No data (ldapsearch result is empty) while entry-based ACIs are defined with only "deny" permission #84
Comments
Am I the only one bothered by this problem? 😞
Hi, add one more ACI and try it to succeed dn: ou = Services, dc = example
@yavis73 first of all, thank you for the reply!
You are right... But why?.. Why single ACI Why subject Can anyone explain to me, please?
Hi, it seems to be asking why service1 is not accessible. Is that right? If any ACI is set for a particular entry, it will take precedence over the global ACIs. Try searching for another node that you do not have permission set for.
hello, @yavis73
you are absolutely right!
Base DN data
As you can see, there are no other ACI except Moreover... getEffectiveRightsAuthzid dn:uid=user.1,ou=People,dc=example
uid=service.1,ou=Services,dc=example
But in fact, no one can access. I'm pretty sure it's a bug...
Oh, I see. First, the aclRights query result and the actual operation result are different. The algorithms for looking up aclRights information and the permission-checking algorithms for actual entry search permission are different. It should be fixed by someone.
Related bug report
…ith only "deny" permission without "allow"
fixed 4.7.0
…ith only "deny" permission without "allow" (OpenIdentityPlatform#372)
Software version
OS:
Java:
OpenDJ:
Base DN data
Global ACI
they are default/untouched
getEffectiveRightsAuthzid
dn:uid=user.1,ou=People,dc=example
uid=service.1,ou=Services,dc=example
ldapsearch
uid=user.1,ou=People,dc=example (correct behavior)
uid=service.1,ou=Services,dc=example (incorrect behavior)
Expected behavior
uid=service.1,ou=Services,dc=example
Logs
/opt/opendj/data/logs/access
/opt/opendj/data/logs/ldap-access.audit.json