directory-users mailing list archives

From "Wayne Johnson" <wjohn...@mqsoftware.com>
Subject RE: When do changes to ACI take effect?
Date Wed, 08 Aug 2007 13:07:48 GMT
We're using 1.0.2.  

That does look like the issue though.  I dislike switching releases at this point (we're releasing
our product in 2 weeks).  Is there any sort of a bypass besides picking up the new code?

> -----Original Message-----
> From: Ersin Er [mailto:ersin.er@gmail.com]
> Sent: Tuesday, August 07, 2007 4:45 PM
> To: users@directory.apache.org
> Subject: Re: When do changes to ACI take effect?
> 
> 
> BTW, which version of ApacheDS are you using? I had recently fixed such a
> bug:
> 
> https://issues.apache.org/jira/browse/DIRSERVER-988
> 
> On 8/8/07, Wayne Johnson <wjohnson@mqsoftware.com> wrote:
> >
> > We start out with an automatically read-in LDIF file that has:
> >
> > # This ACI allows an Admin to read and modify everything for all users
> > dn: cn=userAdminPermissions,ou=users,dc=mqsoftware,dc=com
> > objectClass: top
> > objectClass: subentry
> > objectClass: accessControlSubentry
> > cn: userAdminPermissions
> > subtreeSpecification: {}
> > prescriptiveACI: {
> >   identificationTag "userAdminPermissions",
> >   precedence 16,
> >   authenticationLevel simple,
> >   itemOrUserFirst userFirst: {
> >     userClasses {
> >       name {
> >         "cn=SA,ou=users,dc=mqsoftware,dc=com",
> >         "cn=fred,ou=users,dc=mqsoftware,dc=com",
> >         "cn=BrowserService,ou=users,dc=mqsoftware,dc=com"
> >       }
> >     },
> >     userPermissions
> >     {
> >       {
> >         protectedItems { entry, allUserAttributeTypesAndValues },
> >         grantsAndDenials { grantAdd, grantDiscloseOnError, grantRead,
> >           grantRemove, grantBrowse, grantExport, grantImport, grantModify,
> >           grantRename, grantReturnDN, grantCompare, grantFilterMatch,
> >           grantInvoke }
> >       }
> >     }
> >   }
> > }
> >
> > I can then do an ldapsearch from users fred and bert, and fred shows full
> > access to the user information and bert (who isn't in the Admin list)
> > cannot.
> >
> > Now the program rewrites the prescriptiveACI with:
> >
> > 2007-08-07 15:41:57,437 [btpool0-1] com.mqsoftware.ws.SWSLdapIETF DEBUG  -
> > [Client File=SWSLdapIETF.java, Line=835] Updating
> > cn=userAdminPermissions,ou=users,dc=mqsoftware,dc=com with:
> > LDAPModification: (operation=replace,(LDAPAttribute:
> > {type='prescriptiveACI', value='{
> >   identificationTag "userAdminPermissions",
> >   precedence 16,
> >   authenticationLevel simple,
> >   itemOrUserFirst userFirst: {
> >   userClasses {
> >       name {
> >           "cn=BrowserService,ou=users,dc=mqsoftware,dc=com",
> >           "cn=SA,ou=users,dc=mqsoftware,dc=com"
> >       }
> >   },
> >   userPermissions
> >   {
> >       {
> >           protectedItems { entry, allUserAttributeTypesAndValues },
> >           grantsAndDenials { grantAdd, grantDiscloseOnError, grantRead,
> >           grantRemove, grantBrowse, grantExport, grantImport, grantModify,
> >           grantRename, grantReturnDN, grantCompare, grantFilterMatch,
> >           grantInvoke }
> >       }
> >   }
> > }
> > }
> > '}))
> >
> > At this point, fred can still see the user info.  I checked the apacheds
> > logs and don't see any exceptions.  When I restart the service, things
> > start working right (fred no longer has access).
> >
> > Is there a place where I can upload the full LDIF file?  It's 411 lines
> > long.
> >
> > Thanks.
> >
> > > -----Original Message-----
> > > From: Ersin Er [mailto:ersin.er@gmail.com]
> > > Sent: Tuesday, August 07, 2007 4:12 PM
> > > To: users@directory.apache.org
> > > Subject: Re: When do changes to ACI take effect?
> > >
> > >
> > > Hi,
> > >
> > > This is not intentional. Can you please give an example? Or
> > > even a test
> > > case?
> > >
> > > On 8/8/07, Wayne Johnson <wjohnson@mqsoftware.com> wrote:
> > > >
> > > > Our application allows an administrator to change the ACI
> > > to allow or
> > > > disallow users access to some data.  It seems to me that
> > > when we make
> > > > changes to the prescriptiveACI, it doesn't seem to take
> > > effect till we
> > > > restart the LDAP service.  Is this intentional?  Is there a
> > > way to force it
> > > > to be refreshed?
> > > >
> > > > Wayne Johnson
> > > > Senior Software Engineer
> > > > MQSoftware, Inc.
> > > > 1660 S Highway 100
> > > > Minneapolis, MN 55416
> > > > (952) 345-8628
> > > >
> > > >
> > > >
> > >
> > >
> > > --
> > > Ersin Er
> > >
> > > R.A. and Ph.D Student at the Dept. of Computer Eng. in
> > > Hacettepe University
> > > http://www.cs.hacettepe.edu.tr
> > >
> > > Committer and PMC Member of The Apache Directory Project
> > > http://directory.apache.org
> > >
> > >
> >
> 
> 
> 
> -- 
> Ersin Er
> 
> R.A. and Ph.D Student at the Dept. of Computer Eng. in 
> Hacettepe University
> http://www.cs.hacettepe.edu.tr
> 
> Committer and PMC Member of The Apache Directory Project
> http://directory.apache.org
> 
> 
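The thread turns on a revocation that the server kept ignoring until a restart: the `prescriptiveACI` was replaced so that `cn=fred` dropped out of the `userClasses name { ... }` set, yet fred's searches still succeeded. The script below is an added example for this page, not ApacheDS code or code from the thread. It takes the two ACI values posted above (copied verbatim), extracts the DNs named in each, reports which DNs the replace revokes, and then compares the access the stored ACI implies with the access actually observed in a per-user test search. A non-empty mismatch set is exactly the stale-ACI symptom described for 1.0.2. The "observed" results are constructed stand-ins for what an ldapsearch as each user would return; the ACI parsing is a deliberately narrow regex over the `name` block rather than a full ACI-item grammar.

```python
"""Verify that a replaced prescriptiveACI is actually being enforced.

Added example (not ApacheDS or thread code). The two ACI values are the ones
posted in the thread; the observed access results are constructed.
"""
import re

# prescriptiveACI value loaded from the LDIF at startup (copied from the thread).
ACI_BEFORE = """{
  identificationTag "userAdminPermissions",
  precedence 16,
  authenticationLevel simple,
  itemOrUserFirst userFirst: {
    userClasses {
      name {
        "cn=SA,ou=users,dc=mqsoftware,dc=com",
        "cn=fred,ou=users,dc=mqsoftware,dc=com",
        "cn=BrowserService,ou=users,dc=mqsoftware,dc=com"
      }
    },
    userPermissions {
      {
        protectedItems { entry, allUserAttributeTypesAndValues },
        grantsAndDenials { grantAdd, grantDiscloseOnError, grantRead,
          grantRemove, grantBrowse, grantExport, grantImport, grantModify,
          grantRename, grantReturnDN, grantCompare, grantFilterMatch,
          grantInvoke }
      }
    }
  }
}"""

# Value written by the application's LDAPModification replace (copied from the thread).
ACI_AFTER = """{
  identificationTag "userAdminPermissions",
  precedence 16,
  authenticationLevel simple,
  itemOrUserFirst userFirst: {
    userClasses {
      name {
        "cn=BrowserService,ou=users,dc=mqsoftware,dc=com",
        "cn=SA,ou=users,dc=mqsoftware,dc=com"
      }
    },
    userPermissions {
      {
        protectedItems { entry, allUserAttributeTypesAndValues },
        grantsAndDenials { grantAdd, grantDiscloseOnError, grantRead,
          grantRemove, grantBrowse, grantExport, grantImport, grantModify,
          grantRename, grantReturnDN, grantCompare, grantFilterMatch,
          grantInvoke }
      }
    }
  }
}"""

FRED = "cn=fred,ou=users,dc=mqsoftware,dc=com"
BERT = "cn=bert,ou=users,dc=mqsoftware,dc=com"
SA = "cn=SA,ou=users,dc=mqsoftware,dc=com"
BROWSER = "cn=BrowserService,ou=users,dc=mqsoftware,dc=com"


def named_users(aci):
    """DNs listed in the ACI's userClasses `name { ... }` block.

    The word boundary keeps `grantRename` from matching; the block is the
    first `{ ... }` after `name`, which holds only quoted DNs.
    """
    block = re.search(r"\bname\s*\{([^}]*)\}", aci)
    if not block:
        return set()
    return set(re.findall(r'"([^"]*)"', block.group(1)))


def revoked_users(aci_before, aci_after):
    """DNs granted by the old ACI that the new ACI no longer names."""
    return named_users(aci_before) - named_users(aci_after)


def stale_aci_mismatches(aci_after, observed):
    """Compare the access the stored ACI implies with what test searches show.

    observed maps a bind DN to True/False (search returned the user entries
    or not). Returns {dn: (expected, observed)} for every contradiction; any
    entry means the server is still enforcing an older ACI.
    """
    allowed = named_users(aci_after)
    return {dn: (dn in allowed, seen)
            for dn, seen in observed.items() if (dn in allowed) != seen}


if __name__ == "__main__":
    print("revoked by the replace:", sorted(revoked_users(ACI_BEFORE, ACI_AFTER)))
    # Constructed: what the thread reports right after the modify, pre-restart.
    before_restart = {FRED: True, BERT: False, SA: True, BROWSER: True}
    print("mismatches before restart:", stale_aci_mismatches(ACI_AFTER, before_restart))
    # Constructed: after the restart fred is denied, as the thread reports.
    after_restart = {FRED: False, BERT: False, SA: True, BROWSER: True}
    print("mismatches after restart:", stale_aci_mismatches(ACI_AFTER, after_restart))
```

Run this kind of check from the application right after every ACI rewrite (binding as the revoked user and attempting the read that should now fail); treat a non-empty result as a failed revocation to be alerted on rather than something to discover at the next restart.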