PingDirectory

Troubleshooting ACI evaluation

This topic applies only to the PingDirectory server.

The server provides the ability to collect debug information related to ACI evaluation for any operation by enabling the Debug ACI Logger. The Debug ACI Logger is highly configurable and can be scoped to trace very specific request operations in order to narrow on any ACI issue that might arise in the field. Parameters for non-request operations, such as log-connects, log-disconnects, log-security-negotiation, log-results, log-assuance-completed, log-search-entries, log-search-references, log-intermediate-responses are set to false by default and should remain so.

Here is an example to enable the Debug ACI Logger:

$ bin/dsconfig set-log-publisher-prop \
  --publisher-name "Debug ACI Logger" \
  --set enabled:true

Using this debug tracer is often more efficient by limiting the output using request and result criteria to match specific types of operations. An example result criteria for operations that fail because of insufficient access rights can be added to the logger as follows:

$ bin/dsconfig set-log-publisher-prop \
  --publisher-name "Debug ACI Logger" \
  --set "result-criteria:Insufficient Access Rights"

After the logger has been enabled, all matching operations begin writing ACI evaluation traces to the log file. The amount of information is quite large for each evaluation that is done. However, this information is useful if there is an ACI issue that is difficult to resolve. Most operations result in multiple "ACI DEBUG" traces in the log, since it usually requires multiple ACI rights to perform an operation, each of which requires a separate evaluation. In particular, you can expect a lot of debug tracing when dealing with ACIs for controls, extended operations, and proxied authorization.

The ACI DEBUG traces contain the following pieces of information:

  • Operation. Specifies a dump of the operation object that you can use to correlate to the original request operation.

  • ACI Container. Specifies the context of the ACI evaluation being performed.

  • Client Entry. Specifies an LDIF dump of the client request access.

  • Resource Entry. Specifies an LDIF dump of the target resource.

  • isProxiedAuth. Specifies if the client is attempting to proxy as another user.

  • Original Auth. Specifies the original client DN if authorization is currently via the proxy.

  • Rights. Specifies a list of the ACI rights being requested on the resource entry.

  • Control. Specifies the OIDs when evaluating ACIs for a control.

  • ExtOp. Specifies the OIDs when evaluating ACIs for an extended operation.

  • ACI Canidates. Specifies a list of all the ACIs known to this operation, sorted by origin.

  • Applicable ACIs. Specifies a list of ACIs relevant to the current evaluation. These ACIs are separated by type into "Denies" and "Allows".

  • Deny ACI Evaluations. Specifies the results of evaluating each "deny" ACI. If any of these evaluate to TRUE, then the operation will be denied.

  • Allow ACI Evaluations. Specifies the results of evaluating each "allow" ACI. At least one of these must evaluate to "TRUE" or the operation will be denied.

For users with the bypass-acl privilege, the Debug ACI Logger will not provide any ACI debug tracing since evaluations are not done for those operations. However, you will see the following trace if you have ACI debugging enabled (debug-aci-enabled is set to TRUE) for those operations:

Bypassing ACL Evaluation for Operation

To avoid unnecessary tracing of these operations, the "Debug ACI Logger" uses a "Client Connection Criteria" called "Clients subject to Access Control" that excludes requests from users with the bypass-acl privilege. It is recommended that you create and use your own criteria which specifically targets the clients that you are trying to debug in order to make analyzing the tracing output easier.

$ bin/dsconfig create-connection-criteria \
  --criteria-name "Restricted Clients" \
  --type simple \
  --set none-included-user-privilege:bypass-acl
Do not use Result Criteria with the Debug ACI Logger. Result criteria is evaluated after ACIs, so it will not be taken into consideration for this type of debugging.