Directory ApacheDS: DIRSERVER-1680

allUsersSearchAndCompareACI doesn't work on service restart

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Duplicate
    • Affects Version/s: 1.5.7
    • Fix Version/s: None
    • Component/s: None
    • Labels: None
    • Environment: server on Windows XP SP3

      Description

      I have an allUsersSearchAndCompareACI set up to allow only authenticated users to read the server, and another ACI directoryManagerFullAccessACI set up to allow privileged users/services in the group cn=ldap-admin,ou=groups,o=foobar to access LDAP and have editing rights. I have a number of these privileged users/services, and they can authenticate, but not see any of the LDAP tree (just an empty Root DSE), until I rewrite the ACI info, at which point they work perfectly... until the service or the computer it's on resets, and the problem re-occurs. (The uid=admin,ou=system account can access everything just fine.)

      The allUsersSearchAndCompareACI ACI source looks like this:

      {
          identificationTag "allUsersSearchAndCompareACI",
          precedence 10,
          authenticationLevel simple,
          itemOrUserFirst userFirst: 
          {
              userClasses { allUsers },
              userPermissions 
              {
                  {
                      protectedItems { entry, allUserAttributeTypesAndValues },
                      grantsAndDenials 
                      {
                          grantDiscloseOnError,
                          grantRead,
                          grantReturnDN,
                          grantBrowse,
                          grantCompare,
                          grantFilterMatch 
                      }
                  }
                  ,
                  {
                      protectedItems 
                      {
                          attributeType { userPassword } 
                      }
                      ,
                      grantsAndDenials 
                      {
                          denyFilterMatch,
                          denyRead,
                          denyCompare 
                      }
                  }
              }
          }
      }
      

      The directoryManagerACI looks like this:

      {
          identificationTag "directoryManagerFullAccessACI",
          precedence 11,
          authenticationLevel simple,
          itemOrUserFirst userFirst: 
          {
              userClasses 
              {
                  userGroup { "cn=ldap-admin,ou=groups,o=foobar" } 
              }
              ,
              userPermissions 
              {
                  {
                      protectedItems { entry, allUserAttributeTypesAndValues },
                      grantsAndDenials 
                      {
                          grantModify,
                          grantRead,
                          grantBrowse,
                          grantFilterMatch,
                          grantExport,
                          grantRemove,
                          grantDiscloseOnError,
                          grantAdd,
                          grantReturnDN,
                          grantInvoke,
                          grantRename,
                          grantImport,
                          grantCompare 
                      }
                  }
              }
          }
      }
      

      My LDAP tree looks like this (my comments in /* */):

      o=foobar
          cn=acientry1          /* contains the two ACI above */
          ou=groups
              /* various groups elided */
              cn=ldap-admin
      ou=schema
          /* other stuff */
      ou=system
          uid=admin
          /* other stuff */
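As an added illustration (not part of the report and not ApacheDS code), the following Python script parses the two ACI items quoted above with a small hypothetical parser for the brace syntax they use, then summarises per ACI which user classes receive which grants on which protected items and whether userPassword stays readable. The sample ACI text is copied from the report; the parser handles only the constructs that occur in it.

```python
"""Parser and summariser for the X.501 ACIItem brace syntax used by ApacheDS.
Added example, not ApacheDS code: the parser is hypothetical and covers only
the constructs that appear in the two ACIs quoted in this report."""
import re

# Sample input: the two ACIs from the report, reflowed but otherwise unchanged.
ALL_USERS_ACI = """
{ identificationTag "allUsersSearchAndCompareACI", precedence 10,
  authenticationLevel simple,
  itemOrUserFirst userFirst:
  { userClasses { allUsers },
    userPermissions
    { { protectedItems { entry, allUserAttributeTypesAndValues },
        grantsAndDenials { grantDiscloseOnError, grantRead, grantReturnDN,
                           grantBrowse, grantCompare, grantFilterMatch } },
      { protectedItems { attributeType { userPassword } },
        grantsAndDenials { denyFilterMatch, denyRead, denyCompare } } } } }
"""
DIRECTORY_MANAGER_ACI = """
{ identificationTag "directoryManagerFullAccessACI", precedence 11,
  authenticationLevel simple,
  itemOrUserFirst userFirst:
  { userClasses { userGroup { "cn=ldap-admin,ou=groups,o=foobar" } },
    userPermissions
    { { protectedItems { entry, allUserAttributeTypesAndValues },
        grantsAndDenials { grantModify, grantRead, grantBrowse, grantFilterMatch,
                           grantExport, grantRemove, grantDiscloseOnError, grantAdd,
                           grantReturnDN, grantInvoke, grantRename, grantImport,
                           grantCompare } } } } }
"""

# Tokens: quoted strings (DNs contain commas), braces/comma/colon, bare words.
TOKEN_RE = re.compile(r'"[^"]*"|[{},:]|[A-Za-z0-9_.=\-]+')


def tokenize(text):
    return TOKEN_RE.findall(text)


def parse_set(tokens, pos=0):
    """Parse '{ elem, elem, ... }' at tokens[pos]. Each elem is a list of words
    and nested sets. Returns (elements, index just past the closing brace)."""
    assert tokens[pos] == "{", "expected '{'"
    pos += 1
    elements, current = [], []
    while tokens[pos] != "}":
        tok = tokens[pos]
        if tok == "{":
            sub, pos = parse_set(tokens, pos)
            current.append(sub)
            continue
        if tok == ",":
            elements.append(current)
            current = []
        elif tok != ":":                    # the colon in 'userFirst:' carries no value
            current.append(tok.strip('"'))
        pos += 1
    if current:
        elements.append(current)
    return elements, pos + 1


def as_dict(elements):
    """'key value ...' elements -> {key: value}; a lone value is unwrapped."""
    out = {}
    for elem in elements:
        key, rest = elem[0], elem[1:]
        out[key] = rest[0] if len(rest) == 1 else rest
    return out


def names(elements):
    """Flatten { entry, attributeType { userPassword } } into
    ['entry', 'attributeType:userPassword']; also used for userClasses."""
    result = []
    for elem in elements:
        if len(elem) == 1:
            result.append(elem[0])
        else:                               # 'attributeType { a, b }', 'userGroup { "dn" }'
            result.extend(f"{elem[0]}:{inner[0]}" for inner in elem[1])
    return result


def summarize(aci_text):
    """Return tag, precedence, user classes and a (protectedItems, grants)
    pair per userPermission. Only the userFirst form is handled."""
    top = as_dict(parse_set(tokenize(aci_text))[0])
    _mode, body = top["itemOrUserFirst"]
    body = as_dict(body)
    perms = [(names(p["protectedItems"]), names(p["grantsAndDenials"]))
             for p in (as_dict(perm[0]) for perm in body["userPermissions"])]
    return {"tag": top["identificationTag"], "precedence": int(top["precedence"]),
            "userClasses": names(body["userClasses"]), "permissions": perms}


def password_readers(aci_text):
    """User classes this ACI lets read userPassword: grantRead on
    allUserAttributeTypesAndValues with no denyRead on attributeType:userPassword."""
    s = summarize(aci_text)
    broad_read = any("allUserAttributeTypesAndValues" in items and "grantRead" in grants
                     for items, grants in s["permissions"])
    pw_denied = any("attributeType:userPassword" in items and "denyRead" in grants
                    for items, grants in s["permissions"])
    return s["userClasses"] if broad_read and not pw_denied else []


if __name__ == "__main__":
    for text in (ALL_USERS_ACI, DIRECTORY_MANAGER_ACI):
        s = summarize(text)
        print(f'{s["tag"]} (precedence {s["precedence"]}) for {s["userClasses"]}')
        for items, grants in s["permissions"]:
            print("   ", items, "->", grants)
        print("    userPassword readable by:", password_readers(text) or "nobody")
```

Run it directly to print the summary. The script evaluates each ACI on its own: it does not model how ApacheDS combines several ACIs, where the higher precedence value takes priority when both apply, and it cannot reproduce the restart behaviour described in the report, which needs a live server to observe.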

        Activity

        Jason Sachs added a comment -

        Hmm, might be a duplicate of DIRSERVER-1524 (sorry, I should have searched more carefully before posting)

        Emmanuel Lecharny added a comment -

        Duplicate of DIRSERVER-1524

          People

          • Assignee: Unassigned
          • Reporter: Jason Sachs
          • Votes: 0
          • Watchers: 1