Hi Wayne,

what version of apacheds are you using?

The problem you describe looks to me similar to this one:
http://issues.apache.org/jira/browse/DIRSERVER-1001

If you do not use newest 1.5.1-snapshot build or newest 1.0.2-snapshot try to build from trunk.

HTH
Markus


Quoting Wayne Johnson <[EMAIL PROTECTED]>:

We start out with an automatically read in LDIF file that has:

# This ACI allows an Admin to read and modify everything for all users
dn: cn=userAdminPermissions,ou=users,dc=mqsoftware,dc=com
objectClass: top
objectClass: subentry
objectClass: accessControlSubentry
cn: userAdminPermissions
subtreeSpecification: {}
prescriptiveACI: {
  identificationTag "userAdminPermissions",
  precedence 16,
  authenticationLevel simple,
  itemOrUserFirst userFirst: {
    userClasses {
      name {
        "cn=SA,ou=users,dc=mqsoftware,dc=com",
        "cn=fred,ou=users,dc=mqsoftware,dc=com",
        "cn=BrowserService,ou=users,dc=mqsoftware,dc=com"
      }
    },
    userPermissions
    {
      {
        protectedItems { entry, allUserAttributeTypesAndValues },
        grantsAndDenials { grantAdd, grantDiscloseOnError, grantRead,
          grantRemove, grantBrowse, grantExport, grantImport, grantModify,
          grantRename, grantReturnDN, grantCompare, grantFilterMatch,
          grantInvoke }
      }
    }
  }
 }

I can then do an ldapsearch from users fred and bert, and fred shows full access to the user information and bert (who isn't in the Admin list) cannot.

Now the program rewrites the prescriptiveACI with:

2007-08-07 15:41:57,437 [btpool0-1] com.mqsoftware.ws.SWSLdapIETF DEBUG - [Client File=SWSLdapIETF.java, Line=835] Updating cn=userAdminPermissions,ou=users,dc=mqsoftware,dc=com with: LDAPModification: (operation=replace,(LDAPAttribute: {type='prescriptiveACI', value='{
  identificationTag "userAdminPermissions",
  precedence 16,
  authenticationLevel simple,
  itemOrUserFirst userFirst: {
  userClasses {
      name {
          "cn=BrowserService,ou=users,dc=mqsoftware,dc=com",
          "cn=SA,ou=users,dc=mqsoftware,dc=com"
      }
  },
  userPermissions
  {
      {
          protectedItems { entry, allUserAttributeTypesAndValues },
          grantsAndDenials { grantAdd, grantDiscloseOnError, grantRead,
          grantRemove, grantBrowse, grantExport, grantImport, grantModify,
          grantRename, grantReturnDN, grantCompare, grantFilterMatch,
          grantInvoke }
      }
  }
 }
}
'}))

At this point, fred still can see the user info. I checked the apacheds logs and don't see any exceptions. When I restart the service, things start working right (fred no longer has access).

Is there a place where I can upload the full LDIF file?  It's 411 lines long.

Thanks.

-----Original Message-----
From: Ersin Er [mailto:[EMAIL PROTECTED]
Sent: Tuesday, August 07, 2007 4:12 PM
To: [email protected]
Subject: Re: When do changes to ACI take effect?


Hi,

This is not intentional. Can you please give an example? Or even a test case?

On 8/8/07, Wayne Johnson <[EMAIL PROTECTED]> wrote:
>
> Our application allows an administrator to change the ACI to allow or
> disallow users access to some data.  It seems to me that when we make
> changes to the prescriptiveACI, it doesn't seem to take effect till we
> restart the LDAP service.  Is this intentional?  Is there a way to force it
> to be refreshed?
>
> Wayne Johnson
> Senior Software Engineer
> MQSoftware, Inc.
> 1660 S Highway 100
> Minneapolis, MN 55416
> (952) 345-8628
>
>
>


--
Ersin Er

R.A. and Ph.D Student at the Dept. of Computer Eng. in
Hacettepe University
http://www.cs.hacettepe.edu.tr

Committer and PMC Member of The Apache Directory Project
http://directory.apache.org
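The two prescriptiveACI values in Wayne's message differ only in the userClasses name list (fred is dropped). The script below is an added example and not part of this thread or of ApacheDS; it parses the userFirst ACIItem syntax shown above (a single `name` user class and a single userPermissions item, which is the only subset it handles) and reports which principals and which grants an ACI change removes or adds. The function names (`parse`, `summarize`, `diff_aci`) are hypothetical, and the two ACI texts are copied from the message above so the script runs offline. An administrator can run such a diff against the value read back from the server after a modify to confirm that the intended principal was actually removed, independently of whether the server has applied it yet.

```python
"""Compare two ACIItem (prescriptiveACI) values and report what changed.

Added example: handles only the userFirst form used in the thread above.
"""
import re

# Tokens: quoted strings, braces, or bare words. Commas and colons are separators.
_TOKEN = re.compile(r'"([^"]*)"|([{}])|([^\s{},:"]+)')


def tokenize(text):
    """Flatten ACIItem text into tokens; quoted strings keep their value only."""
    tokens = []
    for quoted, brace, word in _TOKEN.findall(text):
        tokens.append(brace or word or quoted)
    return tokens


def parse(text):
    """Parse the brace structure into nested Python lists (tiny recursive-descent parser)."""
    tokens = tokenize(text)
    pos = 0

    def block():
        nonlocal pos
        if pos >= len(tokens) or tokens[pos] != "{":
            raise ValueError("expected '{'")
        pos += 1
        items = []
        while pos < len(tokens) and tokens[pos] != "}":
            if tokens[pos] == "{":
                items.append(block())
            else:
                items.append(tokens[pos])
                pos += 1
        if pos >= len(tokens):
            raise ValueError("unbalanced braces in ACIItem")
        pos += 1  # consume the closing '}'
        return items

    tree = block()
    if pos != len(tokens):
        raise ValueError("trailing tokens after ACIItem")
    return tree


def value_after(tree, keyword):
    """Depth-first search for the element that follows `keyword` in any nested list."""
    for i, item in enumerate(tree):
        if item == keyword and i + 1 < len(tree):
            return tree[i + 1]
        if isinstance(item, list):
            found = value_after(item, keyword)
            if found is not None:
                return found
    return None


def summarize(aci_text):
    """Return (principals, grants) for a userFirst ACIItem with a `name` user class."""
    tree = parse(aci_text)
    user_classes = value_after(tree, "userClasses")
    names = value_after(user_classes, "name") if user_classes else None
    grants = value_after(tree, "grantsAndDenials")
    return frozenset(names or []), frozenset(grants or [])


def diff_aci(old_text, new_text):
    """Report principals and permissions the new ACIItem removes or adds."""
    old_users, old_perms = summarize(old_text)
    new_users, new_perms = summarize(new_text)
    return {
        "users_removed": sorted(old_users - new_users),
        "users_added": sorted(new_users - old_users),
        "perms_removed": sorted(old_perms - new_perms),
        "perms_added": sorted(new_perms - old_perms),
    }


# Shared permission block, identical in both values quoted in the thread.
_PERMS = """userPermissions { { protectedItems { entry, allUserAttributeTypesAndValues },
  grantsAndDenials { grantAdd, grantDiscloseOnError, grantRead, grantRemove, grantBrowse,
  grantExport, grantImport, grantModify, grantRename, grantReturnDN, grantCompare,
  grantFilterMatch, grantInvoke } } }"""

# Value from the LDIF file (three principals).
OLD_ACI = """{ identificationTag "userAdminPermissions", precedence 16,
  authenticationLevel simple, itemOrUserFirst userFirst: { userClasses { name {
  "cn=SA,ou=users,dc=mqsoftware,dc=com", "cn=fred,ou=users,dc=mqsoftware,dc=com",
  "cn=BrowserService,ou=users,dc=mqsoftware,dc=com" } }, """ + _PERMS + " } }"

# Value written by the application's replace (fred removed).
NEW_ACI = """{ identificationTag "userAdminPermissions", precedence 16,
  authenticationLevel simple, itemOrUserFirst userFirst: { userClasses { name {
  "cn=BrowserService,ou=users,dc=mqsoftware,dc=com",
  "cn=SA,ou=users,dc=mqsoftware,dc=com" } }, """ + _PERMS + " } }"

if __name__ == "__main__":
    for key, val in diff_aci(OLD_ACI, NEW_ACI).items():
        print(f"{key}: {val}")
```

Run it as-is and it reports fred under `users_removed` with every other list empty, which is the change Wayne expected the server to enforce without a restart.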