[
https://issues.apache.org/jira/browse/DIRSERVER-1966?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13947704#comment-13947704
]
Pierre Smits commented on DIRSERVER-1966:
-----------------------------------------
I also surmised that the subtreeSpecification in the second ACI was the culprit.
I thought that setting it like so would prevent the users to not see the data
of other partitions when in Studio in the connection the flag 'Get base DNs
from root DSE' was set to 'true'.
> Delete of ACI generates NPE
> ---------------------------
>
> Key: DIRSERVER-1966
> URL: https://issues.apache.org/jira/browse/DIRSERVER-1966
> Project: Directory ApacheDS
> Issue Type: Bug
> Affects Versions: 2.0.0-M16
> Environment: Studio 2.0.0.v20130628
> Reporter: Pierre Smits
>
> I have created two ACI for a partition.
> The first ACI has following content:
> dn: cn=orrtizACISubEntry,dc=orrtiz,dc=com
> objectClass: top
> objectClass: accessControlSubentry
> objectClass: subentry
> cn: orrtizACISubEntry
> prescriptiveACI: { identificationTag "directoryManagerFullAccessACI", preced
> ence 11, authenticationLevel simple, itemOrUserFirst userFirst: { userClass
> es { name { "cn=nl04748,ou=users,dc=orrtiz,dc=com" } }, userPermissions { {
> protectedItems { allUserAttributeTypesAndValues, entry }, grantsAndDenials
> { grantReturnDN, grantFilterMatch, grantBrowse, grantCompare, grantAdd, gr
> antInvoke, grantModify, grantImport, grantDiscloseOnError, grantRename, gra
> ntRemove, grantRead, grantExport } } } } }
> prescriptiveACI: { identificationTag "allUsersACI", precedence 10, authentic
> ationLevel none, itemOrUserFirst userFirst: { userClasses { allUsers }, use
> rPermissions { { protectedItems { allUserAttributeTypesAndValues, entry },
> grantsAndDenials { grantReturnDN, grantFilterMatch, grantBrowse, grantCompa
> re, grantDiscloseOnError, grantRead } }, { protectedItems { attributeType {
> userPassword } }, grantsAndDenials { denyRead, denyFilterMatch, denyCompar
> e } } } } }
> subtreeSpecification: { }
> accessControlSubentries: 2.5.4.3=orrtizacisubentry,0.9.2342.19200300.100.1.2
> 5=orrtiz,0.9.2342.19200300.100.1.25=com
> createTimestamp: 20140325202223.905Z
> creatorsName: 0.9.2342.19200300.100.1.1=admin,2.5.4.11=system
> entryCSN: 20140325202223.905000Z#000000#001#000000
> entryDN: cn=orrtizACISubEntry,dc=orrtiz,dc=com
> entryParentId: a22442b4-f41f-46bb-89d8-e567ed1a5800
> entryUUID:: ZWE0MTQxNTMtMzdjYS00NWU5LWE2ZTItODhkZTU2YTUzYzE2
> The second ACI has following content:
> dn: cn=orrtizAuthReqACISubEntry,dc=orrtiz,dc=com
> objectClass: top
> objectClass: accessControlSubentry
> objectClass: subentry
> cn: orrtizAuthReqACISubEntry
> prescriptiveACI: { identificationTag "directoryManagerFullAccessACI", preced
> ence 11, authenticationLevel simple, itemOrUserFirst userFirst: { userClass
> es { name { "cn=nl04748,ou=users,dc=orrtiz,dc=com" } }, userPermissions { {
> protectedItems { allUserAttributeTypesAndValues, entry }, grantsAndDenials
> { grantReturnDN, grantFilterMatch, grantBrowse, grantCompare, grantAdd, gr
> antInvoke, grantModify, grantImport, grantDiscloseOnError, grantRename, gra
> ntRemove, grantRead, grantExport } } } } }
> prescriptiveACI: { identificationTag "allUsersACI", precedence 10, authentic
> ationLevel none, itemOrUserFirst userFirst: { userClasses { allUsers }, use
> rPermissions { { protectedItems { allUserAttributeTypesAndValues, entry },
> grantsAndDenials { grantReturnDN, grantFilterMatch, grantBrowse, grantCompa
> re, grantDiscloseOnError, grantRead } }, { protectedItems { attributeType {
> userPassword } }, grantsAndDenials { denyRead, denyFilterMatch, denyCompar
> e } } } } }
> subtreeSpecification: { base "dc=orrtiz,dc=com" }
> accessControlSubentries: 2.5.4.3=orrtizacisubentry,0.9.2342.19200300.100.1.2
> 5=orrtiz,0.9.2342.19200300.100.1.25=com
> createTimestamp: 20140325182443.296Z
> creatorsName: 0.9.2342.19200300.100.1.1=admin,2.5.4.11=system
> entryCSN: 20140325200009.087000Z#000000#001#000000
> entryDN: cn=orrtizAuthReqACISubEntry,dc=orrtiz,dc=com
> entryParentId: a22442b4-f41f-46bb-89d8-e567ed1a5800
> entryUUID:: MWViMTQxMDktNzEzOC00NzFkLTlmYzEtZTgyMTM1NzI1ZDU1
> modifiersName: 0.9.2342.19200300.100.1.1=admin,2.5.4.11=system
> modifyTimestamp: 20140325200009.087Z
> The difference between the two is the subtreeSpecifications whereby the first
