directory-users mailing list archives

From Markus Pohle <apacheds.us...@webunity.de>
Subject RE: When do changes to ACI take effect?
Date Tue, 07 Aug 2007 21:42:59 GMT

Hi Wayne,

what version of apacheds are you using?

The problem you describe looks to me similar to this one:
http://issues.apache.org/jira/browse/DIRSERVER-1001

If you do not use the newest 1.5.1-snapshot build or the newest 1.0.2-snapshot,
try to build from trunk.

HTH
Markus


Quoting Wayne Johnson <wjohnson@mqsoftware.com>:

> We start out with an automatically read-in LDIF file that has:
>
> # This ACI allows an Admin to read and modify everything for all users
> dn: cn=userAdminPermissions,ou=users,dc=mqsoftware,dc=com
> objectClass: top
> objectClass: subentry
> objectClass: accessControlSubentry
> cn: userAdminPermissions
> subtreeSpecification: {}
> prescriptiveACI: {
>   identificationTag "userAdminPermissions",
>   precedence 16,
>   authenticationLevel simple,
>   itemOrUserFirst userFirst: {
>     userClasses {
>       name {
>         "cn=SA,ou=users,dc=mqsoftware,dc=com",
>         "cn=fred,ou=users,dc=mqsoftware,dc=com",
>         "cn=BrowserService,ou=users,dc=mqsoftware,dc=com"
>       }
>     },
>     userPermissions
>     {
>       {
>         protectedItems { entry, allUserAttributeTypesAndValues },
>         grantsAndDenials { grantAdd, grantDiscloseOnError, grantRead,
>           grantRemove, grantBrowse, grantExport, grantImport, grantModify,
>           grantRename, grantReturnDN, grantCompare, grantFilterMatch,
>           grantInvoke }
>       }
>     }
>   }
>  }
>
> I can then do an ldapsearch from users fred and bert, and fred shows
> full access to the user information and bert (who isn't in the Admin
> list) cannot.
>
> Now the program rewrites the prescriptiveACI with:
>
> 2007-08-07 15:41:57,437 [btpool0-1] com.mqsoftware.ws.SWSLdapIETF   
> DEBUG  - [Client File=SWSLdapIETF.java, Line=835] Updating   
> cn=userAdminPermissions,ou=users,dc=mqsoftware,dc=com with:
> LDAPModification: (operation=replace,(LDAPAttribute:   
> {type='prescriptiveACI', value='{
>   identificationTag "userAdminPermissions",
>   precedence 16,
>   authenticationLevel simple,
>   itemOrUserFirst userFirst: {
>   userClasses {
>       name {
>           "cn=BrowserService,ou=users,dc=mqsoftware,dc=com",
>           "cn=SA,ou=users,dc=mqsoftware,dc=com"
>       }
>   },
>   userPermissions
>   {
>       {
>           protectedItems { entry, allUserAttributeTypesAndValues },
>           grantsAndDenials { grantAdd, grantDiscloseOnError, grantRead,
>           grantRemove, grantBrowse, grantExport, grantImport, grantModify,
>           grantRename, grantReturnDN, grantCompare, grantFilterMatch,
>           grantInvoke }
>       }
>   }
>  }
> }
> '}))
>
> At this point, fred still can see the user info.  I checked the
> apacheds logs and don't see any exceptions.  When I restart the
> service, things start working right (fred no longer has access).
>
> Is there a place where I can upload the full LDIF file?  It's 411 lines long.
>
> Thanks.
>
>> -----Original Message-----
>> From: Ersin Er [mailto:ersin.er@gmail.com]
>> Sent: Tuesday, August 07, 2007 4:12 PM
>> To: users@directory.apache.org
>> Subject: Re: When do changes to ACI take effect?
>>
>>
>> Hi,
>>
>> This is not intentional. Can you please give an example? Or
>> even a test
>> case?
>>
>> On 8/8/07, Wayne Johnson <wjohnson@mqsoftware.com> wrote:
>> >
>> > Our application allows an administrator to change the ACI
>> to allow or
>> > disallow users access to some data.  It seems to me that
>> when we make
>> > changes to the prescriptiveACI, it doesn't seem to take
>> effect till we
>> > restart the LDAP service.  Is this intentional?  Is there a
>> way to force it
>> > to be refreshed?
>> >
>> > Wayne Johnson
>> > Senior Software Engineer
>> > MQSoftware, Inc.
>> > 1660 S Highway 100
>> > Minneapolis, MN 55416
>> > (952) 345-8628
>> >
>> >
>> >
>>
>>
>> --
>> Ersin Er
>>
>> R.A. and Ph.D Student at the Dept. of Computer Eng. in
>> Hacettepe University
>> http://www.cs.hacettepe.edu.tr
>>
>> Committer and PMC Member of The Apache Directory Project
>> http://directory.apache.org
>>
>>
>
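An added example, not from the thread or from ApacheDS: a small Python check that parses the two prescriptiveACI values Wayne posted (abbreviated here to the user list and a few grants) and compares the access each bind DN should have with what an ldapsearch as that user actually returned, so a stale ACI of the kind described above shows up as a list of mismatching DNs. The observation dictionaries are constructed from Wayne's description, and the function names are invented for this example.

```python
import re

# Wayne's first prescriptiveACI, trimmed to the parts this check reads (names, grants).
ACI_BEFORE = '''{ identificationTag "userAdminPermissions", precedence 16,
  authenticationLevel simple, itemOrUserFirst userFirst: {
    userClasses { name { "cn=SA,ou=users,dc=mqsoftware,dc=com",
      "cn=fred,ou=users,dc=mqsoftware,dc=com",
      "cn=BrowserService,ou=users,dc=mqsoftware,dc=com" } },
    userPermissions { { protectedItems { entry, allUserAttributeTypesAndValues },
      grantsAndDenials { grantRead, grantBrowse, grantModify, grantReturnDN } } } } }'''
# The replaced value differs only in dropping fred from the name set.
ACI_AFTER = ACI_BEFORE.replace('"cn=fred,ou=users,dc=mqsoftware,dc=com",\n', '')

def norm_dn(dn: str) -> str:
    """Normalise a DN for comparison: trim, drop spaces around commas, lowercase."""
    return re.sub(r"\s*,\s*", ",", dn.strip()).lower()

def parse_aci(aci: str) -> dict:
    """Pull the user-class DNs and the grant/deny tokens out of an ACIItem string."""
    names = re.search(r"name\s*\{(.*?)\}", aci, re.S)
    grants = re.search(r"grantsAndDenials\s*\{(.*?)\}", aci, re.S)
    users = {norm_dn(d) for d in re.findall(r'"([^"]+)"', names.group(1))} if names else set()
    perms = {t.strip() for t in grants.group(1).split(",")} if grants else set()
    return {"users": users, "perms": perms}

def expected_access(aci: str, bind_dn: str, perm: str = "grantRead") -> bool:
    """Should a bind as bind_dn be granted `perm` under this userFirst/name ACI?"""
    parsed = parse_aci(aci)
    return norm_dn(bind_dn) in parsed["users"] and perm in parsed["perms"]

def access_changes(before: str, after: str, perm: str = "grantRead"):
    """(lost, gained): normalised DNs whose `perm` should change after the modify."""
    b, a = parse_aci(before), parse_aci(after)
    had = {u for u in b["users"] if perm in b["perms"]}
    has = {u for u in a["users"] if perm in a["perms"]}
    return had - has, has - had

def stale_entries(aci: str, observed: dict, perm: str = "grantRead") -> list:
    """DNs whose observed ldapsearch result disagrees with what `aci` should grant.
    A non-empty list after a successful modify is the stale-ACI symptom from the thread."""
    return sorted(dn for dn, got in observed.items() if got != expected_access(aci, dn, perm))

# Constructed observations matching Wayne's description: True = the bind could read user entries.
OBSERVED_AFTER_MODIFY = {"cn=fred,ou=users,dc=mqsoftware,dc=com": True,
                         "cn=bert,ou=users,dc=mqsoftware,dc=com": False,
                         "cn=SA,ou=users,dc=mqsoftware,dc=com": True}
OBSERVED_AFTER_RESTART = {**OBSERVED_AFTER_MODIFY, "cn=fred,ou=users,dc=mqsoftware,dc=com": False}

if __name__ == "__main__":
    print("lost, gained:", access_changes(ACI_BEFORE, ACI_AFTER))
    print("stale after modify:", stale_entries(ACI_AFTER, OBSERVED_AFTER_MODIFY))
    print("stale after restart:", stale_entries(ACI_AFTER, OBSERVED_AFTER_RESTART))
```

To use this against a live server, fill the observation dictionary from real ldapsearch binds as each listed user; the parser only needs the prescriptiveACI value read back from the subentry.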