BTW, which version of ApacheDS are you using? I had recently fixed such a bug:
https://issues.apache.org/jira/browse/DIRSERVER-988

On 8/8/07, Wayne Johnson <[EMAIL PROTECTED]> wrote:
>
> We start out with an automatically read in LDIF file that has:
>
> # This ACI allows an Admin to read and modify everything for all users
> dn: cn=userAdminPermissions,ou=users,dc=mqsoftware,dc=com
> objectClass: top
> objectClass: subentry
> objectClass: accessControlSubentry
> cn: userAdminPermissions
> subtreeSpecification: {}
> prescriptiveACI: {
>   identificationTag "userAdminPermissions",
>   precedence 16,
>   authenticationLevel simple,
>   itemOrUserFirst userFirst: {
>     userClasses {
>       name {
>         "cn=SA,ou=users,dc=mqsoftware,dc=com",
>         "cn=fred,ou=users,dc=mqsoftware,dc=com",
>         "cn=BrowserService,ou=users,dc=mqsoftware,dc=com"
>       }
>     },
>     userPermissions
>     {
>       {
>         protectedItems { entry, allUserAttributeTypesAndValues },
>         grantsAndDenials { grantAdd, grantDiscloseOnError, grantRead,
>           grantRemove, grantBrowse, grantExport, grantImport, grantModify,
>           grantRename, grantReturnDN, grantCompare, grantFilterMatch,
>           grantInvoke }
>       }
>     }
>   }
> }
>
> I can then do an ldapsearch from users fred and bert and fred shows full
> access to the user information and bert (who isn't in the Admin list) can
> not.
>
> Now the program rewrites the prescriptiveACI with:
>
> 2007-08-07 15:41:57,437 [btpool0-1] com.mqsoftware.ws.SWSLdapIETF DEBUG -
> [Client File=SWSLdapIETF.java, Line=835] Updating
> cn=userAdminPermissions,ou=users,dc=mqsoftware,dc=com with:
> LDAPModification: (operation=replace,(LDAPAttribute:
> {type='prescriptiveACI', value='{
>   identificationTag "userAdminPermissions",
>   precedence 16,
>   authenticationLevel simple,
>   itemOrUserFirst userFirst: {
>     userClasses {
>       name {
>         "cn=BrowserService,ou=users,dc=mqsoftware,dc=com",
>         "cn=SA,ou=users,dc=mqsoftware,dc=com"
>       }
>     },
>     userPermissions
>     {
>       {
>         protectedItems { entry, allUserAttributeTypesAndValues },
>         grantsAndDenials { grantAdd, grantDiscloseOnError, grantRead,
>           grantRemove, grantBrowse, grantExport, grantImport, grantModify,
>           grantRename, grantReturnDN, grantCompare, grantFilterMatch,
>           grantInvoke }
>       }
>     }
>   }
> }
> '}))
>
> At this point, fred still can see the user info. I checked the apacheds
> logs and don't see any exceptions. When I restart the service, things start
> working right (fred no longer has access).
>
> Is there a place where I can upload the full LDIF file? It's 411 lines
> long.
>
> Thanks.
>
> > -----Original Message-----
> > From: Ersin Er [mailto:[EMAIL PROTECTED]
> > Sent: Tuesday, August 07, 2007 4:12 PM
> > To: [email protected]
> > Subject: Re: When do changes to ACI take effect?
> >
> > Hi,
> >
> > This is not intentional. Can you please give an example? Or even a test
> > case?
> >
> > On 8/8/07, Wayne Johnson <[EMAIL PROTECTED]> wrote:
> > >
> > > Our application allows an administrator to change the ACI to allow or
> > > disallow users access to some data. It seems to me that when we make
> > > changes to the prescriptiveACI, it doesn't seem to take effect till we
> > > restart the LDAP service. Is this intentional? Is there a way to force it
> > > to be refreshed?
> > >
> > > Wayne Johnson
> > > Senior Software Engineer
> > > MQSoftware, Inc.
> > > 1660 S Highway 100
> > > Minneapolis, MN 55416
> > > (952) 345-8628
> >
> > --
> > Ersin Er
> >
> > R.A. and Ph.D Student at the Dept. of Computer Eng. in
> > Hacettepe University
> > http://www.cs.hacettepe.edu.tr
> >
> > Committer and PMC Member of The Apache Directory Project
> > http://directory.apache.org

--
Ersin Er

R.A. and Ph.D Student at the Dept. of Computer Eng. in Hacettepe University
http://www.cs.hacettepe.edu.tr

Committer and PMC Member of The Apache Directory Project
http://directory.apache.org
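The thread turns on two things: what the rewritten prescriptiveACI should change (fred is dropped from the userClasses name list, nothing else moves) and how to notice when the server is still enforcing the old value. The script below is an added example, not ApacheDS code and not from either poster. It parses only the userFirst / `name { ... }` / `grantsAndDenials { ... }` subset of the ACI grammar that the thread's value uses, diffs the before and after values quoted above, and flags "stale access": principals that a bind-and-search check still shows as able to read even though the current ACI no longer names them. The `observed` list in `main` is a constructed stand-in for the result of running ldapsearch as each user, mirroring what the thread reports (fred still sees the entries after the modify).

```python
"""Diff ApacheDS prescriptiveACI values and flag access the current ACI
should no longer grant. Added example; handles only the userFirst +
name { ... } subset used in the thread, and raises on anything else
rather than silently treating it as "no users".
"""
import re
from typing import Dict, Iterable, Set

# The ACI loaded from the LDIF in the thread (three named users).
ACI_BEFORE = """{
  identificationTag "userAdminPermissions",
  precedence 16,
  authenticationLevel simple,
  itemOrUserFirst userFirst: {
    userClasses {
      name {
        "cn=SA,ou=users,dc=mqsoftware,dc=com",
        "cn=fred,ou=users,dc=mqsoftware,dc=com",
        "cn=BrowserService,ou=users,dc=mqsoftware,dc=com"
      }
    },
    userPermissions
    {
      {
        protectedItems { entry, allUserAttributeTypesAndValues },
        grantsAndDenials { grantAdd, grantDiscloseOnError, grantRead,
          grantRemove, grantBrowse, grantExport, grantImport, grantModify,
          grantRename, grantReturnDN, grantCompare, grantFilterMatch,
          grantInvoke }
      }
    }
  }
}"""

# The replacement value the application wrote: identical except that
# fred's DN is gone from the name list (as in the thread's debug log).
ACI_AFTER = ACI_BEFORE.replace(
    '        "cn=fred,ou=users,dc=mqsoftware,dc=com",\n', "")

_NAME_BLOCK = re.compile(r"name\s*\{([^}]*)\}", re.S)
_QUOTED_DN = re.compile(r'"([^"]+)"')
_GRANTS_BLOCK = re.compile(r"grantsAndDenials\s*\{([^}]*)\}", re.S)
_GRANT_TOKEN = re.compile(r"\b(?:grant|deny)[A-Za-z]+")


def normalize_dn(dn: str) -> str:
    """Case-fold and strip whitespace around RDN separators so that
    'cn=Fred, ou=users,...' and 'cn=fred,ou=users,...' compare equal."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def parse_user_first_aci(aci: str) -> Dict[str, Set[str]]:
    """Return {'users', 'grants', 'denials'} named in a userFirst ACI item."""
    if "userFirst" not in aci:
        raise ValueError("only itemOrUserFirst userFirst ACIs are supported")
    name_blocks = _NAME_BLOCK.findall(aci)
    if not name_blocks:
        # allUsers / userGroup / subtree user classes need the real grammar.
        raise ValueError("userClasses without a name { ... } list is not supported")
    users = {normalize_dn(dn)
             for block in name_blocks for dn in _QUOTED_DN.findall(block)}
    grants: Set[str] = set()
    denials: Set[str] = set()
    for block in _GRANTS_BLOCK.findall(aci):
        for tok in _GRANT_TOKEN.findall(block):
            (grants if tok.startswith("grant") else denials).add(tok)
    return {"users": users, "grants": grants, "denials": denials}


def aci_diff(before: str, after: str) -> Dict[str, Set[str]]:
    """Principals that lose or gain this item's grants between two values."""
    b, a = parse_user_first_aci(before), parse_user_first_aci(after)
    return {"removed": b["users"] - a["users"], "added": a["users"] - b["users"]}


def stale_access(aci_after: str, observed_readers: Iterable[str]) -> Set[str]:
    """Principals observed to still read (e.g. by binding as each user and
    running ldapsearch) although the current ACI no longer names them.
    A non-empty result is the symptom from the thread: the modified
    prescriptiveACI is not being enforced until the server restarts."""
    allowed = parse_user_first_aci(aci_after)["users"]
    return {normalize_dn(dn) for dn in observed_readers} - allowed


if __name__ == "__main__":
    print("diff:", aci_diff(ACI_BEFORE, ACI_AFTER))
    # Constructed observation matching the thread: fred can still search.
    observed = ["cn=SA,ou=users,dc=mqsoftware,dc=com",
                "cn=fred,ou=users,dc=mqsoftware,dc=com",
                "cn=BrowserService,ou=users,dc=mqsoftware,dc=com"]
    print("stale access:", stale_access(ACI_AFTER, observed))
```

In practice the `observed` list comes from the same bind-and-search loop Wayne describes (one ldapsearch per user, recording who gets entries back); running `stale_access` after every ACI modify turns "fred still sees the user info" from something noticed by hand into a check that fails immediately when the server has not picked up the new value.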
