  1. OpenDJ
  2. OPENDJ-7099

Query for AclRightsInfos can throw an exception due to invalid attribute description

Details

    • Type: Bug
    • Status: Done
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: 6.5.2, 6.5.3, 7.0.0
    • Fix Version/s: 7.0.0
    • Component/s: access control

    Description

      Install the server with the dsEvaluation profile.
      Run the following search operation querying for the aclRightsInfos.

       ldapsearch --getEffectiveRightsAuthzid "dn:uid=user.1,ou=people,dc=example,dc=com" --getEffectiveRightsAttribute member -p 1389 -D uid=admin -w secret12 -b dc=example,dc=com '(uid=user.1)' aclRights aclRightsInfo
      

      The search fails with an exception:

       # The LDAP search request failed: 80 (Other)
       # Additional Information: StorageRuntimeException(org.forgerock.i18n.LocalizedIllegalArgumentException: The attribute description "aclRightsInfo;logs;attributeLevel;selfwrite_add;member" could not be parsed because it contains an invalid character "_" at position 43)
      

      The issue lies in the selfwrite_add (and selfwrite_delete) ACI rights that do not represent compliant attribute options due to the underscore character.

      The value is expressed with an underscore (_) for compatibility reasons with the Sun Directory Services family of products.

      Here's the whole stack trace (from master, 7.0.0 as of today, a6c441083413c930d483de6b357da690a529144b):

       "Worker Thread 0@6049" prio=5 tid=0x2a nid=NA runnable
       java.lang.Thread.State: RUNNABLE
       at org.forgerock.opendj.ldap.AttributeDescription.valueOf0(AttributeDescription.java:1080)
       at org.forgerock.opendj.ldap.AttributeDescription.valueOf(AttributeDescription.java:830)
       at org.forgerock.opendj.ldap.AttributeDescription.valueOf(AttributeDescription.java:795)
       at org.forgerock.opendj.ldap.Attributes.singletonAttribute(Attributes.java:753)
       at org.opends.server.authorization.dseecompat.AciEffectiveRights.addAttributeIfPossible(AciEffectiveRights.java:629)
       at org.opends.server.authorization.dseecompat.AciEffectiveRights.addAttrLevelRightsInfo(AciEffectiveRights.java:621)
       at org.opends.server.authorization.dseecompat.AciEffectiveRights.addAttributeLevelRights(AciEffectiveRights.java:385)
       at org.opends.server.authorization.dseecompat.AciEffectiveRights.addRightsToEntry(AciEffectiveRights.java:245)
       at org.opends.server.authorization.dseecompat.AciHandler.filterEntry(AciHandler.java:164)
       at org.opends.server.core.SearchOperation.returnEntry(SearchOperation.java:490)
       at org.opends.server.backends.pluggable.EntryContainer.returnEntryOrStop(EntryContainer.java:1246)
       at org.opends.server.backends.pluggable.EntryContainer.searchIndexed(EntryContainer.java:1445)
       at org.opends.server.backends.pluggable.EntryContainer$1.run(EntryContainer.java:833)
       at org.opends.server.backends.pluggable.EntryContainer$1.run(EntryContainer.java:697)
       at org.opends.server.backends.jeb.JEStorage.read(JEStorage.java:1053)
       at org.opends.server.backends.pluggable.TracedStorage.read(TracedStorage.java:414)
       at org.opends.server.backends.pluggable.EntryContainer.search(EntryContainer.java:697)
       at org.opends.server.backends.pluggable.BackendImpl.search(BackendImpl.java:476)
       at org.opends.server.core.SearchOperation.processSearch(SearchOperation.java:866)
       at org.opends.server.core.SearchOperation.processLocalSearch(SearchOperation.java:821)
       at org.opends.server.core.SearchOperation.run(SearchOperation.java:760)
       at org.opends.server.extensions.TraditionalWorkQueue$WorkerThread.run(TraditionalWorkQueue.java:347)
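
The parse failure above follows from the RFC 4512 grammar, in which an attribute option may contain only letters, digits and hyphens. The check below is an added example, not part of the original issue and not OpenDJ code; `first_invalid`, `unsafe_rights` and the `RIGHTS` sample list are hypothetical names, and the numeric OID branch checks characters only, not the dotted structure.

```python
import string

ALPHA = frozenset(string.ascii_letters)
KEYCHAR = ALPHA | frozenset(string.digits + "-")  # RFC 4512: ALPHA / DIGIT / HYPHEN
OIDCHAR = frozenset(string.digits + ".")          # characters of a numeric OID
# Constructed sample: the two right names from the issue plus two without "_".
RIGHTS = ["read", "write", "selfwrite_add", "selfwrite_delete"]


def first_invalid(desc):
    """Return (0-based position, reason) of the first violation, or None."""
    pos = 0
    for index, part in enumerate(desc.split(";")):
        if not part:
            return pos, ("empty attribute type" if index == 0 else "empty option")
        if index == 0 and part[0] in string.digits:
            allowed = OIDCHAR  # attribute type given as a numeric OID
        else:
            allowed = KEYCHAR
            if index == 0 and part[0] not in ALPHA:  # descr must start with ALPHA
                return pos, "invalid character %r" % part[0]
        for offset, ch in enumerate(part):
            if ch not in allowed:
                return pos + offset, "invalid character %r" % ch
        pos += len(part) + 1  # skip the part and its ";" separator
    return None


def unsafe_rights(rights, attr="member"):
    """Map each right that cannot be used as an attribute option to its violation."""
    found = {}
    for right in rights:
        desc = "aclRightsInfo;logs;attributeLevel;%s;%s" % (right, attr)
        problem = first_invalid(desc)
        if problem:
            found[right] = problem
    return found


if __name__ == "__main__":
    for right, (pos, reason) in unsafe_rights(RIGHTS).items():
        print("%s: %s at position %d" % (right, reason, pos))
```

Run against the description from the error message, the check reports the same character and offset as the server.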
       

          People

            ondrej.fuchsik Ondrej Fuchsik
            ludo Ludovic Poitou
            Ludovic Poitou Ludovic Poitou
            Ondrej Fuchsik Ondrej Fuchsik