Hi Pontus,

I have committed a fix in the trunk, see https://issues.apache.org/jira/browse/DIRSERVER-1971 for more details.

Thanks for reporting.

On Wed, Apr 23, 2014 at 7:25 PM, Pontus Freyhult <[email protected]> wrote:

> Hi all,
>
> I'm trying to do a multi-master set up with special permissions
> (access controls), but I see replication issues.
>
> As this is multi master, any way I go about replicating both the
> consumer and the provider will have an accessControlSubentry governing
> the replicated area.
>
> Log excerpt from the replication client (server where the change wasn't
> done):
>
> DEBUG [org.apache.directory.server.CONSUMER_LOG] - ------------- starting handleSearchResult ------------
> DEBUG [org.apache.directory.server.CONSUMER_LOG] - assigning the cookie from sync state value control: rid=001,csn=20140423074926.153000Z#000000#001#000000
> DEBUG [org.apache.directory.server.CONSUMER_LOG] - state name MODIFY
> DEBUG [org.apache.directory.server.CONSUMER_LOG] - entryUUID = a4037097-de9a-486d-a069-2d0fe75ceda4
> DEBUG [org.apache.directory.server.CONSUMER_LOG] - modifying entry with dn uid=pontusf,ou=People,dc=uppmax,dc=uu,dc=se
> ERROR [org.apache.directory.server.CONSUMER_LOG] - ERR_52 Cannot modify the attribute : attributetype ( 1.3.6.1.4.1.18060.0.4.1.2.11 NAME 'accessControlSubentries'
> #011DESC 'Used to track a subentry associated with access control areas'
> #011EQUALITY distinguishedNameMatch
> #011SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
> #011NO-USER-MODIFICATION
> #011USAGE directoryOperation
> )
> org.apache.directory.api.ldap.model.exception.LdapNoPermissionException: ERR_52 Cannot modify the attribute : attributetype ( 1.3.6.1.4.1.18060.0.4.1.2.11 NAME 'accessControlSubentries'
> #011DESC 'Used to track a subentry associated with access control areas'
> #011EQUALITY distinguishedNameMatch
> #011SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
> #011NO-USER-MODIFICATION
> #011USAGE directoryOperation
> )
> #011at org.apache.directory.server.core.schema.SchemaInterceptor.checkModifyEntry(SchemaInterceptor.java:721)
> #011at org.apache.directory.server.core.schema.SchemaInterceptor.modify(SchemaInterceptor.java:1186)
> #011at org.apache.directory.server.core.api.interceptor.BaseInterceptor.next(BaseInterceptor.java:587)
> #011at org.apache.directory.server.core.hash.PasswordHashingInterceptor.modify(PasswordHashingInterceptor.java:131)
> #011at org.apache.directory.server.core.api.interceptor.BaseInterceptor.next(BaseInterceptor.java:587)
> #011at org.apache.directory.server.core.exception.ExceptionInterceptor.modify(ExceptionInterceptor.java:253)
> #011at org.apache.directory.server.core.api.interceptor.BaseInterceptor.next(BaseInterceptor.java:587)
> #011at org.apache.directory.server.core.admin.AdministrativePointInterceptor.modify(AdministrativePointInterceptor.java:1456)
> #011at org.apache.directory.server.core.api.interceptor.BaseInterceptor.next(BaseInterceptor.java:587)
> #011at org.apache.directory.server.core.authz.DefaultAuthorizationInterceptor.modify(DefaultAuthorizationInterceptor.java:277)
> #011at org.apache.directory.server.core.api.interceptor.BaseInterceptor.next(BaseInterceptor.java:587)
> #011at org.apache.directory.server.core.authz.AciAuthorizationInterceptor.modify(AciAuthorizationInterceptor.java:820)
> #011at org.apache.directory.server.core.api.interceptor.BaseInterceptor.next(BaseInterceptor.java:587)
> #011at org.apache.directory.server.core.referral.ReferralInterceptor.modify(ReferralInterceptor.java:319)
> #011at org.apache.directory.server.core.api.interceptor.BaseInterceptor.next(BaseInterceptor.java:587)
> #011at org.apache.directory.server.core.authn.AuthenticationInterceptor.modify(AuthenticationInterceptor.java:834)
> #011at org.apache.directory.server.core.api.interceptor.BaseInterceptor.next(BaseInterceptor.java:587)
> #011at org.apache.directory.server.core.normalization.NormalizationInterceptor.modify(NormalizationInterceptor.java:216)
> #011at org.apache.directory.server.core.DefaultOperationManager.modify(DefaultOperationManager.java:883)
> #011at org.apache.directory.server.ldap.replication.consumer.ReplicationConsumerImpl.modify(ReplicationConsumerImpl.java:1215)
> #011at org.apache.directory.server.ldap.replication.consumer.ReplicationConsumerImpl.handleSearchResultEntry(ReplicationConsumerImpl.java:416)
> #011at org.apache.directory.server.ldap.replication.consumer.ReplicationConsumerImpl.doSyncSearch(ReplicationConsumerImpl.java:778)
> #011at org.apache.directory.server.ldap.replication.consumer.ReplicationConsumerImpl.startSync(ReplicationConsumerImpl.java:565)
> #011at org.apache.directory.server.ldap.LdapServer$2.run(LdapServer.java:739)
> #011at java.lang.Thread.run(Thread.java:744)
> DEBUG [org.apache.directory.server.CONSUMER_LOG] - ------------- Ending handleSearchResult ------------
>
> I would have expected these to go away after setting
> ads-replattributes for the consumer (and restarting), but that didn't
> seem to affect it. That seems odd, but I really don't want to list all
> the attributes to replicate anyway so I haven't investigated further.
>
> Looking at
> protocol-ldap/src/main/java/org/apache/directory/server/ldap/replication/consumer/ReplicationConsumerImpl.java
> in directory-server, the obvious fix seems to be adding a
> SchemaConstants.ACCESS_CONTROL_SUBENTRIES_AT in MOD_IGNORE_AT as I can
> see no reason these should ever be replicated.
>
> Am I missing something or should I just go ahead and file a bug about this?
>
> cheers, Pontus
>

-- 
Kiran Ayyagari
http://keydap.com
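
Added example (not part of the original thread and not ApacheDS code): a log triage script for the failure quoted above. It pairs each ERR_52 rejection in a consumer log with the DN being modified, so an operator can list the entries that did not replicate and the NO-USER-MODIFICATION attribute that blocked them. The sample log is constructed from the excerpt in the message, assumes unwrapped log lines with the "#011" tab escapes seen there, and the function names are illustrative.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the excerpt quoted in the message; the second
# DN is invented to show a modification that was not rejected.
SAMPLE_LOG = """\
DEBUG [org.apache.directory.server.CONSUMER_LOG] - state name MODIFY
DEBUG [org.apache.directory.server.CONSUMER_LOG] - modifying entry with dn uid=pontusf,ou=People,dc=uppmax,dc=uu,dc=se
ERROR [org.apache.directory.server.CONSUMER_LOG] - ERR_52 Cannot modify the attribute : attributetype ( 1.3.6.1.4.1.18060.0.4.1.2.11 NAME 'accessControlSubentries'
#011DESC 'Used to track a subentry associated with access control areas'
#011NO-USER-MODIFICATION
#011USAGE directoryOperation
 )
DEBUG [org.apache.directory.server.CONSUMER_LOG] - modifying entry with dn uid=constructed,ou=People,dc=example,dc=com
DEBUG [org.apache.directory.server.CONSUMER_LOG] - ------------- Ending handleSearchResult ------------
"""

DN_RE = re.compile(r"CONSUMER_LOG\] - modifying entry with dn (.+)$")
ERR_RE = re.compile(r"^ERROR \[[\w.]*CONSUMER_LOG\] - ERR_52 .*attributetype \(\s*([\d.]+)\s+NAME '([^']+)'")
LEVEL_RE = re.compile(r"^(DEBUG|INFO|WARN|ERROR) \[")

def rejected_modifications(log_text):
    """Return one dict per ERR_52 rejection: dn, oid, attribute, no_user_mod."""
    failures, current_dn, open_failure = [], None, None
    for raw in log_text.splitlines():
        line = raw.replace("#011", "\t").rstrip()  # undo the tab escaping
        if m := DN_RE.search(line):
            current_dn, open_failure = m.group(1), None
        elif m := ERR_RE.search(line):
            open_failure = {"dn": current_dn or "<unknown dn>", "oid": m.group(1),
                            "attribute": m.group(2), "no_user_mod": False}
            failures.append(open_failure)
        elif LEVEL_RE.match(line):
            open_failure = None  # next log record: the schema dump is over
        elif open_failure and "NO-USER-MODIFICATION" in line:
            open_failure["no_user_mod"] = True
    return failures

def unreplicated_entries(failures):
    """Group the DNs that failed to replicate by the attribute that blocked them."""
    grouped = defaultdict(set)
    for failure in failures:
        grouped[failure["attribute"]].add(failure["dn"])
    return {attr: sorted(dns) for attr, dns in grouped.items()}

if __name__ == "__main__":
    for attr, dns in unreplicated_entries(rejected_modifications(SAMPLE_LOG)).items():
        print(attr, dns)
```

Every DN it reports is an entry whose replicated modification was rejected on that server, so those entries should be compared against the provider once the fix is deployed.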
