    identificationTag "allUsersSearchAndCompareACI",
    precedence 10,
    authenticationLevel simple,
    itemOrUserFirst userFirst: 
    {
        userClasses { allUsers },
        userPermissions 
        {
            {
                protectedItems { entry, allUserAttributeTypesAndValues },
                grantsAndDenials 
                {
                    grantDiscloseOnError,
                    grantRead,
                    grantReturnDN,
                    grantBrowse,
                    grantCompare,
                    grantFilterMatch 
                }
            }
            ,
            {
                protectedItems 
                {
                    attributeType { userPassword } 
                }
                ,
                grantsAndDenials 
                {
                    denyFilterMatch,
                    denyRead,
                    denyCompare 
                }
            }
        }
    }
}
{code}

The directoryManagerACI looks like this:
{code}
{
    identificationTag "directoryManagerFullAccessACI",
    precedence 11,
    authenticationLevel simple,
    itemOrUserFirst userFirst: 
    {
        userClasses 
        {
            userGroup { "cn=ldap-admin,ou=groups,o=foobar" } 
        }
        ,
        userPermissions 
        {
            {
                protectedItems { entry, allUserAttributeTypesAndValues },
                grantsAndDenials 
                {
                    grantModify,
                    grantRead,
                    grantBrowse,
                    grantFilterMatch,
                    grantExport,
                    grantRemove,
                    grantDiscloseOnError,
                    grantAdd,
                    grantReturnDN,
                    grantInvoke,
                    grantRename,
                    grantImport,
                    grantCompare 
                }
            }
        }
    }
}
{code}

My LDAP tree looks like this (my comments in /* */):
{code}
o=foobar
  cn=acientry1   /* contains the two ACI above */
  ou=groups
    /* various groups elided */
    cn=ldap-admin
ou=schema
  /* other stuff */
ou=system
  uid=admin
  /* other stuff */
{code}
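To make the intended effect of the two ACIs above explicit (and give a baseline to compare a post-restart search against), here is a constructed toy evaluator, not ApacheDS code: it flattens the two ACIItems into tuples and applies the X.501 basic-access-control decision order as I understand ApacheDS implements it (applicable tuples only, highest precedence, most specific user class, most specific protected item, then any deny wins). The specificity rankings and the flattening of `entry, allUserAttributeTypesAndValues` into one item are simplifying assumptions.

```python
"""Toy ACI decision model for the two ACIItems in DIRSERVER-1680 (constructed
example). Decision order (assumed X.501 / ApacheDS): applicable tuples only ->
highest precedence -> most specific user class -> most specific protected item
-> any remaining deny wins -> otherwise grant. No matching tuple means deny."""
from dataclasses import dataclass
from typing import FrozenSet, Optional

# Specificity ranks, higher is more specific (assumed ordering).
USER_CLASS_RANK = {"userGroup": 2, "allUsers": 1}
ITEM_RANK = {"attributeType": 2, "allUserAttributeTypesAndValues": 1}
ADMIN_GROUP = "cn=ldap-admin,ou=groups,o=foobar"
SEARCH_PERMS = frozenset({"Read", "Browse", "Compare", "FilterMatch",
                          "ReturnDN", "DiscloseOnError"})
EDIT_PERMS = frozenset({"Modify", "Add", "Remove", "Rename", "Import",
                        "Export", "Invoke"})

@dataclass(frozen=True)
class AciTuple:
    tag: str
    precedence: int
    user_class: str
    group: Optional[str]
    item_kind: str
    attrs: FrozenSet[str]      # only used when item_kind == "attributeType"
    grants: FrozenSet[str]
    denials: FrozenSet[str]

# The report's two ACIs flattened into (userClass, protectedItem) tuples.
ACIS = [
    AciTuple("allUsersSearchAndCompareACI", 10, "allUsers", None,
             "allUserAttributeTypesAndValues", frozenset(), SEARCH_PERMS, frozenset()),
    AciTuple("allUsersSearchAndCompareACI", 10, "allUsers", None,
             "attributeType", frozenset({"userPassword"}), frozenset(),
             frozenset({"Read", "Compare", "FilterMatch"})),
    AciTuple("directoryManagerFullAccessACI", 11, "userGroup", ADMIN_GROUP,
             "allUserAttributeTypesAndValues", frozenset(),
             SEARCH_PERMS | EDIT_PERMS, frozenset()),
]

def decide(authenticated: bool, groups: set, attr: str, perm: str) -> str:
    """Return 'grant' or 'deny' for one (user, attribute, permission) request."""
    if not authenticated:            # both ACIs need authenticationLevel simple
        return "deny"
    cands = [t for t in ACIS
             if (t.user_class != "userGroup" or t.group in groups)
             and (t.item_kind != "attributeType" or attr in t.attrs)
             and (perm in t.grants or perm in t.denials)]
    if not cands:
        return "deny"
    # Keep only the tuples that win at each successive specificity level.
    for key in (lambda t: t.precedence, lambda t: USER_CLASS_RANK[t.user_class],
                lambda t: ITEM_RANK[t.item_kind]):
        best = max(key(t) for t in cands)
        cands = [t for t in cands if key(t) == best]
    return "deny" if any(perm in t.denials for t in cands) else "grant"
```

With a healthy server, an authenticated non-member should read `cn` but not `userPassword`, while an ldap-admin member should read everything and modify; an empty Root DSE for a member means the server is not applying these rules at all.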
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira