Posted to users@directory.apache.org by David Filip <df...@colornet.com> on 2021/04/07 18:57:14 UTC

[ApacheDS] Access Control / ACI Errors (even following on-line doc)

Dear ApacheDS Community,

I am having troubles getting Access Control working with a fresh install of ApacheDS.

Given that the online documentation is a little thin around how to configure ACIs, I am trying to follow the example provided (in section 3.2 - Basic Authorization).

I am getting the same error, regardless of whether I use the example as-is in the documentation (The Seven Sea example), or my own, so I figured that I would first reach out to see if anyone has gotten the example to work?

The resulting error is:

LDAP result code 21 - invalidAttributeSyntax] INVALID_ATTRIBUTE_SYNTAX: failed for MessageType : ADD_REQUEST

which is not very descriptive, so I am not sure which attribute's syntax it is complaining about.  I am including the full error below.  The syntax looks reasonable, the right number of curly braces, etc.

Nonetheless, the example in the online documentation is straightforward enough; once I can get that working, I am confident I should be able to get something similar working in my configuration, but until I do, I am a bit lost.

[Note: The only functional change I need to make to the example for my configuration is that I want to be able to use a group instead of just a name, but first things first in terms of getting the example to work as-is.]

After clicking '[ ] Enable Access Control' in the server configuration, and restarting the server, I am attempting to load the example (LDIF for this configuration) as-is via Studio (File => Import => LDIF into LDAP) from section '3.2 - Basic Authorization'.  And of course I successfully loaded the sample "Seven Seas" LDIF first.

If anyone has gotten this to work, I would appreciate any feedback.

Thanks,

Dave Filip.

====

LDIF I am importing:

# File authz_sevenSeas.ldif
#
# Create an operational attribute "administrativeRole"
# with value "accessControlSpecificArea" in the entry "o=sevenSeas".
#
dn: o=sevenSeas
changetype: modify
add: administrativeRole
administrativeRole: accessControlSpecificArea

# Create a subentry subordinate to "o=sevenSeas" to grant all operations' permissions 
# to "cn=Horatio Nelson,ou=people,o=sevenSeas", to grant search and compare permissions
# to all users and to deny search and compare permissions for userPassword attribute to all users. 
#
dn: cn=sevenSeasAuthorizationRequirementsACISubentry,o=sevenSeas
changetype: add
objectclass: top
objectclass: subentry
objectclass: accessControlSubentry
cn: sevenSeasAuthorizationRequirementsACISubentry
subtreeSpecification: {}
prescriptiveACI: {
    identificationTag "directoryManagerFullAccessACI",
    precedence 11,
    authenticationLevel simple,
    itemOrUserFirst userFirst:
    {
        userClasses
        {
            name { "cn=Horatio Nelson,ou=people,o=sevenSeas" }
        },
        userPermissions
        { 
            {
                protectedItems
                {
                    entry, allUserAttributeTypesAndValues
                },
                grantsAndDenials
                {
                    grantAdd, grantDiscloseOnError, grantRead,
                    grantRemove, grantBrowse, grantExport, grantImport,
                    grantModify, grantRename, grantReturnDN,
                    grantCompare, grantFilterMatch, grantInvoke
                } 
            }
        }
    } 
}
prescriptiveACI: {
    identificationTag "allUsersACI",
    precedence 10,
    authenticationLevel none,
    itemOrUserFirst userFirst:
    {
        userClasses
        {
            allUsers
        },
        userPermissions
        { 
            {
                protectedItems { entry, allUserAttributeTypesAndValues },
                grantsAndDenials { grantRead, grantBrowse, grantReturnDN,
                         grantCompare, grantFilterMatch, grantDiscloseOnError } 
            },
            {
                protectedItems { attributeType { userPassword } },
                grantsAndDenials { denyRead, denyCompare, denyFilterMatch }
            }
        }	
    }
  }

====

Import Pop-Up Error:

Error while importing LDIF
 -  [LDAP result code 21 - invalidAttributeSyntax] INVALID_ATTRIBUTE_SYNTAX: failed for MessageType : ADD_REQUEST
org.apache.directory.studio.connection.core.io.StudioLdapException:  [LDAP result code 21 - invalidAttributeSyntax] INVALID_ATTRIBUTE_SYNTAX: failed for MessageType : ADD_REQUEST
Message ID : 125
    Add Request :
Entry
    dn: cn=sevenSeasAuthorizationRequirementsACISubentry,o=sevenSeas
    objectclass: top
    objectclass: subentry
    objectclass: accessControlSubentry
    prescriptiveACI: {   identificationTag "directoryManagerFullAccessACI",   precedence 11,   authenticationLevel simple,   itemOrUserFirst userFirst:   {       userClasses       {           name { "cn=Horatio Nelson,ou=people,o=sevenSeas" }       },       userPermissions       {            {               protectedItems               {                   entry, allUserAttributeTypesAndValues               },               grantsAndDenials               {                   grantAdd, grantDiscloseOnError, grantRead,                   grantRemove, grantBrowse, grantExport, grantImport,                   grantModify, grantRename, grantReturnDN,                   grantCompare, grantFilterMatch, grantInvoke               }            }       }   } 
    prescriptiveACI: {   identificationTag "allUsersACI",   precedence 10,   authenticationLevel none,   itemOrUserFirst userFirst:   {       userClasses       {           allUsers       },       userPermissions       {            {               protectedItems { entry, allUserAttributeTypesAndValues },               grantsAndDenials { grantRead, grantBrowse, grantReturnDN,                        grantCompare, grantFilterMatch, grantDiscloseOnError }            },           {               protectedItems { attributeType { userPassword } },               grantsAndDenials { denyRead, denyCompare, denyFilterMatch }           }       }	   } }
    subtreeSpecification: {}
    cn: sevenSeasAuthorizationRequirementsACISubentry
    }: UNKNOWN
: ERR_13246_INVALID_VALUE_PER_SYNTAX Invalid upValue per syntax
	at org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper.toStudioLdapException(DirectoryApiConnectionWrapper.java:1356)
	at org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper.access$4(DirectoryApiConnectionWrapper.java:1348)
	at org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper$6.run(DirectoryApiConnectionWrapper.java:910)
	at org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper.runAndMonitor(DirectoryApiConnectionWrapper.java:1265)
	at org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper.checkConnectionAndRunAndMonitor(DirectoryApiConnectionWrapper.java:1210)
	at org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper.createEntry(DirectoryApiConnectionWrapper.java:922)
	at org.apache.directory.studio.ldapbrowser.core.jobs.ImportLdifRunnable.importLdifRecord(ImportLdifRunnable.java:445)
	at org.apache.directory.studio.ldapbrowser.core.jobs.ImportLdifRunnable.importLdif(ImportLdifRunnable.java:272)
	at org.apache.directory.studio.ldapbrowser.core.jobs.ImportLdifRunnable.run(ImportLdifRunnable.java:218)
	at org.apache.directory.studio.connection.core.jobs.StudioConnectionJob.run(StudioConnectionJob.java:109)
	at org.eclipse.core.internal.jobs.Worker.run(Worker.java:63)
Caused by: org.apache.directory.api.ldap.model.exception.LdapInvalidAttributeValueException: INVALID_ATTRIBUTE_SYNTAX: failed for MessageType : ADD_REQUEST
Message ID : 125
    Add Request :
Entry
    dn: cn=sevenSeasAuthorizationRequirementsACISubentry,o=sevenSeas
    objectclass: top
    objectclass: subentry
    objectclass: accessControlSubentry
    prescriptiveACI: {   identificationTag "directoryManagerFullAccessACI",   precedence 11,   authenticationLevel simple,   itemOrUserFirst userFirst:   {       userClasses       {           name { "cn=Horatio Nelson,ou=people,o=sevenSeas" }       },       userPermissions       {            {               protectedItems               {                   entry, allUserAttributeTypesAndValues               },               grantsAndDenials               {                   grantAdd, grantDiscloseOnError, grantRead,                   grantRemove, grantBrowse, grantExport, grantImport,                   grantModify, grantRename, grantReturnDN,                   grantCompare, grantFilterMatch, grantInvoke               }            }       }   } 
    prescriptiveACI: {   identificationTag "allUsersACI",   precedence 10,   authenticationLevel none,   itemOrUserFirst userFirst:   {       userClasses       {           allUsers       },       userPermissions       {            {               protectedItems { entry, allUserAttributeTypesAndValues },               grantsAndDenials { grantRead, grantBrowse, grantReturnDN,                        grantCompare, grantFilterMatch, grantDiscloseOnError }            },           {               protectedItems { attributeType { userPassword } },               grantsAndDenials { denyRead, denyCompare, denyFilterMatch }           }       }	   } }
    subtreeSpecification: {}
    cn: sevenSeasAuthorizationRequirementsACISubentry
    }: UNKNOWN
: ERR_13246_INVALID_VALUE_PER_SYNTAX Invalid upValue per syntax
	at org.apache.directory.api.ldap.model.message.ResultCodeEnum.processResponse(ResultCodeEnum.java:2101)
	at org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper.checkResponse(DirectoryApiConnectionWrapper.java:1343)
	at org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper.access$12(DirectoryApiConnectionWrapper.java:1339)
	at org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper$6.run(DirectoryApiConnectionWrapper.java:906)
	... 8 more

 [LDAP result code 21 - invalidAttributeSyntax] INVALID_ATTRIBUTE_SYNTAX: failed for MessageType : ADD_REQUEST
Message ID : 125
    Add Request :
Entry
    dn: cn=sevenSeasAuthorizationRequirementsACISubentry,o=sevenSeas
    objectclass: top
    objectclass: subentry
    objectclass: accessControlSubentry
    prescriptiveACI: {   identificationTag "directoryManagerFullAccessACI",   precedence 11,   authenticationLevel simple,   itemOrUserFirst userFirst:   {       userClasses       {           name { "cn=Horatio Nelson,ou=people,o=sevenSeas" }       },       userPermissions       {            {               protectedItems               {                   entry, allUserAttributeTypesAndValues               },               grantsAndDenials               {                   grantAdd, grantDiscloseOnError, grantRead,                   grantRemove, grantBrowse, grantExport, grantImport,                   grantModify, grantRename, grantReturnDN,                   grantCompare, grantFilterMatch, grantInvoke               }            }       }   } 
    prescriptiveACI: {   identificationTag "allUsersACI",   precedence 10,   authenticationLevel none,   itemOrUserFirst userFirst:   {       userClasses       {           allUsers       },       userPermissions       {            {               protectedItems { entry, allUserAttributeTypesAndValues },               grantsAndDenials { grantRead, grantBrowse, grantReturnDN,                        grantCompare, grantFilterMatch, grantDiscloseOnError }            },           {               protectedItems { attributeType { userPassword } },               grantsAndDenials { denyRead, denyCompare, denyFilterMatch }           }       }	   } }
    subtreeSpecification: {}
    cn: sevenSeasAuthorizationRequirementsACISubentry
    }: UNKNOWN
: ERR_13246_INVALID_VALUE_PER_SYNTAX Invalid upValue per syntax

====

And from the Modification Logs:

#!RESULT OK
#!CONNECTION ldap://mars.colornet.com:10389
#!DATE 2021-04-07T18:30:04.878
dn: o=sevenSeas
changetype: modify
add: administrativeRole
administrativeRole: accessControlSpecificArea
-

#!RESULT ERROR
#!CONNECTION ldap://mars.colornet.com:10389
#!DATE 2021-04-07T18:30:04.905
#!ERROR  [LDAP result code 21 - invalidAttributeSyntax] INVALID_ATTRIBUTE_SYNTAX: failed for MessageType : ADD_REQUEST Message ID : 125     Add Request : Entry     dn: cn=sevenSeasAuthorizationRequirementsACISubentry,o=sevenSeas     objectclass: top     objectclass: subentry     objectclass: accessControlSubentry     prescriptiveACI: {   identificationTag "directoryManagerFullAccessACI",   precedence 11,   authenticationLevel simple,   itemOrUserFirst userFirst:   {       userClasses       {           name { "cn=Horatio Nelson,ou=people,o=sevenSeas" }       },       userPermissions       {            {               protectedItems               {                   entry, allUserAttributeTypesAndValues               },               grantsAndDenials               {                   grantAdd, grantDiscloseOnError, grantRead,                   grantRemove, grantBrowse, grantExport, grantImport,                   grantModify, grantRename, grantReturnDN,                   grantCompare, grantFilterMatch, grantInvoke               }            }       }   }      prescriptiveACI: {   identificationTag "allUsersACI",   precedence 10,   authenticationLevel none,   itemOrUserFirst userFirst:   {       userClasses       {           allUsers       },       userPermissions       {            {               protectedItems { entry, allUserAttributeTypesAndValues },               grantsAndDenials { grantRead, grantBrowse, grantReturnDN,                        grantCompare, grantFilterMatch, grantDiscloseOnError }            },           {               protectedItems { attributeType { userPassword } },               grantsAndDenials { denyRead, denyCompare, denyFilterMatch }           }       }	   } }     subtreeSpecification: {}     cn: sevenSeasAuthorizationRequirementsACISubentry     }: UNKNOWN : ERR_13246_INVALID_VALUE_PER_SYNTAX Invalid upValue per syntax
dn: cn=sevenSeasAuthorizationRequirementsACISubentry,o=sevenSeas
changetype: add
prescriptiveACI:: eyAgIGlkZW50aWZpY2F0aW9uVGFnICJkaXJlY3RvcnlNYW5hZ2VyRnVsbEFj
 Y2Vzc0FDSSIsICAgcHJlY2VkZW5jZSAxMSwgICBhdXRoZW50aWNhdGlvbkxldmVsIHNpbXBsZSwgI
 CBpdGVtT3JVc2VyRmlyc3QgdXNlckZpcnN0OiAgIHsgICAgICAgdXNlckNsYXNzZXMgICAgICAgey
 AgICAgICAgICAgbmFtZSB7ICJjbj1Ib3JhdGlvIE5lbHNvbixvdT1wZW9wbGUsbz1zZXZlblNlYXM
 iIH0gICAgICAgfSwgICAgICAgdXNlclBlcm1pc3Npb25zICAgICAgIHsgICAgICAgICAgICB7ICAg
 ICAgICAgICAgICAgcHJvdGVjdGVkSXRlbXMgICAgICAgICAgICAgICB7ICAgICAgICAgICAgICAgI
 CAgIGVudHJ5LCBhbGxVc2VyQXR0cmlidXRlVHlwZXNBbmRWYWx1ZXMgICAgICAgICAgICAgICB9LC
 AgICAgICAgICAgICAgIGdyYW50c0FuZERlbmlhbHMgICAgICAgICAgICAgICB7ICAgICAgICAgICA
 gICAgICAgIGdyYW50QWRkLCBncmFudERpc2Nsb3NlT25FcnJvciwgZ3JhbnRSZWFkLCAgICAgICAg
 ICAgICAgICAgICBncmFudFJlbW92ZSwgZ3JhbnRCcm93c2UsIGdyYW50RXhwb3J0LCBncmFudEltc
 G9ydCwgICAgICAgICAgICAgICAgICAgZ3JhbnRNb2RpZnksIGdyYW50UmVuYW1lLCBncmFudFJldH
 VybkROLCAgICAgICAgICAgICAgICAgICBncmFudENvbXBhcmUsIGdyYW50RmlsdGVyTWF0Y2gsIGd
 yYW50SW52b2tlICAgICAgICAgICAgICAgfSAgICAgICAgICAgIH0gICAgICAgfSAgIH0g
prescriptiveACI: {   identificationTag "allUsersACI",   precedence 10,   authe
 nticationLevel none,   itemOrUserFirst userFirst:   {       userClasses      
  {           allUsers       },       userPermissions       {            {    
            protectedItems { entry, allUserAttributeTypesAndValues },         
       grantsAndDenials { grantRead, grantBrowse, grantReturnDN,              
           grantCompare, grantFilterMatch, grantDiscloseOnError }            }
 ,           {               protectedItems { attributeType { userPassword } }
 ,               grantsAndDenials { denyRead, denyCompare, denyFilterMatch }  
          }       }	   } }
subtreeSpecification: {}
cn: sevenSeasAuthorizationRequirementsACISubentry
objectclass: top
objectclass: subentry
objectclass: accessControlSubentry
}: UNKNOWN

Re: [ApacheDS] Access Control / ACI Errors (even following on-line doc)

Posted by David Filip <df...@colornet.com>.
Stefan

> Apologize, I should have written Hi Dave :)


No worries!  :-)

I get that all the time!  It is a side effect of having a last name that can sometimes be used as a first name.

You wrote under separate cover:

> I was able to reproduce that exact same error. The reason is that for
> the first prescriptiveACI the last closing curly brace is not indented.
>
> The error returned from the server is quite verbose but the actual
> invalid attribute is
>
>    }: UNKNOWN
>
> Do you use the Studio LDIF editor and LDIF import? That seems to be a
> bug in Studio. It seems it takes the line with the closing curly bracket
> and "invents" the "UNKNOWN" value. Can you please file a bug in Jira?
>
> So the simple solution is to indent it by one space, that's required by the
> LDIF spec.

Yup, that was it!  Thanks, by adding a space, it imports now without error, and I've verified that enhanced (advanced?) security is now working as expected.

Actually, I didn't use the Studio LDIF editor, I simply copy-n-pasted from the web page into a plain text file and did a File => Import within Studio.

Personal note: I hate languages where whitespace is significant, which is why I still use PERL over Python.  So I had no idea what ' }: UNKNOWN' was complaining about, because all of the curly braces were matched, and I don't normally think about whitespace being important (being a Java / PERL programmer, and working with XML / JSON).

Finally, you wrote under separate cover (regarding my question about root vs. non-root):

> Do you use the tar.gz or zip archive? That works, I just unzipped it (as
> my normal user so all files are owned by me) and started it.
>
> For the bin/deb/rpm packages installers I don't know.

Actually, I used the binary package, because I was installing ApacheDS on a Raspberry Pi.  Since that is an ARM architecture (and not x86_64), I had to use the binary (thankfully, Java's "write once / run anywhere" tag line actually works!).

I am tabling this for now, since after thinking about it, there must have been something that kicked off the Linux systemd .service file while I was in the middle of changing file ownerships / permissions, since the JVM knows nothing about root and is not installed with root privileges (unlike some programs that are -- e.g., Apache web server, which starts as root and then switches to another user).  So I'm assuming this was cockpit error on my part.

Nonetheless, thanks for all your help.

Regards,

Dave.

> On Apr 7, 2021, at 3:31 PM, Stefan Seelmann <ma...@stefan-seelmann.de> wrote:
> 
> On 4/7/21 9:28 PM, Stefan Seelmann wrote:
>> Hi Filip,
> Apologize, I should have written Hi Dave :)
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@directory.apache.org
> For additional commands, e-mail: users-help@directory.apache.org
> 


Re: [ApacheDS] Access Control / ACI Errors (even following on-line doc)

Posted by Stefan Seelmann <ma...@stefan-seelmann.de>.
On 4/7/21 9:28 PM, Stefan Seelmann wrote:
> Hi Filip,
Apologize, I should have written Hi Dave :)



Re: [ApacheDS] Access Control / ACI Errors (even following on-line doc)

Posted by Stefan Seelmann <ma...@stefan-seelmann.de>.
Hi Filip,

I was able to reproduce that exact same error. The reason is that for
the first prescriptiveACI the last closing curly brace is not indented.

The error returned from the server is quite verbose but the actual
invalid attribute is

    }: UNKNOWN

Do you use the Studio LDIF editor and LDIF import? That seems to be a
bug in Studio. It seems it takes the line with the closing curly bracket
and "invents" the "UNKNOWN" value. Can you please file a bug in Jira?

So the simple solution is to indent it by one space, that's required by the
LDIF spec.

Kind Regards,
Stefan
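The failure Stefan describes comes down to the LDIF line-folding rule in RFC 2849: a physical line that begins with a single space continues the previous logical line, while a line that begins with anything else starts a new `name: value` line. An unindented `}` therefore ends the `prescriptiveACI` value early and becomes a bogus new line, which is why the braces look balanced in the editor yet the server sees an unbalanced value (and Studio reports it as `}: UNKNOWN`). The following Python is an added example, not code from the thread or from ApacheDS or Studio; the two LDIF records in it are constructed, cut down from the sevenSeas subentry above, and the brace check ignores braces inside quoted strings, which the thread's ACIs do not contain.

```python
"""Added example: minimal RFC 2849 unfolding plus a brace check, showing
why a flush-left closing brace inside a prescriptiveACI value breaks the
import. Not part of the thread, ApacheDS, or Apache Directory Studio."""
import base64
import re

# A logical LDIF line is "name: value" or "name:: base64value"; anything
# else left after unfolding is a syntax error, not an attribute.
ATTR_LINE = re.compile(r"^([A-Za-z][A-Za-z0-9.;-]*)(::?) ?(.*)$")

# Constructed sample records (assumption: trimmed to the lines that matter).
# BROKEN_LDIF has the closing brace of prescriptiveACI flush left, exactly
# the mistake in the thread; FIXED_LDIF indents it by one space.
BROKEN_LDIF = """\
dn: cn=exampleACISubentry,o=sevenSeas
changetype: add
objectclass: accessControlSubentry
prescriptiveACI: {
    identificationTag "exampleACI",
    precedence 11
}
subtreeSpecification: {}
"""
FIXED_LDIF = BROKEN_LDIF.replace("\n}\n", "\n }\n")


def unfold(ldif_text):
    """RFC 2849 unfolding: a line starting with one space continues the
    previous logical line, and only that first space is removed. Comment
    lines (starting with '#') are dropped."""
    logical = []
    for raw in ldif_text.splitlines():
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]
        else:
            logical.append(raw)
    return logical


def parse_record(ldif_text):
    """Return (attrs, bad_lines): attrs is a list of (name, value) pairs,
    bad_lines the logical lines that are neither attributes nor
    continuations. Base64 ("::") values are decoded. Unlike the Studio
    behaviour in the thread, a stray line is reported, not given a value."""
    attrs, bad_lines = [], []
    for line in unfold(ldif_text):
        if not line.strip():
            continue  # record separator
        m = ATTR_LINE.match(line)
        if m is None:
            bad_lines.append(line)
            continue
        name, sep, value = m.groups()
        if sep == "::":
            value = base64.b64decode(value).decode("utf-8")
        attrs.append((name, value))
    return attrs, bad_lines


def braces_balanced(value):
    """True if every '{' in the value has a matching '}' in order.
    Braces inside quoted strings are not special-cased (assumption)."""
    depth = 0
    for ch in value:
        if ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0


def lint_record(ldif_text):
    """Collect the problems the server would reject this record for."""
    attrs, bad_lines = parse_record(ldif_text)
    problems = [f"not an attribute line or continuation: {line!r}"
                for line in bad_lines]
    for name, value in attrs:
        if name.lower() in ("prescriptiveaci", "subtreespecification") \
                and not braces_balanced(value):
            problems.append(f"{name} value has unbalanced braces: {value!r}")
    return problems


if __name__ == "__main__":
    for label, text in (("broken", BROKEN_LDIF), ("fixed", FIXED_LDIF)):
        print(label, lint_record(text) or "OK")
```

Running it reports two problems for the broken record (the stray `}` line and the now-unterminated `prescriptiveACI` value) and none for the fixed one, which is the check to run on a hand-edited LDIF before importing it rather than trusting that the braces line up visually.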
