On 18 Nov 2019, at 09:27, Graham Leggett <minfrin(a)sharp.fm> wrote:
Hi all,
After adding the Get Effective Rights control to some java code as follows, everything
works as before, except neither the entryLevelRights nor the attributeLevelRights
attributes are returned to me.
389-ds-base-1.2.11.15-97.el6_10.x86_64 is logging the following, which looks hopeful:
[18/Nov/2019:00:41:16 +0200] conn=1567060 op=5 SRCH base="dc=x,dc=x,dc=x" scope=2 filter="(&(objectClass=mailRecipient)(mail=mail(a)example.com))" attrs="* entrylevelrights attributelevelrights aci" authzid="mail=minfrin(a)example.com,ou=external,dc=x,dc=x,dc=x"
[18/Nov/2019:00:41:16 +0200] conn=1567060 op=5 RESULT err=0 tag=101 nentries=1 etime=0 - entryLevelRights: vadn
However neither the entrylevelrights nor the attributelevelrights attributes are being
returned in the response, and I have run out of ideas - what am I missing?
The java code to add the control is as follows:
    // Control value: the subject as an authzid ("dn:<DN>"), BER-encoded as an OCTET STRING
    BerByteArrayOutputStream berStream = new BerByteArrayOutputStream(
            dn.length() + 50, true);
    BerOctetString berString = new BerOctetString(
            ("dn:" + dn).getBytes());
    berString.encode(berStream, true);
    berStream.close();

    // Keep the request controls already set on the context and append the
    // Get Effective Rights control, marked critical
    List<Control> controls = new ArrayList<Control>(Arrays.asList(ctx
            .getRequestControls()));
    controls.add(new BasicControl("1.3.6.1.4.1.42.2.27.9.5.2", true,
            berStream.getArray()));
    ctx.setRequestControls(controls.toArray(new Control[controls.size()]));
As I'm sure you're aware, the docs are here:
https://access.redhat.com/documentation/en-us/red_hat_directory_server/11...
I think you don't need to request the entrylevelrights or attributelevelrights on the
search (the log looks like you're requesting them). You probably just want * or + here
instead.
Otherwise I'm not 100% sure here. Perhaps the best thing is actually to attach gdb to
the server and break on:
br _ger_parse_control
And then step through with: "next" to see what logic paths are being taken on
the dn parser - or if you even reach that stage.
You could alternately break on acl_get_effective_rights to see the full extended op
processing logic too.
Sorry I can't give a more concrete piece of advice here :(
Regards,
Graham
—
Sincerely,
William Brown
Senior Software Engineer, 389 Directory Server
SUSE Labs
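
As an added example (not code from this thread or from 389 Directory Server): a JDK-only way to build the same Get Effective Rights request control and decode its value back, so the bytes a client sends can be checked without the BER library. The class name, method names and sample DN are constructed for illustration, and it assumes the control value is the BER OCTET STRING of `dn:<subject DN>`, as the posted code builds it.

```java
import java.io.ByteArrayOutputStream;
import java.nio.charset.StandardCharsets;
import javax.naming.ldap.BasicControl;
import javax.naming.ldap.Control;

public class GerControlExample { // added illustration; names here are hypothetical
    static final String GER_OID = "1.3.6.1.4.1.42.2.27.9.5.2"; // OID used in the thread

    // BER-encode bytes as a universal OCTET STRING (tag 0x04), definite length.
    static byte[] berOctetString(byte[] value) {
        ByteArrayOutputStream out = new ByteArrayOutputStream(value.length + 6);
        out.write(0x04);
        int len = value.length;
        if (len < 0x80) {
            out.write(len); // short form: one length byte
        } else {
            int n = (32 - Integer.numberOfLeadingZeros(len) + 7) / 8; // length bytes needed
            out.write(0x80 | n); // long form: byte count, then big-endian length
            for (int i = n - 1; i >= 0; i--) out.write((len >>> (8 * i)) & 0xFF);
        }
        out.write(value, 0, value.length);
        return out.toByteArray();
    }

    // Inverse of berOctetString; rejects any other tag or a length that does not match.
    static String decodeSubject(byte[] ber) {
        if (ber.length < 2 || ber[0] != 0x04) throw new IllegalArgumentException("not an OCTET STRING");
        int pos = 1, len = ber[pos++] & 0xFF;
        if (len >= 0x80) {
            int n = len & 0x7F;
            if (n == 0 || n > 4 || pos + n > ber.length) throw new IllegalArgumentException("bad length");
            for (len = 0; n > 0; n--) len = (len << 8) | (ber[pos++] & 0xFF);
        }
        if (len < 0 || len != ber.length - pos) throw new IllegalArgumentException("length mismatch");
        return new String(ber, pos, len, StandardCharsets.UTF_8);
    }

    // Critical control whose value is the authzid "dn:<subject DN>", encoded as UTF-8
    // explicitly rather than with the platform default charset.
    static Control gerControl(String subjectDn) {
        return new BasicControl(GER_OID, true,
                berOctetString(("dn:" + subjectDn).getBytes(StandardCharsets.UTF_8)));
    }

    public static void main(String[] args) {
        Control c = gerControl("mail=user@example.com,ou=external,dc=example,dc=com"); // constructed DN
        StringBuilder hex = new StringBuilder();
        for (byte b : c.getEncodedValue()) hex.append(String.format("%02x ", b));
        System.out.println(hex.toString().trim()); // raw control value, e.g. to compare with a capture
        System.out.println(decodeSubject(c.getEncodedValue()));
    }
}
```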