Posted to users@directory.apache.org by Wayne Johnson <wj...@mqsoftware.com> on 2007/08/07 23:01:34 UTC

When do changes to ACI take effect?

Our application allows an administrator to change the ACI to allow or disallow users access to some data.  It seems to me that when we make changes to the prescriptiveACI, it doesn't seem to take effect till we restart the LDAP service.  Is this intentional?  Is there a way to force it to be refreshed?

Wayne Johnson 
Senior Software Engineer 
MQSoftware, Inc. 
1660 S Highway 100 
Minneapolis, MN 55416 
(952) 345-8628 

 

RE: Where can I find a apacheds-1.0.2 snapshot (was: RE: When do changes to ACI take effect?)

Posted by Wayne Johnson <wj...@mqsoftware.com>.
I had tried that, but your fix seems to have cleared that up.  Thanks.

> -----Original Message-----
> From: chris.custine@gmail.com [mailto:chris.custine@gmail.com] On Behalf Of Chris Custine
> Sent: Thursday, August 09, 2007 9:46 AM
> To: users@directory.apache.org
> Cc: elecharny@iktek.com
> Subject: Re: Where can I find a apacheds-1.0.2 snapshot (was: RE: When
> do changes to ACI take effect?)
> 
> 
> Hi Wayne,
> You can run "mvn package" in the server-installers project and in the
> server-installers/target/images directory you will find all of the install
> images for each platform and daemon type, so which one you use depends on
> which one you based your product on.  I also just checked in a fix to the
> 1.0.3-SNAPSHOT code that will disable downloading of the source for the
> installer packages so this should speed up building the installers.
> 
> Thanks,
> Chris
> 

Re: Where can I find a apacheds-1.0.2 snapshot (was: RE: When do changes to ACI take effect?)

Posted by Chris Custine <cc...@apache.org>.
Hi Wayne,
You can run "mvn package" in the server-installers project and in the
server-installers/target/images directory you will find all of the install
images for each platform and daemon type, so which one you use depends on
which one you based your product on.  I also just checked in a fix to the
1.0.3-SNAPSHOT code that will disable downloading of the source for the
installer packages so this should speed up building the installers.

Thanks,
Chris

On 8/9/07, Wayne Johnson <wj...@mqsoftware.com> wrote:
>
> Already started.  Thanks.
>
> One question:
>
> We embed ApacheDS.  I'd rather not have to go through the step of creating
> an install package, only to have to install it and copy over the files.  The
> main install goal only appears to leave the jars in various target
> directories.  Is there a goal that will give simply an image of what the
> installed package will look like?  Something with the lib directory already
> assembled?
>
> Thanks for everyone's help.
>

RE: Where can I find a apacheds-1.0.2 snapshot (was: RE: When do changes to ACI take effect?)

Posted by Wayne Johnson <wj...@mqsoftware.com>.
Already started.  Thanks.

One question:

We embed ApacheDS.  I'd rather not have to go through the step of creating an install package, only to have to install it and copy over the files.  The main install goal only appears to leave the jars in various target directories.  Is there a goal that will give simply an image of what the installed package will look like?  Something with the lib directory already assembled?

Thanks for everyone's help.

> -----Original Message-----
> From: Emmanuel Lecharny [mailto:elecharny@gmail.com]
> Sent: Thursday, August 09, 2007 4:41 AM
> To: users@directory.apache.org
> Subject: Re: Where can I find a apacheds-1.0.2 snapshot (was: RE: When
> do changes to ACI take effect?)
> 
> 
> Hi Wayne,
> 
> We don't produce nightly builds. I'm sorry to say that you will have to
> build the snapshot by yourself, but this should not be a difficult
> task:
> 
> http://directory.apache.org/apacheds/1.0/building.html
> 
> If you have any problem building the project, just post a mail, we will
> provide help!
> 
> Emmanuel
> 

Re: Where can I find a apacheds-1.0.2 snapshot (was: RE: When do changes to ACI take effect?)

Posted by Emmanuel Lecharny <el...@gmail.com>.
Hi Wayne,

We don't produce nightly builds. I'm sorry to say that you will have to
build the snapshot by yourself, but this should not be a difficult
task:

http://directory.apache.org/apacheds/1.0/building.html

If you have any problem building the project, just post a mail, we will
provide help!

Emmanuel

On 8/8/07, Wayne Johnson <wj...@mqsoftware.com> wrote:
> Forgive me for reposting this, but I'm hoping the change in subject will get a few more people to look, and I'm in a crunch.
>
> I need a snapshot build of ApacheDS 1.0.2 with the current fixes.  Is there a nightly build posted someplace?  I'd rather not have to build it myself.
>
>
> Thanks.
>


-- 
Regards,
Cordialement,
Emmanuel Lécharny
www.iktek.com

Where can I find a apacheds-1.0.2 snapshot (was: RE: When do changes to ACI take effect?)

Posted by Wayne Johnson <wj...@mqsoftware.com>.
Forgive me for reposting this, but I'm hoping the change in subject will get a few more people to look, and I'm in a crunch.

I need a snapshot build of ApacheDS 1.0.2 with the current fixes.  Is there a nightly build posted someplace?  I'd rather not have to build it myself.


Thanks.

> -----Original Message-----
> From: Wayne Johnson 
> Sent: Wednesday, August 08, 2007 8:47 AM
> To: 'users@directory.apache.org'
> Subject: RE: When do changes to ACI take effect?
> 
> 
> OK, thanks.  Where can I download the snapshot from?  I don't
> see it in the regular location.
> 

RE: When do changes to ACI take effect?

Posted by Wayne Johnson <wj...@mqsoftware.com>.
OK, thanks.  Where can I download the snapshot from?  I don't see it in the regular location.

> -----Original Message-----
> From: Ersin Er [mailto:ersin.er@gmail.com]
> Sent: Wednesday, August 08, 2007 8:37 AM
> To: users@directory.apache.org
> Subject: Re: When do changes to ACI take effect?
> 
> 
> On 8/8/07, Wayne Johnson <wj...@mqsoftware.com> wrote:
> >
> > We're using 1.0.2.
> >
> > That does look like the issue though.  I dislike switching releases at
> > this point (we're releasing our product in 2 weeks).  Is there any sort of a
> > bypass besides picking up the new code?
> 
> 
> I don't think that you can simply fix this on a previous version with some
> tricks. As it's all open source you may apply the patches to your own custom
> version of ApacheDS if you wish.
> 

Re: When do changes to ACI take effect?

Posted by Ersin Er <er...@gmail.com>.
On 8/8/07, Wayne Johnson <wj...@mqsoftware.com> wrote:
>
> We're using 1.0.2.
>
> That does look like the issue though.  I dislike switching releases at
> this point (we're releasing our product in 2 weeks).  Is there any sort of a
> bypass besides picking up the new code?


I don't think that you can simply fix this on a previous version with some
tricks. As it's all open source you may apply the patches to your own custom
version of ApacheDS if you wish.




-- 
Ersin Er

R.A. and Ph.D Student at the Dept. of Computer Eng. in Hacettepe University
http://www.cs.hacettepe.edu.tr

Committer and PMC Member of The Apache Directory Project
http://directory.apache.org
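
Added example (not part of the original thread, and not ApacheDS code): a check an administrator could run alongside the kind of prescriptiveACI replace discussed in this thread. It parses the old and new ACIItem values and lists which named users lose access; those are the accounts to re-test right after the modify, since Wayne reports that on 1.0.2 the old permissions stayed in force until a restart. The function names are made up for the example, the parser covers only the ACIItem subset seen here, and the two values are the ones Wayne posted with whitespace compacted.

```python
import re

# One token: a double-quoted string, a punctuation mark, or a bare word/number.
TOKEN = re.compile(r'\s*(?:"((?:[^"\\]|\\.)*)"|([{},:])|([^\s{},:"]+))')


def tokenize(text):
    """Split ACIItem text into ('str' | 'punct' | 'word', value) tuples."""
    text, pos, tokens = text.rstrip(), 0, []
    while pos < len(text):
        m = TOKEN.match(text, pos)
        if m is None:
            raise ValueError("cannot tokenize ACIItem at offset %d" % pos)
        kind = ("str", "punct", "word")[m.lastindex - 1]
        tokens.append((kind, m.group(m.lastindex)))
        pos = m.end()
    return tokens


def parse_block(tokens, i=0):
    """Parse the '{ ... }' that starts at tokens[i]; return (block, next_i).

    A block is a list of comma-separated elements; an element is a list of
    tokens and nested blocks. Raises ValueError on unbalanced braces.
    """
    if i >= len(tokens) or tokens[i] != ("punct", "{"):
        raise ValueError("expected '{' at token %d" % i)
    i += 1
    block, element = [], []
    while i < len(tokens):
        tok = tokens[i]
        if tok == ("punct", "{"):
            nested, i = parse_block(tokens, i)
            element.append(nested)
            continue
        i += 1
        if tok == ("punct", "}"):
            if element:
                block.append(element)
            return block, i
        if tok == ("punct", ","):
            block.append(element)
            element = []
        elif tok != ("punct", ":"):
            element.append(tok)
    raise ValueError("unbalanced braces in ACIItem")


def find_blocks(block, keyword):
    """Yield every nested block that directly follows the word `keyword`."""
    for element in block:
        for idx, item in enumerate(element):
            if isinstance(item, list):
                yield from find_blocks(item, keyword)
            elif (item == ("word", keyword) and idx + 1 < len(element)
                  and isinstance(element[idx + 1], list)):
                yield element[idx + 1]


def normalize_dn(dn):
    """Simplified comparison key: trim spaces around ',' and '=', lower-case.
    Escaped separators inside attribute values are not handled."""
    return re.sub(r"\s*([,=])\s*", r"\1", dn.strip()).lower()


def named_principals(aci_text):
    """Return the normalized DNs listed under userClasses { name { ... } }."""
    tokens = tokenize(aci_text)
    tree, end = parse_block(tokens)
    if end != len(tokens):
        raise ValueError("unexpected text after the closing brace")
    names = set()
    for user_classes in find_blocks(tree, "userClasses"):
        for name_block in find_blocks(user_classes, "name"):
            for element in name_block:
                names.update(normalize_dn(item[1]) for item in element
                             if isinstance(item, tuple) and item[0] == "str")
    return names


def principal_diff(before, after):
    """Compare two ACIItem values and report who was revoked or added."""
    old, new = named_principals(before), named_principals(after)
    return {"revoked": sorted(old - new), "added": sorted(new - old),
            "unchanged": sorted(old & new)}


# The ACIItem from the thread, whitespace compacted; %s is the name list.
ACI_TEMPLATE = """{
  identificationTag "userAdminPermissions", precedence 16,
  authenticationLevel simple,
  itemOrUserFirst userFirst: {
    userClasses { name { %s } },
    userPermissions { {
      protectedItems { entry, allUserAttributeTypesAndValues },
      grantsAndDenials { grantAdd, grantDiscloseOnError, grantRead,
        grantRemove, grantBrowse, grantExport, grantImport, grantModify,
        grantRename, grantReturnDN, grantCompare, grantFilterMatch,
        grantInvoke } } } } }"""
SUFFIX = ",ou=users,dc=mqsoftware,dc=com"
BEFORE_ACI = ACI_TEMPLATE % ", ".join(
    '"cn=%s%s"' % (u, SUFFIX) for u in ("SA", "fred", "BrowserService"))
AFTER_ACI = ACI_TEMPLATE % ", ".join(
    '"cn=%s%s"' % (u, SUFFIX) for u in ("BrowserService", "SA"))

if __name__ == "__main__":
    for dn in principal_diff(BEFORE_ACI, AFTER_ACI)["revoked"]:
        print("re-test immediately after the modify, expect denial:", dn)
```

For each revoked DN, a bind and search as that user right after the modify (the ldapsearch check Wayne describes) shows whether the server is enforcing the new ACI or still the old one.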

RE: When do changes to ACI take effect?

Posted by Wayne Johnson <wj...@mqsoftware.com>.
We're using 1.0.2.  

That does look like the issue though.  I dislike switching releases at this point (we're releasing our product in 2 weeks).  Is there any sort of a bypass besides picking up the new code?

> -----Original Message-----
> From: Ersin Er [mailto:ersin.er@gmail.com]
> Sent: Tuesday, August 07, 2007 4:45 PM
> To: users@directory.apache.org
> Subject: Re: When do changes to ACI take effect?
> 
> 
> BTW, which version of ApacheDS are you using? I had recently fixed such a
> bug:
> 
> https://issues.apache.org/jira/browse/DIRSERVER-988
> 
> On 8/8/07, Wayne Johnson <wj...@mqsoftware.com> wrote:
> >
> > We start out with an automatically read in LDIF file that has:
> >
> > # This ACI allows an Admin to read and modify everything for all users
> > dn: cn=userAdminPermissions,ou=users,dc=mqsoftware,dc=com
> > objectClass: top
> > objectClass: subentry
> > objectClass: accessControlSubentry
> > cn: userAdminPermissions
> > subtreeSpecification: {}
> > prescriptiveACI: {
> >   identificationTag "userAdminPermissions",
> >   precedence 16,
> >   authenticationLevel simple,
> >   itemOrUserFirst userFirst: {
> >     userClasses {
> >       name {
> >         "cn=SA,ou=users,dc=mqsoftware,dc=com",
> >         "cn=fred,ou=users,dc=mqsoftware,dc=com",
> >         "cn=BrowserService,ou=users,dc=mqsoftware,dc=com"
> >       }
> >     },
> >     userPermissions
> >     {
> >       {
> >         protectedItems { entry, allUserAttributeTypesAndValues },
> >         grantsAndDenials { grantAdd, grantDiscloseOnError, grantRead,
> >           grantRemove, grantBrowse, grantExport, grantImport, grantModify,
> >           grantRename, grantReturnDN, grantCompare, grantFilterMatch,
> >           grantInvoke }
> >       }
> >     }
> >   }
> > }
> >
> > I can then do an ldapsearch from users fred and bert and fred shows full
> > access to the user information and bert (who isn't in the Admin list) can
> > not.
> >
> > Now the program rewrites the prescriptiveACI with:
> >
> > 2007-08-07 15:41:57,437 [btpool0-1] com.mqsoftware.ws.SWSLdapIETF DEBUG  -
> > [Client File=SWSLdapIETF.java, Line=835] Updating
> > cn=userAdminPermissions,ou=users,dc=mqsoftware,dc=com with:
> > LDAPModification: (operation=replace,(LDAPAttribute:
> > {type='prescriptiveACI', value='{
> >   identificationTag "userAdminPermissions",
> >   precedence 16,
> >   authenticationLevel simple,
> >   itemOrUserFirst userFirst: {
> >   userClasses {
> >       name {
> >           "cn=BrowserService,ou=users,dc=mqsoftware,dc=com",
> >           "cn=SA,ou=users,dc=mqsoftware,dc=com"
> >       }
> >   },
> >   userPermissions
> >   {
> >       {
> >           protectedItems { entry, allUserAttributeTypesAndValues },
> >           grantsAndDenials { grantAdd, grantDiscloseOnError, grantRead,
> >           grantRemove, grantBrowse, grantExport, grantImport, grantModify,
> >           grantRename, grantReturnDN, grantCompare, grantFilterMatch,
> >           grantInvoke }
> >       }
> >   }
> > }
> > }
> > '}))
> >
> > At this point, fred still can see the user info.  I checked the apacheds
> > logs and don't see any exceptions.  When I restart the service, things start
> > working right (fred no longer has access).
> >
> > Is there a place where I can upload the full LDIF file?  It's 411 lines
> > long.
> >
> > Thanks.
> >
> > > -----Original Message-----
> > > From: Ersin Er [mailto:ersin.er@gmail.com]
> > > Sent: Tuesday, August 07, 2007 4:12 PM
> > > To: users@directory.apache.org
> > > Subject: Re: When do changes to ACI take effect?
> > >
> > >
> > > Hi,
> > >
> > > This is not intentional. Can you please give an example? Or
> > > even a test
> > > case?
> > >
> > > On 8/8/07, Wayne Johnson <wj...@mqsoftware.com> wrote:
> > > >
> > > > Our application allows an administrator to change the ACI to allow or
> > > > disallow users access to some data.  It seems to me that when we make
> > > > changes to the prescriptiveACI, it doesn't seem to take effect till we
> > > > restart the LDAP service.  Is this intentional?  Is there a way to force it
> > > > to be refreshed?
> > > >
> > > > Wayne Johnson
> > > > Senior Software Engineer
> > > > MQSoftware, Inc.
> > > > 1660 S Highway 100
> > > > Minneapolis, MN 55416
> > > > (952) 345-8628
> > > >
> > > >
> > > >
> > >
> > >
> > > --
> > > Ersin Er
> > >
> > > R.A. and Ph.D Student at the Dept. of Computer Eng. in
> > > Hacettepe University
> > > http://www.cs.hacettepe.edu.tr
> > >
> > > Committer and PMC Member of The Apache Directory Project
> > > http://directory.apache.org
> > >
> > >
> >
> 
> 
> 
> -- 
> Ersin Er
> 
> R.A. and Ph.D Student at the Dept. of Computer Eng. in 
> Hacettepe University
> http://www.cs.hacettepe.edu.tr
> 
> Committer and PMC Member of The Apache Directory Project
> http://directory.apache.org
> 
> 

Re: When do changes to ACI take effect?

Posted by Ersin Er <er...@gmail.com>.
BTW, which version of ApacheDS are you using? I had recently fixed such a
bug:

https://issues.apache.org/jira/browse/DIRSERVER-988

On 8/8/07, Wayne Johnson <wj...@mqsoftware.com> wrote:
>
> We start out with an automatically read in LDIF file that has:
>
> # This ACI allows an Admin to read and modify everything for all users
> dn: cn=userAdminPermissions,ou=users,dc=mqsoftware,dc=com
> objectClass: top
> objectClass: subentry
> objectClass: accessControlSubentry
> cn: userAdminPermissions
> subtreeSpecification: {}
> prescriptiveACI: {
>   identificationTag "userAdminPermissions",
>   precedence 16,
>   authenticationLevel simple,
>   itemOrUserFirst userFirst: {
>     userClasses {
>       name {
>         "cn=SA,ou=users,dc=mqsoftware,dc=com",
>         "cn=fred,ou=users,dc=mqsoftware,dc=com",
>         "cn=BrowserService,ou=users,dc=mqsoftware,dc=com"
>       }
>     },
>     userPermissions
>     {
>       {
>         protectedItems { entry, allUserAttributeTypesAndValues },
>         grantsAndDenials { grantAdd, grantDiscloseOnError, grantRead,
>           grantRemove, grantBrowse, grantExport, grantImport, grantModify,
>           grantRename, grantReturnDN, grantCompare, grantFilterMatch,
>           grantInvoke }
>       }
>     }
>   }
> }
>
> I can then do an ldapsearch from users fred and bert and fred shows full
> access to the user information and bert (who isn't in the Admin list) can
> not.
>
> Now the program rewrites the prescriptiveACI with:
>
> 2007-08-07 15:41:57,437 [btpool0-1] com.mqsoftware.ws.SWSLdapIETF DEBUG  -
> [Client File=SWSLdapIETF.java, Line=835] Updating
> cn=userAdminPermissions,ou=users,dc=mqsoftware,dc=com with:
> LDAPModification: (operation=replace,(LDAPAttribute:
> {type='prescriptiveACI', value='{
>   identificationTag "userAdminPermissions",
>   precedence 16,
>   authenticationLevel simple,
>   itemOrUserFirst userFirst: {
>   userClasses {
>       name {
>           "cn=BrowserService,ou=users,dc=mqsoftware,dc=com",
>           "cn=SA,ou=users,dc=mqsoftware,dc=com"
>       }
>   },
>   userPermissions
>   {
>       {
>           protectedItems { entry, allUserAttributeTypesAndValues },
>           grantsAndDenials { grantAdd, grantDiscloseOnError, grantRead,
>           grantRemove, grantBrowse, grantExport, grantImport, grantModify,
>           grantRename, grantReturnDN, grantCompare, grantFilterMatch,
>           grantInvoke }
>       }
>   }
> }
> }
> '}))
>
> At this point, fred still can see the user info.  I checked the apacheds
> logs and don't see any exceptions.  When I restart the service, things start
> working right (fred no longer has access).
>
> Is there a place where I can upload the full LDIF file?  It's 411 lines
> long.
>
> Thanks.
>
> > -----Original Message-----
> > From: Ersin Er [mailto:ersin.er@gmail.com]
> > Sent: Tuesday, August 07, 2007 4:12 PM
> > To: users@directory.apache.org
> > Subject: Re: When do changes to ACI take effect?
> >
> >
> > Hi,
> >
> > This is not intentional. Can you please give an example? Or
> > even a test
> > case?
> >
> > On 8/8/07, Wayne Johnson <wj...@mqsoftware.com> wrote:
> > >
> > > Our application allows an administrator to change the ACI to allow or
> > > disallow users access to some data.  It seems to me that when we make
> > > changes to the prescriptiveACI, it doesn't seem to take effect till we
> > > restart the LDAP service.  Is this intentional?  Is there a way to force it
> > > to be refreshed?
> > >
> > > Wayne Johnson
> > > Senior Software Engineer
> > > MQSoftware, Inc.
> > > 1660 S Highway 100
> > > Minneapolis, MN 55416
> > > (952) 345-8628
> > >
> > >
> > >
> >
> >
> > --
> > Ersin Er
> >
> > R.A. and Ph.D Student at the Dept. of Computer Eng. in
> > Hacettepe University
> > http://www.cs.hacettepe.edu.tr
> >
> > Committer and PMC Member of The Apache Directory Project
> > http://directory.apache.org
> >
> >
>



-- 
Ersin Er

R.A. and Ph.D Student at the Dept. of Computer Eng. in Hacettepe University
http://www.cs.hacettepe.edu.tr

Committer and PMC Member of The Apache Directory Project
http://directory.apache.org

RE: When do changes to ACI take effect?

Posted by Wayne Johnson <wj...@mqsoftware.com>.
We're using the stable 1.0.2.

> -----Original Message-----
> From: Markus Pohle [mailto:apacheds.users@webunity.de]
> Sent: Tuesday, August 07, 2007 4:43 PM
> To: users@directory.apache.org
> Cc: Wayne Johnson
> Subject: RE: When do changes to ACI take effect?
> 
> 
> 
> Hi Wayne,
> 
> what version of apacheds are you using?
> 
> The problem you describe looks to me similar to this one:
> http://issues.apache.org/jira/browse/DIRSERVER-1001
> 
> If you do not use the newest 1.5.1-snapshot build or the newest 1.0.2-snapshot,
> try to build from trunk.
> 
> HTH
> Markus
> 
> 
> Quoting Wayne Johnson <wj...@mqsoftware.com>:
> 
> > We start out with an automatically read in LDIF file that has:
> >
> > # This ACI allows an Admin to read and modify everything for all users
> > dn: cn=userAdminPermissions,ou=users,dc=mqsoftware,dc=com
> > objectClass: top
> > objectClass: subentry
> > objectClass: accessControlSubentry
> > cn: userAdminPermissions
> > subtreeSpecification: {}
> > prescriptiveACI: {
> >   identificationTag "userAdminPermissions",
> >   precedence 16,
> >   authenticationLevel simple,
> >   itemOrUserFirst userFirst: {
> >     userClasses {
> >       name {
> >         "cn=SA,ou=users,dc=mqsoftware,dc=com",
> >         "cn=fred,ou=users,dc=mqsoftware,dc=com",
> >         "cn=BrowserService,ou=users,dc=mqsoftware,dc=com"
> >       }
> >     },
> >     userPermissions
> >     {
> >       {
> >         protectedItems { entry, allUserAttributeTypesAndValues },
> >         grantsAndDenials { grantAdd, grantDiscloseOnError, grantRead,
> >           grantRemove, grantBrowse, grantExport, grantImport, grantModify,
> >           grantRename, grantReturnDN, grantCompare, grantFilterMatch,
> >           grantInvoke }
> >       }
> >     }
> >   }
> >  }
> >
> > I can then do an ldapsearch from users fred and bert and fred shows
> > full access to the user information and bert (who isn't in the Admin
> > list) can not.
> >
> > Now the program rewrites the prescriptiveACI with:
> >
> > 2007-08-07 15:41:57,437 [btpool0-1] com.mqsoftware.ws.SWSLdapIETF   
> > DEBUG  - [Client File=SWSLdapIETF.java, Line=835] Updating   
> > cn=userAdminPermissions,ou=users,dc=mqsoftware,dc=com with:
> > LDAPModification: (operation=replace,(LDAPAttribute:   
> > {type='prescriptiveACI', value='{
> >   identificationTag "userAdminPermissions",
> >   precedence 16,
> >   authenticationLevel simple,
> >   itemOrUserFirst userFirst: {
> >   userClasses {
> >       name {
> >           "cn=BrowserService,ou=users,dc=mqsoftware,dc=com",
> >           "cn=SA,ou=users,dc=mqsoftware,dc=com"
> >       }
> >   },
> >   userPermissions
> >   {
> >       {
> >           protectedItems { entry, allUserAttributeTypesAndValues },
> >           grantsAndDenials { grantAdd, grantDiscloseOnError, grantRead,
> >           grantRemove, grantBrowse, grantExport, grantImport, grantModify,
> >           grantRename, grantReturnDN, grantCompare, grantFilterMatch,
> >           grantInvoke }
> >       }
> >   }
> >  }
> > }
> > '}))
> >
> > At this point, fred still can see the user info.  I checked the
> > apacheds logs and don't see any exceptions.  When I restart the
> > service, things start working right (fred no longer has access).
> >
> > Is there a place where I can upload the full LDIF file?  It's 411 lines long.
> >
> > Thanks.
> >
> >> -----Original Message-----
> >> From: Ersin Er [mailto:ersin.er@gmail.com]
> >> Sent: Tuesday, August 07, 2007 4:12 PM
> >> To: users@directory.apache.org
> >> Subject: Re: When do changes to ACI take effect?
> >>
> >>
> >> Hi,
> >>
> >> This is not intentional. Can you please give an example? Or
> >> even a test
> >> case?
> >>
> >> On 8/8/07, Wayne Johnson <wj...@mqsoftware.com> wrote:
> >> >
> >> > Our application allows an administrator to change the ACI to allow or
> >> > disallow users access to some data.  It seems to me that when we make
> >> > changes to the prescriptiveACI, it doesn't seem to take effect till we
> >> > restart the LDAP service.  Is this intentional?  Is there a way to force it
> >> > to be refreshed?
> >> >
> >> > Wayne Johnson
> >> > Senior Software Engineer
> >> > MQSoftware, Inc.
> >> > 1660 S Highway 100
> >> > Minneapolis, MN 55416
> >> > (952) 345-8628
> >> >
> >> >
> >> >
> >>
> >>
> >> --
> >> Ersin Er
> >>
> >> R.A. and Ph.D Student at the Dept. of Computer Eng. in
> >> Hacettepe University
> >> http://www.cs.hacettepe.edu.tr
> >>
> >> Committer and PMC Member of The Apache Directory Project
> >> http://directory.apache.org
> >>
> >>
> >
> 
> 
> 
> 
> 
> 

RE: When do changes to ACI take effect?

Posted by Markus Pohle <ap...@webunity.de>.
Hi Wayne,

what version of apacheds are you using?

The problem you describe looks to me similar to this one:
http://issues.apache.org/jira/browse/DIRSERVER-1001

If you do not use the newest 1.5.1-snapshot build or the newest 1.0.2-snapshot,
try to build from trunk.

HTH
Markus


Quoting Wayne Johnson <wj...@mqsoftware.com>:

> We start out with an automatically read in LDIF file that has:
>
> # This ACI allows an Admin to read and modify everything for all users
> dn: cn=userAdminPermissions,ou=users,dc=mqsoftware,dc=com
> objectClass: top
> objectClass: subentry
> objectClass: accessControlSubentry
> cn: userAdminPermissions
> subtreeSpecification: {}
> prescriptiveACI: {
>   identificationTag "userAdminPermissions",
>   precedence 16,
>   authenticationLevel simple,
>   itemOrUserFirst userFirst: {
>     userClasses {
>       name {
>         "cn=SA,ou=users,dc=mqsoftware,dc=com",
>         "cn=fred,ou=users,dc=mqsoftware,dc=com",
>         "cn=BrowserService,ou=users,dc=mqsoftware,dc=com"
>       }
>     },
>     userPermissions
>     {
>       {
>         protectedItems { entry, allUserAttributeTypesAndValues },
>         grantsAndDenials { grantAdd, grantDiscloseOnError, grantRead,
>           grantRemove, grantBrowse, grantExport, grantImport, grantModify,
>           grantRename, grantReturnDN, grantCompare, grantFilterMatch,
>           grantInvoke }
>       }
>     }
>   }
>  }
>
> I can then do an ldapsearch from users fred and bert and fred shows   
> full access to the user information and bert (who isn't in the Admin  
>  list) can not.
>
> Now the program rewrites the prescriptiveACI with:
>
> 2007-08-07 15:41:57,437 [btpool0-1] com.mqsoftware.ws.SWSLdapIETF   
> DEBUG  - [Client File=SWSLdapIETF.java, Line=835] Updating   
> cn=userAdminPermissions,ou=users,dc=mqsoftware,dc=com with:
> LDAPModification: (operation=replace,(LDAPAttribute:   
> {type='prescriptiveACI', value='{
>   identificationTag "userAdminPermissions",
>   precedence 16,
>   authenticationLevel simple,
>   itemOrUserFirst userFirst: {
>   userClasses {
>       name {
>           "cn=BrowserService,ou=users,dc=mqsoftware,dc=com",
>           "cn=SA,ou=users,dc=mqsoftware,dc=com"
>       }
>   },
>   userPermissions
>   {
>       {
>           protectedItems { entry, allUserAttributeTypesAndValues },
>           grantsAndDenials { grantAdd, grantDiscloseOnError, grantRead,
>           grantRemove, grantBrowse, grantExport, grantImport, grantModify,
>           grantRename, grantReturnDN, grantCompare, grantFilterMatch,
>           grantInvoke }
>       }
>   }
>  }
> }
> '}))
>
> At this point, fred still can see the user info.  I checked the
> apacheds logs and don't see any exceptions.  When I restart the
> service, things start working right (fred no longer has access).
>
> Is there a place where I can upload the full LDIF file?  It's 411 lines long.
>
> Thanks.
>
>> -----Original Message-----
>> From: Ersin Er [mailto:ersin.er@gmail.com]
>> Sent: Tuesday, August 07, 2007 4:12 PM
>> To: users@directory.apache.org
>> Subject: Re: When do changes to ACI take effect?
>>
>>
>> Hi,
>>
>> This is not intentional. Can you please give an example? Or
>> even a test
>> case?
>>
>> On 8/8/07, Wayne Johnson <wj...@mqsoftware.com> wrote:
>> >
>> > Our application allows an administrator to change the ACI to allow or
>> > disallow users access to some data.  It seems to me that when we make
>> > changes to the prescriptiveACI, it doesn't seem to take effect till we
>> > restart the LDAP service.  Is this intentional?  Is there a way to force it
>> > to be refreshed?
>> >
>> > Wayne Johnson
>> > Senior Software Engineer
>> > MQSoftware, Inc.
>> > 1660 S Highway 100
>> > Minneapolis, MN 55416
>> > (952) 345-8628
>> >
>> >
>> >
>>
>>
>> --
>> Ersin Er
>>
>> R.A. and Ph.D Student at the Dept. of Computer Eng. in
>> Hacettepe University
>> http://www.cs.hacettepe.edu.tr
>>
>> Committer and PMC Member of The Apache Directory Project
>> http://directory.apache.org
>>
>>
>






RE: When do changes to ACI take effect?

Posted by Wayne Johnson <wj...@mqsoftware.com>.
We start out with an automatically read in LDIF file that has:

# This ACI allows an Admin to read and modify everything for all users
dn: cn=userAdminPermissions,ou=users,dc=mqsoftware,dc=com
objectClass: top
objectClass: subentry
objectClass: accessControlSubentry
cn: userAdminPermissions
subtreeSpecification: {}
prescriptiveACI: { 
  identificationTag "userAdminPermissions", 
  precedence 16, 
  authenticationLevel simple,
  itemOrUserFirst userFirst: { 
    userClasses { 
      name { 
        "cn=SA,ou=users,dc=mqsoftware,dc=com",
        "cn=fred,ou=users,dc=mqsoftware,dc=com",
        "cn=BrowserService,ou=users,dc=mqsoftware,dc=com"
      }
    }, 
    userPermissions 
    { 
      { 
        protectedItems { entry, allUserAttributeTypesAndValues }, 
        grantsAndDenials { grantAdd, grantDiscloseOnError, grantRead, 
          grantRemove, grantBrowse, grantExport, grantImport, grantModify, 
          grantRename, grantReturnDN, grantCompare, grantFilterMatch, 
          grantInvoke } 
      } 
    } 
  } 
 }

I can then do an ldapsearch from users fred and bert and fred shows full access to the user information and bert (who isn't in the Admin list) can not.

Now the program rewrites the prescriptiveACI with:

2007-08-07 15:41:57,437 [btpool0-1] com.mqsoftware.ws.SWSLdapIETF DEBUG  - [Client File=SWSLdapIETF.java, Line=835] Updating cn=userAdminPermissions,ou=users,dc=mqsoftware,dc=com with: 
LDAPModification: (operation=replace,(LDAPAttribute: {type='prescriptiveACI', value='{ 
  identificationTag "userAdminPermissions", 
  precedence 16, 
  authenticationLevel simple,
  itemOrUserFirst userFirst: { 
  userClasses { 
      name { 
          "cn=BrowserService,ou=users,dc=mqsoftware,dc=com",
          "cn=SA,ou=users,dc=mqsoftware,dc=com"
      } 
  }, 
  userPermissions 
  { 
      { 
          protectedItems { entry, allUserAttributeTypesAndValues }, 
          grantsAndDenials { grantAdd, grantDiscloseOnError, grantRead, 
          grantRemove, grantBrowse, grantExport, grantImport, grantModify, 
          grantRename, grantReturnDN, grantCompare, grantFilterMatch, 
          grantInvoke } 
      } 
  } 
 } 
}
'})) 

At this point, fred still can see the user info.  I checked the apacheds logs and don't see any exceptions.  When I restart the service, things start working right (fred no longer has access).

Is there a place where I can upload the full LDIF file?  It's 411 lines long.

Thanks.

> -----Original Message-----
> From: Ersin Er [mailto:ersin.er@gmail.com]
> Sent: Tuesday, August 07, 2007 4:12 PM
> To: users@directory.apache.org
> Subject: Re: When do changes to ACI take effect?
> 
> 
> Hi,
> 
> This is not intentional. Can you please give an example? Or 
> even a test
> case?
> 
> On 8/8/07, Wayne Johnson <wj...@mqsoftware.com> wrote:
> >
> > Our application allows an administrator to change the ACI to allow or
> > disallow users access to some data.  It seems to me that when we make
> > changes to the prescriptiveACI, it doesn't seem to take effect till we
> > restart the LDAP service.  Is this intentional?  Is there a way to force it
> > to be refreshed?
> >
> > Wayne Johnson
> > Senior Software Engineer
> > MQSoftware, Inc.
> > 1660 S Highway 100
> > Minneapolis, MN 55416
> > (952) 345-8628
> >
> >
> >
> 
> 
> -- 
> Ersin Er
> 
> R.A. and Ph.D Student at the Dept. of Computer Eng. in 
> Hacettepe University
> http://www.cs.hacettepe.edu.tr
> 
> Committer and PMC Member of The Apache Directory Project
> http://directory.apache.org
> 
> 
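
Added example (not part of the original thread, and not ApacheDS or MQSoftware code): when a program rewrites a prescriptiveACI as in the message above, diffing the userClasses name lists of the old and new values shows which bind DNs must lose access immediately, so each can be re-tested with a search right after the modify instead of after a restart. The function names and the simplified DN normalisation are assumptions of this sketch, and it looks only at `name` entries of this one subentry.

```python
import re

# Constructed from the two prescriptiveACI values quoted in the thread
# (whitespace condensed; the userPermissions block is the same in both).
PERMS = """userPermissions { {
  protectedItems { entry, allUserAttributeTypesAndValues },
  grantsAndDenials { grantAdd, grantDiscloseOnError, grantRead,
    grantRemove, grantBrowse, grantExport, grantImport, grantModify,
    grantRename, grantReturnDN, grantCompare, grantFilterMatch, grantInvoke }
} }"""
HEAD = ('{ identificationTag "userAdminPermissions", precedence 16, '
        'authenticationLevel simple, itemOrUserFirst userFirst: { ')
ACI_BEFORE = HEAD + """userClasses { name {
  "cn=SA,ou=users,dc=mqsoftware,dc=com",
  "cn=fred,ou=users,dc=mqsoftware,dc=com",
  "cn=BrowserService,ou=users,dc=mqsoftware,dc=com" } }, """ + PERMS + " } }"
ACI_AFTER = HEAD + """userClasses { name {
  "cn=BrowserService,ou=users,dc=mqsoftware,dc=com",
  "cn=SA,ou=users,dc=mqsoftware,dc=com" } }, """ + PERMS + " } }"


def block_after(text, keyword):
    """Return the text inside the brace block that follows `keyword`."""
    match = re.search(r"\b" + re.escape(keyword) + r"\s*\{", text)
    if match is None:
        return ""
    depth, in_string = 1, False
    for i in range(match.end(), len(text)):
        ch = text[i]
        if ch == '"':
            in_string = not in_string      # braces inside quoted DNs do not count
        elif not in_string and ch == "{":
            depth += 1
        elif not in_string and ch == "}":
            depth -= 1
            if depth == 0:
                return text[match.end():i]
    raise ValueError("unbalanced braces after " + keyword)


def normalize_dn(dn):
    # Simplified comparison form (assumption): lower-cased, no spaces around
    # ',' or '='. Escaped commas inside RDN values are not handled.
    rdns = [rdn.split("=", 1) for rdn in dn.split(",")]
    return ",".join("=".join(part.strip() for part in rdn) for rdn in rdns).lower()


def named_users(aci):
    """DNs listed under userClasses { name { ... } } of one ACIItem."""
    names = block_after(block_after(aci, "userClasses"), "name")
    return {normalize_dn(dn) for dn in re.findall(r'"([^"]*)"', names)}


def access_changes(before, after):
    old, new = named_users(before), named_users(after)
    return {"revoked": sorted(old - new),
            "granted": sorted(new - old),
            "unchanged": sorted(old & new)}


if __name__ == "__main__":
    changes = access_changes(ACI_BEFORE, ACI_AFTER)
    for dn in changes["revoked"]:
        print("must be denied right after the modify, without a restart:", dn)
    for dn in changes["unchanged"]:
        print("must still be allowed:", dn)
```

A DN reported as revoked that can still read the protected entries after the modify reproduces the stale-ACI behaviour described in this thread.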

Re: When do changes to ACI take effect?

Posted by Ersin Er <er...@gmail.com>.
Hi,

This is not intentional. Can you please give an example? Or even a test
case?

On 8/8/07, Wayne Johnson <wj...@mqsoftware.com> wrote:
>
> Our application allows an administrator to change the ACI to allow or
> disallow users access to some data.  It seems to me that when we make
> changes to the prescriptiveACI, it doesn't seem to take effect till we
> restart the LDAP service.  Is this intentional?  Is there a way to force it
> to be refreshed?
>
> Wayne Johnson
> Senior Software Engineer
> MQSoftware, Inc.
> 1660 S Highway 100
> Minneapolis, MN 55416
> (952) 345-8628
>
>
>


-- 
Ersin Er

R.A. and Ph.D Student at the Dept. of Computer Eng. in Hacettepe University
http://www.cs.hacettepe.edu.tr

Committer and PMC Member of The Apache Directory Project
http://directory.apache.org