We start out with an automatically read-in LDIF file that has:

# This ACI allows an Admin to read and modify everything for all users
dn: cn=userAdminPermissions,ou=users,dc=mqsoftware,dc=com
objectClass: top
objectClass: subentry
objectClass: accessControlSubentry
cn: userAdminPermissions
subtreeSpecification: {}
prescriptiveACI: { 
  identificationTag "userAdminPermissions", 
  precedence 16, 
  authenticationLevel simple,
  itemOrUserFirst userFirst: { 
    userClasses { 
      name { 
        "cn=SA,ou=users,dc=mqsoftware,dc=com",
        "cn=fred,ou=users,dc=mqsoftware,dc=com",
        "cn=BrowserService,ou=users,dc=mqsoftware,dc=com"
      }
    }, 
    userPermissions 
    { 
      { 
        protectedItems { entry, allUserAttributeTypesAndValues }, 
        grantsAndDenials { grantAdd, grantDiscloseOnError, grantRead, 
          grantRemove, grantBrowse, grantExport, grantImport, grantModify, 
          grantRename, grantReturnDN, grantCompare, grantFilterMatch, 
          grantInvoke } 
      } 
    } 
  } 
 }

I can then do an ldapsearch as users fred and bert: fred shows full access
to the user information and bert (who isn't in the Admin list) cannot.

Now the program rewrites the prescriptiveACI with:

2007-08-07 15:41:57,437 [btpool0-1] com.mqsoftware.ws.SWSLdapIETF DEBUG  - 
[Client File=SWSLdapIETF.java, Line=835] Updating 
cn=userAdminPermissions,ou=users,dc=mqsoftware,dc=com with: 
LDAPModification: (operation=replace,(LDAPAttribute: {type='prescriptiveACI', 
value='{ 
  identificationTag "userAdminPermissions", 
  precedence 16, 
  authenticationLevel simple,
  itemOrUserFirst userFirst: { 
  userClasses { 
      name { 
          "cn=BrowserService,ou=users,dc=mqsoftware,dc=com",
          "cn=SA,ou=users,dc=mqsoftware,dc=com"
      } 
  }, 
  userPermissions 
  { 
      { 
          protectedItems { entry, allUserAttributeTypesAndValues }, 
          grantsAndDenials { grantAdd, grantDiscloseOnError, grantRead, 
          grantRemove, grantBrowse, grantExport, grantImport, grantModify, 
          grantRename, grantReturnDN, grantCompare, grantFilterMatch, 
          grantInvoke } 
      } 
  } 
 } 
}
'})) 

At this point, fred can still see the user info.  I checked the ApacheDS logs
and don't see any exceptions.  When I restart the service, things start working
right (fred no longer has access).

Is there a place where I can upload the full LDIF file?  It's 411 lines long.

Thanks.

> -----Original Message-----
> From: Ersin Er [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, August 07, 2007 4:12 PM
> To: [email protected]
> Subject: Re: When do changes to ACI take effect?
> 
> 
> Hi,
> 
> This is not intentional. Can you please give an example? Or even a test
> case?
> 
> On 8/8/07, Wayne Johnson <[EMAIL PROTECTED]> wrote:
> >
> > Our application allows an administrator to change the ACI to allow or
> > disallow users access to some data.  It seems to me that when we make
> > changes to the prescriptiveACI, it doesn't seem to take effect till we
> > restart the LDAP service.  Is this intentional?  Is there a way to force it
> > to be refreshed?
> >
> > Wayne Johnson
> > Senior Software Engineer
> > MQSoftware, Inc.
> > 1660 S Highway 100
> > Minneapolis, MN 55416
> > (952) 345-8628
> >
> >
> >
> 
> 
> -- 
> Ersin Er
> 
> R.A. and Ph.D Student at the Dept. of Computer Eng. in 
> Hacettepe University
> http://www.cs.hacettepe.edu.tr
> 
> Committer and PMC Member of The Apache Directory Project
> http://directory.apache.org
> 
> 
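The pre-check behind the test Wayne describes (modify the prescriptiveACI, then bind as each user and see who can still read), as an added example that is not code from the thread or from ApacheDS. It parses the userClasses DNs and the grant list out of an X.500-style prescriptiveACI value, diffs the old and new values to predict which bind DNs should lose or gain access, and builds the LDIF modify record that replaces the attribute. The two ACI values are constructed from the ones posted (grant list shortened); the helper names, the DN normalisation and the `cn=bert` DN are this example's own assumptions. Comparing the predicted result with what an ldapsearch as that user actually returns is what exposes the stale-ACI behaviour reported above.

```python
"""Added example, not from the thread or ApacheDS: predict the effect of a
prescriptiveACI replacement and emit the LDIF that applies it."""
import base64
import re

# Constructed from the two prescriptiveACI values posted in the thread.
OLD_ACI = """{
  identificationTag "userAdminPermissions",
  precedence 16,
  authenticationLevel simple,
  itemOrUserFirst userFirst: {
    userClasses { name {
      "cn=SA,ou=users,dc=mqsoftware,dc=com",
      "cn=fred,ou=users,dc=mqsoftware,dc=com",
      "cn=BrowserService,ou=users,dc=mqsoftware,dc=com" } },
    userPermissions { {
      protectedItems { entry, allUserAttributeTypesAndValues },
      grantsAndDenials { grantRead, grantBrowse, grantReturnDN, grantModify } } }
  }
}"""

NEW_ACI = """{
  identificationTag "userAdminPermissions",
  precedence 16,
  authenticationLevel simple,
  itemOrUserFirst userFirst: {
    userClasses { name {
      "cn=BrowserService,ou=users,dc=mqsoftware,dc=com",
      "cn=SA,ou=users,dc=mqsoftware,dc=com" } },
    userPermissions { {
      protectedItems { entry, allUserAttributeTypesAndValues },
      grantsAndDenials { grantRead, grantBrowse, grantReturnDN, grantModify } } }
  }
}"""


def _block_after(text, keyword):
    """Contents of the brace block following `keyword {`, honouring nesting.
    Returns '' when the keyword is absent."""
    m = re.search(r'\b%s\s*\{' % re.escape(keyword), text)
    if not m:
        return ''
    depth, start = 1, m.end()
    for i in range(start, len(text)):
        if text[i] == '{':
            depth += 1
        elif text[i] == '}':
            depth -= 1
            if depth == 0:
                return text[start:i]
    raise ValueError('unbalanced braces in ACI value')


def normalize_dn(dn):
    """Case- and whitespace-insensitive DN form for comparison. A simplification
    (assumption of this example): real DN matching is per attribute syntax and
    handles escaping, but this is enough for the DNs used in the thread."""
    return ','.join(re.sub(r'\s*=\s*', '=', p.strip()) for p in dn.split(',')).lower()


def user_dns(aci):
    """Bind DNs listed explicitly in userClasses { name { ... } }."""
    names = _block_after(_block_after(aci, 'userClasses'), 'name')
    return {normalize_dn(d) for d in re.findall(r'"([^"]*)"', names)}


def grants(aci):
    """Tokens of the grantsAndDenials list (grantRead, denyModify, ...)."""
    return set(re.findall(r'\b(?:grant|deny)\w+', _block_after(aci, 'grantsAndDenials')))


def access_diff(old_aci, new_aci):
    """(DNs that lose this ACI item's grants, DNs that gain them)."""
    old, new = user_dns(old_aci), user_dns(new_aci)
    return old - new, new - old


def expected_read(aci, bind_dn):
    """Should bind_dn be able to read under this ACI item alone? Other ACI
    items elsewhere in the DIT may still grant or deny; this only models the
    one subentry being edited."""
    classes = _block_after(aci, 'userClasses')
    named = bool(re.search(r'\ballUsers\b', classes)) or normalize_dn(bind_dn) in user_dns(aci)
    return named and 'grantRead' in grants(aci)


def _needs_base64(value):
    """RFC 2849 rule: base64 when the value starts with space, ':' or '<',
    ends with a space, or contains NUL, CR, LF or non-ASCII bytes."""
    return (value[:1] in (' ', ':', '<') or value[-1:] == ' '
            or any(ord(c) > 127 or c in '\0\r\n' for c in value))


def ldif_replace(dn, attr, value):
    """LDIF modify record replacing `attr` with a single value (as ldapmodify
    would consume it); the multi-line ACI value is base64-encoded."""
    if _needs_base64(value):
        line = '%s:: %s' % (attr, base64.b64encode(value.encode('utf-8')).decode('ascii'))
    else:
        line = '%s: %s' % (attr, value)
    return 'dn: %s\nchangetype: modify\nreplace: %s\n%s\n-\n' % (dn, attr, line)


if __name__ == '__main__':
    lost, gained = access_diff(OLD_ACI, NEW_ACI)
    print('lose access:', sorted(lost))
    print('gain access:', sorted(gained))
    # cn=bert is an assumed DN for the non-admin user mentioned in the thread.
    for who in ('cn=fred,ou=users,dc=mqsoftware,dc=com', 'cn=bert,ou=users,dc=mqsoftware,dc=com'):
        print(who, 'expected to read after the change:', expected_read(NEW_ACI, who))
    print(ldif_replace('cn=userAdminPermissions,ou=users,dc=mqsoftware,dc=com',
                       'prescriptiveACI', NEW_ACI))
```

Feed the printed record to `ldapmodify`, then run the ldapsearch bound as each DN in the "lose access" set; a user who still sees entries when `expected_read` says False is the symptom in the thread, and a restart should not be needed to reconcile the two.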
