You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@directory.apache.org by Mark Swanson <ma...@ScheduleWorld.com> on 2007/04/18 21:07:39 UTC

Overflowing the stack with ACI

Hello,

I enabled ACI and ldapsearch now puts the server into an infinite loop:

ldapsearch -h rock -p 11389 -x -D "uid=70,dc=home2,dc=mark" -b 
"dc=home2,dc=mark" -v -W "objectClass=*"

org.apache.directory.server.core.interceptor.InterceptorException: 
Unexpected exception. [Root exception is java.lang.StackOverflowError]
     at 
org.apache.directory.server.core.interceptor.InterceptorChain.throwInterceptorException(InterceptorChain.java:1510)
     at 
org.apache.directory.server.core.interceptor.InterceptorChain.access$700(InterceptorChain.java:52)
     at 
org.apache.directory.server.core.interceptor.InterceptorChain$Entry$1.getMatchedName(InterceptorChain.java:1106)
     at 
org.apache.directory.server.core.interceptor.BaseInterceptor.getMatchedName(BaseInterceptor.java:116)
     at 
org.apache.directory.server.core.interceptor.InterceptorChain$Entry$1.getMatchedName(InterceptorChain.java:1098)
     at 
org.apache.directory.server.core.interceptor.BaseInterceptor.getMatchedName(BaseInterceptor.java:116)
     at 
org.apache.directory.server.core.interceptor.InterceptorChain$Entry$1.getMatchedName(InterceptorChain.java:1098)

Configured with this:

dn: cn=swAuthorizationRequirementsACISubentry,dc=home2,dc=mark
changetype: add
objectclass: top
objectclass: subentry
objectclass: accessControlSubentry
cn: swAuthorizationRequirementsACISubentry
subtreeSpecification: {}
prescriptiveACI: {
     identificationTag "directoryManagerFullAccessACI",
     precedence 11,
     authenticationLevel simple,
     itemOrUserFirst userFirst:
     {
       userClasses
       {
         name { "uid=44,dc=home2,dc=mark" }
       },
       userPermissions {
         {
           protectedItems { entry, allUserAttributeTypesAndValues },
           grantsAndDenials {
             grantAdd, grantDiscloseOnError, grantRead,
             grantRemove, grantBrowse, grantExport, grantImport,
             grantModify, grantRename, grantReturnDN,
             grantCompare, grantFilterMatch, grantInvoke
           }
         }
       }
     }
   }
prescriptiveACI: {
     identificationTag "allUsersACI",
     precedence 10,
     authenticationLevel none,
     itemOrUserFirst userFirst:
     {
       userClasses {
         allUsers
       },
       userPermissions {
         {
           protectedItems { entry, allUserAttributeTypesAndValues },
           grantsAndDenials { grantRead, grantBrowse, grantReturnDN,
                              grantCompare, grantFilterMatch, 
grantDiscloseOnError }
         },
         {
           protectedItems { attributeType { userPassword } },
           grantsAndDenials { denyRead, denyCompare, denyFilterMatch }
         }
       }
     }
   }

Should I log this as a bug or is my config causing this?

Cheers.

-- 
http://www.ScheduleWorld.com/
Free Google Calendar synchronization with Outlook, Evolution,
cell phones, BlackBerry, PalmOS, Exchange, Mozilla, Thunderbird,
Pocket PC/Windows Mobile. Also sync tasks, notes and contacts!
WebDAV, vfreebusy, RSS, LDAP, iCalendar, iTIP, iMIP support.

Re: Overflowing the stack with ACI

Posted by Mark Swanson <ma...@ScheduleWorld.com>.

Emmanuel Lecharny wrote:
> Mark Swanson a écrit :
> 
> Hi Mark,
> 
> feel free to open an issue, with the log, the ACI, so that we will not 
> forget to fix it.
> 
> If it's not a bug (not likely :), no problem :  we can close the JIRA 
> immediatly.

It is done. Sorry for the delay.

OT: Whoa... creating my own partition was unexpectedly difficult if you 
also want searching/filters to work well. I totally understand why this 
has been put off.

