
Resolution Date: 17/Aug/06 08:54 PM
Description

As mentioned by Gianmaria Clerici, the use of com.sun.jndi.ldap.LdapCtxFactory instead of org.apache.ldap.server.jndi.CoreContextFactory as the INITIAL_CONTEXT_FACTORY makes ACIs not work.

Here is an explanation of the problem I sent on the list:

I have some trouble adding some ACIs on ou=system to enable users to do what they want with their own entry.
I added an "accessControlSpecificArea" value to the "administrativeRole" attribute on ou=system.
I used the following subtree specification: "{}" and the following value for my prescriptiveACI on the accessControlSubentry I created under ou=system:

    { identificationTag "enableUserSelfModification", precedence 1,
      authenticationLevel simple, itemOrUserFirst userFirst:{ userClasses {
      thisEntry }, userPermissions { { protectedItems { entry,
      allUserAttributeTypesAndValues }, grantsAndDenials { grantAdd,
      grantRemove, grantModify, grantFilterMatch, grantCompare, grantRead,
      grantReturnDN, grantBrowse } } } } }

When I create a new user with admin rights and try to log in under this user, I get a 50 error code: noPermission. This is not a 49 error code: AuthenticationException.
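The ACI value above is the X.501 ACIItem brace syntax that ApacheDS expects in a prescriptiveACI. As an added example (not code from the report or from ApacheDS), here is a small Python parser that summarises what such an item grants, so a prescriptive ACI can be reviewed before it is loaded into an accessControlSubentry; the sample is the ACI quoted in the report, and the parser also handles nested user classes such as name { "..." } and deny* entries. It assumes the userFirst form used here.

```python
import re

# Constructed sample: the prescriptiveACI quoted in the report above, on one line.
ACI_TEXT = ('{ identificationTag "enableUserSelfModification", precedence 1, '
            'authenticationLevel simple, itemOrUserFirst userFirst:{ userClasses { thisEntry }, '
            'userPermissions { { protectedItems { entry, allUserAttributeTypesAndValues }, '
            'grantsAndDenials { grantAdd, grantRemove, grantModify, grantFilterMatch, '
            'grantCompare, grantRead, grantReturnDN, grantBrowse } } } } }')

def parse(aci_text):
    """Parse the X.501 ACIItem brace syntax into a group: a list of items, each
    item being a list of bare tokens and nested groups (quoted strings stay whole)."""
    tokens = re.findall(r'"[^"]*"|[{}:,]|[^\s{}:,"]+', aci_text)
    def group(i):                      # tokens[i] is the opening '{'
        items, cur, i = [], [], i + 1
        while tokens[i] != '}':        # an IndexError here means a missing '}'
            if tokens[i] == '{':
                sub, i = group(i)
                cur.append(sub)
            elif tokens[i] == ',':
                items, cur, i = items + [cur], [], i + 1
            else:
                cur, i = cur + [tokens[i]], i + 1
        return items + [cur], i + 1    # step past the closing '}'
    tree, end = group(0) if tokens[:1] == ['{'] else (None, -1)
    if tree is None or end != len(tokens):
        raise ValueError("not a single brace-balanced ACIItem")
    return tree

def render(item):                      # item text back, nested groups in braces
    return " ".join(t if isinstance(t, str) else
                    "{ " + ", ".join(map(render, t)) + " }" for t in item)

def summarize(aci_text):
    """Pull out the fields a reviewer checks before loading a userFirst prescriptiveACI."""
    top = {item[0]: item[1:] for item in parse(aci_text)}
    body = {item[0]: item[1] for item in top["itemOrUserFirst"][-1]}
    perms = []
    for item in body["userPermissions"]:
        fields = {f[0]: f[1] for f in item[0]}
        names = [render(g) for g in fields["grantsAndDenials"]]
        perms.append({"protectedItems": [render(p) for p in fields["protectedItems"]],
                      "grants": [n for n in names if n.startswith("grant")],
                      "denials": [n for n in names if n.startswith("deny")]})
    return {"identificationTag": top["identificationTag"][0].strip('"'),
            "precedence": int(top["precedence"][0]),
            "authenticationLevel": top["authenticationLevel"][0],
            "userClasses": [render(c) for c in body["userClasses"]],
            "permissions": perms}
```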
made changes - 17/Aug/06 08:54 PM

Field | Original Value | New Value
Resolution | | Won't Fix
Status | Open | Closed
Just adding my original email:
================================================
I have been testing some of the examples from AddAuthorizationTest.java and I am not able to get them to work when I have an actual LDAP server running.
The examples in AddAuthorizationTest.java will use the class org.apache.ldap.server.jndi.CoreContextFactory as the INITIAL_CONTEXT_FACTORY, and they seem to work fine.
But if I start my own LDAP server (with accessControlEnabled set to true) and change AddAuthorizationTest.java to use com.sun.jndi.ldap.LdapCtxFactory instead, the tests will fail when trying to bind with:
javax.naming.NoPermissionException: [LDAP: error code 50 - Bind failed]
I wonder if they have never been tested with com.sun.jndi.ldap.LdapCtxFactory.
================================================
I did debug the issue a bit and it seems related to the fact that when we try to look up the tuples in AuthorizationService.addPerscriptiveAciTuples(), we do not find them.
And we don't find them because the parameter name is set to "".
I do not fully understand why, but it seems to me that this value is coming from:
java.naming.provider.url=""
But instead it should be:
java.naming.provider.url="ou=system"
When I changed AbstractAuthorizationTest.getContextAs(), this is what I did to make the connection use the LDAP context factory.
And in this case dn="ou=system".
So I was expecting java.naming.provider.url to be "ou=system".
Anyway, I am not sure, but this is all I found.
    import java.util.Hashtable;
    import javax.naming.Name;
    import javax.naming.NamingException;
    import javax.naming.directory.DirContext;
    import javax.naming.directory.InitialDirContext;

    // Modified AbstractAuthorizationTest.getContextAs(): with useLDAP set, the tests
    // bind over the wire via the Sun LDAP provider instead of the in-VM CoreContextFactory.
    public DirContext getContextAs( Name user, String password, String dn ) throws NamingException
    {
        Hashtable env = ( Hashtable ) sysRoot.getEnvironment().clone();
        if ( useLDAP ) {
            env.put( "java.naming.factory.initial", "com.sun.jndi.ldap.LdapCtxFactory" );
            // The base DN rides in the URL path; in this configuration the ACI tuple lookup ran with name "".
            env.put( DirContext.PROVIDER_URL, "ldap://localhost:389/" + dn );
        } else {
            // In-VM provider: the DN itself is the provider URL.
            env.put( DirContext.PROVIDER_URL, dn );
        }
        env.put( DirContext.SECURITY_AUTHENTICATION, "simple" );
        env.put( DirContext.SECURITY_PRINCIPAL, user.toString() );
        env.put( DirContext.SECURITY_CREDENTIALS, password );
        return new InitialDirContext( env );
    }