From dev-return-59166-archive-asf-public=cust-asf.ponee.io@directory.apache.org Wed Mar 13 09:35:48 2019 Return-Path: X-Original-To: archive-asf-public@cust-asf.ponee.io Delivered-To: archive-asf-public@cust-asf.ponee.io Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by mx-eu-01.ponee.io (Postfix) with SMTP id B595018064A for ; Wed, 13 Mar 2019 10:35:47 +0100 (CET) Received: (qmail 99737 invoked by uid 500); 13 Mar 2019 09:35:46 -0000 Mailing-List: contact dev-help@directory.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: "Apache Directory Developers List" Delivered-To: mailing list dev@directory.apache.org Received: (qmail 99727 invoked by uid 99); 13 Mar 2019 09:35:46 -0000 Received: from pnap-us-west-generic-nat.apache.org (HELO spamd3-us-west.apache.org) (209.188.14.142) by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 13 Mar 2019 09:35:45 +0000 Received: from localhost (localhost [127.0.0.1]) by spamd3-us-west.apache.org (ASF Mail Server at spamd3-us-west.apache.org) with ESMTP id 9BC73180C90 for ; Wed, 13 Mar 2019 09:35:45 +0000 (UTC) X-Virus-Scanned: Debian amavisd-new at spamd3-us-west.apache.org X-Spam-Flag: NO X-Spam-Score: -0.203 X-Spam-Level: X-Spam-Status: No, score=-0.203 tagged_above=-999 required=6.31 tests=[DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001] autolearn=disabled Authentication-Results: spamd3-us-west.apache.org (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com Received: from mx1-lw-eu.apache.org ([10.40.0.8]) by localhost (spamd3-us-west.apache.org [10.40.0.10]) (amavisd-new, port 10024) with ESMTP id TEq8tx1FkW6u for ; Wed, 13 Mar 2019 09:35:44 +0000 (UTC) Received: from mail-wm1-f52.google.com (mail-wm1-f52.google.com [209.85.128.52]) by mx1-lw-eu.apache.org (ASF Mail Server at mx1-lw-eu.apache.org) with ESMTPS id 05A1161122 for ; Wed, 13 Mar 2019 09:35:43 +0000 (UTC) Received: by mail-wm1-f52.google.com with SMTP id f65so1151039wma.2 for ; Wed, 13 Mar 2019 02:35:43 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=subject:to:references:from:message-id:date:user-agent:mime-version :in-reply-to:content-transfer-encoding:content-language; bh=tHAsalKxKmHO8C5hNg7KMs0ONoK85u7lprVskeWXm6M=; b=Q7DNEbPi1oU7CTfy4ZojkyR8oKckLXn+RGW36uEFpUWIhfnyIzDm7ZEXtBY0DaTUBH XJRIMwQgnECFSKnmlLMGy9edOSestUrFAO8vrH0m1eVdwUNRmFNcCsjIJOf+5N4UsMDz HZ40Yz0GkLpA48REF0G4YjiT5GUYUdScr9r5tawguvbkzLjW9P2Wpjs9qTZTE+i4XPSR AJhT3RdsgrspsxChp+XfCmQf2z6uCV8JUI5T+uD1Uc83TFtTkiX4/DQs4XxhOW7T6pI8 4VHG9xJpX5Hu2uoY8TGeZ6huHN7KDUj5J6UKYq6VjUlgbAQwn4w399wGa14IByPBOpzA SNDA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-transfer-encoding :content-language; bh=tHAsalKxKmHO8C5hNg7KMs0ONoK85u7lprVskeWXm6M=; b=N1OHmlIQpIkOaY1KyqZS1mWiZ4kiMoCgg4M8nd8V43ibDr1e6CNtvIXwyowHvRkcta wkBysaWHVaWCarPhK9L0lGTGWq7rBHUSliuIwfff7oL5P50IwvuavoK3kuIdPfspwstk ywvEHuJjIBkdGtMw3IxekNpyoQK8p4g32g0gA3CJLVkB/OeoTqSOBEEoHrAidcVPvw2M JOmlD+tkSgD+HHRswQU4nXpTPF6ZC1cojVDNRzpss18DGqjGrLAw8urqk/rvHPC8es8S Uo8JJu6DOI/4vWN5/PEctklXXQaNBIULkqVmRI4ktTxmXLy40mEi8/Be8/ClwTcS7vfc YblA== X-Gm-Message-State: APjAAAXMDYXub2bNe/IPBN3SnNkfZMfU+aU+Yy0cgJB+Dzenv+vLsWkx VjyD55sqsR9m3reSb3W41DmPz+UC X-Google-Smtp-Source: APXvYqzdR7+S/UGeNxkvZQR0Q5HJ8+BsJObMEszwWSowalAmmtBFeW02G0dgRtW5Z31PK2bqG5NOqg== X-Received: by 2002:a1c:a986:: with SMTP id s128mr1640142wme.44.1552469742154; Wed, 13 Mar 2019 02:35:42 -0700 (PDT) Received: from [192.168.8.1] ([109.94.60.193]) by smtp.gmail.com with ESMTPSA id e12sm12896820wrs.91.2019.03.13.02.35.41 for (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 13 Mar 2019 02:35:41 -0700 (PDT) Subject: Re: [ApacheDS]How delete "accessControlSubentries" object To: dev@directory.apache.org References: From: =?UTF-8?Q?Emmanuel_L=c3=a9charny?