Posted to users@directory.apache.org by Pontus Freyhult <po...@soua.net> on 2014/04/23 15:55:23 UTC

Replication issues when using accessControlSubentry (with 2.0.0-M16)

  Hi all,

I'm trying to do a multi-master setup with special permissions
(access controls), but I see replication issues.

As this is multi master, any way I go about replicating both the
consumer and the provider will have an accessControlSubentry governing
the replicated area.

Log excerpt from the replication client (server where the change wasn't done):

DEBUG [org.apache.directory.server.CONSUMER_LOG] - -------------
starting handleSearchResult ------------
DEBUG [org.apache.directory.server.CONSUMER_LOG] - assigning the
cookie from sync state value control:
rid=001,csn=20140423074926.153000Z#000000#001#000000
DEBUG [org.apache.directory.server.CONSUMER_LOG] - state name MODIFY
DEBUG [org.apache.directory.server.CONSUMER_LOG] - entryUUID =
a4037097-de9a-486d-a069-2d0fe75ceda4
DEBUG [org.apache.directory.server.CONSUMER_LOG] - modifying entry
with dn uid=pontusf,ou=People,dc=uppmax,dc=uu,dc=se
ERROR [org.apache.directory.server.CONSUMER_LOG] - ERR_52 Cannot
modify the attribute : attributetype ( 1.3.6.1.4.1.18060.0.4.1.2.11
NAME 'accessControlSubentries'
    DESC 'Used to track a subentry associated with access control areas'
    EQUALITY distinguishedNameMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
    NO-USER-MODIFICATION
    USAGE directoryOperation
 )
 org.apache.directory.api.ldap.model.exception.LdapNoPermissionException:
ERR_52 Cannot modify the attribute : attributetype (
1.3.6.1.4.1.18060.0.4.1.2.11 NAME 'accessControlSubentries'
    DESC 'Used to track a subentry associated with access control areas'
    EQUALITY distinguishedNameMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
    NO-USER-MODIFICATION
    USAGE directoryOperation
 )
    at org.apache.directory.server.core.schema.SchemaInterceptor.checkModifyEntry(SchemaInterceptor.java:721)
    at org.apache.directory.server.core.schema.SchemaInterceptor.modify(SchemaInterceptor.java:1186)
    at org.apache.directory.server.core.api.interceptor.BaseInterceptor.next(BaseInterceptor.java:587)
    at org.apache.directory.server.core.hash.PasswordHashingInterceptor.modify(PasswordHashingInterceptor.java:131)
    at org.apache.directory.server.core.api.interceptor.BaseInterceptor.next(BaseInterceptor.java:587)
    at org.apache.directory.server.core.exception.ExceptionInterceptor.modify(ExceptionInterceptor.java:253)
    at org.apache.directory.server.core.api.interceptor.BaseInterceptor.next(BaseInterceptor.java:587)
    at org.apache.directory.server.core.admin.AdministrativePointInterceptor.modify(AdministrativePointInterceptor.java:1456)
    at org.apache.directory.server.core.api.interceptor.BaseInterceptor.next(BaseInterceptor.java:587)
    at org.apache.directory.server.core.authz.DefaultAuthorizationInterceptor.modify(DefaultAuthorizationInterceptor.java:277)
    at org.apache.directory.server.core.api.interceptor.BaseInterceptor.next(BaseInterceptor.java:587)
    at org.apache.directory.server.core.authz.AciAuthorizationInterceptor.modify(AciAuthorizationInterceptor.java:820)
    at org.apache.directory.server.core.api.interceptor.BaseInterceptor.next(BaseInterceptor.java:587)
    at org.apache.directory.server.core.referral.ReferralInterceptor.modify(ReferralInterceptor.java:319)
    at org.apache.directory.server.core.api.interceptor.BaseInterceptor.next(BaseInterceptor.java:587)
    at org.apache.directory.server.core.authn.AuthenticationInterceptor.modify(AuthenticationInterceptor.java:834)
    at org.apache.directory.server.core.api.interceptor.BaseInterceptor.next(BaseInterceptor.java:587)
    at org.apache.directory.server.core.normalization.NormalizationInterceptor.modify(NormalizationInterceptor.java:216)
    at org.apache.directory.server.core.DefaultOperationManager.modify(DefaultOperationManager.java:883)
    at org.apache.directory.server.ldap.replication.consumer.ReplicationConsumerImpl.modify(ReplicationConsumerImpl.java:1215)
    at org.apache.directory.server.ldap.replication.consumer.ReplicationConsumerImpl.handleSearchResultEntry(ReplicationConsumerImpl.java:416)
    at org.apache.directory.server.ldap.replication.consumer.ReplicationConsumerImpl.doSyncSearch(ReplicationConsumerImpl.java:778)
    at org.apache.directory.server.ldap.replication.consumer.ReplicationConsumerImpl.startSync(ReplicationConsumerImpl.java:565)
    at org.apache.directory.server.ldap.LdapServer$2.run(LdapServer.java:739)
    at java.lang.Thread.run(Thread.java:744)
DEBUG [org.apache.directory.server.CONSUMER_LOG] - -------------
Ending handleSearchResult ------------

I would have expected these to go away after setting
ads-replattributes for the consumer (and restarting), but that didn't
seem to affect it. That seems odd, but I really don't want to list all
the attributes to replicate anyway so I haven't investigated further.

Looking at protocol-ldap/src/main/java/org/apache/directory/server/ldap/replication/consumer/ReplicationConsumerImpl.java
in directory-server, the obvious fix seems to be adding a
SchemaConstants.ACCESS_CONTROL_SUBENTRIES_AT in MOD_IGNORE_AT as I can
see no reason these should ever be replicated.

Am I missing something or should I just go ahead and file a bug about this?

cheers, Pontus
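The failure above is the schema interceptor refusing a replicated modify that carries the operational, NO-USER-MODIFICATION attribute accessControlSubentries; the proposed fix is to have the consumer skip such attributes before applying the modify. As an added illustration (Python, not ApacheDS's own Java code, and not its MOD_IGNORE_AT list), the block below parses the attributeType definition quoted in the log, derives the set of attributes a consumer must never try to write from the NO-USER-MODIFICATION flag, and filters a constructed modify accordingly; all function names, the 'mail' contrast definition and the sample modify values are assumptions made for this example.

```python
import re

# Constructed sample: the attributeType definition quoted in the consumer log above.
ACCESS_CONTROL_SUBENTRIES_AT = """attributetype ( 1.3.6.1.4.1.18060.0.4.1.2.11
    NAME 'accessControlSubentries'
    DESC 'Used to track a subentry associated with access control areas'
    EQUALITY distinguishedNameMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
    NO-USER-MODIFICATION
    USAGE directoryOperation )"""

# Constructed contrast case: the standard 'mail' user attribute (RFC 4524 OID).
MAIL_AT = """attributetype ( 0.9.2342.19200300.100.1.3 NAME 'mail'
    EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )"""

# Constructed modify, as a consumer would build it from a replicated entry;
# the subentry DN is a placeholder, not a value from the thread.
SAMPLE_MODS = [
    ("replace", "mail", ["user@example.org"]),
    ("replace", "accessControlSubentries", ["cn=placeholder-aci,dc=example,dc=org"]),
]

def parse_attribute_type(defn):
    """Pull out of an RFC 4512 attributeType definition the fields that matter
    here: OID, names, USAGE and whether NO-USER-MODIFICATION is set."""
    body = re.search(r"\(\s*(.*)\)\s*$", defn, re.S).group(1)
    name_part = re.search(r"NAME\s+(\([^)]*\)|'[^']*')", body).group(1)
    usage = re.search(r"USAGE\s+(\w+)", body)
    return {
        "oid": body.split()[0],
        "names": [n.lower() for n in re.findall(r"'([^']*)'", name_part)],
        "usage": usage.group(1) if usage else "userApplications",
        "no_user_modification": bool(re.search(r"\bNO-USER-MODIFICATION\b", body)),
    }

def build_ignore_set(schema_defs):
    """Attribute names a replication consumer must never try to write: the
    operational NO-USER-MODIFICATION ones, accessControlSubentries included."""
    ignore = set()
    for at in map(parse_attribute_type, schema_defs):
        if at["no_user_modification"]:
            ignore.update(at["names"])
    return ignore

def filter_replicated_mods(mods, ignore):
    """Drop (op, attribute, values) items that touch an ignored attribute, so the
    remaining modify no longer trips the schema interceptor's ERR_52 check."""
    return [m for m in mods if m[1].lower() not in ignore]
```

Deriving the ignore set from the schema flag rather than from a hand-kept list means any other NO-USER-MODIFICATION attribute the provider happens to send is skipped too.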

Re: Replication issues when using accessControlSubentry (with 2.0.0-M16)

Posted by Kiran Ayyagari <ka...@apache.org>.
Hi Pontus,

  I have committed a fix in the trunk, see
https://issues.apache.org/jira/browse/DIRSERVER-1971 for
  more details.

  thanks for reporting.



On Wed, Apr 23, 2014 at 7:25 PM, Pontus Freyhult
<po...@soua.net> wrote:




-- 
Kiran Ayyagari
http://keydap.com