From Wed Nov 19 22:18:06 2008 Return-Path: Delivered-To: Received: (qmail 73785 invoked from network); 19 Nov 2008 22:18:04 -0000 Received: from (HELO ( by with SMTP; 19 Nov 2008 22:18:04 -0000 Received: (qmail 41960 invoked by uid 500); 19 Nov 2008 22:18:12 -0000 Delivered-To: Received: (qmail 41909 invoked by uid 500); 19 Nov 2008 22:18:12 -0000 Mailing-List: contact; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: Delivered-To: mailing list Received: (qmail 41900 invoked by uid 99); 19 Nov 2008 22:18:12 -0000 Received: from (HELO ( by (qpsmtpd/0.29) with ESMTP; Wed, 19 Nov 2008 14:18:12 -0800 X-ASF-Spam-Status: No, hits=-1994.3 required=10.0 tests=ALL_TRUSTED,HTML_MESSAGE,MIME_HTML_ONLY X-Spam-Check-By: Received: from [] (HELO ( by (qpsmtpd/0.29) with ESMTP; Wed, 19 Nov 2008 22:16:49 +0000 Received: from brutus (localhost []) by (Postfix) with ESMTP id 2CBCE234C29B for ; Wed, 19 Nov 2008 14:17:04 -0800 (PST) Message-ID: <876832050.1227133024182.JavaMail.www-data@brutus> Date: Wed, 19 Nov 2008 14:17:04 -0800 (PST) From: To: Subject: [CONF] Apache Directory Server v1.5: ACAreas (page edited) MIME-Version: 1.0 Content-Type: text/html; charset=UTF-8 Content-Transfer-Encoding: quoted-printable X-Virus-Checked: Checked by ClamAV on
Page Edited : DIRxSRVx11 : ACAreas

ACAreas has been edited by Emmanuel L=C3=83=C2=A9charny (Nov 19, 2008).


= (View changes)

<= colgroup>=
3D""= Work in progress

This site is in the process of being reviewed and updated.


This guide will show you how to create an Access Control Specific Area a= nd Access Control Inner Areas for administering access controls within Apac= heDS. Basic knowledge of the X.500 administrative model is presumed along w= ith an understanding of the Basic Access Control Scheme in X.501. For quick= primers please take a look at the following documentation:

Cr= eating Access Control Specific Areas (ACSA)

An access control specific area is an Autonomous Administrative Area (AA= A) for managing access control specific aspects of a subtree within the DIT= . Like all administrative areas, an access control specific area is rooted = at a vertex entry called the Administrative Point (AP). The ACSA spans down= until leaf entries are encountered or until another ACSA is encountered. A= ccess control specific areas do not overlap.

Under the AP, you can add subentries that contain prescriptiveACI attrib= utes. Zero or more subentries can be added, each with one or more prescript= iveACI. These subentries apply access control information (ACI) in these pr= escriptiveACI attributes to collections of entries within the ACSA.

Addin= g an 'administrativeRole' Attribute

An entry becomes an AP when it has an administrativeRole attribute added= to it with the appropriate value(s). For an ACSA, we need to add the 'acce= ssControlSpecificArea' value to this attribute.

Most of the time users will create partitions in the server and set the = root context of the partition (its suffix) to be the AP for a ACSA. For exa= mple the default server.xml for ApacheDS ships with a partition with the su= ffix, 'dc=3Dexample,dc=3Dcom'. We can use this suffix entry as the AP and o= ur ACSA can cover all entries under and including 'dc=3Dexample,dc=3Dcom'.<= /p>

The code below binds to the server as admin ('uid=3Dadmin,ou=3Dsystem') = and modifies the suffix entry to become an ACSA. Note that we check to make= sure the attribute does not already exist before attempting the add operat= ion.

  // Get a DirContext on the dc=3Dexample,dc=
=3Dcom entry
  Hashtable env =3D new Hashtabl=
  env.put( "java.naming.factory.initial",=
 "com.sun.jndi.ldap.LdapCtxFactory" );
  env.put( "java.naming.provider.url", "ldap://localhost:389=
/dc=3Dexample,dc=3Dcom" );
  env.put( "
l", "uid=3Dadmin,ou=3Dsystem" );
  env.put( "", "secret" );
  env.put( ""=
, "simple" );
  ctx =3D new InitialDirContext( env );

  // Lookup the administrativeRole specificall=
y since it is operational
  Attributes ap =3D ctx.getAttributes( ""=
, new Strin=
g[] { "administrativeRole" } );
  Attribute administrativeRole =3D ap.get( "admi=
nistrativeRole" );

  // If it does not exist or has no ACSA value=
 then add the attribute
  if ( administrativeRole =3D=3D=
 null || ! administrativeRole.contains(=
 "accessControlSpecificArea" ) )
    Attributes changes =3D new BasicAtt=
ributes( "administrativeRole", "accessControlSpecificArea", true );
    ctx.modifyAttributes( "", DirContext.ADD_ATTRIBUTE, changes );

This simple modification of adding the value 'accessControlSpecificArea'= to the administrativeRole makes the suffix entry 'dc=3Dexample,dc=3Dcom' a= n AP for an access control specific area. Now you can add subentries to you= r heart's content which subordinate to the AP.

= Creating an Access Control Inner Administrative Area

Creating an inner area involves the same process. In fact the same code = can be used by changing the value added to the administrativeRole attribute= . To create the inner area just add 'accessControlInnerArea' for the admini= strativeRole within the AP: same steps, same code, different value for the = administrativeRole.

Access Control Subentri= es

After creating the access control area you can create subentries that su= bordinate to this AP for managing access to it and anything below. Access c= ontrol subentries are entries with the objectClasses: 'subentry' and 'acces= sControlSubentry'. An access control subentry must contain 3 attributes oth= er than the obvious objectClass attribute. These required attributes are li= sted below:

Attribute SINGLE-VALUED Description
cn no The name of the subentry used as its RDN
subtreeSpecification yes The specification for the collection of entries = the ACI is to be applied to.
prescriptiveACI no The attribute holding the ACIItem