> On 18 Nov 2019, at 10:09, Graham Leggett <minf...@sharp.fm> wrote:
> 
> On 18 Nov 2019, at 01:19, William Brown <wbr...@suse.de> wrote:
> 
>> As I'm sure you're aware, the docs are here:
>> 
>> https://access.redhat.com/documentation/en-us/red_hat_directory_server/11/html/administration_guide/viewing_the_acis_for_an_entry-get_effective_rights_control
>> 
>> I think you don't need to request the entrylevelrights or 
>> attributelevelrights on the search (the log looks like you're requesting 
>> them). You probably just want * or + here instead.
> 
> I tried that, but it made no difference. I also noticed that despite asking 
> for attributes “*” and “+”, the java code didn’t give me any operational 
> attributes back at all.
> 
> I’m assuming that entryLevelRights/attributeLevelRights are operational 
> attributes and 389ds won’t return them with a “*” attribute on it’s own?

The attributes you "request" are the attributes it will do an effective rights 
check on, and the server just "puts" the *rights attributes in your response 
without asking (well, you did ask because of the control).

> 
> I’m trying to work out whether this is a java issue or a 389ds issue.

Why not both?

> 
> Are there any known issues when trying to return operational attributes from 
> 389ds to java JNDI calls?

Controls and extended ops are difficult to get right at the best of times - I 
had to do so recently with python for something and it was a few days of hair 
tearing. So the error could be ... anywhere.

> 
>> Otherwise I'm not 100% sure here. Perhaps the best thing is actually to 
>> attach gdb to the server and break on:
>> 
>> br _ger_parse_control 
>> 
>> And then step through with: "next" to see what logic paths are being taken 
>> on the dn parser - or if you even reach that stage.
>> 
>> You could alternately break on acl_get_effective_rights to see the full 
>> extended op processing logic too. 
>> 
>> Sorry I can't give a more concrete piece of advice here :( 
> 
> gdb stops on these breakpoints, so the logic is definitely triggered, 
> although I don't have any debuginfos configured to step through the code. Let 
> me dig further on this.

If you are on RH/Fedora, it will issue you a command such as "missing debuginfo 
....." and a command you can run to install them :) 

> 
> Regards,
> Graham
> —
> 
> _______________________________________________
> 389-users mailing list -- 389-users@lists.fedoraproject.org
> To unsubscribe send an email to 389-users-le...@lists.fedoraproject.org
> Fedora Code of Conduct: 
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: 
> https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org

—
Sincerely,

William Brown

Senior Software Engineer, 389 Directory Server
SUSE Labs