> On 18 Nov 2019, at 09:27, Graham Leggett <minf...@sharp.fm> wrote:
>
> Hi all,
>
> After adding the Get Effective Rights control to some java code as follows,
> everything is worked as before, except neither the entryLevelRights nor the
> attributeLevelRights attributes are returned to me.
>
> 389-ds-base-1.2.11.15-97.el6_10.x86_64 is logging the following, which looks
> hopeful:
>
> [18/Nov/2019:00:41:16 +0200] conn=1567060 op=5 SRCH base="dc=x,dc=x,dc=x"
> scope=2 filter="(&(objectClass=mailRec
> ipient)(mail=m...@example.com))" attrs="* entrylevelrights
> attributelevelrights aci" authzid="mail=minf...@example.com,ou=
> external,dc=x,dc=x,dc=x"
> [18/Nov/2019:00:41:16 +0200] conn=1567060 op=5 RESULT err=0 tag=101
> nentries=1 etime=0 - entryLevelRights: vadn
>
> However neither the entrylevelrights nor the attributelevelrights attributes
> are being returned in the response, and I have run out of ideas - what am I
> missing?
>
> The java code to add the control is as follows:
>
> BerByteArrayOutputStream berStream = new
> BerByteArrayOutputStream(
> dn.length() + 50, true);
> BerOctetString berString = new BerOctetString(
> ("dn:" + dn).getBytes());
> berString.encode(berStream, true);
> berStream.close();
>
> List<Control> controls = new
> ArrayList<Control>(Arrays.asList(ctx
> .getRequestControls()));
> controls.add(new
> BasicControl("1.3.6.1.4.1.42.2.27.9.5.2", true,
> berStream.getArray()));
> ctx.setRequestControls(controls.toArray(new
> Control[controls.size()]));
>
As I'm sure you're aware, the docs are here:
https://access.redhat.com/documentation/en-us/red_hat_directory_server/11/html/administration_guide/viewing_the_acis_for_an_entry-get_effective_rights_control
I think you don't need to request the entrylevelrights or attributelevelrights
on the search (the log looks like you're requesting them). You probably just
want * or + here instead.
Otherwise I'm not 100% sure here. Perhaps the best thing is actually to attach
gdb to the server and break on:
br _ger_parse_control
And then step through with: "next" to see what logic paths are being taken on
the dn parser - or if you even reach that stage.
You could alternately break on acl_get_effective_rights to see the full
extended op processing logic too.
Sorry I can't give a more concrete piece of advice here :(
> Regards,
> Graham
> —
>
> _______________________________________________
> 389-users mailing list -- 389-users@lists.fedoraproject.org
> To unsubscribe send an email to 389-users-le...@lists.fedoraproject.org
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org
—
Sincerely,
William Brown
Senior Software Engineer, 389 Directory Server
SUSE Labs
_______________________________________________
389-users mailing list -- 389-users@lists.fedoraproject.org
To unsubscribe send an email to 389-users-le...@lists.fedoraproject.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org
