Re: ACI warnings in error log

> On 01/13/2014 07:27 AM, Chris Chatfield wrote:
> > Hi,
> >
> > I'm seeing a similar situation as was described in the mailing list message "errors log - NSACLPlugin - acllas__client_match_URL:" from Feb 2013. The final result of this was a suggestion to file a ticket. As far as I can see this wasn't done. Should I do this (for my scenario)?
> >
> > On to my case. I'm getting messages like this in my errors log (CentOS 6.5, 389DS 1.2.11.15):
> What is the exact version?  rpm -q 389-ds-base
389-ds-base-1.2.11.15-30.el6_5.x86_64

> > NSACLPlugin - acllas__client_match_URL: url [ldap:///gcUID=0001ab51,o=Teamphone.com??sub?(objectclass=gcsubscriber)] scope is subtree but dn [gcUID=0001ab51,o=Teamphone.com] is not a suffix of [cn=tp manager,ou=configuration,o=teamphone.com]
> >
> > There are acis at the o=teamphone.com subtree which allow administrators access to the whole tree.
> > There are acis at the gcUID=0001ab51,o=Teamphone.com subtree which allow gcsubscriber entries within that tree to have limited access to the subtree. Note that we have extended the schema such that gcsubscribers extend person, amongst other things. I do not believe this makes any difference to the problem.
> >
> > The message happens on a connection bound to cn=tp manager,ou=configuration,o=teamphone.com (an administrator) when it searches within the subtree gcUID=0001ab51,o=Teamphone.com. It seems the acis at gcUID=0001ab51,o=Teamphone.com are being evaluated in the context of this administrator. In this case the administrator does not match the aci's userdn url path. This is deliberate as this aci is concerned with gcsubscriber access, not admin access. Other acis higher up give the correct admin access.
> >
> > So in summary, I think this logging should be downgraded from SLAPI_LOG_FATAL to SLAPI_LOG_ACL for the "acllas__client_match_URL: url [%s] scope is subtree but dn [%s] is not a suffix of [%s]\n" message (and I guess similarly for the onelevel/base scopes too). I notice that the git comment suggested that these lines were debugging.
> >
> > Would that be the right approach? We're moving away from the Sun/Oracle 5.2 directory server, and this aci is behaving quietly there.
> >
> > Many thanks,
> >
> > Chris
> >
Thanks for the quick reply.
 
--
389 users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-users
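
A log-triage sketch for the message discussed in this thread, added here as an example (not code from the post or from 389 DS): it groups the `acllas__client_match_URL` lines by bound DN and ACI base and reports how much suffix the two DNs share, so the expected administrator mismatch can be told apart from a bind DN outside the tree. The timestamps, the `uid=probe` DN and all function names are assumptions, and DN comparison is simplified (no escaped commas).

```python
import re
from collections import Counter

# Constructed sample: the message body in the first two lines is the one quoted
# in the post; timestamps, the uid=probe bind DN and the last line are made up.
SAMPLE_LOG = """\
[13/Jan/2014:10:02:11 +0000] NSACLPlugin - acllas__client_match_URL: url [ldap:///gcUID=0001ab51,o=Teamphone.com??sub?(objectclass=gcsubscriber)] scope is subtree but dn [gcUID=0001ab51,o=Teamphone.com] is not a suffix of [cn=tp manager,ou=configuration,o=teamphone.com]
[13/Jan/2014:10:02:12 +0000] NSACLPlugin - acllas__client_match_URL: url [ldap:///gcUID=0001ab51,o=Teamphone.com??sub?(objectclass=gcsubscriber)] scope is subtree but dn [gcUID=0001ab51,o=Teamphone.com] is not a suffix of [cn=tp manager,ou=configuration,o=teamphone.com]
[13/Jan/2014:10:05:40 +0000] NSACLPlugin - acllas__client_match_URL: url [ldap:///gcUID=0001ab51,o=Teamphone.com??sub?(objectclass=gcsubscriber)] scope is subtree but dn [gcUID=0001ab51,o=Teamphone.com] is not a suffix of [uid=probe,ou=people,o=example.org]
[13/Jan/2014:10:06:00 +0000] slapd started (constructed unrelated line)
"""

MSG = re.compile(r"acllas__client_match_URL: url \[(?P<url>.*?)\] scope is subtree "
                 r"but dn \[(?P<base>.*?)\] is not a suffix of \[(?P<client>.*?)\]")

def normalize_dn(dn):
    """Lower-case and trim each RDN (simplified: escaped commas are not handled)."""
    return tuple(p.strip().lower() for p in dn.split(",") if p.strip())

def is_suffix(base, dn):
    """Subtree-scope test: is `base` a trailing run of the RDNs of `dn`?"""
    b, d = normalize_dn(base), normalize_dn(dn)
    return len(b) <= len(d) and d[len(d) - len(b):] == b

def shared_suffix(a, b):
    """Longest run of trailing RDNs the two DNs have in common."""
    out = []
    for x, y in zip(reversed(normalize_dn(a)), reversed(normalize_dn(b))):
        if x != y:
            break
        out.append(x)
    return ",".join(reversed(out))

def triage(log_text):
    """Count matching messages per (bound DN, ACI base DN, shared suffix)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = MSG.search(line)
        if m:
            base, client = m["base"], m["client"]
            key = (",".join(normalize_dn(client)), ",".join(normalize_dn(base)),
                   shared_suffix(base, client) or "<none>")
            counts[key] += 1
    return counts

if __name__ == "__main__":
    for (client, base, shared), n in triage(SAMPLE_LOG).most_common():
        print(f"{n:4d}  bind={client}  aci-base={base}  shared={shared}")
```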