Uploaded image for project: 'OpenDJ'
  1. OpenDJ
  2. OPENDJ-2748

dsconfig --batch and --batchFilePath fail when configuring the global-aci.

    Details

    • Type: Bug
    • Status: Done
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 4.0.0, 3.0.1, 3.0.0, 2.6.3
    • Fix Version/s: 4.0.0
    • Component/s: tools
    • Support Ticket IDs:

      Description

      Using dsconfig in "interactive mode" works when removing or adding global-aci's, but the same commands saved with --commandFilePath fail when using --batch or --batchFilePath. The batch sub-commands can fail highlighting syntax errors or silently with no errors at all.

      Related enhancement: OPENDJ-1840

      ds-cfg-global-aci: (targetattr!="userPassword||authPassword||debugsearchindex||changes||changeNumber||changeType||changeTime||targetDN||newRDN||newSuperior||deleteOldRDN")(version 3.0; acl "Anonymous read access"; allow (read,search,compare) userdn="ldap:///anyone"

      If the above were added or removed using dsconfig in interactive mode, the following command file is produced.

      1. dsconfig session start date: 07/Mar/2016:16:14:22 +0000
      1. Session operation number: 1
      2. Operation date: 07/Mar/2016:16:14:46 +0000
        dsconfig set-access-control-handler-prop \
        --remove global-aci:(targetattr!=\"userPassword||authPassword||debugsearchindex||changes||changeNumber||changeType||changeTime||targetDN||newRDN||newSuperior||deleteOldRDN\")(version\ 3.0\;\ acl\ \"Anonymous\ read\ access\"\;\ allow\ (read,search,compare)\ userdn=\"ldap:///anyone\"\;) \
        --no-prompt

      If you remove the comments and process this using --batchFilePath or paste it into an interactive --batch the command fails.

      Example: --batchFilePath

      opendj; bin/$ cat batchfile 
      set-access-control-handler-prop \
                --remove global-aci:\(targetattr!=\"userPassword\|\|authPassword\|\|debugsearchindex\|\|changes\|\|changeNumber\|\|changeType\|\|changeTime\|\|targetDN\|\|newRDN\|\|newSuperior\|\|deleteOldRDN\"\)\(version\ 3.0\;\ acl\ \"Anonymous\ read\ access\"\;\ allow\ \(read,search,compare\)\ userdn=\"ldap:///anyone\"\;\) \
                --no-prompt
      
      opendj; bin/$ ./dsconfig --no-prompt --trustAll --port 4444 --hostname opendj.forgerock.com --bindDN "cn=Directory Manager" --bindPassword password --batchFilePath ./batchfile 
      set-access-control-handler-prop           --remove
      global-aci:\(targetattr!=\userPassword\|\|authPassword\|\|debugsearchindex\|\|changes\|\|changeNumber\|\|changeType\|\|changeTime\|\|targetDN\|\|newRDN\|\|newSuperior\|\|deleteOldRDN\\)\(version##3.0\;##acl##\Anonymous\##read\##access\\;##allow##\(read,search,compare\)##userdn=\ldap:///anyone\\;\)
      --no-prompt
      
      The value
      "\(targetattr!=\userPassword\|\|authPassword\|\|debugsearchindex\|\|changes\|\|changeNumber\|\|changeType\|\|changeTime\|\|targetDN\|\|newRDN\|\|newSuperior\|\|deleteOldRDN\\)\(version
      3.0\; acl \Anonymous\ read\ access\\; allow \(read,search,compare\)
      userdn=\ldap:///anyone\\;\)" is not a valid value for the "global-aci"
      property, which must have the following syntax: ACI
      

      Example: --batch (same command)

      opendj; bin/$ ./dsconfig --no-prompt --trustAll --port 4444 --hostname opendj.forgerock.com --bindDN "cn=Directory Manager" --bindPassword password --batch
      set-access-control-handler-prop \
                --remove global-aci:\(targetattr!=\"userPassword\|\|authPassword\|\|debugsearchindex\|\|changes\|\|changeNumber\|\|changeType\|\|changeTime\|\|targetDN\|\|newRDN\|\|newSuperior\|\|deleteOldRDN\"\)\(version\ 3.0\;\ acl\ \"Anonymous\ read\ access\"\;\ allow\ \(read,search,compare\)\ userdn=\"ldap:///anyone\"\;\) 
      set-access-control-handler-prop           --remove
      global-aci:\(targetattr!=\userPassword\|\|authPassword\|\|debugsearchindex\|\|changes\|\|changeNumber\|\|changeType\|\|changeTime\|\|targetDN\|\|newRDN\|\|newSuperior\|\|deleteOldRDN\\)\(version##3.0\;##acl##\Anonymous\##read\##access\\;##allow##\(read,search,compare\)##userdn=\ldap:///anyone\\;\)
      The value
      "\(targetattr!=\userPassword\|\|authPassword\|\|debugsearchindex\|\|changes\|\|changeNumber\|\|changeType\|\|changeTime\|\|targetDN\|\|newRDN\|\|newSuperior\|\|deleteOldRDN\\)\(version
      3.0\; acl \Anonymous\ read\ access\\; allow \(read,search,compare\)
      userdn=\ldap:///anyone\\;\)" is not a valid value for the "global-aci"
      property, which must have the following syntax: ACI
      ---
      

      Example: --batch with the raw un-escaped aci.

      opendj; bin/$ ./dsconfig --no-prompt --trustAll --port 4444 --hostname opendj.forgerock.com --bindDN "cn=Directory Manager" --bindPassword password --batch
      set-access-control-handler-prop --remove global-aci:(targetattr!="userPassword||authPassword||debugsearchindex||changes||changeNumber||changeType||changeTime||targetDN||newRDN||newSuperior||deleteOldRDN")(version 3.0; acl "Anonymous read access"; allow (read,search,compare) userdn="ldap:///anyone";)
      set-access-control-handler-prop --remove
      global-aci:(targetattr!=userPassword||authPassword||debugsearchindex||changes||changeNumber||changeType||changeTime||targetDN||newRDN||newSuperior||deleteOldRDN)(version
      3.0; acl Anonymous##read##access; allow (read,search,compare)
      userdn=ldap:///anyone;)
      An error occurred while parsing the command-line arguments: Argument "3.0;"
      does not start with one or two dashes and unnamed trailing arguments are not
      allowed
      
      See "dsconfig --help" to get more usage help
      ---
      
      All non-global-aci based batch files process properly
      
      opendj; bin/$ cat batch.db-cache 
      set-backend-prop \
                --backend-name userRoot \
                --set db-cache-percent:80 \
                --no-prompt
      opendj; bin/$ ./dsconfig --no-prompt --trustAll --port 4444 --hostname opendj.forgerock.com --bindDN "cn=Directory Manager" --bindPassword password --batchFilePath ./batch.db-cache 
      set-backend-prop           --backend-name userRoot           --set
      db-cache-percent:80           --no-prompt
      
      [07/Mar/2016:09:46:03 -0700] MODIFY REQ conn=5 op=6 msgID=7 dn="ds-cfg-backend-id=userRoot,cn=Backends,cn=config"
      [07/Mar/2016:09:46:03 -0700] MODIFY RES conn=5 op=6 msgID=7 result=0 etime=13
      

        Attachments

          Issue Links

            Activity

              People

              • Assignee:
                fabiop Fabio Pistolesi
                Reporter:
                lee.trujillo Lee Trujillo
                QA Assignee:
                Ondrej Fuchsik
              • Votes:
                0 Vote for this issue
                Watchers:
                4 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: