From c7f0171f6a027b29dd3791116596be709abb0b6c Mon Sep 17 00:00:00 2001
From: Mark Craig <mark.craig@forgerock.com>
Date: Fri, 20 Jan 2012 08:04:47 +0000
Subject: [PATCH] Note on updating global ACI to allow anonymous access to the simple paged results control

---
 opendj3/src/main/docbkx/admin-guide/chap-troubleshooting.xml |   72 +++++++++++++++++++++++++++++++++++
 1 files changed, 71 insertions(+), 1 deletions(-)

diff --git a/opendj3/src/main/docbkx/admin-guide/chap-troubleshooting.xml b/opendj3/src/main/docbkx/admin-guide/chap-troubleshooting.xml
index d7c4b8b..2ad3d23 100644
--- a/opendj3/src/main/docbkx/admin-guide/chap-troubleshooting.xml
+++ b/opendj3/src/main/docbkx/admin-guide/chap-troubleshooting.xml
@@ -20,7 +20,7 @@
   !
   ! CCPL HEADER END
   !
-  !      Copyright 2011 ForgeRock AS
+  !      Copyright 2011-2012 ForgeRock AS
   !    
 -->
 <chapter xml:id='chap-troubleshooting'
@@ -358,6 +358,76 @@
   <literal>1.3.6.1.4.1.42.2.27.9.5.2</literal>, is not allowed by the default
   global ACIs. You must therefore add access to use the get effective rights
   control when not using it as Directory Manager.</para>
+
+  <section xml:id="troubleshooting-simple-paged-results">
+   <title>Clients Need Simple Paged Results Control</title>
+
+   <para>For Solaris and some versions of Linux you might see a message in
+   the OpenDJ access logs such as the following.</para>
+
+   <literallayout class="monospaced">
+The request control with Object Identifier (OID) "1.2.840.113556.1.4.319"
+cannot be used due to insufficient access rights</literallayout>
+
+   <para>This message means clients are trying to use the <link xlink:show="new"
+   xlink:href="http://tools.ietf.org/html/rfc2696">simple paged results
+   control</link> without authenticating. By default, OpenDJ includes a global
+   ACI to allow only authenticated users to use the control.</para>
+
+   <screen>$ dsconfig
+ --port 4444
+ --hostname opendj.example.com
+ --bindDN "cn=Directory Manager"
+ --bindPassword "password"
+ get-access-control-handler-prop
+
+Property   : Value(s)
+-----------:-------------------------------------------------------------------
+enabled    : true
+global-aci : (extop="1.3.6.1.4.1.26027.1.6.1 || 1.3.6.1.4.1.26027.1.6.3 ||
+...
+           : (targetcontrol="1.3.6.1.1.12 || 1.3.6.1.1.13.1 || 1.3.6.1.1.13.2
+           : || <emphasis role="strong">1.2.840.113556.1.4.319</emphasis> || 1.2.826.0.1.3344810.2.3 ||
+           : 2.16.840.1.113730.3.4.18 || 2.16.840.1.113730.3.4.9 ||
+           : 1.2.840.113556.1.4.473 || 1.3.6.1.4.1.42.2.27.9.5.9") (version
+           : 3.0; acl "Authenticated users control access"; allow(read)
+           : userdn="ldap:///all";), (targetcontrol="2.16.840.1.113730.3.4.2 ||
+           : 2.16.840.1.113730.3.4.17 || 2.16.840.1.113730.3.4.19 ||
+           : 1.3.6.1.4.1.4203.1.10.2 || 1.3.6.1.4.1.42.2.27.8.5.1 ||
+           : 2.16.840.1.113730.3.4.16") (version 3.0; acl "Anonymous control
+           : access"; allow(read) userdn="ldap:///anyone";)</screen>
+
+   <para>To grant anonymous (unauthenticated) user access to the control,
+   add the OID for the simple paged results control to the list of those in
+   the <literal>Anonymous control access</literal> global ACI.</para>
+
+   <screen>$ dsconfig
+ --port 4444
+ --hostname opendj.example.com
+ --bindDN "cn=Directory Manager"
+ --bindPassword "password"
+ set-access-control-handler-prop
+ --remove global-aci:"(targetcontrol=\"2.16.840.1.113730.3.4.2 ||
+ 2.16.840.1.113730.3.4.17 || 2.16.840.1.113730.3.4.19 ||
+ 1.3.6.1.4.1.4203.1.10.2 || 1.3.6.1.4.1.42.2.27.8.5.1 ||
+ 2.16.840.1.113730.3.4.16\") (version 3.0; acl \"Anonymous control access\";
+ allow(read) userdn=\"ldap:///anyone\";)"
+ --add global-aci:"(targetcontrol=\"2.16.840.1.113730.3.4.2 ||
+ 2.16.840.1.113730.3.4.17 || 2.16.840.1.113730.3.4.19 ||
+ 1.3.6.1.4.1.4203.1.10.2 || 1.3.6.1.4.1.42.2.27.8.5.1 ||
+ 2.16.840.1.113730.3.4.16 || <emphasis role="strong">1.2.840.113556.1.4.319</emphasis>\")
+ (version 3.0; acl \"Anonymous control access\"; allow(read)
+ userdn=\"ldap:///anyone\";)"
+ --no-prompt</screen>
+
+   <para>Alternatively, stop OpenDJ, edit the corresponding ACI carefully in
+   <filename>/path/to/OpenDJ/config/config.ldif</filename>, and restart OpenDJ.
+   <footnote><para>Unlike the <command>dsconfig</command> command, the
+   <filename>config.ldif</filename> file is not a public interface. In this
+   particular case, however, the <command>dsconfig</command> command is such a
+   pain in the nether regions that you might as well edit the LDIF instead
+   (unless you are doing this in production).</para></footnote></para>
+  </section>
  </section>
  
  <section xml:id="troubleshoot-repl">

--
Gitblit v1.10.0