You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@directory.apache.org by "Loading....." <mi...@foxmail.com> on 2019/03/13 02:30:08 UTC
[ApacheDS]How delete "accessControlSubentries" object
Hi guys,
I'm try to do something with ACI , I follow this article
https://directory.apache.org/apacheds/advanced-ug/4.2.7.1-enable-authenticated-users-to-browse-and-read-entries.html
and it's works, but when I try to delete test "accessControlSubentries" object there some error happend
when i click OK there ERROR occured
Here is Details:
Error while executing LDIF
- [LDAP: error code 50 - INSUFFICIENT_ACCESS_RIGHTS: failed for MessageType : MODIFY_REQUES
java.lang.Exception: [LDAP: error code 50 - INSUFFICIENT_ACCESS_RIGHTS: failed for MessageType : MODIFY_REQUEST
Message ID : 224
Modify Request
Object : 'dc=example,dc=com'
Modification[0]
Operation : delete
Modification
accessControlSubentries: (null)org.apache.directory.api.ldap.model.message.ModifyRequestImpl@fcdf11fa: ERR_52 Cannot modify the attribute : attributetype ( 1.3.6.1.4.1.18060.0.4.1.2.11 NAME 'accessControlSubentries'
DESC 'Used to track a subentry associated with access control areas'
EQUALITY distinguishedNameMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
NO-USER-MODIFICATION
USAGE directoryOperation )]
at org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper.checkResponse(DirectoryApiConnectionWrapper.java:1418)
at org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper.access$11(DirectoryApiConnectionWrapper.java:1386)
at org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper$4.run(DirectoryApiConnectionWrapper.java:787)
at org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper.runAndMonitor(DirectoryApiConnectionWrapper.java:1312)
at org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper.checkConnectionAndRunAndMonitor(DirectoryApiConnectionWrapper.java:1256)
at org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper.modifyEntry(DirectoryApiConnectionWrapper.java:809)
at org.apache.directory.studio.ldapbrowser.core.jobs.ImportLdifRunnable.importLdifRecord(ImportLdifRunnable.java:515)
at org.apache.directory.studio.ldapbrowser.core.jobs.ImportLdifRunnable.importLdif(ImportLdifRunnable.java:272)
at org.apache.directory.studio.ldapbrowser.core.jobs.ExecuteLdifRunnable.executeLdif(ExecuteLdifRunnable.java:157)
at org.apache.directory.studio.ldapbrowser.core.jobs.ExecuteLdifRunnable.run(ExecuteLdifRunnable.java:123)
at org.apache.directory.studio.ldapbrowser.core.jobs.UpdateEntryRunnable.run(UpdateEntryRunnable.java:59)
at org.apache.directory.studio.connection.ui.RunnableContextRunner$1.run(RunnableContextRunner.java:129)
at org.eclipse.jface.operation.ModalContext$ModalContextThread.run(ModalContext.java:119)
[LDAP: error code 50 - INSUFFICIENT_ACCESS_RIGHTS: failed for MessageType : MODIFY_REQUEST
Message ID : 224
Modify Request
Object : 'dc=example,dc=com'
Modification[0]
Operation : delete
Modification
accessControlSubentries: (null)org.apache.directory.api.ldap.model.message.ModifyRequestImpl@fcdf11fa: ERR_52 Cannot modify the attribute : attributetype ( 1.3.6.1.4.1.18060.0.4.1.2.11 NAME 'accessControlSubentries'
DESC 'Used to track a subentry associated with access control areas'
EQUALITY distinguishedNameMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
NO-USER-MODIFICATION
USAGE directoryOperation )]
Here is Modification log:
#!RESULT ERROR
#!CONNECTION ldap://172.17.40.137:10636
#!DATE 2019-03-13T02:22:17.423
#!ERROR [LDAP: error code 50 - INSUFFICIENT_ACCESS_RIGHTS: failed for MessageType : MODIFY_REQUEST Message ID : 224 Modify Request Object : 'dc=example,dc=com' Modification[0] Operation : delete Modification accessControlSubentries: (null)org.apache.directory.api.ldap.model.message.ModifyRequestImpl@fcdf11fa: ERR_52 Cannot modify the attribute : attributetype ( 1.3.6.1.4.1.18060.0.4.1.2.11 NAME 'accessControlSubentries' DESC 'Used to track a subentry associated with access control areas' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 NO-USER-MODIFICATION USAGE directoryOperation )]
dn: dc=example,dc=com
changetype: modify
delete: accessControlSubentries
-
I'm use "uid=admin,ou=system" to login
am i missing something?
look forward your reply! Thanks!
Mike Yoo
Re: [ApacheDS]How delete "accessControlSubentries" object
Posted by Emmanuel Lécharny <el...@gmail.com>.
Hi!
This is not the simplest part of the server...
Basically, accessControlSubentries cannot be deleted by the user - even
by admin -. This operational attribute is automatically injected in an
entry.
If you want to remove it, you have to remove the full entry.
