> On 18 Nov 2019, at 09:27, Graham Leggett <minfrin@xxxxxxxx> wrote:
>
> Hi all,
>
> After adding the Get Effective Rights control to some java code as follows, everything is worked as before, except neither the entryLevelRights nor the attributeLevelRights attributes are returned to me.
>
> 389-ds-base-1.2.11.15-97.el6_10.x86_64 is logging the following, which looks hopeful:
>
> [18/Nov/2019:00:41:16 +0200] conn=1567060 op=5 SRCH base="dc=x,dc=x,dc=x" scope=2 filter="(&(objectClass=mailRec
> ipient)(mail=mail@xxxxxxxxxxx))" attrs="* entrylevelrights attributelevelrights aci" authzid="mail=minfrin@xxxxxxxxxxx,ou=
> external,dc=x,dc=x,dc=x"
> [18/Nov/2019:00:41:16 +0200] conn=1567060 op=5 RESULT err=0 tag=101 nentries=1 etime=0 - entryLevelRights: vadn
>
> However neither the entrylevelrights nor the attributelevelrights attributes are being returned in the response, and I have run out of ideas - what am I missing?
>
> The java code to add the control is as follows:
>
> BerByteArrayOutputStream berStream = new BerByteArrayOutputStream(
> dn.length() + 50, true);
> BerOctetString berString = new BerOctetString(
> ("dn:" + dn).getBytes());
> berString.encode(berStream, true);
> berStream.close();
>
> List<Control> controls = new ArrayList<Control>(Arrays.asList(ctx
> .getRequestControls()));
> controls.add(new BasicControl("1.3.6.1.4.1.42.2.27.9.5.2", true,
> berStream.getArray()));
> ctx.setRequestControls(controls.toArray(new Control[controls.size()]));
>
As I'm sure you're aware, the docs are here:
https://access.redhat.com/documentation/en-us/red_hat_directory_server/11/html/administration_guide/viewing_the_acis_for_an_entry-get_effective_rights_control
I think you don't need to request the entrylevelrights or attributelevelrights on the search (the log looks like you're requesting them). You probably just want * or + here instead.
Otherwise I'm not 100% sure here. Perhaps the best thing is actually to attach gdb to the server and break on:
br _ger_parse_control
And then step through with: "next" to see what logic paths are being taken on the dn parser - or if you even reach that stage.
You could alternately break on acl_get_effective_rights to see the full extended op processing logic too.
Sorry I can't give a more concrete piece of advice here :(
> Regards,
> Graham
> —
>
> _______________________________________________
> 389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx
> To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedoraproject.org/archives/list/389-users@xxxxxxxxxxxxxxxxxxxxxxx
—
Sincerely,
William Brown
Senior Software Engineer, 389 Directory Server
SUSE Labs
_______________________________________________
389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/389-users@xxxxxxxxxxxxxxxxxxxxxxx
