The server provides the ability to collect debug information related to ACI evaluation for
any operation by enabling the Debug ACI Logger. The Debug ACI Logger is highly configurable
and can be scoped to trace very specific request operations in order to narrow on any ACI
issue that might arise in the field. Parameters for non-request operations, such as
false by default and should remain so.
$ bin/dsconfig set-log-publisher-prop \ --publisher-name "Debug ACI Logger" \ --set enabled:true
$ bin/dsconfig set-log-publisher-prop \ --publisher-name "Debug ACI Logger" \ --set "result-criteria:Insufficient Access Rights"
Once the logger is enabled, all matching operations begin writing ACI evaluation traces to the log file. The amount of information is quite large for each evaluation that is done. However, this information is useful if there is an ACI issue that is difficult to resolve. Most operations result in multiple "ACI DEBUG" traces in the log, since it usually requires multiple ACI rights to perform an operation, each of which requires a separate evaluation. In particular, you can expect a lot of debug tracing when dealing with ACIs for controls, extended operations, and proxied authorization.
The ACI DEBUG traces contain the following pieces of information:
- Operation. Specifies a dump of the operation object that you can use to correlate to the original request operation.
ACI Container. Specifies the context of the ACI evaluation being performed.
- Client Entry. Specifies an LDIF dump of the client request access.
- Resource Entry. Specifies an LDIF dump of the target resource.
- isProxiedAuth. Specifies if the client is attempting to proxy as another user.
- Original Auth. Specifies the original client DN if authorization is currently via the proxy.
- Rights. Specifies a list of the ACI rights being requested on the resource entry.
- Control. Specifies the OIDs when evaluating ACIs for a control.
- ExtOp. Specifies the OIDs when evaluating ACIs for an extended operation.
- ACI Canidates. Specifies a list of all the ACIs known to this operation, sorted by origin.
- Applicable ACIs. Specifies a list of ACIs relevant to the current evaluation. These ACIs are separated by type into "Denies" and "Allows".
- Deny ACI Evaluations. Specifies the results of evaluating each "deny" ACI. If any of these evaluate to TRUE, then the operation will be denied.
- Allow ACI Evaluations. Specifies the results of evaluating each "allow" ACI. At least one of these must evaluate to "TRUE" or the operation will be denied.
bypass-aclprivilege, the Debug ACI Logger will not provide any ACI debug tracing since evaluations are not done for those operations. However, you will see the following trace if you have ACI debugging enabled (
debug-aci-enabledis set to TRUE) for those operations:
Bypassing ACL Evaluation for Operation
bypass-aclprivilege. It is recommended that you create and use your own criteria which specifically targets the clients that you are trying to debug in order to make analyzing the tracing output easier.
$ bin/dsconfig create-connection-criteria \ --criteria-name "Restricted Clients" \ --type simple \ --set none-included-user-privilege:bypass-acl