directory-dev mailing list archives
From "Emmanuel Lecharny (JIRA)" <j...@apache.org>
Subject [jira] [Resolved] (DIRSERVER-1680) allUsersSearchAndCompareACI doesn't work on service restart
Date Wed, 03 Oct 2012 03:56:07 GMT

     [ https://issues.apache.org/jira/browse/DIRSERVER-1680?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Emmanuel Lecharny resolved DIRSERVER-1680.
------------------------------------------

    Resolution: Duplicate

Duplicate of DIRSERVER-1524
                
> allUsersSearchAndCompareACI doesn't work on service restart
> -----------------------------------------------------------
>
>                 Key: DIRSERVER-1680
>                 URL: https://issues.apache.org/jira/browse/DIRSERVER-1680
>             Project: Directory ApacheDS
>          Issue Type: Bug
>    Affects Versions: 1.5.7
>         Environment: server on Windows XP SP3
>            Reporter: Jason Sachs
>
> I have an allUsersSearchAndCompareACI set up to allow only authenticated users to read
> the server, and another ACI, directoryManagerFullAccessACI, set up to allow privileged users/services
> in the group cn=ldap-admin,ou=groups,o=foobar to access LDAP and have editing rights. I have
> a number of these privileged users/services, and they can authenticate, but not see any of
> the LDAP tree (just an empty Root DSE), until I rewrite the ACI info, at which point they
> work perfectly... until the service or the computer it's on resets, and the problem re-occurs.
> (The uid=admin,ou=system account can access everything just fine.)
> The allUsersSearchAndCompareACI source looks like this:
> {code}
> {
>     identificationTag "allUsersSearchAndCompareACI",
>     precedence 10,
>     authenticationLevel simple,
>     itemOrUserFirst userFirst:
>     {
>         userClasses { allUsers },
>         userPermissions
>         {
>             {
>                 protectedItems { entry, allUserAttributeTypesAndValues },
>                 grantsAndDenials
>                 {
>                     grantDiscloseOnError, grantRead, grantReturnDN,
>                     grantBrowse, grantCompare, grantFilterMatch
>                 }
>             },
>             {
>                 protectedItems { attributeType { userPassword } },
>                 grantsAndDenials { denyFilterMatch, denyRead, denyCompare }
>             }
>         }
>     }
> }
> {code}
> The directoryManagerFullAccessACI looks like this:
> {code}
> {
>     identificationTag "directoryManagerFullAccessACI",
>     precedence 11,
>     authenticationLevel simple,
>     itemOrUserFirst userFirst:
>     {
>         userClasses { userGroup { "cn=ldap-admin,ou=groups,o=foobar" } },
>         userPermissions
>         {
>             {
>                 protectedItems { entry, allUserAttributeTypesAndValues },
>                 grantsAndDenials
>                 {
>                     grantModify, grantRead, grantBrowse, grantFilterMatch,
>                     grantExport, grantRemove, grantDiscloseOnError, grantAdd,
>                     grantReturnDN, grantInvoke, grantRename, grantImport,
>                     grantCompare
>                 }
>             }
>         }
>     }
> }
> {code}
> My LDAP tree looks like this (my comments in /* */):
> {code}
> o=foobar
>   cn=acientry1   /* contains the two ACIs above */
>   ou=groups
>     /* various groups elided */
>     cn=ldap-admin
> ou=schema
>   /* other stuff */
> ou=system
>   uid=admin
>   /* other stuff */
> {code}

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
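A restart regression check for the situation the report describes, added here as an example; it is not part of the JIRA issue and not ApacheDS code. It binds as one of the privileged accounts, does a base-scope search of o=foobar, and fails when the bind succeeds but no entry comes back, which is the "binds fine, sees only an empty Root DSE" symptom above; on failure it prints whatever the Root DSE still advertises in namingContexts. The server URL (ldap://localhost:10389), the account DN given on the command line, and the use of the OpenLDAP command-line tools ldapwhoami and ldapsearch are assumptions, not details from the report.

```shell
#!/bin/sh
# Added example (not from the JIRA report or from ApacheDS): after a service
# restart, check that a member of cn=ldap-admin,ou=groups,o=foobar still
# sees the tree instead of an empty Root DSE.
# Assumptions: OpenLDAP client tools on PATH; server reachable at LDAP_URL.

LDAP_URL="${LDAP_URL:-ldap://localhost:10389}"   # assumed port, not from the report
SUFFIX="${SUFFIX:-o=foobar}"

# entry_count: read LDIF (ldapsearch output) on stdin and print the number of
# entries in it. ldapsearch prints exactly one "dn:" line per returned entry;
# the trailing "search:/result:" block contains none.
entry_count() {
    grep -c '^dn:' || true
}

# naming_contexts: read a Root DSE entry on stdin and print the suffixes it
# advertises, one per line. A Root DSE with no namingContexts lines is the
# "empty Root DSE" a user sees when the ACI grants them nothing.
naming_contexts() {
    sed -n 's/^namingContexts: *//p'
}

# tree_visible DN PASSWORD: return 0 if the account can bind and sees at least
# the suffix entry, 1 if it binds but sees nothing (the symptom in the report),
# 2 if the bind itself fails.
tree_visible() {
    dn="$1"; pw="$2"
    if ! ldapwhoami -x -H "$LDAP_URL" -D "$dn" -w "$pw" >/dev/null 2>&1; then
        echo "bind failed for $dn" >&2
        return 2
    fi
    n=$(ldapsearch -x -H "$LDAP_URL" -D "$dn" -w "$pw" \
            -b "$SUFFIX" -s base '(objectClass=*)' 1.1 2>/dev/null | entry_count)
    [ "$n" -ge 1 ]
}

# Usage: sh aci-restart-check.sh 'uid=svc1,ou=users,o=foobar' 'secret'
# (the DN is an illustration; pass one of the privileged accounts).
if [ "$#" -eq 2 ]; then
    rc=0
    tree_visible "$1" "$2" || rc=$?
    if [ "$rc" -eq 0 ]; then
        echo "OK: $1 can read $SUFFIX"
    elif [ "$rc" -eq 1 ]; then
        echo "FAIL: $1 binds but sees nothing under $SUFFIX; Root DSE advertises:" >&2
        ldapsearch -x -H "$LDAP_URL" -D "$1" -w "$2" -b '' -s base \
            '(objectClass=*)' namingContexts 2>/dev/null | naming_contexts >&2
    fi
    exit "$rc"
fi
```

Run it once before and once after restarting the service with the same privileged account: an exit status of 1 after the restart, with a 0 before it, is the behaviour the report describes. Exit status 2 means the credentials are wrong and says nothing about the ACI.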