= Message-ID: Date: Wed, 13 Mar 2019 10:35:41 +0100 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:60.0) Gecko/20100101 Thunderbird/60.5.3 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=windows-1252; format=flowed Content-Transfer-Encoding: 8bit Content-Language: en-US Hi! This is not the simplest part of the server... Basically, accessControlSubentries cannot be deleted by the user - even by admin -. This operational attribute is automatically injected in an entry. If you want to remove it, you have to remove the full entry. On 13/03/2019 03:30, Loading..... wrote: > Hi guys, > I'm try to do something with ACI , I follow this article > https://directory.apache.org/apacheds/advanced-ug/4.2.7.1-enable-authenticated-users-to-browse-and-read-entries.html > and it's works, but when I try to delete test > "accessControlSubentries" object there some error happend > > when i click OK there ERROR occured > > Here is Details: > > Error while executing LDIF > �- [LDAP: error code 50 - INSUFFICIENT_ACCESS_RIGHTS: failed for > MessageType : MODIFY_REQUES > � java.lang.Exception: [LDAP: error code 50 - > INSUFFICIENT_ACCESS_RIGHTS: failed for MessageType : MODIFY_REQUEST > Message ID : 224 > � � Modify Request > � � � � Object : 'dc=example,dc=com' > � � � � � � Modification[0] > � � � � � � � � Operation :� delete > � � � � � � � � Modification > accessControlSubentries: > (null)org.apache.directory.api.ldap.model.message.ModifyRequestImpl@fcdf11fa: > ERR_52 Cannot modify the attribute : attributetype ( > 1.3.6.1.4.1.18060.0.4.1.2.11 NAME 'accessControlSubentries' > DESC 'Used to track a subentry associated with access control areas' > EQUALITY distinguishedNameMatch > SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 > NO-USER-MODIFICATION > USAGE directoryOperation )] > at > org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper.checkResponse(DirectoryApiConnectionWrapper.java:1418) > at > org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper.access$11(DirectoryApiConnectionWrapper.java:1386) > at > org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper$4.run(DirectoryApiConnectionWrapper.java:787) > at > org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper.runAndMonitor(DirectoryApiConnectionWrapper.java:1312) > at > org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper.checkConnectionAndRunAndMonitor(DirectoryApiConnectionWrapper.java:1256) > at > org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper.modifyEntry(DirectoryApiConnectionWrapper.java:809) > at > org.apache.directory.studio.ldapbrowser.core.jobs.ImportLdifRunnable.importLdifRecord(ImportLdifRunnable.java:515) > at > org.apache.directory.studio.ldapbrowser.core.jobs.ImportLdifRunnable.importLdif(ImportLdifRunnable.java:272) > at > org.apache.directory.studio.ldapbrowser.core.jobs.ExecuteLdifRunnable.executeLdif(ExecuteLdifRunnable.java:157) > at > org.apache.directory.studio.ldapbrowser.core.jobs.ExecuteLdifRunnable.run(ExecuteLdifRunnable.java:123) > at > org.apache.directory.studio.ldapbrowser.core.jobs.UpdateEntryRunnable.run(UpdateEntryRunnable.java:59) > at > org.apache.directory.studio.connection.ui.RunnableContextRunner$1.run(RunnableContextRunner.java:129) > at > org.eclipse.jface.operation.ModalContext$ModalContextThread.run(ModalContext.java:119) > > � [LDAP: error code 50 - INSUFFICIENT_ACCESS_RIGHTS: failed for > MessageType : MODIFY_REQUEST > Message ID : 224 > � � Modify Request > � � � � Object : 'dc=example,dc=com' > � � � � � � Modification[0] > � � � � � � � � Operation :� delete > � � � � � � � � Modification > accessControlSubentries: > (null)org.apache.directory.api.ldap.model.message.ModifyRequestImpl@fcdf11fa: > ERR_52 Cannot modify the attribute : attributetype ( > 1.3.6.1.4.1.18060.0.4.1.2.11 NAME 'accessControlSubentries' > DESC 'Used to track a subentry associated with access control areas' > EQUALITY distinguishedNameMatch > SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 > NO-USER-MODIFICATION > USAGE directoryOperation )] > > > Here is Modification log: > > #!RESULT ERROR > > #!CONNECTION ldap://172.17.40.137:10636 > > #!DATE 2019-03-13T02:22:17.423 > > #!ERROR [LDAP: error code 50 - INSUFFICIENT_ACCESS_RIGHTS: failed for > MessageType : MODIFY_REQUEST Message ID : 224 Modify Request Object : > 'dc=example,dc=com' Modification[0] Operation :delete Modification > accessControlSubentries: > (null)org.apache.directory.api.ldap.model.message.ModifyRequestImpl@fcdf11fa: > ERR_52 Cannot modify the attribute : attributetype ( > 1.3.6.1.4.1.18060.0.4.1.2.11 NAME 'accessControlSubentries' DESC 'Used > to track a subentry associated with access control areas' EQUALITY > distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 > NO-USER-MODIFICATION USAGE directoryOperation )] > > *dn**: **dc=example,dc=com* > > *changetype**: **modify* > > *delete**: **accessControlSubentries* > > *-* > > > I'm use "uid=admin,ou=system" to login > am i missing something? > look forward your reply! Thanks! > > Mike Yoo >