On 8/8/07, Wayne Johnson <[EMAIL PROTECTED]> wrote:
>
> We're using 1.0.2.
>
> That does look like the issue though. I dislike switching releases at
> this point (we're releasing our product in 2 weeks). Is there any sort of a
> bypass besides picking up the new code?
I don't think that you can simply fix this on a previous version with some
tricks. As it's all open source you may apply the patches to your own custom
version of ApacheDS if you wish.

> -----Original Message-----
> > From: Ersin Er [mailto:[EMAIL PROTECTED]
> > Sent: Tuesday, August 07, 2007 4:45 PM
> > To: [email protected]
> > Subject: Re: When do changes to ACI take effect?
> >
> > BTW, which version of ApacheDS are you using? I had recently fixed such a
> > bug:
> >
> > https://issues.apache.org/jira/browse/DIRSERVER-988
> >
> > On 8/8/07, Wayne Johnson <[EMAIL PROTECTED]> wrote:
> > >
> > > We start out with an automatically read in LDIF file that has:
> > >
> > > # This ACI allows an Admin to read and modify everything for all users
> > > dn: cn=userAdminPermissions,ou=users,dc=mqsoftware,dc=com
> > > objectClass: top
> > > objectClass: subentry
> > > objectClass: accessControlSubentry
> > > cn: userAdminPermissions
> > > subtreeSpecification: {}
> > > prescriptiveACI: {
> > >   identificationTag "userAdminPermissions",
> > >   precedence 16,
> > >   authenticationLevel simple,
> > >   itemOrUserFirst userFirst: {
> > >     userClasses {
> > >       name {
> > >         "cn=SA,ou=users,dc=mqsoftware,dc=com",
> > >         "cn=fred,ou=users,dc=mqsoftware,dc=com",
> > >         "cn=BrowserService,ou=users,dc=mqsoftware,dc=com"
> > >       }
> > >     },
> > >     userPermissions
> > >     {
> > >       {
> > >         protectedItems { entry, allUserAttributeTypesAndValues },
> > >         grantsAndDenials { grantAdd, grantDiscloseOnError, grantRead,
> > >           grantRemove, grantBrowse, grantExport, grantImport, grantModify,
> > >           grantRename, grantReturnDN, grantCompare, grantFilterMatch,
> > >           grantInvoke }
> > >       }
> > >     }
> > >   }
> > > }
> > >
> > > I can then do an ldapsearch from users fred and bert and fred shows full
> > > access to the user information and bert (who isn't in the Admin list)
> > > cannot.
> > >
> > > Now the program rewrites the prescriptiveACI with:
> > >
> > > 2007-08-07 15:41:57,437 [btpool0-1] com.mqsoftware.ws.SWSLdapIETF DEBUG -
> > > [Client File=SWSLdapIETF.java, Line=835] Updating
> > > cn=userAdminPermissions,ou=users,dc=mqsoftware,dc=com with:
> > > LDAPModification: (operation=replace,(LDAPAttribute:
> > > {type='prescriptiveACI', value='{
> > >   identificationTag "userAdminPermissions",
> > >   precedence 16,
> > >   authenticationLevel simple,
> > >   itemOrUserFirst userFirst: {
> > >     userClasses {
> > >       name {
> > >         "cn=BrowserService,ou=users,dc=mqsoftware,dc=com",
> > >         "cn=SA,ou=users,dc=mqsoftware,dc=com"
> > >       }
> > >     },
> > >     userPermissions
> > >     {
> > >       {
> > >         protectedItems { entry, allUserAttributeTypesAndValues },
> > >         grantsAndDenials { grantAdd, grantDiscloseOnError, grantRead,
> > >           grantRemove, grantBrowse, grantExport, grantImport, grantModify,
> > >           grantRename, grantReturnDN, grantCompare, grantFilterMatch,
> > >           grantInvoke }
> > >       }
> > >     }
> > >   }
> > > }
> > > '}))
> > >
> > > At this point, fred still can see the user info. I checked the apacheds
> > > logs and don't see any exceptions. When I restart the service, things
> > > start working right (fred no longer has access).
> > >
> > > Is there a place where I can upload the full LDIF file? It's 411 lines
> > > long.
> > >
> > > Thanks.
> > >
> > > > -----Original Message-----
> > > > From: Ersin Er [mailto:[EMAIL PROTECTED]
> > > > Sent: Tuesday, August 07, 2007 4:12 PM
> > > > To: [email protected]
> > > > Subject: Re: When do changes to ACI take effect?
> > > >
> > > > Hi,
> > > >
> > > > This is not intentional. Can you please give an example? Or even a test
> > > > case?
> > > >
> > > > On 8/8/07, Wayne Johnson <[EMAIL PROTECTED]> wrote:
> > > > >
> > > > > Our application allows an administrator to change the ACI to allow or
> > > > > disallow users access to some data. It seems to me that when we make
> > > > > changes to the prescriptiveACI, it doesn't seem to take effect till we
> > > > > restart the LDAP service. Is this intentional? Is there a way to force
> > > > > it to be refreshed?
> > > > >
> > > > > Wayne Johnson
> > > > > Senior Software Engineer
> > > > > MQSoftware, Inc.
> > > > > 1660 S Highway 100
> > > > > Minneapolis, MN 55416
> > > > > (952) 345-8628

-- 
Ersin Er

R.A. and Ph.D Student at the Dept. of Computer Eng. in Hacettepe University
http://www.cs.hacettepe.edu.tr

Committer and PMC Member of The Apache Directory Project
http://directory.apache.org
