allUsersSearchAndCompareACI doesn't work on service restart
-----------------------------------------------------------
Key: DIRSERVER-1680
URL: https://issues.apache.org/jira/browse/DIRSERVER-1680
Project: Directory ApacheDS
Issue Type: Bug
Affects Versions: 1.5.7
Environment: server on Windows XP SP3
Reporter: Jason Sachs
I have an allUsersSearchAndCompareACI set up to allow only authenticated users
to read the server, and another ACI directoryManagerFullAccessACI set up to
allow privileged users/services in the group cn=ldap-admin,ou=groups,o=foobar
to access LDAP and have editing rights. I have a number of these privileged
users/services, and they can authenticate, but not see any of the LDAP tree
(just an empty Root DSE), until I rewrite the ACI info, at which point they
work perfectly... until the service or the computer it's on resets, and the
problem recurs. (The uid=admin,ou=system account can access everything just
fine.)
The allUsersSearchAndCompareACI ACI source looks like this:
{code}
{
  identificationTag "allUsersSearchAndCompareACI",
  precedence 10,
  authenticationLevel simple,
  itemOrUserFirst userFirst:
  {
    userClasses { allUsers },
    userPermissions
    {
      {
        protectedItems { entry, allUserAttributeTypesAndValues },
        grantsAndDenials
        {
          grantDiscloseOnError,
          grantRead,
          grantReturnDN,
          grantBrowse,
          grantCompare,
          grantFilterMatch
        }
      },
      {
        protectedItems
        {
          attributeType { userPassword }
        },
        grantsAndDenials
        {
          denyFilterMatch,
          denyRead,
          denyCompare
        }
      }
    }
  }
}
{code}
The directoryManagerACI looks like this:
{code}
{
  identificationTag "directoryManagerFullAccessACI",
  precedence 11,
  authenticationLevel simple,
  itemOrUserFirst userFirst:
  {
    userClasses
    {
      userGroup { "cn=ldap-admin,ou=groups,o=foobar" }
    },
    userPermissions
    {
      {
        protectedItems { entry, allUserAttributeTypesAndValues },
        grantsAndDenials
        {
          grantModify,
          grantRead,
          grantBrowse,
          grantFilterMatch,
          grantExport,
          grantRemove,
          grantDiscloseOnError,
          grantAdd,
          grantReturnDN,
          grantInvoke,
          grantRename,
          grantImport,
          grantCompare
        }
      }
    }
  }
}
{code}
My LDAP tree looks like this (my comments in /* */):
{code}
o=foobar
  cn=acientry1      /* contains the two ACI above */
  ou=groups
    /* various groups elided */
    cn=ldap-admin
ou=schema
  /* other stuff */
ou=system
  uid=admin
  /* other stuff */
{code}
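For anyone reproducing this, the following is an added example of how the two ACIs above are normally installed in ApacheDS, so that the state on disk can be compared before and after a restart. It is not taken from the bug report or from the ApacheDS project; it assumes that cn=acientry1 is an access-control subentry directly under o=foobar, that o=foobar is meant to be the administrative point for the whole partition, and that the ACI text is stored as prescriptiveACI values (the ACI bodies are the reporter's, collapsed to one line each as an LDIF attribute value requires).

```ldif
# Added example, not from the report. ApacheDS evaluates prescriptiveACI values
# from a subentry only when the subentry's parent is marked as an
# access-control administrative point (assumption: o=foobar is that entry).
dn: o=foobar
changetype: modify
add: administrativeRole
administrativeRole: accessControlSpecificArea

# The subentry carrying both ACIs. subtreeSpecification {} means the whole
# subtree under the administrative point is covered.
dn: cn=acientry1,o=foobar
changetype: add
objectClass: top
objectClass: subentry
objectClass: accessControlSubentry
cn: acientry1
subtreeSpecification: {}
prescriptiveACI: { identificationTag "allUsersSearchAndCompareACI", precedence 10, authenticationLevel simple, itemOrUserFirst userFirst: { userClasses { allUsers }, userPermissions { { protectedItems { entry, allUserAttributeTypesAndValues }, grantsAndDenials { grantDiscloseOnError, grantRead, grantReturnDN, grantBrowse, grantCompare, grantFilterMatch } }, { protectedItems { attributeType { userPassword } }, grantsAndDenials { denyFilterMatch, denyRead, denyCompare } } } } }
prescriptiveACI: { identificationTag "directoryManagerFullAccessACI", precedence 11, authenticationLevel simple, itemOrUserFirst userFirst: { userClasses { userGroup { "cn=ldap-admin,ou=groups,o=foobar" } }, userPermissions { { protectedItems { entry, allUserAttributeTypesAndValues }, grantsAndDenials { grantModify, grantRead, grantBrowse, grantFilterMatch, grantExport, grantRemove, grantDiscloseOnError, grantAdd, grantReturnDN, grantInvoke, grantRename, grantImport, grantCompare } } } } }
```

To check whether the ACIs are in force after a restart, bind as a member of cn=ldap-admin (not as uid=admin,ou=system, which bypasses access control) and run a base-scope search on o=foobar, e.g. `ldapsearch -x -D "<member dn>" -W -b o=foobar -s base "(objectClass=*)"`; an empty result while the same search succeeds right after re-saving the ACI points at the ACI not being loaded rather than at the ACI text itself. Two things worth confirming on the stored entries: that administrativeRole is still present on o=foobar after the restart, and that cn=ldap-admin is a groupOfUniqueNames whose uniqueMember values match the binding DNs, since ApacheDS resolves the userGroup user class against that object class.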