Uploaded image for project: 'OpenDJ'
  1. OpenDJ
  2. OPENDJ-7430

Backport OPENDJ-5851: ACI: getEffectiveRights with authz do not print out acl rights

    XMLWordPrintable

Details

    • Bug
    • Status: Done
    • Major
    • Resolution: Fixed
    • 7.0.0
    • 6.5.4
    • access control

    Description

      Found with rev (8fc7b781970)

      We have a test that checks aci with multiple controls.
      We set up a server with some users.
      We add an ACI to allow Alice to proxy Bob:

      ./DJ2/opendj/bin/ldapmodify -h nameserver.example.com -p 1391 -D "cn=myself" -w password 	
      dn: ou=People,dc=example,dc=com
      changetype: modify
      add: aci
      aci: (target="ldap:///uid=bob,ou=People,dc=example,dc=com")(targetattr="*||+")(version 3.0; acl "Allow Alice to proxy auth Bob"; allow (proxy) (userdn = "ldap:///uid=alice,ou=People,dc=example,dc=com");)
      

      The we change privileges for Bob to allow him to get effective rights:

      ./DJ2/opendj/bin/ldapmodify -h nameserver.example.com -p 1391 -D "cn=myself" -w password 	
      dn: ou=People,dc=example,dc=com
      changetype: modify
      add: aci
      aci: (targetcontrol="1.3.6.1.4.1.42.2.27.9.5.2")(version 3.0; acl "Allow Bob to getEffectiveRights"; allow (read) (userdn = "ldap:///uid=bob,ou=People,dc=example,dc=com");) 	
      
      
      ./DJ2/opendj/bin/ldapmodify -h nameserver.example.com -p 1391 -D "cn=myself" -w password 	
      dn: dc=example,dc=com
      changetype: modify
      add: aci
      aci: (targetattr="*||+")(version 3.0; acl "Allow all"; allow (all) (userdn = "ldap:///uid=bob,ou=People,dc=example,dc=com");)
      

      and we perform the following search:

      ./DJ2/opendj/bin/ldapsearch -h nameserver.example.com -p 1391 -D "uid=bob,ou=People,dc=example,dc=com" -w password -b "ou=People,dc=example,dc=com" --getEffectiveRightsAuthzid "dn:" ""uid=*"" aclRights aclRightsInfo
      
      dn: uid=alice,ou=People,dc=example,dc=com 
      
      dn: uid=bob,ou=People,dc=example,dc=com 
      
      dn: uid=charlie,ou=People,dc=example,dc=com 
      ...
      

      We were expecting to have aclRights in the output but they do not appear.
      This is a regression.

      Attachments

        Issue Links

          Activity

            People

              cforel carole forel
              cjr Chris Ridd
              Chris Ridd Chris Ridd
              carole forel carole forel
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: