[
https://issues.apache.org/jira/browse/DIRSERVER-1680?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13176211#comment-13176211
]
Jason Sachs commented on DIRSERVER-1680:
----------------------------------------
Hmm, might be a duplicate of DIRSERVER-1524 (sorry, I should have searched more
carefully before posting)
> allUsersSearchAndCompareACI doesn't work on service restart
> -----------------------------------------------------------
>
> Key: DIRSERVER-1680
> URL: https://issues.apache.org/jira/browse/DIRSERVER-1680
> Project: Directory ApacheDS
> Issue Type: Bug
> Affects Versions: 1.5.7
> Environment: server on Windows XP SP3
> Reporter: Jason Sachs
>
> I have an allUsersSearchAndCompareACI set up to allow only authenticated
> users to read the server, and another ACI directoryManagerFullAccessACI set
> up to allow privileged users/services in the group
> cn=ldap-admin,ou=groups,o=foobar to access LDAP and have editing rights. I
> have a number of these privileged users/services, and they can authenticate,
> but not see any of the LDAP tree (just an empty Root DSE), until I rewrite
> the ACI info, at which point they work perfectly... until the service or the
> computer it's on resets, and the problem re-occurs. (The uid=admin,ou=system
> account can access everything just fine.)
> The allUsersSearchAndCompareACI ACI source looks like this:
> {code}
> {
>   identificationTag "allUsersSearchAndCompareACI",
>   precedence 10,
>   authenticationLevel simple,
>   itemOrUserFirst userFirst:
>   {
>     userClasses { allUsers },
>     userPermissions
>     {
>       {
>         protectedItems { entry, allUserAttributeTypesAndValues },
>         grantsAndDenials
>         {
>           grantDiscloseOnError,
>           grantRead,
>           grantReturnDN,
>           grantBrowse,
>           grantCompare,
>           grantFilterMatch
>         }
>       }
>       ,
>       {
>         protectedItems
>         {
>           attributeType { userPassword }
>         }
>         ,
>         grantsAndDenials
>         {
>           denyFilterMatch,
>           denyRead,
>           denyCompare
>         }
>       }
>     }
>   }
> }
> {code}
> The directoryManagerACI looks like this:
> {code}
> {
>   identificationTag "directoryManagerFullAccessACI",
>   precedence 11,
>   authenticationLevel simple,
>   itemOrUserFirst userFirst:
>   {
>     userClasses
>     {
>       userGroup { "cn=ldap-admin,ou=groups,o=foobar" }
>     }
>     ,
>     userPermissions
>     {
>       {
>         protectedItems { entry, allUserAttributeTypesAndValues },
>         grantsAndDenials
>         {
>           grantModify,
>           grantRead,
>           grantBrowse,
>           grantFilterMatch,
>           grantExport,
>           grantRemove,
>           grantDiscloseOnError,
>           grantAdd,
>           grantReturnDN,
>           grantInvoke,
>           grantRename,
>           grantImport,
>           grantCompare
>         }
>       }
>     }
>   }
> }
> {code}
> My LDAP tree looks like this (my comments in /* */)
> {code}
> o=foobar
>   cn=acientry1 /* contains the two ACI above */
>   ou=groups
>     /* various groups elided */
>     cn=ldap-admin
> ou=schema
>   /* other stuff */
> ou=system
>   uid=admin
>   /* other stuff */
>
>
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators:
https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
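An added example, not ApacheDS code and not the reporter's: a small Python model of the X.501 basic-access-control decision over the two ACIs quoted in the report, so an administrator can work out what each class of user *should* be allowed before comparing it with what the server actually does after a restart. It assumes the ACIs are hand-modelled as dicts rather than parsed from ACIItem text, supports only the user classes and protected items the report uses, and uses constructed user DNs (uid=svc1, uid=alice) that are not from the page.

```python
# Added example, not ApacheDS code: simplified X.501 basic access control over
# the two ACIs from DIRSERVER-1680, modelled as dicts (assumption: only the
# user classes and protected items the report uses are supported). Decision
# order follows the standard: highest precedence, most specific user class,
# most specific protected item, then any surviving denial beats the grants.

# Modelled copy of the two ACIs quoted in the report.
ACIS = [
    {"tag": "allUsersSearchAndCompareACI", "precedence": 10,
     "userClasses": ["allUsers"],
     "userPermissions": [
         {"protectedItems": ["entry", "allUserAttributeTypesAndValues"],
          "grants": {"DiscloseOnError", "Read", "ReturnDN", "Browse", "Compare",
                     "FilterMatch"},
          "denials": set()},
         {"protectedItems": ["attributeType:userPassword"],
          "grants": set(),
          "denials": {"FilterMatch", "Read", "Compare"}}]},
    {"tag": "directoryManagerFullAccessACI", "precedence": 11,
     "userClasses": ["userGroup:cn=ldap-admin,ou=groups,o=foobar"],
     "userPermissions": [
         {"protectedItems": ["entry", "allUserAttributeTypesAndValues"],
          "grants": {"Modify", "Read", "Browse", "FilterMatch", "Export", "Remove",
                     "DiscloseOnError", "Add", "ReturnDN", "Invoke", "Rename",
                     "Import", "Compare"},
          "denials": set()}]},
]

# Specificity ranks: at equal precedence, a more specific user class or
# protected item wins over a less specific one.
USER_CLASS_RANK = {"allUsers": 0, "userGroup": 2, "name": 3}
ITEM_RANK = {"entry": 1, "allUserAttributeTypesAndValues": 1, "attributeType": 2}


def user_class_matches(spec, user):
    """spec is 'allUsers', 'userGroup:<dn>' or 'name:<dn>'."""
    kind, _, arg = spec.partition(":")
    if kind == "allUsers":
        return True
    if kind == "userGroup":
        return arg in user["groups"]
    return kind == "name" and arg == user["dn"]


def item_matches(spec, item):
    """item is 'entry' or an attribute type name such as 'userPassword'."""
    kind, _, arg = spec.partition(":")
    if kind == "entry":
        return item == "entry"
    if kind == "allUserAttributeTypesAndValues":
        return item != "entry"
    return kind == "attributeType" and item == arg


def applicable_tuples(acis, user, item, permission):
    """Expand the ACIs into (precedence, userRank, itemRank, grant?, tag)
    tuples that apply to this user, protected item and permission."""
    tuples = []
    for aci in acis:
        for uc in aci["userClasses"]:
            if not user_class_matches(uc, user):
                continue
            for perm in aci["userPermissions"]:
                for pi in perm["protectedItems"]:
                    if not item_matches(pi, item):
                        continue
                    key = (aci["precedence"], USER_CLASS_RANK[uc.partition(":")[0]],
                           ITEM_RANK[pi.partition(":")[0]])
                    if permission in perm["grants"]:
                        tuples.append(key + (True, aci["tag"]))
                    if permission in perm["denials"]:
                        tuples.append(key + (False, aci["tag"]))
    return tuples


def decide(acis, user, item, permission):
    """Return (granted, tag of the deciding ACI); no applicable tuple means
    access is denied by default, as in X.501."""
    tuples = applicable_tuples(acis, user, item, permission)
    if not tuples:
        return False, None
    for idx in (0, 1, 2):  # precedence, then user-class, then item specificity
        best = max(t[idx] for t in tuples)
        tuples = [t for t in tuples if t[idx] == best]
    if any(not t[3] for t in tuples):  # a surviving denial overrides grants
        tuples = [t for t in tuples if not t[3]]
    return tuples[0][3], tuples[0][4]


# Constructed users: a member of cn=ldap-admin and an ordinary bound user.
LDAP_ADMIN = {"dn": "uid=svc1,ou=people,o=foobar",
              "groups": {"cn=ldap-admin,ou=groups,o=foobar"}}
PLAIN_USER = {"dn": "uid=alice,ou=people,o=foobar", "groups": set()}

if __name__ == "__main__":
    for user in (LDAP_ADMIN, PLAIN_USER):
        for item, perm in (("entry", "Browse"), ("entry", "Modify"),
                           ("userPassword", "Read")):
            print(user["dn"], item, perm, decide(ACIS, user, item, perm))
```

Evaluating the group member against `ACIS[:1]` (the allUsers ACI alone) shows what that user is left with if the group ACI is not taken into account: Browse but no Modify, and no Read on userPassword. Comparing that with the expected result from both ACIs gives a concrete checklist of operations to try from a group member's bind before and after a service restart.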