directory-users mailing list archives

From Pontus Freyhult <pontus_apache...@soua.net>
Subject Replication issues when using accessControlSubentry (with 2.0.0-M16)
Date Wed, 23 Apr 2014 13:55:23 GMT
Hi all,

I'm trying to do a multi-master setup with special permissions
(access controls), but I see replication issues.

As this is multi master, any way I go about replicating, both the
consumer and the provider will have an accessControlSubentry governing
the replicated area.

Log excerpt from the replication client (server where the change wasn't done):

DEBUG [org.apache.directory.server.CONSUMER_LOG] - -------------
starting handleSearchResult ------------
DEBUG [org.apache.directory.server.CONSUMER_LOG] - assigning the
cookie from sync state value control:
rid=001,csn=20140423074926.153000Z#000000#001#000000
DEBUG [org.apache.directory.server.CONSUMER_LOG] - state name MODIFY
DEBUG [org.apache.directory.server.CONSUMER_LOG] - entryUUID =
a4037097-de9a-486d-a069-2d0fe75ceda4
DEBUG [org.apache.directory.server.CONSUMER_LOG] - modifying entry
with dn uid=pontusf,ou=People,dc=uppmax,dc=uu,dc=se
ERROR [org.apache.directory.server.CONSUMER_LOG] - ERR_52 Cannot
modify the attribute : attributetype ( 1.3.6.1.4.1.18060.0.4.1.2.11
NAME 'accessControlSubentries'
 #011DESC 'Used to track a subentry associated with access control areas'
 #011EQUALITY distinguishedNameMatch
 #011SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
 #011NO-USER-MODIFICATION
 #011USAGE directoryOperation
 )
 org.apache.directory.api.ldap.model.exception.LdapNoPermissionException:
ERR_52 Cannot modify the attribute : attributetype (
1.3.6.1.4.1.18060.0.4.1.2.11 NAME 'accessControlSubentries'
 #011DESC 'Used to track a subentry associated with access control areas'
 #011EQUALITY distinguishedNameMatch
 #011SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
 #011NO-USER-MODIFICATION
 #011USAGE directoryOperation
 )
 #011at org.apache.directory.server.core.schema.SchemaInterceptor.checkModifyEntry(SchemaInterceptor.java:721)
 #011at org.apache.directory.server.core.schema.SchemaInterceptor.modify(SchemaInterceptor.java:1186)
 #011at org.apache.directory.server.core.api.interceptor.BaseInterceptor.next(BaseInterceptor.java:587)
 #011at org.apache.directory.server.core.hash.PasswordHashingInterceptor.modify(PasswordHashingInterceptor.java:131)
 #011at org.apache.directory.server.core.api.interceptor.BaseInterceptor.next(BaseInterceptor.java:587)
 #011at org.apache.directory.server.core.exception.ExceptionInterceptor.modify(ExceptionInterceptor.java:253)
 #011at org.apache.directory.server.core.api.interceptor.BaseInterceptor.next(BaseInterceptor.java:587)
 #011at org.apache.directory.server.core.admin.AdministrativePointInterceptor.modify(AdministrativePointInterceptor.java:1456)
 #011at org.apache.directory.server.core.api.interceptor.BaseInterceptor.next(BaseInterceptor.java:587)
 #011at org.apache.directory.server.core.authz.DefaultAuthorizationInterceptor.modify(DefaultAuthorizationInterceptor.java:277)
 #011at org.apache.directory.server.core.api.interceptor.BaseInterceptor.next(BaseInterceptor.java:587)
 #011at org.apache.directory.server.core.authz.AciAuthorizationInterceptor.modify(AciAuthorizationInterceptor.java:820)
 #011at org.apache.directory.server.core.api.interceptor.BaseInterceptor.next(BaseInterceptor.java:587)
 #011at org.apache.directory.server.core.referral.ReferralInterceptor.modify(ReferralInterceptor.java:319)
 #011at org.apache.directory.server.core.api.interceptor.BaseInterceptor.next(BaseInterceptor.java:587)
 #011at org.apache.directory.server.core.authn.AuthenticationInterceptor.modify(AuthenticationInterceptor.java:834)
 #011at org.apache.directory.server.core.api.interceptor.BaseInterceptor.next(BaseInterceptor.java:587)
 #011at org.apache.directory.server.core.normalization.NormalizationInterceptor.modify(NormalizationInterceptor.java:216)
 #011at org.apache.directory.server.core.DefaultOperationManager.modify(DefaultOperationManager.java:883)
 #011at org.apache.directory.server.ldap.replication.consumer.ReplicationConsumerImpl.modify(ReplicationConsumerImpl.java:1215)
 #011at org.apache.directory.server.ldap.replication.consumer.ReplicationConsumerImpl.handleSearchResultEntry(ReplicationConsumerImpl.java:416)
 #011at org.apache.directory.server.ldap.replication.consumer.ReplicationConsumerImpl.doSyncSearch(ReplicationConsumerImpl.java:778)
 #011at org.apache.directory.server.ldap.replication.consumer.ReplicationConsumerImpl.startSync(ReplicationConsumerImpl.java:565)
 #011at org.apache.directory.server.ldap.LdapServer$2.run(LdapServer.java:739)
 #011at java.lang.Thread.run(Thread.java:744)
DEBUG [org.apache.directory.server.CONSUMER_LOG] - -------------
Ending handleSearchResult ------------

I would have expected these to go away after setting
ads-replattributes for the consumer (and restarting), but that didn't
seem to affect it. That seems odd, but I really don't want to list all
the attributes to replicate anyway so I haven't investigated further.

Looking at protocol-ldap/src/main/java/org/apache/directory/server/ldap/replication/consumer/ReplicationConsumerImpl.java
in directory-server, the obvious fix seems to be adding a
SchemaConstants.ACCESS_CONTROL_SUBENTRIES_AT in MOD_IGNORE_AT as I can
see no reason these should ever be replicated.

Am I missing something or should I just go ahead and file a bug about this?

cheers, Pontus
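
A triage sketch for the failure shown in the log excerpt above, added here as an example and not part of the original message or of ApacheDS: it rejoins the mail-wrapped CONSUMER_LOG lines and reports, for each ERR_52 rejection, the attribute type and the entry it was being applied to. The function names are hypothetical and the sample input is abridged from the excerpt.

```python
import re

# Abridged from the log excerpt in the message above (mail line-wrapping kept).
SAMPLE = """\
DEBUG [org.apache.directory.server.CONSUMER_LOG] - -------------
starting handleSearchResult ------------
DEBUG [org.apache.directory.server.CONSUMER_LOG] - assigning the
cookie from sync state value control:
rid=001,csn=20140423074926.153000Z#000000#001#000000
DEBUG [org.apache.directory.server.CONSUMER_LOG] - state name MODIFY
DEBUG [org.apache.directory.server.CONSUMER_LOG] - entryUUID =
a4037097-de9a-486d-a069-2d0fe75ceda4
DEBUG [org.apache.directory.server.CONSUMER_LOG] - modifying entry
with dn uid=pontusf,ou=People,dc=uppmax,dc=uu,dc=se
ERROR [org.apache.directory.server.CONSUMER_LOG] - ERR_52 Cannot
modify the attribute : attributetype ( 1.3.6.1.4.1.18060.0.4.1.2.11
NAME 'accessControlSubentries'
 #011DESC 'Used to track a subentry associated with access control areas'
 #011NO-USER-MODIFICATION
 #011USAGE directoryOperation
 )
DEBUG [org.apache.directory.server.CONSUMER_LOG] - -------------
Ending handleSearchResult ------------
"""

RECORD = re.compile(r"^(?:DEBUG|INFO|WARN|ERROR) \[[^\]]+\] - ", re.M)

def records(text):
    """Rejoin wrapped lines into one message string per log record."""
    # '#011' is an escaped tab; strip it only at line start so CSN fields survive.
    text = re.sub(r"(?m)^[ \t]*#011", " ", text)
    return [" ".join(part.split()) for part in RECORD.split(text)[1:]]

def rejected_modifications(text):
    """Return one dict per ERR_52 rejection, with the context logged before it."""
    found, ctx = [], {}
    for msg in records(text):
        if "starting handleSearchResult" in msg:
            ctx = {}  # a new sync result begins; drop the previous context
        elif m := re.search(r"rid=(\d+),csn=(\S+)", msg):
            ctx["rid"], ctx["csn"] = m.groups()
        elif m := re.search(r"entryUUID = (\S+)", msg):
            ctx["entryUUID"] = m.group(1)
        elif m := re.search(r"modifying entry with dn (.+)", msg):
            ctx["dn"] = m.group(1)
        elif m := re.search(r"ERR_52 .*?attributetype \( ([\d.]+) NAME '([^']+)'", msg):
            found.append({**ctx, "oid": m.group(1), "attribute": m.group(2),
                          "no_user_modification": "NO-USER-MODIFICATION" in msg})
    return found
```
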
