  1. Directory ApacheDS
  2. DIRSERVER-257

[Access Control] Autonomous areas for AC must not overlap

    Details

    • Type: Improvement
    • Status: Open
    • Priority: Trivial
    • Resolution: Unresolved
    • Affects Version/s: 1.0.2, 1.5.0
    • Fix Version/s: 2.1.0
    • Component/s: core
    • Labels:
      None

      Description

      Presently the subentry subsystem associates entries with all selecting subentries regardless of autonomous area demarcations. What this means is AAAs can overlap. When the AP of an accessControlSpecificArea is the descendant of the AP of another accessControlSpecificArea those areas should not intersect such that the subentries of the first area do not affect entries of the second area. This is not the case. The subentry subsystem associates entries with affecting subentries without checking to see if those subentries are in a different AAA in these configurations where an AAA is under another AAA.

      We need to track all APs of AAAs within the system. Before associating an entry with an AP's subentries, checks should be made to determine under which AAA the entry resides. Only those subentries associated with that AAA should be associated with the entry.

        Activity

        elecharny Emmanuel Lecharny added a comment -

        This is due to the fact we don't currently support Inner AP. All our AAA are IAP in fact.

        I don't think we can fix that for 2.0, I would rather do it for 2.1.

        Note that it's a problem that can be worked around by adding a chopAfter restriction, where the DN used on the chopAfter is the lower AP DN.

        elecharny Emmanuel Lecharny added a comment -

        Postponed to 2.0.0-RC1

        elecharny Emmanuel Lecharny added a comment -

        Postponed.

        elecharny Emmanuel Lecharny added a comment -

        Postponed to 1.0.3 and 1.5.2

        akarasulu Alex Karasulu added a comment -

        Really this is trivial.

        akarasulu Alex Karasulu added a comment -

        For now this is acceptable. Until we get users using the standard single AA configuration we should not be worried about this. It's so minor. If users really want this to follow full X.500 standards we can fix this.

        akarasulu Alex Karasulu added a comment -

        Note that this bug makes AAA's under other AAA's behave like inner administrative areas.
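
Added example, not part of the issue thread and not ApacheDS code: a simplified Python model of the association rule the description asks for, shown next to the reported behaviour and the chopAfter workaround mentioned in the first comment. The DNs, subentry names and the use of absolute DNs for chopAfter are constructed assumptions.

```python
# Simplified model, not ApacheDS code. DNs are tuples of lowercased RDNs,
# leaf first; all names and DNs below are constructed sample data.

def parse_dn(dn):
    return tuple(rdn.strip().lower() for rdn in dn.split(","))

def is_under(dn, base):
    """True when dn equals base or is a descendant of base."""
    return dn[len(dn) - len(base):] == base

def selects(sub, entry):
    """Subtree match with chopAfter: a chop point itself is retained,
    only its subordinates are excluded. Chop DNs are absolute here."""
    if not is_under(entry, sub["ap"]):
        return False
    return not any(is_under(entry, c) and entry != c for c in sub.get("chop_after", ()))

def governing_aaa(entry, aaa_points):
    """Deepest tracked AAA administrative point at or above the entry."""
    return max((ap for ap in aaa_points if is_under(entry, ap)), key=len, default=None)

def reported_association(entry, subentries):
    """Behaviour the issue describes: area boundaries are ignored."""
    return [s["name"] for s in subentries if selects(s, entry)]

def bounded_association(entry, subentries, aaa_points):
    """Requested behaviour: only subentries of the entry's own AAA apply."""
    home = governing_aaa(entry, aaa_points)
    return [s["name"] for s in subentries if s["ap"] == home and selects(s, entry)]

UPPER = parse_dn("dc=example,dc=com")
LOWER = parse_dn("ou=hr,dc=example,dc=com")
AAA_POINTS = [UPPER, LOWER]
SUBENTRIES = [{"name": "cn=upperACI", "ap": UPPER}, {"name": "cn=lowerACI", "ap": LOWER}]
# Workaround from the comments: the upper subentry chops after the lower AP DN.
WORKAROUND = [{"name": "cn=upperACI", "ap": UPPER, "chop_after": [LOWER]}, SUBENTRIES[1]]

ALICE = parse_dn("uid=alice,ou=hr,dc=example,dc=com")   # inside the lower AAA
BOB = parse_dn("uid=bob,ou=sales,dc=example,dc=com")    # only in the upper AAA

if __name__ == "__main__":
    print("reported:", reported_association(ALICE, SUBENTRIES))
    print("bounded: ", bounded_association(ALICE, SUBENTRIES, AAA_POINTS))
    print("chopped: ", reported_association(ALICE, WORKAROUND))
    print("outside: ", bounded_association(BOB, SUBENTRIES, AAA_POINTS))
```

In this model the chopAfter workaround still leaves the lower AP entry itself selected by the upper subentry, because chopAfter retains the named entry and excludes only its subordinates.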


          People

          • Assignee:
            akarasulu Alex Karasulu
            Reporter:
            akarasulu Alex Karasulu