Michael Przybylski created DIRSERVER-1947:
---------------------------------------------
Summary: maxValueCount not working correctly
Key: DIRSERVER-1947
URL: https://issues.apache.org/jira/browse/DIRSERVER-1947
Project: Directory ApacheDS
Issue Type: Bug
Components: ldap
Affects Versions: 2.0.0-M15
Environment: Server environment:
Oracle JDK 1.7u45
ApacheDS 2.0.0-M15
Debian 7.3, AMD64
Client environment:
Apache Directory Studio 2.0.0.v20130628
Oracle JDK 1.7u45
OS X 10.9.1
Reporter: Michael Przybylski
I’ve been teaching myself how to use Apache Directory Server’s access control
subsystem.
Before getting too cute, I figured I’d try out the recipes here:
http://directory.apache.org/apacheds/advanced-ug/4.2.7-using-acis-trail.html
Both work as advertised, but as I’ve been reading more, some have suggested
refining…
http://directory.apache.org/apacheds/advanced-ug/4.2.7.2-allow-self-password-modify.html
…to use maxValueCount to prevent (someone claiming to be) the user from
inserting multiple userPassword values. However, as soon as I put
maxValueCount in any protectedItems clause of my prescriptiveACI, all of my
unprivileged user’s attributes become invisible to him.
If I weren’t such a n00b, I’d think this was a bug.
Here is the prescriptiveACI that I think should work:
    {
        identificationTag "userSelfModifyPassword",
        precedence 0,
        authenticationLevel none,
        itemOrUserFirst userFirst:
        {
            userClasses { thisEntry },
            userPermissions
            {
                {
                    protectedItems
                    {
                        maxValueCount
                        {
                            { type userPassword, maxCount 1 }
                        }
                        ,
                        allAttributeValues { userPassword }
                    }
                    ,
                    grantsAndDenials { grantAdd, grantRemove }
                }
                ,
                {
                    protectedItems { entry },
                    grantsAndDenials
                    {
                        grantRead,
                        grantBrowse,
                        grantModify
                    }
                }
            }
        }
    }
Kiran Ayyagari ( [email protected] ) was able to reproduce and asked me to
file this bug.