On 13/03/2019 03:30, Loading..... wrote:
> Hi guys,
> I'm try to do something with ACI , I follow this article
> https://directory.apache.org/apacheds/advanced-ug/4.2.7.1-enable-authenticated-users-to-browse-and-read-entries.html
> and it's works, but when I try to delete test
> "accessControlSubentries" object there some error happend
>
> when i click OK there ERROR occured
>
> Here is Details:
>
> Error while executing LDIF
> - [LDAP: error code 50 - INSUFFICIENT_ACCESS_RIGHTS: failed for
> MessageType : MODIFY_REQUES
> java.lang.Exception: [LDAP: error code 50 -
> INSUFFICIENT_ACCESS_RIGHTS: failed for MessageType : MODIFY_REQUEST
> Message ID : 224
> Modify Request
> Object : 'dc=example,dc=com'
> Modification[0]
> Operation : delete
> Modification
> accessControlSubentries:
> (null)org.apache.directory.api.ldap.model.message.ModifyRequestImpl@fcdf11fa:
> ERR_52 Cannot modify the attribute : attributetype (
> 1.3.6.1.4.1.18060.0.4.1.2.11 NAME 'accessControlSubentries'
> DESC 'Used to track a subentry associated with access control areas'
> EQUALITY distinguishedNameMatch
> SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
> NO-USER-MODIFICATION
> USAGE directoryOperation )]
> at
> org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper.checkResponse(DirectoryApiConnectionWrapper.java:1418)
> at
> org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper.access$11(DirectoryApiConnectionWrapper.java:1386)
> at
> org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper$4.run(DirectoryApiConnectionWrapper.java:787)
> at
> org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper.runAndMonitor(DirectoryApiConnectionWrapper.java:1312)
> at
> org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper.checkConnectionAndRunAndMonitor(DirectoryApiConnectionWrapper.java:1256)
> at
> org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper.modifyEntry(DirectoryApiConnectionWrapper.java:809)
> at
> org.apache.directory.studio.ldapbrowser.core.jobs.ImportLdifRunnable.importLdifRecord(ImportLdifRunnable.java:515)
> at
> org.apache.directory.studio.ldapbrowser.core.jobs.ImportLdifRunnable.importLdif(ImportLdifRunnable.java:272)
> at
> org.apache.directory.studio.ldapbrowser.core.jobs.ExecuteLdifRunnable.executeLdif(ExecuteLdifRunnable.java:157)
> at
> org.apache.directory.studio.ldapbrowser.core.jobs.ExecuteLdifRunnable.run(ExecuteLdifRunnable.java:123)
> at
> org.apache.directory.studio.ldapbrowser.core.jobs.UpdateEntryRunnable.run(UpdateEntryRunnable.java:59)
> at
> org.apache.directory.studio.connection.ui.RunnableContextRunner$1.run(RunnableContextRunner.java:129)
> at
> org.eclipse.jface.operation.ModalContext$ModalContextThread.run(ModalContext.java:119)
>
> [LDAP: error code 50 - INSUFFICIENT_ACCESS_RIGHTS: failed for
> MessageType : MODIFY_REQUEST
> Message ID : 224
> Modify Request
> Object : 'dc=example,dc=com'
> Modification[0]
> Operation : delete
> Modification
> accessControlSubentries:
> (null)org.apache.directory.api.ldap.model.message.ModifyRequestImpl@fcdf11fa:
> ERR_52 Cannot modify the attribute : attributetype (
> 1.3.6.1.4.1.18060.0.4.1.2.11 NAME 'accessControlSubentries'
> DESC 'Used to track a subentry associated with access control areas'
> EQUALITY distinguishedNameMatch
> SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
> NO-USER-MODIFICATION
> USAGE directoryOperation )]
>
>
> Here is Modification log:
>
> #!RESULT ERROR
>
> #!CONNECTION ldap://172.17.40.137:10636
>
> #!DATE 2019-03-13T02:22:17.423
>
> #!ERROR [LDAP: error code 50 - INSUFFICIENT_ACCESS_RIGHTS: failed for
> MessageType : MODIFY_REQUEST Message ID : 224 Modify Request Object :
> 'dc=example,dc=com' Modification[0] Operation :delete Modification
> accessControlSubentries:
> (null)org.apache.directory.api.ldap.model.message.ModifyRequestImpl@fcdf11fa:
> ERR_52 Cannot modify the attribute : attributetype (
> 1.3.6.1.4.1.18060.0.4.1.2.11 NAME 'accessControlSubentries' DESC 'Used
> to track a subentry associated with access control areas' EQUALITY
> distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
> NO-USER-MODIFICATION USAGE directoryOperation )]
>
> *dn**: **dc=example,dc=com*
>
> *changetype**: **modify*
>
> *delete**: **accessControlSubentries*
>
> *-*
>
>
> I'm use "uid=admin,ou=system" to login
> am i missing something?
> look forward your reply! Thanks!
>
> Mike Yoo
>