[
https://issues.apache.org/jira/browse/DIRSERVER-1966?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13947681#comment-13947681
]
Emmanuel Lecharny commented on DIRSERVER-1966:
----------------------------------------------
Note : the subtreeSpecification of the second ACI is incorrect : { base
"dc=orrtiz,dc=com" } should be {}, as it's required to be relative to the
subentry root, which is already dc=orrtiz,dc=com. Here, the addition of this
subentry will lead to an error, as the server will try to create a
dc=orrtiz,dc=com,dc=orrtiz,dc=com base.
Now, you should NOT get a NPE here...
> Delete of ACI generates NPE
> ---------------------------
>
> Key: DIRSERVER-1966
> URL: https://issues.apache.org/jira/browse/DIRSERVER-1966
> Project: Directory ApacheDS
> Issue Type: Bug
> Affects Versions: 2.0.0-M16
> Environment: Studio 2.0.0.v20130628
> Reporter: Pierre Smits
>
> I have created two ACI for a partition.
> The first ACI has following content:
> dn: cn=orrtizACISubEntry,dc=orrtiz,dc=com
> objectClass: top
> objectClass: accessControlSubentry
> objectClass: subentry
> cn: orrtizACISubEntry
> prescriptiveACI: { identificationTag "directoryManagerFullAccessACI", preced
> ence 11, authenticationLevel simple, itemOrUserFirst userFirst: { userClass
> es { name { "cn=nl04748,ou=users,dc=orrtiz,dc=com" } }, userPermissions { {
> protectedItems { allUserAttributeTypesAndValues, entry }, grantsAndDenials
> { grantReturnDN, grantFilterMatch, grantBrowse, grantCompare, grantAdd, gr
> antInvoke, grantModify, grantImport, grantDiscloseOnError, grantRename, gra
> ntRemove, grantRead, grantExport } } } } }
> prescriptiveACI: { identificationTag "allUsersACI", precedence 10, authentic
> ationLevel none, itemOrUserFirst userFirst: { userClasses { allUsers }, use
> rPermissions { { protectedItems { allUserAttributeTypesAndValues, entry },
> grantsAndDenials { grantReturnDN, grantFilterMatch, grantBrowse, grantCompa
> re, grantDiscloseOnError, grantRead } }, { protectedItems { attributeType {
> userPassword } }, grantsAndDenials { denyRead, denyFilterMatch, denyCompar
> e } } } } }
> subtreeSpecification: { }
> accessControlSubentries: 2.5.4.3=orrtizacisubentry,0.9.2342.19200300.100.1.2
> 5=orrtiz,0.9.2342.19200300.100.1.25=com
> createTimestamp: 20140325202223.905Z
> creatorsName: 0.9.2342.19200300.100.1.1=admin,2.5.4.11=system
> entryCSN: 20140325202223.905000Z#000000#001#000000
> entryDN: cn=orrtizACISubEntry,dc=orrtiz,dc=com
> entryParentId: a22442b4-f41f-46bb-89d8-e567ed1a5800
> entryUUID:: ZWE0MTQxNTMtMzdjYS00NWU5LWE2ZTItODhkZTU2YTUzYzE2
> The second ACI has following content:
> dn: cn=orrtizAuthReqACISubEntry,dc=orrtiz,dc=com
> objectClass: top
> objectClass: accessControlSubentry
> objectClass: subentry
> cn: orrtizAuthReqACISubEntry
> prescriptiveACI: { identificationTag "directoryManagerFullAccessACI", preced
> ence 11, authenticationLevel simple, itemOrUserFirst userFirst: { userClass
> es { name { "cn=nl04748,ou=users,dc=orrtiz,dc=com" } }, userPermissions { {
> protectedItems { allUserAttributeTypesAndValues, entry }, grantsAndDenials
> { grantReturnDN, grantFilterMatch, grantBrowse, grantCompare, grantAdd, gr
> antInvoke, grantModify, grantImport, grantDiscloseOnError, grantRename, gra
> ntRemove, grantRead, grantExport } } } } }
> prescriptiveACI: { identificationTag "allUsersACI", precedence 10, authentic
> ationLevel none, itemOrUserFirst userFirst: { userClasses { allUsers }, use
> rPermissions { { protectedItems { allUserAttributeTypesAndValues, entry },
> grantsAndDenials { grantReturnDN, grantFilterMatch, grantBrowse, grantCompa
> re, grantDiscloseOnError, grantRead } }, { protectedItems { attributeType {
> userPassword } }, grantsAndDenials { denyRead, denyFilterMatch, denyCompar
> e } } } } }
> subtreeSpecification: { base "dc=orrtiz,dc=com" }
> accessControlSubentries: 2.5.4.3=orrtizacisubentry,0.9.2342.19200300.100.1.2
> 5=orrtiz,0.9.2342.19200300.100.1.25=com
> createTimestamp: 20140325182443.296Z
> creatorsName: 0.9.2342.19200300.100.1.1=admin,2.5.4.11=system
> entryCSN: 20140325200009.087000Z#000000#001#000000
> entryDN: cn=orrtizAuthReqACISubEntry,dc=orrtiz,dc=com
> entryParentId: a22442b4-f41f-46bb-89d8-e567ed1a5800
> entryUUID:: MWViMTQxMDktNzEzOC00NzFkLTlmYzEtZTgyMTM1NzI1ZDU1
> modifiersName: 0.9.2342.19200300.100.1.1=admin,2.5.4.11=system
> modifyTimestamp: 20140325200009.087Z