Cheers.

-- 
http://www.ScheduleWorld.com/
Free Google Calendar synchronization with Outlook, Evolution,
cell phones, BlackBerry, PalmOS, Exchange, Mozilla, Thunderbird,
Pocket PC/Windows Mobile. Also sync tasks, notes and contacts!
WebDAV, vfreebusy, RSS, LDAP, iCalendar, iTIP, iMIP support.

Re: Overflowing the stack with ACI

Posted by Emmanuel Lecharny <el...@gmail.com>.

Mark Swanson a écrit :

Hi Mark,

feel free to open an issue, with the log, the ACI, so that we will not 
forget to fix it.

If it's not a bug (not likely :), no problem :  we can close the JIRA 
immediatly.

Thanks !

> Hello,
>
> I enabled ACI and ldapsearch now puts the server into an infinite loop:
>
> ldapsearch -h rock -p 11389 -x -D "uid=70,dc=home2,dc=mark" -b 
> "dc=home2,dc=mark" -v -W "objectClass=*"
>
> org.apache.directory.server.core.interceptor.InterceptorException: 
> Unexpected exception. [Root exception is java.lang.StackOverflowError]
>     at 
> org.apache.directory.server.core.interceptor.InterceptorChain.throwInterceptorException(InterceptorChain.java:1510) 
>
>     at 
> org.apache.directory.server.core.interceptor.InterceptorChain.access$700(InterceptorChain.java:52) 
>
>     at 
> org.apache.directory.server.core.interceptor.InterceptorChain$Entry$1.getMatchedName(InterceptorChain.java:1106) 
>
>     at 
> org.apache.directory.server.core.interceptor.BaseInterceptor.getMatchedName(BaseInterceptor.java:116) 
>
>     at 
> org.apache.directory.server.core.interceptor.InterceptorChain$Entry$1.getMatchedName(InterceptorChain.java:1098) 
>
>     at 
> org.apache.directory.server.core.interceptor.BaseInterceptor.getMatchedName(BaseInterceptor.java:116) 
>
>     at 
> org.apache.directory.server.core.interceptor.InterceptorChain$Entry$1.getMatchedName(InterceptorChain.java:1098) 
>
>
> Configured with this:
>
> dn: cn=swAuthorizationRequirementsACISubentry,dc=home2,dc=mark
> changetype: add
> objectclass: top
> objectclass: subentry
> objectclass: accessControlSubentry
> cn: swAuthorizationRequirementsACISubentry
> subtreeSpecification: {}
> prescriptiveACI: {
>     identificationTag "directoryManagerFullAccessACI",
>     precedence 11,
>     authenticationLevel simple,
>     itemOrUserFirst userFirst:
>     {
>       userClasses
>       {
>         name { "uid=44,dc=home2,dc=mark" }
>       },
>       userPermissions {
>         {
>           protectedItems { entry, allUserAttributeTypesAndValues },
>           grantsAndDenials {
>             grantAdd, grantDiscloseOnError, grantRead,
>             grantRemove, grantBrowse, grantExport, grantImport,
>             grantModify, grantRename, grantReturnDN,
>             grantCompare, grantFilterMatch, grantInvoke
>           }
>         }
>       }
>     }
>   }
> prescriptiveACI: {
>     identificationTag "allUsersACI",
>     precedence 10,
>     authenticationLevel none,
>     itemOrUserFirst userFirst:
>     {
>       userClasses {
>         allUsers
>       },
>       userPermissions {
>         {
>           protectedItems { entry, allUserAttributeTypesAndValues },
>           grantsAndDenials { grantRead, grantBrowse, grantReturnDN,
>                              grantCompare, grantFilterMatch, 
> grantDiscloseOnError }
>         },
>         {
>           protectedItems { attributeType { userPassword } },
>           grantsAndDenials { denyRead, denyCompare, denyFilterMatch }
>         }
>       }
>     }
>   }
>
> Should I log this as a bug or is my config causing this?
>
> Cheers.
>