We're using 1.0.2. That does look like the issue though. I dislike switching releases at this point (we're releasing our product in 2 weeks). Is there any sort of a bypass besides picking up the new code?

> -----Original Message-----
> From: Ersin Er [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, August 07, 2007 4:45 PM
> To: [email protected]
> Subject: Re: When do changes to ACI take effect?
>
> BTW, which version of ApacheDS are you using? I had recently fixed such a
> bug:
>
> https://issues.apache.org/jira/browse/DIRSERVER-988
>
> On 8/8/07, Wayne Johnson <[EMAIL PROTECTED]> wrote:
> >
> > We start out with an automatically read in LDIF file that has:
> >
> > # This ACI allows an Admin to read and modify everything for all users
> > dn: cn=userAdminPermissions,ou=users,dc=mqsoftware,dc=com
> > objectClass: top
> > objectClass: subentry
> > objectClass: accessControlSubentry
> > cn: userAdminPermissions
> > subtreeSpecification: {}
> > prescriptiveACI: {
> >   identificationTag "userAdminPermissions",
> >   precedence 16,
> >   authenticationLevel simple,
> >   itemOrUserFirst userFirst: {
> >     userClasses {
> >       name {
> >         "cn=SA,ou=users,dc=mqsoftware,dc=com",
> >         "cn=fred,ou=users,dc=mqsoftware,dc=com",
> >         "cn=BrowserService,ou=users,dc=mqsoftware,dc=com"
> >       }
> >     },
> >     userPermissions
> >     {
> >       {
> >         protectedItems { entry, allUserAttributeTypesAndValues },
> >         grantsAndDenials { grantAdd, grantDiscloseOnError, grantRead,
> >           grantRemove, grantBrowse, grantExport, grantImport, grantModify,
> >           grantRename, grantReturnDN, grantCompare, grantFilterMatch,
> >           grantInvoke }
> >       }
> >     }
> >   }
> >   }
> >
> > I can then do an ldapsearch from users fred and bert and fred shows full
> > access to the user information and bert (who isn't in the Admin list) can
> > not.
> >
> > Now the program rewrites the prescriptiveACI with:
> >
> > 2007-08-07 15:41:57,437 [btpool0-1] com.mqsoftware.ws.SWSLdapIETF DEBUG -
> > [Client File=SWSLdapIETF.java, Line=835] Updating
> > cn=userAdminPermissions,ou=users,dc=mqsoftware,dc=com with:
> > LDAPModification: (operation=replace,(LDAPAttribute:
> > {type='prescriptiveACI', value='{
> >   identificationTag "userAdminPermissions",
> >   precedence 16,
> >   authenticationLevel simple,
> >   itemOrUserFirst userFirst: {
> >     userClasses {
> >       name {
> >         "cn=BrowserService,ou=users,dc=mqsoftware,dc=com",
> >         "cn=SA,ou=users,dc=mqsoftware,dc=com"
> >       }
> >     },
> >     userPermissions
> >     {
> >       {
> >         protectedItems { entry, allUserAttributeTypesAndValues },
> >         grantsAndDenials { grantAdd, grantDiscloseOnError, grantRead,
> >           grantRemove, grantBrowse, grantExport, grantImport, grantModify,
> >           grantRename, grantReturnDN, grantCompare, grantFilterMatch,
> >           grantInvoke }
> >       }
> >     }
> >   }
> > }
> > '}))
> >
> > At this point, fred still can see the user info. I checked the apacheds
> > logs and don't see any exceptions. When I restart the service, things start
> > working right (fred no longer has access).
> >
> > Is there a place where I can upload the full LDIF file? It's 411 lines
> > long.
> >
> > Thanks.
> >
> > > -----Original Message-----
> > > From: Ersin Er [mailto:[EMAIL PROTECTED]
> > > Sent: Tuesday, August 07, 2007 4:12 PM
> > > To: [email protected]
> > > Subject: Re: When do changes to ACI take effect?
> > >
> > > Hi,
> > >
> > > This is not intentional. Can you please give an example? Or
> > > even a test case?
> > >
> > > On 8/8/07, Wayne Johnson <[EMAIL PROTECTED]> wrote:
> > > >
> > > > Our application allows an administrator to change the ACI to allow or
> > > > disallow users access to some data. It seems to me that when we make
> > > > changes to the prescriptiveACI, it doesn't seem to take effect till we
> > > > restart the LDAP service. Is this intentional? Is there a way to force it
> > > > to be refreshed?
> > > >
> > > > Wayne Johnson
> > > > Senior Software Engineer
> > > > MQSoftware, Inc.
> > > > 1660 S Highway 100
> > > > Minneapolis, MN 55416
> > > > (952) 345-8628
> > > >
> > >
> > > --
> > > Ersin Er
> > >
> > > R.A. and Ph.D Student at the Dept. of Computer Eng. in
> > > Hacettepe University
> > > http://www.cs.hacettepe.edu.tr
> > >
> > > Committer and PMC Member of The Apache Directory Project
> > > http://directory.apache.org
> > >
>
> --
> Ersin Er
>
> R.A. and Ph.D Student at the Dept. of Computer Eng. in
> Hacettepe University
> http://www.cs.hacettepe.edu.tr
>
> Committer and PMC Member of The Apache Directory Project
> http://directory.apache.org
