directory-dev mailing list archives

From "Michael Przybylski (JIRA)" <j...@apache.org>
Subject [jira] [Created] (DIRSERVER-1947) maxValueCount not working correctly
Date Mon, 06 Jan 2014 05:42:50 GMT
Michael Przybylski created DIRSERVER-1947:
---------------------------------------------

             Summary: maxValueCount not working correctly
                 Key: DIRSERVER-1947
                 URL: https://issues.apache.org/jira/browse/DIRSERVER-1947
             Project: Directory ApacheDS
          Issue Type: Bug
          Components: ldap
    Affects Versions: 2.0.0-M15
         Environment: Server environment:
Oracle JDK 1.7u45
ApacheDS 2.0.0-M15
Debian 7.3, AMD64

Client environment:
Apache Directory Studio 2.0.0.v20130628
Oracle JDK 1.7u45
OS X 10.9.1
            Reporter: Michael Przybylski


I’ve been teaching myself how to use Apache Directory Server’s access control subsystem.

Before getting too cute, I figured I’d try out the recipes here:

http://directory.apache.org/apacheds/advanced-ug/4.2.7-using-acis-trail.html

Both work as advertised, but as I’ve been reading more, some have suggested refining…

http://directory.apache.org/apacheds/advanced-ug/4.2.7.2-allow-self-password-modify.html

…to use maxValueCount to prevent (someone claiming to be) the user from inserting multiple
userPassword values.  However, as soon as I put maxValueCount in any protectedItems clause
of my prescriptiveACI, all of my unprivileged user’s attributes become invisible to him.

If I weren’t such a n00b, I’d think this was a bug.

Here is the prescriptiveACI that I think should work:

{
   identificationTag "userSelfModifyPassword",
   precedence 0,
   authenticationLevel none,
   itemOrUserFirst userFirst: 
   {
       userClasses { thisEntry },
       userPermissions 
       {
           {
               protectedItems 
               {
                   maxValueCount 
                   {
                       { type userPassword, maxCount 1 }
                   }
                   ,
                   allAttributeValues { userPassword } 
               }
               ,
               grantsAndDenials { grantAdd, grantRemove } 
           }
           ,
           {
               protectedItems { entry },
               grantsAndDenials 
               {
                   grantRead,
                   grantBrowse,
                   grantModify 
               }
           }
       }
   }
}

Kiran Ayyagari ( kayyagari@apache.org ) was able to reproduce and asked me to file this bug.



--
This message was sent by Atlassian JIRA
(v6.1.5#6160)
