directory-users mailing list archives

From Kiran Ayyagari <kayyag...@apache.org>
Subject Re: Replication issues when using accessControlSubentry (with 2.0.0-M16)
Date Thu, 24 Apr 2014 09:40:56 GMT
Hi Pontus,

I have committed a fix in the trunk, see
https://issues.apache.org/jira/browse/DIRSERVER-1971 for more details.

Thanks for reporting.



On Wed, Apr 23, 2014 at 7:25 PM, Pontus Freyhult
<pontus_apache_ds@soua.net> wrote:

>   Hi all,
>
> I'm trying to do a multi-master setup with special permissions
> (access controls), but I see replication issues.
>
> As this is multi master, any way I go about replicating both the
> consumer and the provider will have an accessControlSubentry governing
> the replicated area.
>
> Log excerpt from the replication client (server where the change wasn't
> done):
>
> DEBUG [org.apache.directory.server.CONSUMER_LOG] - -------------
> starting handleSearchResult ------------
> DEBUG [org.apache.directory.server.CONSUMER_LOG] - assigning the
> cookie from sync state value control:
> rid=001,csn=20140423074926.153000Z#000000#001#000000
> DEBUG [org.apache.directory.server.CONSUMER_LOG] - state name MODIFY
> DEBUG [org.apache.directory.server.CONSUMER_LOG] - entryUUID =
> a4037097-de9a-486d-a069-2d0fe75ceda4
> DEBUG [org.apache.directory.server.CONSUMER_LOG] - modifying entry
> with dn uid=pontusf,ou=People,dc=uppmax,dc=uu,dc=se
> ERROR [org.apache.directory.server.CONSUMER_LOG] - ERR_52 Cannot
> modify the attribute : attributetype ( 1.3.6.1.4.1.18060.0.4.1.2.11
> NAME 'accessControlSubentries'
>  #011DESC 'Used to track a subentry associated with access control areas'
>  #011EQUALITY distinguishedNameMatch
>  #011SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
>  #011NO-USER-MODIFICATION
>  #011USAGE directoryOperation
>  )
>  org.apache.directory.api.ldap.model.exception.LdapNoPermissionException:
> ERR_52 Cannot modify the attribute : attributetype (
> 1.3.6.1.4.1.18060.0.4.1.2.11 NAME 'accessControlSubentries'
>  #011DESC 'Used to track a subentry associated with access control areas'
>  #011EQUALITY distinguishedNameMatch
>  #011SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
>  #011NO-USER-MODIFICATION
>  #011USAGE directoryOperation
>  )
>  #011at
> org.apache.directory.server.core.schema.SchemaInterceptor.checkModifyEntry(SchemaInterceptor.java:721)
>  #011at
> org.apache.directory.server.core.schema.SchemaInterceptor.modify(SchemaInterceptor.java:1186)
>  #011at
> org.apache.directory.server.core.api.interceptor.BaseInterceptor.next(BaseInterceptor.java:587)
>  #011at
> org.apache.directory.server.core.hash.PasswordHashingInterceptor.modify(PasswordHashingInterceptor.java:131)
>  #011at
> org.apache.directory.server.core.api.interceptor.BaseInterceptor.next(BaseInterceptor.java:587)
>  #011at
> org.apache.directory.server.core.exception.ExceptionInterceptor.modify(ExceptionInterceptor.java:253)
>  #011at
> org.apache.directory.server.core.api.interceptor.BaseInterceptor.next(BaseInterceptor.java:587)
>  #011at
> org.apache.directory.server.core.admin.AdministrativePointInterceptor.modify(AdministrativePointInterceptor.java:1456)
>  #011at
> org.apache.directory.server.core.api.interceptor.BaseInterceptor.next(BaseInterceptor.java:587)
>  #011at
> org.apache.directory.server.core.authz.DefaultAuthorizationInterceptor.modify(DefaultAuthorizationInterceptor.java:277)
>  #011at
> org.apache.directory.server.core.api.interceptor.BaseInterceptor.next(BaseInterceptor.java:587)
>  #011at
> org.apache.directory.server.core.authz.AciAuthorizationInterceptor.modify(AciAuthorizationInterceptor.java:820)
>  #011at
> org.apache.directory.server.core.api.interceptor.BaseInterceptor.next(BaseInterceptor.java:587)
>  #011at
> org.apache.directory.server.core.referral.ReferralInterceptor.modify(ReferralInterceptor.java:319)
>  #011at
> org.apache.directory.server.core.api.interceptor.BaseInterceptor.next(BaseInterceptor.java:587)
>  #011at
> org.apache.directory.server.core.authn.AuthenticationInterceptor.modify(AuthenticationInterceptor.java:834)
>  #011at
> org.apache.directory.server.core.api.interceptor.BaseInterceptor.next(BaseInterceptor.java:587)
>  #011at
> org.apache.directory.server.core.normalization.NormalizationInterceptor.modify(NormalizationInterceptor.java:216)
>  #011at
> org.apache.directory.server.core.DefaultOperationManager.modify(DefaultOperationManager.java:883)
>  #011at
> org.apache.directory.server.ldap.replication.consumer.ReplicationConsumerImpl.modify(ReplicationConsumerImpl.java:1215)
>  #011at
> org.apache.directory.server.ldap.replication.consumer.ReplicationConsumerImpl.handleSearchResultEntry(ReplicationConsumerImpl.java:416)
>  #011at
> org.apache.directory.server.ldap.replication.consumer.ReplicationConsumerImpl.doSyncSearch(ReplicationConsumerImpl.java:778)
>  #011at
> org.apache.directory.server.ldap.replication.consumer.ReplicationConsumerImpl.startSync(ReplicationConsumerImpl.java:565)
>  #011at
> org.apache.directory.server.ldap.LdapServer$2.run(LdapServer.java:739)
>  #011at java.lang.Thread.run(Thread.java:744)
> DEBUG [org.apache.directory.server.CONSUMER_LOG] - -------------
> Ending handleSearchResult ------------
>
> I would have expected these to go away after setting
> ads-replattributes for the consumer (and restarting), but that didn't
> seem to affect it. That seems odd, but I really don't want to list all
> the attributes to replicate anyway so I haven't investigated further.
>
> Looking at
> protocol-ldap/src/main/java/org/apache/directory/server/ldap/replication/consumer/ReplicationConsumerImpl.java
> in directory-server, the obvious fix seems to be adding a
> SchemaConstants.ACCESS_CONTROL_SUBENTRIES_AT in MOD_IGNORE_AT as I can
> see no reason these should ever be replicated.
>
> Am I missing something or should I just go ahead and file a bug about this?
>
> cheers, Pontus
>



-- 
Kiran Ayyagari
http://keydap.com
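
An added example, not from the thread and not ApacheDS code: Python that scans a consumer log like the one quoted above, pairs each ERR_52 failure with the DN that was being modified, and reports whether the rejected attribute type is marked NO-USER-MODIFICATION. The sample log is constructed from the excerpt in the message; the function and field names are assumptions.

```python
import re

# Constructed sample, modelled on the consumer log quoted in the message
# (syslog writes each tab as the escape "#011").
SAMPLE_LOG = """\
DEBUG [org.apache.directory.server.CONSUMER_LOG] - state name MODIFY
DEBUG [org.apache.directory.server.CONSUMER_LOG] - modifying entry with dn uid=pontusf,ou=People,dc=uppmax,dc=uu,dc=se
ERROR [org.apache.directory.server.CONSUMER_LOG] - ERR_52 Cannot modify the attribute : attributetype ( 1.3.6.1.4.1.18060.0.4.1.2.11 NAME 'accessControlSubentries'
 #011DESC 'Used to track a subentry associated with access control areas'
 #011EQUALITY distinguishedNameMatch
 #011SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
 #011NO-USER-MODIFICATION
 #011USAGE directoryOperation
 )
DEBUG [org.apache.directory.server.CONSUMER_LOG] - modifying entry with dn uid=example,ou=People,dc=example,dc=com
DEBUG [org.apache.directory.server.CONSUMER_LOG] - ------------- Ending handleSearchResult ------------
"""

# A record starts at a level prefix; continuation lines start with a space.
RECORD_START = re.compile(r"^(?=(?:DEBUG|INFO|WARN|ERROR) \[)", re.M)
DN_LINE = re.compile(r"modifying entry with dn (.+)")
ATTR_HEAD = re.compile(r"attributetype \(\s*([\d.]+)\s+NAME '([^']+)'")

def failed_modifications(log_text):
    """Return one dict per ERR_52 failure, paired with the DN being modified."""
    failures, current_dn = [], None
    for record in RECORD_START.split(log_text):
        record = record.replace("#011", "\t")   # undo the syslog tab escape
        dn = DN_LINE.search(record)
        if dn:
            current_dn = dn.group(1).strip()
        if not record.startswith("ERROR") or "ERR_52" not in record:
            continue
        attr = ATTR_HEAD.search(record)
        if not attr:
            continue
        # Drop quoted strings so text inside DESC cannot fake a keyword.
        keywords = set(re.sub(r"'[^']*'", "", record[attr.end():]).split())
        failures.append({
            "dn": current_dn,
            "oid": attr.group(1),
            "name": attr.group(2),
            "no_user_modification": "NO-USER-MODIFICATION" in keywords,
            "operational": "directoryOperation" in keywords,
        })
        current_dn = None   # the failed modify consumed this DN
    return failures
```

Entries listed by `failed_modifications` are the ones whose change did not reach the consumer, so they are the entries to compare between the two masters.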