> The difference between the two is the subtreeSpecifications whereby the first
> is {}, and the second { base "dc=orrtiz,dc=com" }
> Deleting the first ACI generates no problem. Deleting the second ACI
> generates following error:
> #!RESULT ERROR
> #!CONNECTION ldap://director.somonar.prd:389
> #!DATE 2014-03-25T20:38:04.044
> #!ERROR [LDAP: error code 80 - OTHER: failed for MessageType : DEL_REQUEST
> Message ID : 23 Del request Entry :
> 'cn=orrtizAuthReqACISubEntry,dc=orrtiz,dc=com'
> org.apache.directory.api.ldap.model.message.DeleteRequestImpl@90241f8: null:
> java.lang.NullPointerException at
> org.apache.directory.server.core.subtree.SubentryInterceptor.delete(SubentryInterceptor.java:1043)
> at
> org.apache.directory.server.core.api.interceptor.BaseInterceptor.next(BaseInterceptor.java:490)
> at
> org.apache.directory.server.core.operational.OperationalAttributeInterceptor.delete(OperationalAttributeInterceptor.java:462)
> at
> org.apache.directory.server.core.api.interceptor.BaseInterceptor.next(BaseInterceptor.java:490)
> at
> org.apache.directory.server.core.exception.ExceptionInterceptor.delete(ExceptionInterceptor.java:207)
> at
> org.apache.directory.server.core.api.interceptor.BaseInterceptor.next(BaseInterceptor.java:490)
> at
> org.apache.directory.server.core.admin.AdministrativePointInterceptor.delete(AdministrativePointInterceptor.java:1261)
> at
> org.apache.directory.server.core.api.interceptor.BaseInterceptor.next(BaseInterceptor.java:490)
> at
> org.apache.directory.server.core.authz.DefaultAuthorizationInterceptor.delete(DefaultAuthorizationInterceptor.java:172)
> at
> org.apache.directory.server.core.api.interceptor.BaseInterceptor.next(BaseInterceptor.java:490)
> at
> org.apache.directory.server.core.authz.AciAuthorizationInterceptor.delete(AciAuthorizationInterceptor.java:678)
> at
> org.apache.directory.server.core.api.interceptor.BaseInterceptor.next(BaseInterceptor.java:490)
> at
> org.apache.directory.server.core.referral.ReferralInterceptor.delete(ReferralInterceptor.java:288)
> at
> org.apache.directory.server.core.api.interceptor.BaseInterceptor.next(BaseInterceptor.java:490)
> at
> org.apache.directory.server.core.authn.AuthenticationInterceptor.delete(AuthenticationInterceptor.java:749)
> at
> org.apache.directory.server.core.api.interceptor.BaseInterceptor.next(BaseInterceptor.java:490)
> at
> org.apache.directory.server.core.normalization.NormalizationInterceptor.delete(NormalizationInterceptor.java:174)
> at
> org.apache.directory.server.core.DefaultOperationManager.delete(DefaultOperationManager.java:641)
> at
> org.apache.directory.server.core.shared.DefaultCoreSession.delete(DefaultCoreSession.java:923)
> at
> org.apache.directory.server.core.shared.DefaultCoreSession.delete(DefaultCoreSession.java:906)
> at
> org.apache.directory.server.ldap.handlers.request.DeleteRequestHandler.handle(DeleteRequestHandler.java:55)
> at
> org.apache.directory.server.ldap.handlers.request.DeleteRequestHandler.handle(DeleteRequestHandler.java:39)
> at
> org.apache.directory.server.ldap.handlers.LdapRequestHandler.handleMessage(LdapRequestHandler.java:207)
> at
> org.apache.directory.server.ldap.handlers.LdapRequestHandler.handleMessage(LdapRequestHandler.java:56)
> at
> org.apache.mina.handler.demux.DemuxingIoHandler.messageReceived(DemuxingIoHandler.java:221)
> at
> org.apache.directory.server.ldap.LdapProtocolHandler.messageReceived(LdapProtocolHandler.java:217)
> at
> org.apache.mina.core.filterchain.DefaultIoFilterChain$TailFilter.messageReceived(DefaultIoFilterChain.java:690)
> at
> org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:417)
> at
> org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1200(DefaultIoFilterChain.java:47)
> at
> org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.messageReceived(DefaultIoFilterChain.java:765)
> at
> org.apache.mina.core.filterchain.IoFilterEvent.fire(IoFilterEvent.java:74) at
> org.apache.mina.core.session.IoEvent.run(IoEvent.java:63) at
> org.apache.mina.filter.executor.UnorderedThreadPoolExecutor$Worker.runTask(UnorderedThreadPoolExecutor.java:474)
> at
> org.apache.mina.filter.executor.UnorderedThreadPoolExecutor$Worker.run(UnorderedThreadPoolExecutor.java:428)
> at java.lang.Thread.run(Thread.java:662) ]
> dn: cn=orrtizAuthReqACISubEntry,dc=orrtiz,dc=com
> changetype: delete
> I did this with uid=admin,ou=system.
--
This message was sent by Atlassian JIRA
(v6.2#6252)