> is {}, and the second { base "dc=orrtiz,dc=com" }
> Deleting the first ACI generates no problem. Deleting the second ACI
> generates following error:
> #!RESULT ERROR
> #!CONNECTION ldap://director.somonar.prd:389
> #!DATE 2014-03-25T20:38:04.044
> #!ERROR [LDAP: error code 80 - OTHER: failed for MessageType : DEL_REQUEST
> Message ID : 23 Del request Entry :
> 'cn=orrtizAuthReqACISubEntry,dc=orrtiz,dc=com'
> org.apache.directory.api.ldap.model.message.DeleteRequestImpl@90241f8: null:
> java.lang.NullPointerException at
> org.apache.directory.server.core.subtree.SubentryInterceptor.delete(SubentryInterceptor.java:1043)
> at
> org.apache.directory.server.core.api.interceptor.BaseInterceptor.next(BaseInterceptor.java:490)
> at
> org.apache.directory.server.core.operational.OperationalAttributeInterceptor.delete(OperationalAttributeInterceptor.java:462)
> at
> org.apache.directory.server.core.api.interceptor.BaseInterceptor.next(BaseInterceptor.java:490)
> at
> org.apache.directory.server.core.exception.ExceptionInterceptor.delete(ExceptionInterceptor.java:207)
> at
> org.apache.directory.server.core.api.interceptor.BaseInterceptor.next(BaseInterceptor.java:490)
> at
> org.apache.directory.server.core.admin.AdministrativePointInterceptor.delete(AdministrativePointInterceptor.java:1261)
> at
> org.apache.directory.server.core.api.interceptor.BaseInterceptor.next(BaseInterceptor.java:490)
> at
> org.apache.directory.server.core.authz.DefaultAuthorizationInterceptor.delete(DefaultAuthorizationInterceptor.java:172)
> at
> org.apache.directory.server.core.api.interceptor.BaseInterceptor.next(BaseInterceptor.java:490)
> at
> org.apache.directory.server.core.authz.AciAuthorizationInterceptor.delete(AciAuthorizationInterceptor.java:678)
> at
> org.apache.directory.server.core.api.interceptor.BaseInterceptor.next(BaseInterceptor.java:490)
> at
> org.apache.directory.server.core.referral.ReferralInterceptor.delete(ReferralInterceptor.java:288)
> at
> org.apache.directory.server.core.api.interceptor.BaseInterceptor.next(BaseInterceptor.java:490)
> at
> org.apache.directory.server.core.authn.AuthenticationInterceptor.delete(AuthenticationInterceptor.java:749)
> at
> org.apache.directory.server.core.api.interceptor.BaseInterceptor.next(BaseInterceptor.java:490)
> at
> org.apache.directory.server.core.normalization.NormalizationInterceptor.delete(NormalizationInterceptor.java:174)
> at
> org.apache.directory.server.core.DefaultOperationManager.delete(DefaultOperationManager.java:641)
> at
> org.apache.directory.server.core.shared.DefaultCoreSession.delete(DefaultCoreSession.java:923)
> at
> org.apache.directory.server.core.shared.DefaultCoreSession.delete(DefaultCoreSession.java:906)
> at
> org.apache.directory.server.ldap.handlers.request.DeleteRequestHandler.handle(DeleteRequestHandler.java:55)
> at
> org.apache.directory.server.ldap.handlers.request.DeleteRequestHandler.handle(DeleteRequestHandler.java:39)
> at
> org.apache.directory.server.ldap.handlers.LdapRequestHandler.handleMessage(LdapRequestHandler.java:207)
> at
> org.apache.directory.server.ldap.handlers.LdapRequestHandler.handleMessage(LdapRequestHandler.java:56)
> at
> org.apache.mina.handler.demux.DemuxingIoHandler.messageReceived(DemuxingIoHandler.java:221)
> at
> org.apache.directory.server.ldap.LdapProtocolHandler.messageReceived(LdapProtocolHandler.java:217)
> at
> org.apache.mina.core.filterchain.DefaultIoFilterChain$TailFilter.messageReceived(DefaultIoFilterChain.java:690)
> at
> org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:417)
> at
> org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1200(DefaultIoFilterChain.java:47)
> at
> org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.messageReceived(DefaultIoFilterChain.java:765)
> at
> org.apache.mina.core.filterchain.IoFilterEvent.fire(IoFilterEvent.java:74) at
> org.apache.mina.core.session.IoEvent.run(IoEvent.java:63) at
> org.apache.mina.filter.executor.UnorderedThreadPoolExecutor$Worker.runTask(UnorderedThreadPoolExecutor.java:474)
> at
> org.apache.mina.filter.executor.UnorderedThreadPoolExecutor$Worker.run(UnorderedThreadPoolExecutor.java:428)
> at java.lang.Thread.run(Thread.java:662) ]
> dn: cn=orrtizAuthReqACISubEntry,dc=orrtiz,dc=com
> changetype: delete
> I did this with uid=admin,ou=system.
--
This message was sent by Atlassian JIRA
(v6.2#6252)
