directory-users mailing list archives

From "Wayne Johnson" <wjohn...@mqsoftware.com>
Subject RE: When do changes to ACI take effect?
Date Wed, 08 Aug 2007 13:46:50 GMT
OK, thanks.  Where can I download the snapshot from?  I don't see it in the regular location.

> -----Original Message-----
> From: Ersin Er [mailto:ersin.er@gmail.com]
> Sent: Wednesday, August 08, 2007 8:37 AM
> To: users@directory.apache.org
> Subject: Re: When do changes to ACI take effect?
> 
> 
> On 8/8/07, Wayne Johnson <wjohnson@mqsoftware.com> wrote:
> >
> > We're using 1.0.2.
> >
> > That does look like the issue though.  I dislike switching
> > releases at this point (we're releasing our product in 2 weeks).
> > Is there any sort of a bypass besides picking up the new code?
> 
> 
> I don't think that you can simply fix this on a previous version
> with some tricks. As it's all open source you may apply the patches
> to your own custom version of ApacheDS if you wish.
> 
> > -----Original Message-----
> > > From: Ersin Er [mailto:ersin.er@gmail.com]
> > > Sent: Tuesday, August 07, 2007 4:45 PM
> > > To: users@directory.apache.org
> > > Subject: Re: When do changes to ACI take effect?
> > >
> > >
> > > BTW, which version of ApacheDS are you using? I had recently
> > > fixed such a bug:
> > >
> > > https://issues.apache.org/jira/browse/DIRSERVER-988
> > >
> > > On 8/8/07, Wayne Johnson <wjohnson@mqsoftware.com> wrote:
> > > >
> > > > We start out with an automatically read in LDIF file that has:
> > > >
> > > > # This ACI allows an Admin to read and modify everything for all users
> > > > dn: cn=userAdminPermissions,ou=users,dc=mqsoftware,dc=com
> > > > objectClass: top
> > > > objectClass: subentry
> > > > objectClass: accessControlSubentry
> > > > cn: userAdminPermissions
> > > > subtreeSpecification: {}
> > > > prescriptiveACI: {
> > > >   identificationTag "userAdminPermissions",
> > > >   precedence 16,
> > > >   authenticationLevel simple,
> > > >   itemOrUserFirst userFirst: {
> > > >     userClasses {
> > > >       name {
> > > >         "cn=SA,ou=users,dc=mqsoftware,dc=com",
> > > >         "cn=fred,ou=users,dc=mqsoftware,dc=com",
> > > >         "cn=BrowserService,ou=users,dc=mqsoftware,dc=com"
> > > >       }
> > > >     },
> > > >     userPermissions
> > > >     {
> > > >       {
> > > >         protectedItems { entry, allUserAttributeTypesAndValues },
> > > >         grantsAndDenials { grantAdd, grantDiscloseOnError, grantRead,
> > > >           grantRemove, grantBrowse, grantExport, grantImport, grantModify,
> > > >           grantRename, grantReturnDN, grantCompare, grantFilterMatch,
> > > >           grantInvoke }
> > > >       }
> > > >     }
> > > >   }
> > > > }
> > > >
> > > > I can then do an ldapsearch from users fred and bert and fred shows
> > > > full access to the user information and bert (who isn't in the Admin
> > > > list) can not.
> > > >
> > > > Now the program rewrites the prescriptiveACI with:
> > > >
> > > > 2007-08-07 15:41:57,437 [btpool0-1] com.mqsoftware.ws.SWSLdapIETF DEBUG  -
> > > > [Client File=SWSLdapIETF.java, Line=835] Updating
> > > > cn=userAdminPermissions,ou=users,dc=mqsoftware,dc=com with:
> > > > LDAPModification: (operation=replace,(LDAPAttribute:
> > > > {type='prescriptiveACI', value='{
> > > >   identificationTag "userAdminPermissions",
> > > >   precedence 16,
> > > >   authenticationLevel simple,
> > > >   itemOrUserFirst userFirst: {
> > > >   userClasses {
> > > >       name {
> > > >           "cn=BrowserService,ou=users,dc=mqsoftware,dc=com",
> > > >           "cn=SA,ou=users,dc=mqsoftware,dc=com"
> > > >       }
> > > >   },
> > > >   userPermissions
> > > >   {
> > > >       {
> > > >           protectedItems { entry, allUserAttributeTypesAndValues },
> > > >           grantsAndDenials { grantAdd, grantDiscloseOnError, grantRead,
> > > >           grantRemove, grantBrowse, grantExport, grantImport, grantModify,
> > > >           grantRename, grantReturnDN, grantCompare, grantFilterMatch,
> > > >           grantInvoke }
> > > >       }
> > > >   }
> > > > }
> > > > }
> > > > '}))
> > > >
> > > > At this point, fred still can see the user info.  I checked the
> > > > apacheds logs and don't see any exceptions.  When I restart the
> > > > service, things start working right (fred no longer has access).
> > > >
> > > > Is there a place where I can upload the full LDIF file?  It's 411
> > > > lines long.
> > > >
> > > > Thanks.
> > > >
> > > > > -----Original Message-----
> > > > > From: Ersin Er [mailto:ersin.er@gmail.com]
> > > > > Sent: Tuesday, August 07, 2007 4:12 PM
> > > > > To: users@directory.apache.org
> > > > > Subject: Re: When do changes to ACI take effect?
> > > > >
> > > > >
> > > > > Hi,
> > > > >
> > > > > This is not intentional. Can you please give an example? Or even
> > > > > a test case?
> > > > >
> > > > > On 8/8/07, Wayne Johnson <wjohnson@mqsoftware.com> wrote:
> > > > > >
> > > > > > Our application allows an administrator to change the ACI to
> > > > > > allow or disallow users access to some data.  It seems to me
> > > > > > that when we make changes to the prescriptiveACI, it doesn't
> > > > > > seem to take effect till we restart the LDAP service.  Is this
> > > > > > intentional?  Is there a way to force it to be refreshed?
> > > > > >
> > > > > > Wayne Johnson
> > > > > > Senior Software Engineer
> > > > > > MQSoftware, Inc.
> > > > > > 1660 S Highway 100
> > > > > > Minneapolis, MN 55416
> > > > > > (952) 345-8628
> > > > > >
> > > > > >
> > > > > >
> > > > >
> > > > >
> > > > > --
> > > > > Ersin Er
> > > > >
> > > > > R.A. and Ph.D Student at the Dept. of Computer Eng. in
> > > > > Hacettepe University
> > > > > http://www.cs.hacettepe.edu.tr
> > > > >
> > > > > Committer and PMC Member of The Apache Directory Project
> > > > > http://directory.apache.org
> > > > >
> > > > >
> > > >
> > >
> > >
> > >
> > > --
> > > Ersin Er
> > >
> > > R.A. and Ph.D Student at the Dept. of Computer Eng. in
> > > Hacettepe University
> > > http://www.cs.hacettepe.edu.tr
> > >
> > > Committer and PMC Member of The Apache Directory Project
> > > http://directory.apache.org
> > >
> > >
> >
> 
> 
> 
> -- 
> Ersin Er
> 
> R.A. and Ph.D Student at the Dept. of Computer Eng. in 
> Hacettepe University
> http://www.cs.hacettepe.edu.tr
> 
> Committer and PMC Member of The Apache Directory Project
> http://directory.apache.org
> 
> 
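The check a practitioner would want after the exchange above, since a successful modify of `prescriptiveACI` is not proof that the server is enforcing it: diff the old and new ACI values to see which principals lose access, then probe each affected DN against the live server and flag any DN whose observed access disagrees with the new ACI. This is an added example, not code from the thread or from ApacheDS. The two ACI values are the ones posted in the thread, trimmed to the clauses the script reads; the parser handles only the `userFirst` / `userClasses { name { ... } }` form used there; DN comparison is a crude lower-case normalisation (an assumption, not the server's matching rule); and the live LDAP step (bind as the DN, attempt the protected search) is replaced by a constructed probe that behaves like the stale server the thread describes, so the script runs offline.

```python
"""Check that a prescriptiveACI change is really being enforced.

Added example for the thread above; not code from the thread or from
ApacheDS.  The ACI values are the posted ones, trimmed; the live LDAP
probe is a constructed stand-in so the script runs offline.
"""
import re
from typing import Callable, Dict, Iterable, Set, Tuple

# Before: SA, fred and BrowserService are granted (from the LDIF in the thread).
OLD_ACI = """{
  identificationTag "userAdminPermissions", precedence 16, authenticationLevel simple,
  itemOrUserFirst userFirst: {
    userClasses { name {
      "cn=SA,ou=users,dc=mqsoftware,dc=com",
      "cn=fred,ou=users,dc=mqsoftware,dc=com",
      "cn=BrowserService,ou=users,dc=mqsoftware,dc=com" } },
    userPermissions { { protectedItems { entry, allUserAttributeTypesAndValues },
      grantsAndDenials { grantRead, grantBrowse, grantReturnDN, grantModify } } } } }"""

# After: the application's replace drops fred.
NEW_ACI = """{
  identificationTag "userAdminPermissions", precedence 16, authenticationLevel simple,
  itemOrUserFirst userFirst: {
    userClasses { name {
      "cn=BrowserService,ou=users,dc=mqsoftware,dc=com",
      "cn=SA,ou=users,dc=mqsoftware,dc=com" } },
    userPermissions { { protectedItems { entry, allUserAttributeTypesAndValues },
      grantsAndDenials { grantRead, grantBrowse, grantReturnDN, grantModify } } } } }"""

_NAME_BLOCK = re.compile(r"userClasses\s*\{\s*name\s*\{([^}]*)\}")
_QUOTED_DN = re.compile(r'"([^"]+)"')


def norm_dn(dn: str) -> str:
    """Crude DN normalisation (assumption: lower-case, strip blanks around RDNs).
    A real client should compare DNs with the server's matching rules."""
    return ",".join(part.strip() for part in dn.lower().split(","))


def granted_names(aci: str) -> Set[str]:
    """DNs named in the userClasses { name { ... } } clause of a userFirst ACI."""
    m = _NAME_BLOCK.search(aci)
    if m is None:
        raise ValueError("ACI has no userClasses/name clause")
    return {norm_dn(dn) for dn in _QUOTED_DN.findall(m.group(1))}


def aci_diff(old: str, new: str) -> Tuple[Set[str], Set[str]]:
    """(DNs that gain access, DNs that lose access) when old is replaced by new."""
    before, after = granted_names(old), granted_names(new)
    return after - before, before - after


# probe(dn) -> True if a search bound as `dn` can read the protected entries.
Probe = Callable[[str], bool]


def verify_aci_applied(new_aci: str, subjects: Iterable[str], probe: Probe) -> Dict[str, str]:
    """Compare observed access with what new_aci grants, per subject DN.

    'ok'          observed matches the new ACI
    'STALE-GRANT' removed from the ACI but can still read (the fail-open case)
    'STALE-DENY'  added to the ACI but still refused
    """
    allowed = granted_names(new_aci)
    report: Dict[str, str] = {}
    for dn in subjects:
        expected = norm_dn(dn) in allowed
        observed = probe(dn)
        if observed == expected:
            report[dn] = "ok"
        else:
            report[dn] = "STALE-GRANT" if observed else "STALE-DENY"
    return report


def stale_server_probe(dn: str) -> bool:
    """Constructed stand-in for the server in the thread before a restart:
    it still enforces OLD_ACI although the modify to NEW_ACI succeeded."""
    return norm_dn(dn) in granted_names(OLD_ACI)


SUBJECTS = [
    "cn=SA,ou=users,dc=mqsoftware,dc=com",
    "cn=fred,ou=users,dc=mqsoftware,dc=com",
    "cn=bert,ou=users,dc=mqsoftware,dc=com",
    "cn=BrowserService,ou=users,dc=mqsoftware,dc=com",
]


def main() -> None:
    added, removed = aci_diff(OLD_ACI, NEW_ACI)
    print("gained:", sorted(added), "lost:", sorted(removed))
    report = verify_aci_applied(NEW_ACI, SUBJECTS, stale_server_probe)
    for dn, status in report.items():
        print(f"{status:12} {dn}")
    if any(s != "ok" for s in report.values()):
        print("ACI change is not being enforced: apply the fix or restart the server")


if __name__ == "__main__":
    main()
```

Against a real server the probe would bind as each subject DN and run the same search the application relies on; the point is to assert on the observed outcome for every DN the diff touched, not on the modify result, so a stale ACI shows up as `STALE-GRANT` for fred instead of going unnoticed until the next restart.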