Uploaded image for project: 'OpenDJ'
  1. OpenDJ
  2. OPENDJ-7429

Adding an aci for a user to see effective rights on a branch does not seem to work

    XMLWordPrintable

    Details

    • Bug
    • Status: Done
    • Major
    • Resolution: Duplicate
    • 6.5.4
    • 6.5.4
    • access control
    • None

      Description

      Found with 6.5.4-SNAPSHOT (75e2c512002)

      We are using aci to allow a user to see effective rights on a branch:

      Run command:	
      ./DJ2/opendj/bin/ldapmodify -h openam.example.com -p 1401 -D "cn=myself" -w password 	
      dn: ou=People,dc=example,dc=com
      changetype: modify
      add: aci
      aci: (targetcontrol="1.3.6.1.4.1.42.2.27.9.5.2")(version 3.0; acl "Allow Bob to getEffectiveRights"; allow (read) (userdn = "ldap:///uid=bob,ou=People,dc=example,dc=com");)	
      
      # MODIFY operation successful for DN ou=People,dc=example,dc=com
      
      
      ./DJ2/opendj/bin/ldapmodify -h openam.example.com -p 1401 -D "cn=myself" -w password 	
      dn: dc=example,dc=com
      changetype: modify
      add: aci
      aci: (targetattr="*||+")(version 3.0; acl "Allow all"; allow (all) (userdn = "ldap:///uid=bob,ou=People,dc=example,dc=com");)	
      
      # MODIFY operation successful for DN dc=example,dc=com
      

      Then we try to get these effective rights:

      ./DJ2/opendj/bin/ldapsearch -h openam.example.com -p 1401 -D "uid=bob,ou=People,dc=example,dc=com" -w password -b "ou=People,dc=example,dc=com" --getEffectiveRightsAuthzid "dn:" ""uid=*"" aclRights aclRightsInfo	
      
      dn: uid=alice,ou=People,dc=example,dc=com
      
      dn: uid=bob,ou=People,dc=example,dc=com
      
      dn: uid=charlie,ou=People,dc=example,dc=com
      
      dn: uid=dave,ou=People,dc=example,dc=com
      
      

      but they do not show up.
      This is working fine with 6.5.3 and 7.0.0

      with 7.0.0:
      
      ./DJ2/opendj/bin/ldapsearch -h openam.example.com -p 1399 -D "uid=bob,ou=People,dc=example,dc=com" -w password --useStartTls  -X  -b "ou=People,dc=example,dc=com" --getEffectiveRightsAuthzid "dn:" ""uid=*"" aclRights aclRightsInfo	
      
      dn: uid=alice,ou=People,dc=example,dc=com
      aclRights;entryLevel: add:0,delete:0,read:1,write:0,proxy:0
      aclRightsInfo;logs;entryLevel;add: acl_summary(main): access not allowed(add) on entry/attr(uid=alice,ou=People,dc=example,dc=com, NULL) to (anonymous) (not proxied) ( reason: no acis matched the subject )
      aclRightsInfo;logs;entryLevel;delete: acl_summary(main): access not allowed(delete) on entry/attr(uid=alice,ou=People,dc=example,dc=com, NULL) to (anonymous) (not proxied) ( reason: no acis matched the subject )
      aclRightsInfo;logs;entryLevel;proxy: acl_summary(main): access not allowed(proxy) on entry/attr(uid=alice,ou=People,dc=example,dc=com, NULL) to (anonymous) (not proxied) ( reason: no acis matched the subject )
      aclRightsInfo;logs;entryLevel;read: acl_summary(main): access allowed(read) on entry/attr(uid=alice,ou=People,dc=example,dc=com, entryDN) to (anonymous) (not proxied) ( reason: evaluated allow , deciding_aci: User-Visible Operational Attributes)
      aclRightsInfo;logs;entryLevel;write: acl_summary(main): access not allowed(write) on entry/attr(uid=alice,ou=People,dc=example,dc=com, NULL) to (anonymous) (not proxied) ( reason: no acis matched the subject )
      
