> On 18 Nov 2019, at 10:09, Graham Leggett <minfrin@xxxxxxxx> wrote: > > On 18 Nov 2019, at 01:19, William Brown <wbrown@xxxxxxx> wrote: > >> As I'm sure you're aware, the docs are here: >> >> https://access.redhat.com/documentation/en-us/red_hat_directory_server/11/html/administration_guide/viewing_the_acis_for_an_entry-get_effective_rights_control >> >> I think you don't need to request the entrylevelrights or attributelevelrights on the search (the log looks like you're requesting them). You probably just want * or + here instead. > > I tried that, but it made no difference. I also noticed that despite asking for attributes “*” and “+”, the java code didn’t give me any operational attributes back at all. > > I’m assuming that entryLevelRights/attributeLevelRights are operational attributes and 389ds won’t return them with a “*” attribute on it’s own? The attributes you "request" are the attributes it will do an effective rights check on, and the server just "puts" the *rights attributes in your response without asking (well, you did ask because of the control) > > I’m trying to work out whether this is a java issue or a 389ds issue. Why not both? > > Are there any known issues when trying to return operational attributes from 389ds to java JNDI calls? Controls and extended ops are difficult to get right at the best of times - I had to do so recently with python for something and it was a few days of hair tearing. So the error could be ... anywhere. > >> Otherwise I'm not 100% sure here. Perhaps the best thing is actually to attach gdb to the server and break on: >> >> br _ger_parse_control >> >> And then step through with: "next" to see what logic paths are being taken on the dn parser - or if you even reach that stage. >> >> You could alternately break on acl_get_effective_rights to see the full extended op processing logic too. >> >> Sorry I can't give a more concrete piece of advice here :( > > gdb stops on these breakpoints, so the logic is definitely triggered, although I don't have any debuginfos configured to step through the code. Let me dig further on this. If you are on RH/Fedora, it will issue you a command such as "missing debuginfo ....." and a command you can run to install them :) > > Regards, > Graham > — > > _______________________________________________ > 389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx > To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx > Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: https://lists.fedoraproject.org/archives/list/389-users@xxxxxxxxxxxxxxxxxxxxxxx — Sincerely, William Brown Senior Software Engineer, 389 Directory Server SUSE Labs _______________________________________________ 389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/389-users@xxxxxxxxxxxxxxxxxxxxxxx
