OpenDJ / OPENDJ-2784

Modify RDN does not work if there are ACIs with targetattrfilters deny(write) on ldap:///anyone

Details

    • Type: Bug
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 3.0.0, 2.6.3
    • Fix Version/s: None
    • Component/s: access control
    • Environment: OpenDJ 2.6.3 and 3.0.0
    • Sprint: DJ Sustaining 29, DJ Sustaining 30, DJ Sustaining Sprint 31, DJ Sustaining Sprint 32, DJ Sustaining Sprint 33, DJ Sustaining Sprint 34

Description

1. Create a simple dc=example,dc=com directory with say 5 default users (user.0, ... user.5)

2. Create the following aci

    dn: ou=people,dc=example,dc=com
    changetype: modify
    replace: aci
    aci: (targattrfilters="add=uid:(uid=owner-*)")(version 3.0; acl "testcase-aci"; deny (add,write) userdn = "ldap:///anyone";)
    aci: (targetattr="+||*")(version 3.0; acl "testcase-admin-aci"; allow (all,import,export) userdn = "ldap:///uid=user.0,ou=people,dc=example,dc=com";)

3. Try to rename user.2 to user.20

    dn: uid=user.2,ou=people,dc=example,dc=com
    changetype: modrdn
    newrdn: uid=user.20
    deleteoldrdn: 1
    newsuperior: ou=people,dc=example,dc=com

one gets

    Result Code:  50 (Insufficient Access Rights)
    Additional Information:  The entry uid=user.2,ou=people,dc=example,dc=com cannot be renamed due to insufficient access rights

The issue seems to be due to this ACI

    aci: (targattrfilters="add=uid:(uid=owner-*)")(version 3.0; acl "testcase-aci"; deny (add,write) userdn = "ldap:///anyone";)

Even if the targattrfilters are changed to anything else, the access is denied. It seems that this aci is applied for modrdn especially, compared to normal operations. (Normal individual ldap operations like creating new users work, and those with the deny targattrfilters also work as expected.)

Ref: http://opendj.forgerock.org/doc/admin-guide/index/chap-privileges-acis.html was checked, but this behaviour does not sound right.
(Checked OPENDJ-895, but this looks a bit different from that too.)
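To make the expected outcome of step 3 concrete, here is an added illustration (not OpenDJ's code) of how a targattrfilters rule is evaluated against a rename under the documented semantics: the modrdn adds the uid value user.20 and, because deleteoldrdn is 1, deletes user.2; the add=uid:(uid=owner-*) rule fires only when an added uid value fits the filter, so this rename would not be matched by testcase-aci. The function names and the simplified filter parser (single equality/substring filters only) are assumptions of the example.

```python
import re
from typing import Dict, List, Tuple

# Constructed from the reproduction steps in this issue.
TARGATTRFILTERS = "add=uid:(uid=owner-*)"
RENAME_USER2 = {"dn": "uid=user.2,ou=people,dc=example,dc=com",
                "newrdn": "uid=user.20", "deleteoldrdn": True}

def parse_targattrfilters(spec: str) -> Dict[str, List[Tuple[str, str]]]:
    """Parse 'add=attr:(filter) && attr:(filter); del=attr:(filter)' into {op: [(attr, filter)]}."""
    rules: Dict[str, List[Tuple[str, str]]] = {}
    for clause in spec.split(";"):
        if not clause.strip():
            continue
        op, _, body = clause.strip().partition("=")
        pairs = []
        for item in body.split("&&"):
            attr, _, ldap_filter = item.strip().partition(":")
            pairs.append((attr.strip(), ldap_filter.strip()))
        rules[op.strip()] = pairs
    return rules

def filter_matches(ldap_filter: str, attr: str, value: str) -> bool:
    """Evaluate one equality/substring filter such as '(uid=owner-*)' against a single value."""
    m = re.fullmatch(r"\(([\w-]+)=(.*)\)", ldap_filter)
    if m is None or m.group(1).lower() != attr.lower():
        return False
    pattern = re.escape(m.group(2)).replace(r"\*", ".*")  # LDAP '*' is a substring wildcard
    return re.fullmatch(pattern, value, re.IGNORECASE) is not None

def rdn_values(rdn: str) -> List[Tuple[str, str]]:
    """Split 'uid=user.20' (or a multi-valued 'cn=a+sn=b') into (attribute, value) pairs."""
    pairs = []
    for ava in rdn.split("+"):
        attr, _, value = ava.partition("=")
        pairs.append((attr.strip(), value.strip()))
    return pairs

def modrdn_value_changes(modrdn: dict) -> List[Tuple[str, str, str]]:
    """A rename adds the new RDN value(s); with deleteoldrdn it also deletes the old one(s)."""
    old_rdn = modrdn["dn"].split(",", 1)[0]
    changes = [("add", a, v) for a, v in rdn_values(modrdn["newrdn"])]
    if modrdn["deleteoldrdn"]:
        changes += [("del", a, v) for a, v in rdn_values(old_rdn)]
    return changes

def deny_applies(spec: str, modrdn: dict) -> bool:
    """True only if a value the rename actually adds/deletes matches the corresponding rule."""
    rules = parse_targattrfilters(spec)
    return any(rule_attr.lower() == attr.lower() and filter_matches(f, attr, value)
               for op, attr, value in modrdn_value_changes(modrdn)
               for rule_attr, f in rules.get(op, []))
```

Renaming to uid=owner-2 instead would match the filter, which is the case the deny rule is meant to cover.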

People

    • Assignee: Chris Ridd (cjr)
    • Reporter: C-Weng C (chee-weng.chea)
