directory-users mailing list archives

From "Wayne Johnson" <wjohn...@mqsoftware.com>
Subject RE: When do changes to ACI take effect?
Date Wed, 08 Aug 2007 13:04:40 GMT
We're using the stable 1.0.2.

> -----Original Message-----
> From: Markus Pohle [mailto:apacheds.users@webunity.de]
> Sent: Tuesday, August 07, 2007 4:43 PM
> To: users@directory.apache.org
> Cc: Wayne Johnson
> Subject: RE: When do changes to ACI take effect?
> 
> 
> 
> Hi Wayne,
> 
> what version of apacheds are you using?
> 
> The problem you describe looks to me similar to this one:
> http://issues.apache.org/jira/browse/DIRSERVER-1001
> 
> If you do not use newest 1.5.1-snapshot build or newest 
> 1.0.2-snapshot  
> try to build from trunk.
> 
> HTH
> Markus
> 
> 
> Quoting Wayne Johnson <wjohnson@mqsoftware.com>:
> 
> > We start out with an automatically read in LDIF file that has:
> >
> > # This ACI allows an Admin to read and modify everything 
> for all users
> > dn: cn=userAdminPermissions,ou=users,dc=mqsoftware,dc=com
> > objectClass: top
> > objectClass: subentry
> > objectClass: accessControlSubentry
> > cn: userAdminPermissions
> > subtreeSpecification: {}
> > prescriptiveACI: {
> >   identificationTag "userAdminPermissions",
> >   precedence 16,
> >   authenticationLevel simple,
> >   itemOrUserFirst userFirst: {
> >     userClasses {
> >       name {
> >         "cn=SA,ou=users,dc=mqsoftware,dc=com",
> >         "cn=fred,ou=users,dc=mqsoftware,dc=com",
> >         "cn=BrowserService,ou=users,dc=mqsoftware,dc=com"
> >       }
> >     },
> >     userPermissions
> >     {
> >       {
> >         protectedItems { entry, allUserAttributeTypesAndValues },
> >         grantsAndDenials { grantAdd, grantDiscloseOnError, 
> grantRead,
> >           grantRemove, grantBrowse, grantExport, 
> grantImport, grantModify,
> >           grantRename, grantReturnDN, grantCompare, 
> grantFilterMatch,
> >           grantInvoke }
> >       }
> >     }
> >   }
> >  }
> >
> > I can then do an ldapsearch from users fred and bert and 
> fred shows   
> > full access to the user information and bert (who isn't in 
> the Admin  
> >  list) can not.
> >
> > Now the program rewrites the prescriptiveACI with:
> >
> > 2007-08-07 15:41:57,437 [btpool0-1] com.mqsoftware.ws.SWSLdapIETF   
> > DEBUG  - [Client File=SWSLdapIETF.java, Line=835] Updating   
> > cn=userAdminPermissions,ou=users,dc=mqsoftware,dc=com with:
> > LDAPModification: (operation=replace,(LDAPAttribute:   
> > {type='prescriptiveACI', value='{
> >   identificationTag "userAdminPermissions",
> >   precedence 16,
> >   authenticationLevel simple,
> >   itemOrUserFirst userFirst: {
> >   userClasses {
> >       name {
> >           "cn=BrowserService,ou=users,dc=mqsoftware,dc=com",
> >           "cn=SA,ou=users,dc=mqsoftware,dc=com"
> >       }
> >   },
> >   userPermissions
> >   {
> >       {
> >           protectedItems { entry, allUserAttributeTypesAndValues },
> >           grantsAndDenials { grantAdd, 
> grantDiscloseOnError, grantRead,
> >           grantRemove, grantBrowse, grantExport, 
> grantImport, grantModify,
> >           grantRename, grantReturnDN, grantCompare, 
> grantFilterMatch,
> >           grantInvoke }
> >       }
> >   }
> >  }
> > }
> > '}))
> >
> > At this point, fred still can see the user info.  I checked the   
> > apacheds logs and don't see any exceptions.  When I restart the   
> > service, things start working right (fred no longer has access).
> >
> > Is there a place where I can upload the full LDIF file?  
> It's 411 lines long.
> >
> > Thanks.
> >
> >> -----Original Message-----
> >> From: Ersin Er [mailto:ersin.er@gmail.com]
> >> Sent: Tuesday, August 07, 2007 4:12 PM
> >> To: users@directory.apache.org
> >> Subject: Re: When do changes to ACI take effect?
> >>
> >>
> >> Hi,
> >>
> >> This is not intentional. Can you please give an example? Or
> >> even a test
> >> case?
> >>
> >> On 8/8/07, Wayne Johnson <wjohnson@mqsoftware.com> wrote:
> >> >
> >> > Our application allows an administrator to change the ACI
> >> to allow or
> >> > disallow users access to some data.  It seems to me that
> >> when we make
> >> > changes to the prescriptiveACI, it doesn't seem to take
> >> effect till we
> >> > restart the LDAP service.  Is this intentional?  Is there a
> >> way to force it
> >> > to be refreshed?
> >> >
> >> > Wayne Johnson
> >> > Senior Software Engineer
> >> > MQSoftware, Inc.
> >> > 1660 S Highway 100
> >> > Minneapolis, MN 55416
> >> > (952) 345-8628
> >> >
> >> >
> >> >
> >>
> >>
> >> --
> >> Ersin Er
> >>
> >> R.A. and Ph.D Student at the Dept. of Computer Eng. in
> >> Hacettepe University
> >> http://www.cs.hacettepe.edu.tr
> >>
> >> Committer and PMC Member of The Apache Directory Project
> >> http://directory.apache.org
> >>
> >>
> >
> 
> 
> 
> 
> 
> 
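The thread's diagnostic is a before/after comparison: who the prescriptiveACI names, versus who an ldapsearch shows actually has access. The script below is an added example, not code from the thread or from ApacheDS. It parses the userClasses names and grantsAndDenials out of the two prescriptiveACI values quoted above (copied here as constructed sample strings), reports which bind DNs the rewrite should have revoked, and flags any DN whose observed search result contradicts the ACI currently stored, which is exactly the stale-cache symptom described (fred still seeing data after being dropped from the ACI). The regex parser assumes this particular userFirst layout with a single name block, not the full X.501 ACI grammar; `stale_principals` and its observation dict are hypothetical names chosen for this example.

```python
import re

# Constructed sample: the prescriptiveACI value loaded from the LDIF (fred is named).
ACI_BEFORE = '''{
  identificationTag "userAdminPermissions",
  precedence 16,
  authenticationLevel simple,
  itemOrUserFirst userFirst: {
    userClasses {
      name {
        "cn=SA,ou=users,dc=mqsoftware,dc=com",
        "cn=fred,ou=users,dc=mqsoftware,dc=com",
        "cn=BrowserService,ou=users,dc=mqsoftware,dc=com"
      }
    },
    userPermissions
    {
      {
        protectedItems { entry, allUserAttributeTypesAndValues },
        grantsAndDenials { grantAdd, grantDiscloseOnError, grantRead,
          grantRemove, grantBrowse, grantExport, grantImport, grantModify,
          grantRename, grantReturnDN, grantCompare, grantFilterMatch,
          grantInvoke }
      }
    }
  }
}'''

# Constructed sample: the replacement value the application wrote (fred removed).
ACI_AFTER = ACI_BEFORE.replace(
    '        "cn=fred,ou=users,dc=mqsoftware,dc=com",\n', '')


def parse_aci(text):
    """Extract the fields this example cares about from a userFirst prescriptiveACI.

    Assumes one 'name { ... }' block under userClasses and one grantsAndDenials set;
    this is a narrow regex parser for the layout in the thread, not a general one.
    """
    tag = re.search(r'identificationTag\s+"([^"]+)"', text)
    precedence = re.search(r'precedence\s+(\d+)', text)
    names_block = re.search(r'\bname\s*\{([^}]*)\}', text, re.S)
    grants_block = re.search(r'grantsAndDenials\s*\{([^}]*)\}', text, re.S)
    return {
        'tag': tag.group(1) if tag else None,
        'precedence': int(precedence.group(1)) if precedence else None,
        'names': re.findall(r'"([^"]+)"', names_block.group(1)) if names_block else [],
        'grants': [g.strip() for g in grants_block.group(1).split(',')] if grants_block else [],
    }


def diff_principals(before, after):
    """Which bind DNs lose or gain the ACI's grants when 'before' is replaced by 'after'."""
    old = set(parse_aci(before)['names'])
    new = set(parse_aci(after)['names'])
    return {'revoked': sorted(old - new), 'granted': sorted(new - old)}


def stale_principals(aci_text, observed):
    """DNs whose observed access disagrees with the stored ACI.

    observed maps a bind DN to True if a search bound as that DN returned the
    protected attributes. A mismatch means the server is still enforcing an
    older ACI than the one stored in the subentry.
    """
    allowed = set(parse_aci(aci_text)['names'])
    return sorted(dn for dn, saw_data in observed.items() if saw_data != (dn in allowed))


if __name__ == '__main__':
    print('revoked/granted by the rewrite:', diff_principals(ACI_BEFORE, ACI_AFTER))
    # Constructed observation matching the thread: fred still sees the data after the rewrite.
    observed = {
        'cn=fred,ou=users,dc=mqsoftware,dc=com': True,
        'cn=bert,ou=users,dc=mqsoftware,dc=com': False,
        'cn=SA,ou=users,dc=mqsoftware,dc=com': True,
    }
    print('stale against stored ACI:', stale_principals(ACI_AFTER, observed))
```

Running the observation step after each ACI modification (a search bound as each affected user, as Wayne did with fred and bert) is the check that distinguishes "the modify was rejected" from "the modify was stored but not yet enforced"; the second case shows up here as a non-empty stale list while the directory logs show no error.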