We're using the stable 1.0.2.
> -----Original Message-----
> From: Markus Pohle [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, August 07, 2007 4:43 PM
> To: [email protected]
> Cc: Wayne Johnson
> Subject: RE: When do changes to ACI take effect?
>
> Hi Wayne,
>
> what version of apacheds are you using?
>
> The problem you describe looks to me similar to this one:
> http://issues.apache.org/jira/browse/DIRSERVER-1001
>
> If you do not use newest 1.5.1-snapshot build or newest 1.0.2-snapshot
> try to build from trunk.
>
> HTH
> Markus
>
>
> Quoting Wayne Johnson <[EMAIL PROTECTED]>:
>
> > We start out with an automatically read in LDIF file that has:
> >
> > # This ACI allows an Admin to read and modify everything for all users
> > dn: cn=userAdminPermissions,ou=users,dc=mqsoftware,dc=com
> > objectClass: top
> > objectClass: subentry
> > objectClass: accessControlSubentry
> > cn: userAdminPermissions
> > subtreeSpecification: {}
> > prescriptiveACI: {
> >   identificationTag "userAdminPermissions",
> >   precedence 16,
> >   authenticationLevel simple,
> >   itemOrUserFirst userFirst: {
> >     userClasses {
> >       name {
> >         "cn=SA,ou=users,dc=mqsoftware,dc=com",
> >         "cn=fred,ou=users,dc=mqsoftware,dc=com",
> >         "cn=BrowserService,ou=users,dc=mqsoftware,dc=com"
> >       }
> >     },
> >     userPermissions
> >     {
> >       {
> >         protectedItems { entry, allUserAttributeTypesAndValues },
> >         grantsAndDenials { grantAdd, grantDiscloseOnError, grantRead,
> >           grantRemove, grantBrowse, grantExport, grantImport, grantModify,
> >           grantRename, grantReturnDN, grantCompare, grantFilterMatch,
> >           grantInvoke }
> >       }
> >     }
> >   }
> >  }
> >
> > I can then do an ldapsearch from users fred and bert and fred shows
> > full access to the user information and bert (who isn't in the Admin
> > list) can not.
> >
> > Now the program rewrites the prescriptiveACI with:
> >
> > 2007-08-07 15:41:57,437 [btpool0-1] com.mqsoftware.ws.SWSLdapIETF
> > DEBUG - [Client File=SWSLdapIETF.java, Line=835] Updating
> > cn=userAdminPermissions,ou=users,dc=mqsoftware,dc=com with:
> > LDAPModification: (operation=replace,(LDAPAttribute:
> > {type='prescriptiveACI', value='{
> >   identificationTag "userAdminPermissions",
> >   precedence 16,
> >   authenticationLevel simple,
> >   itemOrUserFirst userFirst: {
> >     userClasses {
> >       name {
> >         "cn=BrowserService,ou=users,dc=mqsoftware,dc=com",
> >         "cn=SA,ou=users,dc=mqsoftware,dc=com"
> >       }
> >     },
> >     userPermissions
> >     {
> >       {
> >         protectedItems { entry, allUserAttributeTypesAndValues },
> >         grantsAndDenials { grantAdd, grantDiscloseOnError, grantRead,
> >           grantRemove, grantBrowse, grantExport, grantImport, grantModify,
> >           grantRename, grantReturnDN, grantCompare, grantFilterMatch,
> >           grantInvoke }
> >       }
> >     }
> >   }
> >  }
> > '}))
> >
> > At this point, fred still can see the user info. I checked the
> > apacheds logs and don't see any exceptions. When I restart the
> > service, things start working right (fred no longer has access).
> >
> > Is there a place where I can upload the full LDIF file? It's 411 lines long.
> >
> > Thanks.
> >
> >> -----Original Message-----
> >> From: Ersin Er [mailto:[EMAIL PROTECTED]
> >> Sent: Tuesday, August 07, 2007 4:12 PM
> >> To: [email protected]
> >> Subject: Re: When do changes to ACI take effect?
> >>
> >> Hi,
> >>
> >> This is not intentional. Can you please give an example? Or even a test
> >> case?
> >>
> >> On 8/8/07, Wayne Johnson <[EMAIL PROTECTED]> wrote:
> >> >
> >> > Our application allows an administrator to change the ACI to allow or
> >> > disallow users access to some data. It seems to me that when we make
> >> > changes to the prescriptiveACI, it doesn't seem to take effect till we
> >> > restart the LDAP service. Is this intentional? Is there a way to force it
> >> > to be refreshed?
> >> >
> >> > Wayne Johnson
> >> > Senior Software Engineer
> >> > MQSoftware, Inc.
> >> > 1660 S Highway 100
> >> > Minneapolis, MN 55416
> >> > (952) 345-8628
> >> >
> >>
> >> --
> >> Ersin Er
> >>
> >> R.A. and Ph.D Student at the Dept. of Computer Eng. in
> >> Hacettepe University
> >> http://www.cs.hacettepe.edu.tr
> >>
> >> Committer and PMC Member of The Apache Directory Project
> >> http://directory.apache.org
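
Added example, not part of the original thread: an offline check for the symptom reported above. It diffs the `name` lists of the two prescriptiveACI values quoted in the message to find the revoked DNs, then flags any of them that can still read after the change. Function names and the probe results are constructed for illustration, and DN comparison is simplified (escaped commas are not handled).

```python
import re

# Constructed from the two prescriptiveACI values quoted in the thread
# (only the userClasses part is kept; the rest of the ACIItem is unchanged).
ACI_BEFORE = '''userClasses { name {
  "cn=SA,ou=users,dc=mqsoftware,dc=com",
  "cn=fred,ou=users,dc=mqsoftware,dc=com",
  "cn=BrowserService,ou=users,dc=mqsoftware,dc=com" } }'''
ACI_AFTER = '''userClasses { name {
  "cn=BrowserService,ou=users,dc=mqsoftware,dc=com",
  "cn=SA,ou=users,dc=mqsoftware,dc=com" } }'''


def normalize_dn(dn):
    """Lower-case and trim each RDN so equivalent DNs compare equal (simplified)."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def named_users(aci):
    """Return the set of DNs listed in the userClasses 'name { ... }' block."""
    m = re.search(r'\bname\s*\{([^{}]*)\}', aci)
    if not m:
        return set()
    return {normalize_dn(dn) for dn in re.findall(r'"([^"]*)"', m.group(1))}


def revoked_users(before, after):
    """DNs granted by the old ACI but absent from the new one."""
    return named_users(before) - named_users(after)


def stale_grants(before, after, probe_results):
    """probe_results maps DN -> True if a read as that DN succeeded after the
    modify. A revoked DN that can still read means the old ACI is still enforced."""
    observed = {normalize_dn(dn): ok for dn, ok in probe_results.items()}
    return sorted(dn for dn in revoked_users(before, after) if observed.get(dn))


if __name__ == "__main__":
    # Constructed probe outcome matching the report: fred can still read.
    probes = {"cn=fred,ou=users,dc=mqsoftware,dc=com": True,
              "cn=bert,ou=users,dc=mqsoftware,dc=com": False}
    print(stale_grants(ACI_BEFORE, ACI_AFTER, probes))
```

A non-empty result after a successful modify is the condition described in the thread: the directory accepted the new ACI but is still authorizing against the old one.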
