directory-users mailing list archives
From "Wayne Johnson" <wjohn...@mqsoftware.com>
Subject RE: When do changes to ACI take effect?
Date Tue, 07 Aug 2007 21:29:22 GMT
We start out with an automatically read-in LDIF file that has:

# This ACI allows an Admin to read and modify everything for all users
dn: cn=userAdminPermissions,ou=users,dc=mqsoftware,dc=com
objectClass: top
objectClass: subentry
objectClass: accessControlSubentry
cn: userAdminPermissions
subtreeSpecification: {}
prescriptiveACI: { 
  identificationTag "userAdminPermissions", 
  precedence 16, 
  authenticationLevel simple,
  itemOrUserFirst userFirst: { 
    userClasses { 
      name { 
        "cn=SA,ou=users,dc=mqsoftware,dc=com",
        "cn=fred,ou=users,dc=mqsoftware,dc=com",
        "cn=BrowserService,ou=users,dc=mqsoftware,dc=com"
      }
    }, 
    userPermissions 
    { 
      { 
        protectedItems { entry, allUserAttributeTypesAndValues }, 
        grantsAndDenials { grantAdd, grantDiscloseOnError, grantRead, 
          grantRemove, grantBrowse, grantExport, grantImport, grantModify, 
          grantRename, grantReturnDN, grantCompare, grantFilterMatch, 
          grantInvoke } 
      } 
    } 
  } 
 }

I can then do an ldapsearch from users fred and bert, and fred shows full access to the user
information and bert (who isn't in the Admin list) cannot.

Now the program rewrites the prescriptiveACI with:

2007-08-07 15:41:57,437 [btpool0-1] com.mqsoftware.ws.SWSLdapIETF DEBUG  - [Client File=SWSLdapIETF.java,
Line=835] Updating cn=userAdminPermissions,ou=users,dc=mqsoftware,dc=com with: 
LDAPModification: (operation=replace,(LDAPAttribute: {type='prescriptiveACI', value='{ 
  identificationTag "userAdminPermissions", 
  precedence 16, 
  authenticationLevel simple,
  itemOrUserFirst userFirst: { 
  userClasses { 
      name { 
          "cn=BrowserService,ou=users,dc=mqsoftware,dc=com",
          "cn=SA,ou=users,dc=mqsoftware,dc=com"
      } 
  }, 
  userPermissions 
  { 
      { 
          protectedItems { entry, allUserAttributeTypesAndValues }, 
          grantsAndDenials { grantAdd, grantDiscloseOnError, grantRead, 
          grantRemove, grantBrowse, grantExport, grantImport, grantModify, 
          grantRename, grantReturnDN, grantCompare, grantFilterMatch, 
          grantInvoke } 
      } 
  } 
 } 
}
'})) 

At this point, fred still can see the user info.  I checked the apacheds logs and don't see
any exceptions.  When I restart the service, things start working right (fred no longer has
access).

Is there a place where I can upload the full LDIF file?  It's 411 lines long.

Thanks.

> -----Original Message-----
> From: Ersin Er [mailto:ersin.er@gmail.com]
> Sent: Tuesday, August 07, 2007 4:12 PM
> To: users@directory.apache.org
> Subject: Re: When do changes to ACI take effect?
> 
> 
> Hi,
> 
> This is not intentional. Can you please give an example? Or even a test case?
> 
> On 8/8/07, Wayne Johnson <wjohnson@mqsoftware.com> wrote:
> >
> > Our application allows an administrator to change the ACI to allow or
> > disallow users access to some data.  It seems to me that when we make
> > changes to the prescriptiveACI, it doesn't seem to take effect till we
> > restart the LDAP service.  Is this intentional?  Is there a way to force it
> > to be refreshed?
> >
> > Wayne Johnson
> > Senior Software Engineer
> > MQSoftware, Inc.
> > 1660 S Highway 100
> > Minneapolis, MN 55416
> > (952) 345-8628
> >
> >
> >
> 
> 
> -- 
> Ersin Er
> 
> R.A. and Ph.D Student at the Dept. of Computer Eng. in 
> Hacettepe University
> http://www.cs.hacettepe.edu.tr
> 
> Committer and PMC Member of The Apache Directory Project
> http://directory.apache.org
> 
> 
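An added example, not code from this thread or from ApacheDS: a small Python parser for the userFirst prescriptiveACI shape used above, so the value stored in the subentry can be checked against the access a bind as fred or bert actually gets. The regex grammar and the shortened grants list are assumptions; it covers only the items shown here, not the full X.501 ACI syntax.

```python
"""Parse the userFirst form of an ApacheDS prescriptiveACI value and answer
"does this ACI grant DN X permission Y?", so the value stored in the subentry
can be compared with what a bind as that DN can actually read. Added example;
the regex grammar is an assumption covering only the items used in the thread."""
import re

def parse_user_first_aci(value: str) -> dict:
    """Extract tag, precedence, the named user DNs and the grants/denials."""
    def block(keyword: str) -> str:
        # Contents of the first "<keyword> { ... }" item (no nested braces).
        m = re.search(r"\b" + keyword + r"\s*\{(.*?)\}", value, re.S)
        return m.group(1) if m else ""
    tag = re.search(r'identificationTag\s+"([^"]*)"', value)
    prec = re.search(r"precedence\s+(\d+)", value)
    gd = re.findall(r"(grant|deny)([A-Za-z]+)", block("grantsAndDenials"))
    return {
        "tag": tag.group(1) if tag else None,
        "precedence": int(prec.group(1)) if prec else None,
        # DNs compare case-insensitively, so normalise them once here.
        "names": {dn.lower() for dn in re.findall(r'"([^"]+)"', block("name"))},
        "grants": {perm for kind, perm in gd if kind == "grant"},
        "denials": {perm for kind, perm in gd if kind == "deny"},
    }

def is_granted(aci: dict, user_dn: str, permission: str) -> bool:
    """True if user_dn is in the name list and the permission is granted;
    a denial of the same permission in the same set overrides the grant."""
    return (user_dn.lower() in aci["names"]
            and permission in aci["grants"]
            and permission not in aci["denials"])

def revoked_users(before: str, after: str) -> set:
    """DNs named in the old ACI but not in the new one: the users whose
    access the rewrite was meant to remove."""
    return parse_user_first_aci(before)["names"] - parse_user_first_aci(after)["names"]

# Constructed from the two values in the thread, with the grants list shortened.
BEFORE_ACI = """{ identificationTag "userAdminPermissions", precedence 16,
  authenticationLevel simple, itemOrUserFirst userFirst: {
    userClasses { name { "cn=SA,ou=users,dc=mqsoftware,dc=com",
      "cn=fred,ou=users,dc=mqsoftware,dc=com",
      "cn=BrowserService,ou=users,dc=mqsoftware,dc=com" } },
    userPermissions { { protectedItems { entry, allUserAttributeTypesAndValues },
      grantsAndDenials { grantRead, grantBrowse, grantModify, grantReturnDN } } } } }"""
AFTER_ACI = BEFORE_ACI.replace('"cn=fred,ou=users,dc=mqsoftware,dc=com",', "")

if __name__ == "__main__":
    fred = "cn=fred,ou=users,dc=mqsoftware,dc=com"
    print("fred granted Read before rewrite:", is_granted(parse_user_first_aci(BEFORE_ACI), fred, "Read"))
    print("fred granted Read after rewrite: ", is_granted(parse_user_first_aci(AFTER_ACI), fred, "Read"))
    print("revoked by rewrite:", revoked_users(BEFORE_ACI, AFTER_ACI))
```

If the parsed value read back from the subentry no longer grants a DN Read, but an ldapsearch bound as that DN still returns the entries, the server is enforcing a stale copy of the ACI, which is the symptom reported above.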