LDAP ACI Debugging
Posted
by user13332755
on Oracle Blogs
See other posts from Oracle Blogs
or by user13332755
Published on Fri, 24 Jun 2011 00:04:25 -0700
Indexed on
2011/06/24
8:27 UTC
Read the original article
Hit count: 247
/Other
If you've ever wondered which ACI in LDAP is used for a special ADD/DELETE/MODIFY/SEARCH request you need to enable ACI debugging to get details about this.
Edit/Modify dse.ldif
nsslapd-infolog-area: 128
nsslapd-infolog-level: 1
ACI Logging will be placed at 'errors' file, looks like:
[22/Jun/2011:15:25:08 +0200] - INFORMATION - NSACLPlugin - conn=-1 op=-1 msgId=-1 - Num of ALLOW Handles:15, DENY handles:0
[22/Jun/2011:15:25:08 +0200] - INFORMATION - NSACLPlugin - conn=-1 op=-1 msgId=-1 - Processed attr:nswmExtendedUserPrefs for entry:uid=mparis,ou=people,o=vmdomain.tld,o=isp
[22/Jun/2011:15:25:08 +0200] - INFORMATION - NSACLPlugin - conn=-1 op=-1 msgId=-1 - Evaluating ALLOW aci index:33
[22/Jun/2011:15:25:08 +0200] - INFORMATION - NSACLPlugin - conn=-1 op=-1 msgId=-1 - ALLOW:Found READ ALLOW in cache
[22/Jun/2011:15:25:08 +0200] - INFORMATION - NSACLPlugin - conn=-1 op=-1 msgId=-1 - acl_summary(main): access_allowed(read) on entry/attr(uid=mparis,ou=people,o=vmdomain.tld,o=isp, nswmExtendedUserPrefs) to (uid=msg-admin-redzone.vmdomain.tld-20100927093314,ou=people,o=vmdomain.tld,o=isp) (not proxied) (reason: result cached allow , deciding_aci "DA anonymous access rights", index 33)
© Oracle Blogs or respective owner