Date: Tue, 27 Dec 2011 15:46:30 +0000 (UTC)
From: "Jason Sachs (Created) (JIRA)"
To: dev@directory.apache.org
Subject: [jira] [Created] (DIRSERVER-1680) allUsersSearchAndCompareACI doesn't work on service restart

allUsersSearchAndCompareACI doesn't work on service restart
-----------------------------------------------------------

Key: DIRSERVER-1680
URL:
https://issues.apache.org/jira/browse/DIRSERVER-1680
Project: Directory ApacheDS
Issue Type: Bug
Affects Versions: 1.5.7
Environment: server on Windows XP SP3
Reporter: Jason Sachs

I have an allUsersSearchAndCompareACI set up to allow only authenticated users to read the server, and another ACI directoryManagerFullAccessACI set up to allow privileged users/services in the group cn=ldap-admin,ou=groups,o=foobar to access LDAP and have editing rights. I have a number of these privileged users/services, and they can authenticate, but not see any of the LDAP tree (just an empty Root DSE), until I rewrite the ACI info, at which point they work perfectly... until the service or the computer it's on resets, and the problem re-occurs. (The uid=admin,ou=system account can access everything just fine.)

The allUsersSearchAndCompareACI ACI source looks like this:

{code}
{
  identificationTag "allUsersSearchAndCompareACI",
  precedence 10,
  authenticationLevel simple,
  itemOrUserFirst userFirst:
  {
    userClasses { allUsers },
    userPermissions
    {
      {
        protectedItems { entry, allUserAttributeTypesAndValues },
        grantsAndDenials
        {
          grantDiscloseOnError, grantRead, grantReturnDN,
          grantBrowse, grantCompare, grantFilterMatch
        }
      },
      {
        protectedItems { attributeType { userPassword } },
        grantsAndDenials { denyFilterMatch, denyRead, denyCompare }
      }
    }
  }
}
{code}

The directoryManagerACI looks like this:

{code}
{
  identificationTag "directoryManagerFullAccessACI",
  precedence 11,
  authenticationLevel simple,
  itemOrUserFirst userFirst:
  {
    userClasses { userGroup { "cn=ldap-admin,ou=groups,o=foobar" } },
    userPermissions
    {
      {
        protectedItems { entry, allUserAttributeTypesAndValues },
        grantsAndDenials
        {
          grantModify, grantRead, grantBrowse, grantFilterMatch,
          grantExport, grantRemove, grantDiscloseOnError, grantAdd,
          grantReturnDN, grantInvoke, grantRename, grantImport,
          grantCompare
        }
      }
    }
  }
}
{code}

My LDAP tree looks like this (my comments in /* */)

{code}
o=foobar
  cn=acientry1    /* contains the two ACI above */
  ou=groups
    /* various groups elided */
    cn=ldap-admin
ou=schema
  /* other stuff */
ou=system
  uid=admin
  /* other stuff */
{code}