directory-users mailing list archives

From "Ersin Er" <ersin...@gmail.com>
Subject Re: When do changes to ACI take effect?
Date Tue, 07 Aug 2007 21:44:34 GMT
BTW, which version of ApacheDS are you using? I had recently fixed such a
bug:

https://issues.apache.org/jira/browse/DIRSERVER-988

On 8/8/07, Wayne Johnson <wjohnson@mqsoftware.com> wrote:
>
> We start out with an automatically read in LDIF file that has:
>
> # This ACI allows an Admin to read and modify everything for all users
> dn: cn=userAdminPermissions,ou=users,dc=mqsoftware,dc=com
> objectClass: top
> objectClass: subentry
> objectClass: accessControlSubentry
> cn: userAdminPermissions
> subtreeSpecification: {}
> prescriptiveACI: {
>   identificationTag "userAdminPermissions",
>   precedence 16,
>   authenticationLevel simple,
>   itemOrUserFirst userFirst: {
>     userClasses {
>       name {
>         "cn=SA,ou=users,dc=mqsoftware,dc=com",
>         "cn=fred,ou=users,dc=mqsoftware,dc=com",
>         "cn=BrowserService,ou=users,dc=mqsoftware,dc=com"
>       }
>     },
>     userPermissions
>     {
>       {
>         protectedItems { entry, allUserAttributeTypesAndValues },
>         grantsAndDenials { grantAdd, grantDiscloseOnError, grantRead,
>           grantRemove, grantBrowse, grantExport, grantImport, grantModify,
>           grantRename, grantReturnDN, grantCompare, grantFilterMatch,
>           grantInvoke }
>       }
>     }
>   }
> }
>
> I can then do an ldapsearch from users fred and bert and fred shows full
> access to the user information and bert (who isn't in the Admin list) can
> not.
>
> Now the program rewrites the prescriptiveACI with:
>
> 2007-08-07 15:41:57,437 [btpool0-1] com.mqsoftware.ws.SWSLdapIETF DEBUG  -
> [Client File=SWSLdapIETF.java, Line=835] Updating
> cn=userAdminPermissions,ou=users,dc=mqsoftware,dc=com with:
> LDAPModification: (operation=replace,(LDAPAttribute:
> {type='prescriptiveACI', value='{
>   identificationTag "userAdminPermissions",
>   precedence 16,
>   authenticationLevel simple,
>   itemOrUserFirst userFirst: {
>   userClasses {
>       name {
>           "cn=BrowserService,ou=users,dc=mqsoftware,dc=com",
>           "cn=SA,ou=users,dc=mqsoftware,dc=com"
>       }
>   },
>   userPermissions
>   {
>       {
>           protectedItems { entry, allUserAttributeTypesAndValues },
>           grantsAndDenials { grantAdd, grantDiscloseOnError, grantRead,
>           grantRemove, grantBrowse, grantExport, grantImport, grantModify,
>           grantRename, grantReturnDN, grantCompare, grantFilterMatch,
>           grantInvoke }
>       }
>   }
> }
> }
> '}))
>
> At this point, fred still can see the user info.  I checked the apacheds
> logs and don't see any exceptions.  When I restart the service, things start
> working right (fred no longer has access).
>
> Is there a place where I can upload the full LDIF file?  It's 411 lines
> long.
>
> Thanks.
>
> > -----Original Message-----
> > From: Ersin Er [mailto:ersin.er@gmail.com]
> > Sent: Tuesday, August 07, 2007 4:12 PM
> > To: users@directory.apache.org
> > Subject: Re: When do changes to ACI take effect?
> >
> >
> > Hi,
> >
> > This is not intentional. Can you please give an example? Or
> > even a test
> > case?
> >
> > On 8/8/07, Wayne Johnson <wjohnson@mqsoftware.com> wrote:
> > >
> > > Our application allows an administrator to change the ACI
> > to allow or
> > > disallow users access to some data.  It seems to me that
> > when we make
> > > changes to the prescriptiveACI, it doesn't seem to take
> > effect till we
> > > restart the LDAP service.  Is this intentional?  Is there a
> > way to force it
> > > to be refreshed?
> > >
> > > Wayne Johnson
> > > Senior Software Engineer
> > > MQSoftware, Inc.
> > > 1660 S Highway 100
> > > Minneapolis, MN 55416
> > > (952) 345-8628
> > >
> > >
> > >
> >
> >
> > --
> > Ersin Er
> >
> > R.A. and Ph.D Student at the Dept. of Computer Eng. in
> > Hacettepe University
> > http://www.cs.hacettepe.edu.tr
> >
> > Committer and PMC Member of The Apache Directory Project
> > http://directory.apache.org
> >
> >
>



-- 
Ersin Er

R.A. and Ph.D Student at the Dept. of Computer Eng. in Hacettepe University
http://www.cs.hacettepe.edu.tr

Committer and PMC Member of The Apache Directory Project
http://directory.apache.org
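As an added example (not code from this thread or from ApacheDS), a small Python helper that compares the "before" and "after" prescriptiveACI values quoted above and lists the principals whose grants the replace operation revoked; those are exactly the users to re-test with a bind and search after the modify, so that a stale ACI cache like the one described here is caught without waiting for a restart. The regex-level parsing and the trimmed sample values are assumptions, not the server's own ACIItem parser.

```python
import re

# Constructed sample values, trimmed from the two prescriptiveACI values quoted
# in the thread: "fred" is present before the modify and absent after it.
ACI_BEFORE = """{ identificationTag "userAdminPermissions", precedence 16,
  authenticationLevel simple,
  itemOrUserFirst userFirst: {
    userClasses { name {
      "cn=SA,ou=users,dc=mqsoftware,dc=com",
      "cn=fred,ou=users,dc=mqsoftware,dc=com",
      "cn=BrowserService,ou=users,dc=mqsoftware,dc=com" } },
    userPermissions { { protectedItems { entry, allUserAttributeTypesAndValues },
      grantsAndDenials { grantAdd, grantRead, grantModify, grantRename } } } } }"""
ACI_AFTER = """{ identificationTag "userAdminPermissions", precedence 16,
  authenticationLevel simple,
  itemOrUserFirst userFirst: {
    userClasses { name {
      "cn=BrowserService,ou=users,dc=mqsoftware,dc=com",
      "cn=SA,ou=users,dc=mqsoftware,dc=com" } },
    userPermissions { { protectedItems { entry, allUserAttributeTypesAndValues },
      grantsAndDenials { grantAdd, grantRead, grantModify, grantRename } } } } }"""

# Assumed regex-level parsing of the ACIItem text (not ApacheDS's own parser):
# a name { ... } block holds quoted DNs, grantsAndDenials { ... } holds grants.
NAME_BLOCK = re.compile(r"\bname\s*\{([^}]*)\}")
QUOTED_DN = re.compile(r'"([^"]+)"')
GRANT_BLOCK = re.compile(r"\bgrantsAndDenials\s*\{([^}]*)\}")

def aci_principals(aci: str) -> set[str]:
    """DNs named in every userClasses name { ... } block of the ACI value."""
    dns = set()
    for block in NAME_BLOCK.findall(aci):
        dns.update(dn.strip() for dn in QUOTED_DN.findall(block))
    return dns

def aci_grants(aci: str) -> set[str]:
    """grant*/deny* keywords in every grantsAndDenials { ... } block."""
    grants = set()
    for block in GRANT_BLOCK.findall(aci):
        grants.update(g.strip() for g in block.split(",") if g.strip())
    return grants

def aci_diff(before: str, after: str) -> dict[str, list[str]]:
    """Principals and grants the replace removed or added. The revoked users
    are the ones to re-test with a bind and search before trusting the change."""
    p_old, p_new = aci_principals(before), aci_principals(after)
    g_old, g_new = aci_grants(before), aci_grants(after)
    return {"revoked_users": sorted(p_old - p_new),
            "added_users": sorted(p_new - p_old),
            "revoked_grants": sorted(g_old - g_new),
            "added_grants": sorted(g_new - g_old)}
```

For the two values above, `aci_diff` reports fred as the only revoked user and no change in grants, which is the access that should fail immediately after the modify rather than only after a restart.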
