directory-users mailing list archives

From "Ersin Er" <ersin...@gmail.com>
Subject Re: When do changes to ACI take effect?
Date Wed, 08 Aug 2007 13:37:24 GMT
On 8/8/07, Wayne Johnson <wjohnson@mqsoftware.com> wrote:
>
> We're using 1.0.2.
>
> That does look like the issue though.  I dislike switching releases at
> this point (we're releasing our product in 2 weeks).  Is there any sort of a
> bypass besides picking up the new code?


I don't think that you can simply fix this on a previous version with some
tricks. As it's all open source you may apply the patches to your own custom
version of ApacheDS if you wish.

> -----Original Message-----
> > From: Ersin Er [mailto:ersin.er@gmail.com]
> > Sent: Tuesday, August 07, 2007 4:45 PM
> > To: users@directory.apache.org
> > Subject: Re: When do changes to ACI take effect?
> >
> >
> > BTW, which version of ApacheDS are you using? I had recently fixed such a
> > bug:
> >
> > https://issues.apache.org/jira/browse/DIRSERVER-988
> >
> > On 8/8/07, Wayne Johnson <wjohnson@mqsoftware.com> wrote:
> > >
> > > We start out with an automatically read in LDIF file that has:
> > >
> > > # This ACI allows an Admin to read and modify everything for all users
> > > dn: cn=userAdminPermissions,ou=users,dc=mqsoftware,dc=com
> > > objectClass: top
> > > objectClass: subentry
> > > objectClass: accessControlSubentry
> > > cn: userAdminPermissions
> > > subtreeSpecification: {}
> > > prescriptiveACI: {
> > >   identificationTag "userAdminPermissions",
> > >   precedence 16,
> > >   authenticationLevel simple,
> > >   itemOrUserFirst userFirst: {
> > >     userClasses {
> > >       name {
> > >         "cn=SA,ou=users,dc=mqsoftware,dc=com",
> > >         "cn=fred,ou=users,dc=mqsoftware,dc=com",
> > >         "cn=BrowserService,ou=users,dc=mqsoftware,dc=com"
> > >       }
> > >     },
> > >     userPermissions
> > >     {
> > >       {
> > >         protectedItems { entry, allUserAttributeTypesAndValues },
> > >         grantsAndDenials { grantAdd, grantDiscloseOnError, grantRead,
> > >           grantRemove, grantBrowse, grantExport, grantImport, grantModify,
> > >           grantRename, grantReturnDN, grantCompare, grantFilterMatch,
> > >           grantInvoke }
> > >       }
> > >     }
> > >   }
> > > }
> > >
> > > I can then do an ldapsearch from users fred and bert and fred shows full
> > > access to the user information and bert (who isn't in the Admin list) can
> > > not.
> > >
> > > Now the program rewrites the prescriptiveACI with:
> > >
> > > 2007-08-07 15:41:57,437 [btpool0-1] com.mqsoftware.ws.SWSLdapIETF DEBUG  -
> > > [Client File=SWSLdapIETF.java, Line=835] Updating
> > > cn=userAdminPermissions,ou=users,dc=mqsoftware,dc=com with:
> > > LDAPModification: (operation=replace,(LDAPAttribute:
> > > {type='prescriptiveACI', value='{
> > >   identificationTag "userAdminPermissions",
> > >   precedence 16,
> > >   authenticationLevel simple,
> > >   itemOrUserFirst userFirst: {
> > >   userClasses {
> > >       name {
> > >           "cn=BrowserService,ou=users,dc=mqsoftware,dc=com",
> > >           "cn=SA,ou=users,dc=mqsoftware,dc=com"
> > >       }
> > >   },
> > >   userPermissions
> > >   {
> > >       {
> > >           protectedItems { entry, allUserAttributeTypesAndValues },
> > >           grantsAndDenials { grantAdd, grantDiscloseOnError, grantRead,
> > >           grantRemove, grantBrowse, grantExport, grantImport, grantModify,
> > >           grantRename, grantReturnDN, grantCompare, grantFilterMatch,
> > >           grantInvoke }
> > >       }
> > >   }
> > > }
> > > }
> > > '}))
> > >
> > > At this point, fred still can see the user info.  I checked the apacheds
> > > logs and don't see any exceptions.  When I restart the service, things start
> > > working right (fred no longer has access).
> > >
> > > Is there a place where I can upload the full LDIF file?  It's 411 lines
> > > long.
> > >
> > > Thanks.
> > >
> > > > -----Original Message-----
> > > > From: Ersin Er [mailto:ersin.er@gmail.com]
> > > > Sent: Tuesday, August 07, 2007 4:12 PM
> > > > To: users@directory.apache.org
> > > > Subject: Re: When do changes to ACI take effect?
> > > >
> > > >
> > > > Hi,
> > > >
> > > > This is not intentional. Can you please give an example? Or even a test
> > > > case?
> > > >
> > > > On 8/8/07, Wayne Johnson <wjohnson@mqsoftware.com> wrote:
> > > > >
> > > > > Our application allows an administrator to change the ACI to allow or
> > > > > disallow users access to some data.  It seems to me that when we make
> > > > > changes to the prescriptiveACI, it doesn't seem to take effect till we
> > > > > restart the LDAP service.  Is this intentional?  Is there a way to force it
> > > > > to be refreshed?
> > > > >
> > > > > Wayne Johnson
> > > > > Senior Software Engineer
> > > > > MQSoftware, Inc.
> > > > > 1660 S Highway 100
> > > > > Minneapolis, MN 55416
> > > > > (952) 345-8628
> > > > >
> > > > >
> > > > >
> > > >
> > > >
> > > > --
> > > > Ersin Er
> > > >
> > > > R.A. and Ph.D Student at the Dept. of Computer Eng. in
> > > > Hacettepe University
> > > > http://www.cs.hacettepe.edu.tr
> > > >
> > > > Committer and PMC Member of The Apache Directory Project
> > > > http://directory.apache.org
> > > >
> > > >
> > >
> >
> >
> >
> > --
> > Ersin Er
> >
> > R.A. and Ph.D Student at the Dept. of Computer Eng. in
> > Hacettepe University
> > http://www.cs.hacettepe.edu.tr
> >
> > Committer and PMC Member of The Apache Directory Project
> > http://directory.apache.org
> >
> >
>



-- 
Ersin Er

R.A. and Ph.D Student at the Dept. of Computer Eng. in Hacettepe University
http://www.cs.hacettepe.edu.tr

Committer and PMC Member of The Apache Directory Project
http://directory.apache.org
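The script below is an added example for this thread; it is not code from ApacheDS, from DIRSERVER-988, or from either participant. It takes the subentry Wayne posted, unfolds the multi-line prescriptiveACI value the way an RFC 2849 reader does (continuation lines begin with one space, so the sample indents the closing braces as well), drops one DN from the userClasses name list the way his application does, reports which principals should now be denied (the ones to bind as and ldapsearch with after the modify and before any restart, which is exactly the check that exposed the bug), and emits the matching LDIF modify record, base64-encoding the value whenever it is not an RFC 2849 SAFE-STRING (for instance the multi-line form seen in the debug log). All helper names are mine, the sample LDIF is constructed from the thread, and the DN comparison is a deliberate approximation rather than full distinguishedNameMatch.

```python
import base64
import re

# Constructed sample: the subentry posted in the thread.  Every line of the
# multi-line value, closing braces included, begins with a space, because
# RFC 2849 only joins a line onto the previous one when it starts with a space.
ACI_LDIF = """\
dn: cn=userAdminPermissions,ou=users,dc=mqsoftware,dc=com
objectClass: top
objectClass: subentry
objectClass: accessControlSubentry
cn: userAdminPermissions
subtreeSpecification: {}
prescriptiveACI: {
  identificationTag "userAdminPermissions",
  precedence 16,
  authenticationLevel simple,
  itemOrUserFirst userFirst: {
    userClasses { name {
      "cn=SA,ou=users,dc=mqsoftware,dc=com",
      "cn=fred,ou=users,dc=mqsoftware,dc=com",
      "cn=BrowserService,ou=users,dc=mqsoftware,dc=com" } },
    userPermissions { {
      protectedItems { entry, allUserAttributeTypesAndValues },
      grantsAndDenials { grantAdd, grantDiscloseOnError, grantRead, grantRemove,
        grantBrowse, grantExport, grantImport, grantModify, grantRename,
        grantReturnDN, grantCompare, grantFilterMatch, grantInvoke } } } } }
"""

def ldif_attr_value(record, attr):
    # Unfold continuation lines, then return the first value of attr
    # (base64-decoded when the attribute was written with "::").
    logical = []
    for line in record.splitlines():
        if line.startswith(" ") and logical:
            logical[-1] += line[1:]
        else:
            logical.append(line)
    for line in logical:
        if line.lower().startswith(attr.lower() + ":"):
            rest = line[len(attr) + 1:]
            if rest.startswith(":"):
                return base64.b64decode(rest[1:].strip()).decode("utf-8")
            return rest.strip()
    raise KeyError(attr)

def _norm(dn):
    # Approximate DN equality (case-fold, drop spaces around commas);
    # this is not full RFC 4517 distinguishedNameMatch.
    return re.sub(r"\s*,\s*", ",", dn.strip()).lower()

def _name_span(aci):
    # (start, end) of the text inside the braces of the userClasses name { }
    # list, ignoring any brace that occurs inside a quoted DN.
    start = aci.find("userClasses")
    m = re.compile(r"\bname\s*\{").search(aci, start) if start >= 0 else None
    if m is None:
        raise ValueError("ACI has no userClasses name { } list")
    in_quote = False
    for i in range(m.end(), len(aci)):
        if aci[i] == '"':
            in_quote = not in_quote
        elif aci[i] == "}" and not in_quote:
            return m.end(), i
    raise ValueError("unterminated name { } list")

def named_users(aci):
    s, e = _name_span(aci)
    return re.findall(r'"([^"]*)"', aci[s:e])

def revoke(aci, dn):
    # Rewrite the ACI with dn dropped from the name list, as the poster's
    # application does before replacing prescriptiveACI.
    s, e = _name_span(aci)
    keep = [d for d in named_users(aci) if _norm(d) != _norm(dn)]
    if not keep:
        raise ValueError("name list would be empty; delete the subentry instead")
    return aci[:s] + " " + ", ".join('"%s"' % d for d in keep) + " " + aci[e:]

def access_diff(before, after):
    # (principals that lost access, principals that gained it).  The first list
    # is who to bind as and ldapsearch with after the modify, before any restart.
    b = {_norm(d): d for d in named_users(before)}
    a = {_norm(d): d for d in named_users(after)}
    return sorted(b[k] for k in b.keys() - a.keys()), sorted(a[k] for k in a.keys() - b.keys())

# RFC 2849 SAFE-STRING: ASCII, no NUL/LF/CR, not starting with space, ':' or '<'.
_SAFE = re.compile(r"[\x01-\x09\x0b\x0c\x0e-\x1f\x21-\x39\x3b\x3d-\x7f][\x01-\x09\x0b\x0c\x0e-\x7f]*")

def ldif_modify_replace(dn, attr, value):
    # A changetype: modify record.  A value that is not a SAFE-STRING (e.g. the
    # multi-line form seen in the poster's debug log) has to be base64-encoded.
    if value == "" or _SAFE.fullmatch(value):
        attr_line = "%s: %s" % (attr, value)
    else:
        attr_line = "%s:: %s" % (attr, base64.b64encode(value.encode("utf-8")).decode("ascii"))
    return "\n".join(["dn: " + dn, "changetype: modify", "replace: " + attr, attr_line, "-", ""])

ACI_BEFORE = ldif_attr_value(ACI_LDIF, "prescriptiveACI")

if __name__ == "__main__":
    after = revoke(ACI_BEFORE, "cn=fred,ou=users,dc=mqsoftware,dc=com")
    print("must now be denied:", access_diff(ACI_BEFORE, after)[0])
    print(ldif_modify_replace("cn=userAdminPermissions,ou=users,dc=mqsoftware,dc=com",
                              "prescriptiveACI", after))
```

Feed the printed record to ldapmodify as the admin, then bind as each DN in the "must now be denied" list and repeat the search Wayne describes; on a build that still has the DIRSERVER-988 behaviour the search succeeds until the server is restarted, on a fixed build it is refused immediately. The live LDAP part is deliberately left out of the script so it runs offline.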