      dn: uid=bob,ou=People,dc=example,dc=com
      aclRights;entryLevel: add:0,delete:0,read:1,write:0,proxy:0
      aclRightsInfo;logs;entryLevel;add: acl_summary(main): access not allowed(add) on entry/attr(uid=bob,ou=People,dc=example,dc=com, NULL) to (anonymous) (not proxied) ( reason: no acis matched the subject )
      aclRightsInfo;logs;entryLevel;delete: acl_summary(main): access not allowed(delete) on entry/attr(uid=bob,ou=People,dc=example,dc=com, NULL) to (anonymous) (not proxied) ( reason: no acis matched the subject )
      aclRightsInfo;logs;entryLevel;proxy: acl_summary(main): access not allowed(proxy) on entry/attr(uid=bob,ou=People,dc=example,dc=com, NULL) to (anonymous) (not proxied) ( reason: no acis matched the subject )
      aclRightsInfo;logs;entryLevel;read: acl_summary(main): access allowed(read) on entry/attr(uid=bob,ou=People,dc=example,dc=com, entryDN) to (anonymous) (not proxied) ( reason: evaluated allow , deciding_aci: User-Visible Operational Attributes)
      aclRightsInfo;logs;entryLevel;write: acl_summary(main): access not allowed(write) on entry/attr(uid=bob,ou=People,dc=example,dc=com, NULL) to (anonymous) (not proxied) ( reason: no acis matched the subject )
      
      dn: uid=charlie,ou=People,dc=example,dc=com
      aclRights;entryLevel: add:0,delete:0,read:1,write:0,proxy:0
      aclRightsInfo;logs;entryLevel;add: acl_summary(main): access not allowed(add) on entry/attr(uid=charlie,ou=People,dc=example,dc=com, NULL) to (anonymous) (not proxied) ( reason: no acis matched the subject )
      aclRightsInfo;logs;entryLevel;delete: acl_summary(main): access not allowed(delete) on entry/attr(uid=charlie,ou=People,dc=example,dc=com, NULL) to (anonymous) (not proxied) ( reason: no acis matched the subject )
      aclRightsInfo;logs;entryLevel;proxy: acl_summary(main): access not allowed(proxy) on entry/attr(uid=charlie,ou=People,dc=example,dc=com, NULL) to (anonymous) (not proxied) ( reason: no acis matched the subject )
      aclRightsInfo;logs;entryLevel;read: acl_summary(main): access allowed(read) on entry/attr(uid=charlie,ou=People,dc=example,dc=com, entryDN) to (anonymous) (not proxied) ( reason: evaluated allow , deciding_aci: User-Visible Operational Attributes)
      aclRightsInfo;logs;entryLevel;write: acl_summary(main): access not allowed(write) on entry/attr(uid=charlie,ou=People,dc=example,dc=com, NULL) to (anonymous) (not proxied) ( reason: no acis matched the subject )
      
      dn: uid=dave,ou=People,dc=example,dc=com
      aclRights;entryLevel: add:0,delete:0,read:1,write:0,proxy:0
      aclRightsInfo;logs;entryLevel;add: acl_summary(main): access not allowed(add) on entry/attr(uid=dave,ou=People,dc=example,dc=com, NULL) to (anonymous) (not proxied) ( reason: no acis matched the subject )
      aclRightsInfo;logs;entryLevel;delete: acl_summary(main): access not allowed(delete) on entry/attr(uid=dave,ou=People,dc=example,dc=com, NULL) to (anonymous) (not proxied) ( reason: no acis matched the subject )
      aclRightsInfo;logs;entryLevel;proxy: acl_summary(main): access not allowed(proxy) on entry/attr(uid=dave,ou=People,dc=example,dc=com, NULL) to (anonymous) (not proxied) ( reason: no acis matched the subject )
      aclRightsInfo;logs;entryLevel;read: acl_summary(main): access allowed(read) on entry/attr(uid=dave,ou=People,dc=example,dc=com, entryDN) to (anonymous) (not proxied) ( reason: evaluated allow , deciding_aci: User-Visible Operational Attributes)
      aclRightsInfo;logs;entryLevel;write: acl_summary(main): access not allowed(write) on entry/attr(uid=dave,ou=People,dc=example,dc=com, NULL) to (anonymous) (not proxied) ( reason: no acis matched the subject )
      
      

      pyforge test to reproduce:

      ./run-pybot.py -nv -s aci_group -t Test_Case_004 opendj
      

        Attachments

          Issue Links

            Activity

              People

              cjr Chris Ridd
              cforel carole forel
              Chris Ridd Chris Ridd
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

                Dates

                Created:
                Updated:
                Resolved: