directory-commits mailing list archives

From anto...@apache.org
Subject svn commit: r1423760 - /directory/site/trunk/content/apacheds/advanced-ug/
Date Wed, 19 Dec 2012 04:46:31 GMT
Author: antoine
Date: Wed Dec 19 04:46:29 2012
New Revision: 1423760

URL: http://svn.apache.org/viewvc?rev=1423760&view=rev
Log:
adding 4.5 chapter, still a work in progress

Added:
    directory/site/trunk/content/apacheds/advanced-ug/4-authentication-and-authorization.mdtext
      - copied, changed from r1423751, directory/site/trunk/content/apacheds/advanced-ug/3-admin-model.mdtext
    directory/site/trunk/content/apacheds/advanced-ug/4.5-authorization.mdtext
    directory/site/trunk/content/apacheds/advanced-ug/4.5.1-introduction.mdtext
    directory/site/trunk/content/apacheds/advanced-ug/4.5.10-aci-grammar.mdtext
    directory/site/trunk/content/apacheds/advanced-ug/4.5.11-links-and-references.mdtext
    directory/site/trunk/content/apacheds/advanced-ug/4.5.2-definitions.mdtext
    directory/site/trunk/content/apacheds/advanced-ug/4.5.3-enabling-access-control.mdtext
    directory/site/trunk/content/apacheds/advanced-ug/4.5.4-aci-types.mdtext
    directory/site/trunk/content/apacheds/advanced-ug/4.5.4.1-entryaci.mdtext
    directory/site/trunk/content/apacheds/advanced-ug/4.5.4.2-prescriptiveaci.mdtext
    directory/site/trunk/content/apacheds/advanced-ug/4.5.4.3-subentryaci.mdtext
    directory/site/trunk/content/apacheds/advanced-ug/4.5.5-aci-elements.mdtext
    directory/site/trunk/content/apacheds/advanced-ug/4.5.5.1-userclasses.mdtext
    directory/site/trunk/content/apacheds/advanced-ug/4.5.5.2-protecteditems.mdtext
    directory/site/trunk/content/apacheds/advanced-ug/4.5.5.3-permissions.mdtext
    directory/site/trunk/content/apacheds/advanced-ug/4.5.5.4-subtrees.mdtext
    directory/site/trunk/content/apacheds/advanced-ug/4.5.6-the-acdf-engine.mdtext
    directory/site/trunk/content/apacheds/advanced-ug/4.5.6.1-how-it-works.mdtext
    directory/site/trunk/content/apacheds/advanced-ug/4.5.6.2-selections.mdtext
    directory/site/trunk/content/apacheds/advanced-ug/4.5.6.3-constraints.mdtext
    directory/site/trunk/content/apacheds/advanced-ug/4.5.6.4-priority.mdtext
    directory/site/trunk/content/apacheds/advanced-ug/4.5.7-using-acis-trail.mdtext
    directory/site/trunk/content/apacheds/advanced-ug/4.5.7.1-enable-authenticated-users-to-browse-and-read-entries.mdtext
    directory/site/trunk/content/apacheds/advanced-ug/4.5.8-acis-administration.mdtext
    directory/site/trunk/content/apacheds/advanced-ug/4.5.9-migration-from-other-ldap-servers.mdtext
Modified:
    directory/site/trunk/content/apacheds/advanced-ug/3-admin-model.mdtext

Modified: directory/site/trunk/content/apacheds/advanced-ug/3-admin-model.mdtext
URL: http://svn.apache.org/viewvc/directory/site/trunk/content/apacheds/advanced-ug/3-admin-model.mdtext?rev=1423760&r1=1423759&r2=1423760&view=diff
==============================================================================
--- directory/site/trunk/content/apacheds/advanced-ug/3-admin-model.mdtext (original)
+++ directory/site/trunk/content/apacheds/advanced-ug/3-admin-model.mdtext Wed Dec 19 04:46:29 2012
@@ -3,8 +3,8 @@ NavPrev: 2-server-config.html
 NavPrevText: 2 - Server Configuration
 NavUp: ../advanced-users-guide.html
 NavUpText: Advanced User Guide
-NavNext: 4-.html
-NavNextText: 4 - 
+NavNext: 4-authentication-and-authorization.html
+NavNextText: 4 - Authentication and Authorization
 Notice: Licensed to the Apache Software Foundation (ASF) under one
     or more contributor license agreements.  See the NOTICE file
     distributed with this work for additional information

Copied: directory/site/trunk/content/apacheds/advanced-ug/4-authentication-and-authorization.mdtext (from r1423751, directory/site/trunk/content/apacheds/advanced-ug/3-admin-model.mdtext)
URL: http://svn.apache.org/viewvc/directory/site/trunk/content/apacheds/advanced-ug/4-authentication-and-authorization.mdtext?p2=directory/site/trunk/content/apacheds/advanced-ug/4-authentication-and-authorization.mdtext&p1=directory/site/trunk/content/apacheds/advanced-ug/3-admin-model.mdtext&r1=1423751&r2=1423760&rev=1423760&view=diff
==============================================================================
--- directory/site/trunk/content/apacheds/advanced-ug/3-admin-model.mdtext (original)
+++ directory/site/trunk/content/apacheds/advanced-ug/4-authentication-and-authorization.mdtext Wed Dec 19 04:46:29 2012
@@ -1,10 +1,8 @@
-Title: 3 - Administrative Model
-NavPrev: 2-server-config.html
-NavPrevText: 2 - Server Configuration
+Title: 4 - Authentication & Authorization
+NavPrev: 3-admin-model.html
+NavPrevText: 3 Administrative Model
 NavUp: ../advanced-users-guide.html
 NavUpText: Advanced User Guide
-NavNext: 4-.html
-NavNextText: 4 - 
 Notice: Licensed to the Apache Software Foundation (ASF) under one
     or more contributor license agreements.  See the NOTICE file
     distributed with this work for additional information
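Review bot: `NavPrevText: 3 Administrative Model` drops the ` - ` separator that every other page uses (`3 - Administrative Model` in 3-admin-model.mdtext and in the NavPrevText of 4.5-authorization.mdtext), and the Title `4 - Authentication & Authorization` spells the conjunction as `&` while the NavNextText that links to this page reads `4 - Authentication and Authorization`; pick one spelling so the breadcrumb and the page heading agree. The removed `NavNext`/`NavNextText` lines are not replaced with anything; if there is no chapter 5 yet that is acceptable, but it is worth saying so rather than leaving the template silently truncated.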
@@ -22,72 +20,9 @@ Notice: Licensed to the Apache Software 
     specific language governing permissions and limitations
     under the License.
 
-# 3 - Administrative Model
-
-The **Administrative Model** is a really critical notion that need to be understood, because it drives many of ApacheDS roles.
-
-It's directly inherited by the **X.500** Administrative model (in fact, we do implement the full **X.500** sepcification related to **AAs**).
-
-## What is the Administrative Model ?
-
-The idea is to define the **DIT** as some areas which are administrated. Each area can be defined, and covers a set of entries, and each area can manage one ore more roles we want to manage. Those roles can be related to authorization, schema, etc... Each of this areas can overlap, but in any case, if two areas are overlaping, then one area totally include the other one. 
-
-The Admnistrative Model is everything we need to implement in order to be able to manage roles on some defined areas.
-
-## Areas
-
-An Area describe a part of the **DIT** which will start from a specific entry, and span across a part of the subtree starting at the base entry. An area is administrated by an **AP** (Administrative Point) which holds all the needed information about the area and the roles.
-
-We have three kind of areas :
-
-* AAA : Autonomous Administrative Areas
-* SAA : Specific Administrative Areas
-* IAA : Inner Administrative Areas
-
-**AAAs** cover all the roles as if we have declared one **SAA** for each existing role. They overload any area in which they can be encapsulated, hiding them.
-
-**SAAs** cover one specific role, and overload any encapsulating area with the same role.
-
-**IAAs** cover one specific role, but don't not overload any encapsulating area with the same role.
-
-## Administration Point
-
-An **Administration Point** is the point in the **DIT** where an area starts. It defines the roles, and the scope that applies to this area.
-
-Once we know which area we need to define, and the associated roles, it's mandatory to store those information in the **DIT**. This is done by addinga **subentries**, which just are entries storing all the administrative configuration.
-
-An Administrative Point is stored as a **subentry** (which is just a plain LDAP entry) just below the base of the defined area.
-
-<DIV class="info" markdown="1">
-	A **Subentry** is just a plain normal entry except that it contains administative model informations. They are stored below the entry they are managing, as a child entry.
-</DIV>
-
-<DIV class="note" markdown="1">
-	We also use the term "subtree" to define areas. This is due to the fact that we define a subtree specification in the administration point to express the set of selected entries.
-</DIV>
-
-## Roles
-
-The roles are the various aspects which are managed by the administration points. Currently, we manage five different roles in ApacheDS :
-
-* Authorization : manage the access to entries
-* Schema : define the schema to be used by a subtree
-* Triggers : define the triggers that can be leveraged in a subtree
-* Collective Attributes : manage attributes that are valid ofr a set of entries
-* Replication : manage the replication of a set
-
-# ApacheDS 2.0 coverage
-
-Currently, in Apache 2.0, we don't implement all this model. What is supported is :
-
-* AAA and SAA : We don't currently support IAA
-* We don't have more than one schema
-* Replication is not managed with any administration point
-
-Those missing parts will be implemented in the forthcoming versions.
+# 4 - Authentication and Authorization
 
 ## Chapter content
 
-* [3.1 - Administrative Points](3.1-administrative-points.html)
-* [3.2 - Operations on an Administrative Point](3.2-operations-on-an-administrativepoint.html)
+* [4.5 - Authorization](4.5-authorization.html)
 
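Review bot: the page is titled Authentication and Authorization, but the chapter content lists only `4.5 - Authorization`; sections 4.1 to 4.4 are neither listed nor added in this commit, so a reader landing here finds nothing about authentication. Either add placeholder entries marked `(TBW)`, as the trails table in 4.5-authorization.mdtext does, or state in the body that the authentication sections are still to be written.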

Added: directory/site/trunk/content/apacheds/advanced-ug/4.5-authorization.mdtext
URL: http://svn.apache.org/viewvc/directory/site/trunk/content/apacheds/advanced-ug/4.5-authorization.mdtext?rev=1423760&view=auto
==============================================================================
--- directory/site/trunk/content/apacheds/advanced-ug/4.5-authorization.mdtext (added)
+++ directory/site/trunk/content/apacheds/advanced-ug/4.5-authorization.mdtext Wed Dec 19 04:46:29 2012
@@ -0,0 +1,85 @@
+Title: 4.5. Authorization
+NavPrev: 3-admin-model.html
+NavPrevText: 3 - Administrative Model
+NavUp: 3-admin-model.html
+NavUpText: 3 - Administrative Model
+NavNext: 3.2-operations-on-an-administrativepoint.html
+NavNextText: 3.2 Operations on an a Administrative Point
+Notice: Licensed to the Apache Software Foundation (ASF) under one
+    or more contributor license agreements.  See the NOTICE file
+    distributed with this work for additional information
+    regarding copyright ownership.  The ASF licenses this file
+    to you under the Apache License, Version 2.0 (the
+    "License"); you may not use this file except in compliance
+    with the License.  You may obtain a copy of the License at
+    .
+    http://www.apache.org/licenses/LICENSE-2.0
+    .
+    Unless required by applicable law or agreed to in writing,
+    software distributed under the License is distributed on an
+    "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+    KIND, either express or implied.  See the License for the
+    specific language governing permissions and limitations
+    under the License.
+{scrollbar}
+
+ApacheDS uses an adaptation of the X.500 basic access control scheme in
+combination with X.500 subentries to control access to entries and
+attributes within the DIT. This document will show you how to enable the
+basic access control mechanism and how to define access control information
+to manage access to protected resources.
+
+## Chapter content
+
+* [4.5.1 - Introduction](4.5.1-introduction.html)
+* [4.5.2 - Definitions](4.5.2-definitions.html)
+* [4.5.3 - Enabling access control](4.5.3-enabling-access-control.html)
+* [4.5.4 - Aci Types](4.5.4-aci-types.html)
+* [4.5.5 - Aci Elements](4.5.5-aci-elements.html)
+* [4.5.6 - The Acdf Engine](4.5.6-the-acdf-engine.html)
+* [4.5.7 - Using Acis Trail](4.5.7-using-acis-trail.html)
+* [4.5.8 - Acis Administration](4.5.8-acis-administration.html)
+* [4.5.9 - Migration from other Ldap Servers](4.5.9-migration-from-other-ldap-servers.html)
+* [4.5.10 - Aci Grammar](4.5.10-aci-grammar.html)
+* [4.5.11 - Links and References](4.5.11-links-and-references.html)
+
+
+## Some Simple Examples
+
+The ACIItem syntax is very expressive and that makes it extremely powerful
+for specifying complex access control policies. However the syntax is not
+very easy to grasp for beginners. For this reason we start with simple
+examples that focus on different protection mechanisms offered by the
+ACIItem syntax. We do this instead of specifying the grammar which is not
+the best way to learn a language.
+
+{warning:title=Before you go any further...}
+Please don't go any further until you have read up on the use of
+Subentries. Knowledge of subentries, subtreeSpecifications, administrative
+areas, and administrative roles are required to properly digest the
+following material.
+{warning}
+
+Before going on to these trails you might want to set up an Administrative
+Area for managing access control via prescriptiveACI.  Both subentryACI and
+prescriptiveACI require the presence of an Administrative Point entry.	For
+more information and code examples see [ACAreas](acareas.html)
+. 
+
+### ACI Trails
+
+Here are some trails that resemble simple HOWTO guides.  They're ordered
+with the most pragmatic usage first.  We will add to these trails over
+time.
+
+<table>
+<tr><th>Trail</th><th>Description</th></tr>
+<tr><td>[EnableSearchForAllUsers](enablesearchforallusers.html)
+</td><td>Enabling access to browse and read all entries and their attributes by
+authenticated users.</td></tr>
+<tr><td>DenySubentryAccess (TBW) </td><td> Protecting access to subentries themselves.</td></tr>
+<tr><td>[AllowSelfPasswordModify](allowselfpasswordmodify.html)
+</td><td>Granting users the rights needed to change their own passwords.</td></tr>
+<tr><td>GrantAddDelModToGroup (TBW)</td><td>Granting add, delete, and modify permissions
+to a group of users.</td></tr>
+<tr><td>GrantModToEntry (TBW)</td><td>Applying ACI to a single entry.</td></tr>
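Review bot: the navigation metadata is carried over unchanged from the admin-model chapter: `NavUp: 3-admin-model.html`, `NavNext: 3.2-operations-on-an-administrativepoint.html` and `NavNextText: 3.2 Operations on an a Administrative Point` (note the doubled article) all point back into chapter 3, whereas this page belongs under 4-authentication-and-authorization.html and its next page is 4.5.1-introduction.html. The trails table also links to acareas.html, enablesearchforallusers.html and allowselfpasswordmodify.html, none of which is among the files this commit adds; the only trail file added is 4.5.7.1-enable-authenticated-users-to-browse-and-read-entries.mdtext, so those links will be dead, and the table duplicates what section 4.5.7 (Using Acis Trail) is for. Finally, `{scrollbar}` and `{warning:title=...}`/`{warning}` are Confluence wiki macros, not Markdown, and will come through as literal text in an .mdtext page; 3-admin-model.mdtext uses `<DIV class="note" markdown="1">` for this kind of callout.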

Added: directory/site/trunk/content/apacheds/advanced-ug/4.5.1-introduction.mdtext
URL: http://svn.apache.org/viewvc/directory/site/trunk/content/apacheds/advanced-ug/4.5.1-introduction.mdtext?rev=1423760&view=auto
==============================================================================
--- directory/site/trunk/content/apacheds/advanced-ug/4.5.1-introduction.mdtext (added)
+++ directory/site/trunk/content/apacheds/advanced-ug/4.5.1-introduction.mdtext Wed Dec 19 04:46:29 2012
@@ -0,0 +1,53 @@
+Title: 4.5.1 Introduction
+NavPrev: 4.5-authorization.html
+NavPrevText: 4.5 - Authorization
+NavUp: 4.5-authorization.html
+NavUpText: 4.5 - Authorization
+NavNext: 4.5.2-definitions.html
+NavNextText: 4.5.2 Definitions
+Notice: Licensed to the Apache Software Foundation (ASF) under one
+    or more contributor license agreements.  See the NOTICE file
+    distributed with this work for additional information
+    regarding copyright ownership.  The ASF licenses this file
+    to you under the Apache License, Version 2.0 (the
+    "License"); you may not use this file except in compliance
+    with the License.  You may obtain a copy of the License at
+    .
+    http://www.apache.org/licenses/LICENSE-2.0
+    .
+    Unless required by applicable law or agreed to in writing,
+    software distributed under the License is distributed on an
+    "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+    KIND, either express or implied.  See the License for the
+    specific language governing permissions and limitations
+    under the License.
+    {scrollbar}
+First of all, one has to understand that Authorization in this context
+involves four components. The principle is :
+ 
+{panel} grants *Users* authorization to proceed some *Action* on a set of
+*Items* in a defined *Area*{panel}
+
+Let's define the four components.
+
+*Users* :
+bq. the set of entity being able to do some action. It can be every user,
+the entry owner, a list of users, members of a group or a selection in the
+DIT. Basically, a *user* is defined as an entry in the DIT. 
+
+*Action* :
+bq. Generally speaking, a grant or denial to do something, depending on the
+selected item (read, delete, etc).
+
+*Items* :
+bq. An *item* is an element of the DIT. It can be an Entry, an
+AttributeType, some AttributeValues. It can also define some constraints
+that will apply on the selected entries.
+
+*Area* :
+bq.It defines the set of entries on which the defined ACI applies. It can
+be the whole DIT, a part of the DIT, a selection of entries, an Entry.
+
+We implement those elements using *ACI*s.
+
+The following chapters will present you the system inside out.
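Review bot: `{scrollbar}` on the line after the license text is indented four spaces, which makes it a continuation of the `Notice:` metadata value rather than body content, and no blank line separates the header block from the first paragraph, so the paragraph risks being swallowed into the metadata as well. The `{panel}`...`{panel}` and `bq.` markup in the body is Confluence syntax, not Markdown; use a `>` blockquote or the `<DIV class="info" markdown="1">` form used in 3-admin-model.mdtext. Wording: `grants *Users* authorization to proceed some *Action*` should read `to perform some *Action*`, and `the set of entity being able to do some action` should be `the set of entities able to perform an action`.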

Added: directory/site/trunk/content/apacheds/advanced-ug/4.5.10-aci-grammar.mdtext
URL: http://svn.apache.org/viewvc/directory/site/trunk/content/apacheds/advanced-ug/4.5.10-aci-grammar.mdtext?rev=1423760&view=auto
==============================================================================
--- directory/site/trunk/content/apacheds/advanced-ug/4.5.10-aci-grammar.mdtext (added)
+++ directory/site/trunk/content/apacheds/advanced-ug/4.5.10-aci-grammar.mdtext Wed Dec 19 04:46:29 2012
@@ -0,0 +1,263 @@
+Title: 4.5.10 ACI grammar
+{scrollbar}
+
+The ACI attributes store data following a specific structure, which is
+define by this grammar :
+
+{newcode:title=ACI grammar|linenumbers=true|lang=xml}
+<wrapperEntryPoint> ::= <SP*> '{' <SP*> <mainACIItemComponent> <SP*>
+<mainACIItemComponents> '}' <SP*> EOF
+
+<mainACIItemComponents> ::= ',' <SP*> <mainACIItemComponent> <SP*>
+<mainACIItemComponents> | e
+
+** Note : we have to allow only one of each option
+<mainACIItemComponent> ::= 
+    "identificationTag" <SP+> SAFEUTF8STRING
+    | "precedence" <SP+> INTEGER
+    | "authenticationLevel" <SP+> <authenticationLevel>
+    | "itemOrUserFirst" <SP+> <itemOrUserFirst>
+
+<authenticationLevel> ::= "none" | "simple" | "strong"
+
+<itemOrUserFirst> ::= 
+		   "itemFirst" <SP*> ':' <SP*> '{' <SP*> <itemType> <SP*>
+'}' 
+		   | 
+		   "userFirst" <SP*> ':' <SP*> '{' <SP*> <userType> <SP*>
+'}'
+
+<itemType> ::= 
+	    "protectedItems" <SP*> '{' <SP*> <protectedItem?> '}' <SP*> 
+			     ',' <SP*> '{' <SP*> <anyItemPermission> <SP*>
+<anyItemPermission*> '}'
+	    | 
+	    "itemPermissions" <SP+> '{' <SP*> <itemPermissions?> '}' <SP*> 
+			     ',' <SP*> "protectedItems" <SP*> '{' <SP*>
+<protectedItem?> '}'
+
+<userType> ::= 
+	     "userClasses" <SP+> '{' <SP*> <userClass?> '}' <SP*> ',' 
+			       <SP*> '{' <SP*> <anyUserPermission> <SP*>
+<anyUserPermission*> '}'
+	      |
+	      "userPermissions" <SP+> '{' <SP*> <userPermissions?> '}'
+<SP*> ',' 
+			       <SP*> "userClasses" <SP+> '{' <SP*>
+<userClass?> '}'
+
+<protectedItem?> ::= <protectedItem> <SP*> <protectedItem*> | e
+
+<protectedItem*> ::= ',' <SP*> <protectedItem> <SP*> <protectedItem*> | e
+
+<protectedItem> ::= 
+    "entry"
+    | "allUserAttributeTypes"
+    | "attributeType" <SP+> '{' <SP*> <oid> <SP*> <oids> '}'
+    | "allAttributeValues" <SP+> '{' <SP*> <oid> <SP*> <oids> '}'
+    | "allUserAttributeTypesAndValues"
+    | ATTRIBUTE_VALUE_CANDIDATE
+    | "selfValue" <SP+> '{' <SP*> <oid> <SP*> <oids> '}'
+    | RANGE_OF_VALUES_CANDIDATE
+    | "maxValueCount" <SP+> '{' <SP*> '{' <SP*> <valueCountType> <SP*> '}'
+<SP*> <maxValueCount*> '}'
+    | "maxImmSub" <SP+> INTEGER
+    | "restrictedBy" <SP+> '{' <SP*> '{' <SP*> <typeValueIn> <SP*> '}'
+<SP*> <restrictedValue*> '}'
+    | "classes" <SP+> <refinement>
+
+<maxValueCount*> ::= ',' <SP*> '{' <SP*> <valueCountType> <SP*> '}' <SP*>
+<maxValueCount*> | e
+
+<valueCountType> ::= 
+		   "type" <SP+> <oid> <SP*> ',' <SP*> "maxCount" <SP+>
+INTEGER 
+		    | 
+		   "maxCount" <SP+> INTEGER <SP*> ',' <SP*> "type" <SP+>
+<oid> 
+    
+<restrictedValue*> ::= ',' <SP*> '{' <SP*> <typeValueIn> <SP*> '}' <SP*>
+<restrictedValue*> | e 
+    
+<typeValueIn> ::=
+		"type" <SP+> <oid> <SP*> ',' <SP*> "valuesIn" <SP+> <oid>
+		|
+		"valuesIn" <SP+> <oid> <SP*> ',' <SP*> "type" <SP+> <oid>
+
+<oids> ::= ',' <SP*> <oid> <SP*> <oids> | e
+
+<itemPermissions?> ::= '{' <SP*> <anyItemPermission> <SP*>
+<anyItemPermission*> '}' <SP*> <itemPermissions*> | e
+
+<itemPermissions*> ::= 
+		     ',' <SP*> '{' <SP*> <anyItemPermission> <SP*>
+<anyItemPermission*> '}' <SP*> <itemPermissions*> | e
+
+<anyItemPermission*> ::= ',' <SP*> <anyItemPermission> <SP*>
+<anyItemPermission*> | e
+
+<anyItemPermission> :
+    "precedence" <SP+> <INTEGER>
+    | "userClasses" <SP+> '{' <SP*> <userClass?> '}'
+    | "grantsAndDenials" <SP+> '{' <SP*> <grantAndDenial?> '}'
+
+<grantAndDenial?> ::= <grantAndDenial> <SP*> <grantAndDenial*> | e
+
+<grantAndDenial*> ::= ',' <SP*> <grantAndDenial> <SP*> <grantAndDenial*>
+
+<grantAndDenial> :
+    "grantAdd" 
+    | "denyAdd" 
+    | "grantDiscloseOnError"
+    | "denyDiscloseOnError" 
+    | "grantRead" 
+    | "denyRead" 
+    | "grantRemove" 
+    | "denyRemove" 
+    | "grantBrowse" 
+    | "denyBrowse" 
+    | "grantExport"
+    | "denyExport" 
+    | "grantImport" 
+    | "denyImport" 
+    | "grantModify" 
+    | "denyModify" 
+    | "grantRename" 
+    | "denyRename"
+    | "grantReturnDN"
+    | "denyReturnDN" 
+    | "grantCompare" 
+    | "denyCompare" 
+    | "grantFilterMatch"
+    | "denyFilterMatch" 
+    | "grantInvoke"
+    | "denyInvoke"
+
+<userClass?> ::= <userClass> <SP*> <userClass*> | e
+
+<userClass*> ::= ',' <SP*> <userClass> <SP*> <userClass*> | e
+
+<userClass> :
+    "allUsers"
+    | "thisEntry"
+    | "parentOfEntry"
+    | "name" <SP+> '{' <SP*> <distinguishedName> <SP*> <name*> '}'
+    | "userGroup" <SP+> '{' <SP*> <distinguishedName> <SP*> <userGroup*>
+'}'
+    | "subtree" <SP+> '{' <SP*> '{' <SP*> <subtreeSpecificationComponent?>
+'}' <SP*> <subTree*> '}'
+
+<name*> ::= ',' <SP*> <distinguishedName> <SP*> <name*> | e
+ 
+<userGroup*> ::= ',' <SP*> <distinguishedName> <SP*> <userGroup*> | e
+
+<subTree*> ::= ',' <SP*> '{' <SP*> <subtreeSpecificationComponent?> '}'
+<SP*> <subTree*> | e
+
+<userPermissions?> ::= '{' <SP*> <anyUserPermission> <SP*>
+<anyUserPermission*> '}' <SP*> <userPermissions*> | e
+
+<userPermissions*> ::= 
+		     ',' <SP*> '{' <SP*> <anyUserPermission> <SP*>
+<anyUserPermission*> '}' <SP*> <userPermissions*> | e
+
+<anyUserPermission*> ::= ',' <SP*> <anyUserPermission> <SP*>
+<anyUserPermission*> | e
+
+<anyUserPermission> :
+    "precedence" <SP+> <INTEGER>
+    | "protectedItems" <SP*> '{' <SP*> <protectedItem?> '}'
+    | "grantsAndDenials" <SP+> '{' <SP*> <grantAndDenial?> '}'
+
+<subtreeSpecificationComponent?> ::= <subtreeSpecificationComponent> <SP*>
+<subtreeSpecificationComponent*> | e
+<subtreeSpecificationComponent*> ::= ',' <SP*>
+<subtreeSpecificationComponent> <SP*> <subtreeSpecificationComponent*> | e
+
+<subtreeSpecificationComponent> :
+    "base" <SP+> <distinguishedName>
+    | "specificExclusions" <SP+> '{' <SP*> <specificExclusion?> '}'
+    | "minimum" <SP+> INTEGER
+    | "maximum" <SP+> INTEGER
+
+<specificExclusion?> ::= <specificExclusion> <SP*> <specificExclusion*> | e
+
+<specificExclusion*> ::= ',' <SP*> <specificExclusion> <SP*>
+<specificExclusion*> | e
+
+<specificExclusion> ::=
+		      "chopBefore" <SP*> ':' <SP*> <distinguishedName> 
+		      | 
+		      "chopAfter" <SP*> ':' <SP*> <distinguishedName>
+
+<refinement> ::= 
+	       "item" <SP*> ':' <SP*> <oid> 
+	       | 
+	       "and" <SP*> ':' <SP*> '{' <refinements?> '}'
+	       | 
+	       "or" <SP*> ':' <SP*> '{' <refinements?> '}'
+	       | 
+	       "not" <SP*> ':' <SP*> '{' <refinements?> '}'
+
+<refinements?> ::= <SP*> <refinements?> <SP*> <refinement*> | e
+
+<refinement*> ::= ',' <SP*> <refinement> <SP*> <refinement*> | e
+
+<distinguishedName> ::= SAFEUTF8STRING
+
+<oid> ::= DESCR | NUMERICOID
+
+SAFEUTF8CHAR :
+    '\u0001'..'\u0021' |
+    '\u0023'..'\u007F' |
+    '\u00c0'..'\u00d6' |
+    '\u00d8'..'\u00f6' |
+    '\u00f8'..'\u00ff' |
+    '\u0100'..'\u1fff' |
+    '\u3040'..'\u318f' |
+    '\u3300'..'\u337f' |
+    '\u3400'..'\u3d2d' |
+    '\u4e00'..'\u9fff' |
+    '\uf900'..'\ufaff' ;
+
+<SP+> ::= <SP> <SP*>
+<SP*> ::= <SP> <SP*> | e
+<SP> ::= ' ' | '\t' | '\n' | '\r' ;
+
+
+ALPHA : 'A'..'Z' | 'a'..'z' ;
+
+<INTEGER> ::= <DIGIT> | <LDIGIT> <DIGIT> <DIGIT*>
+<DIGIT> ::= '0' | <LDIGIT> ;
+<LDIGIT> ::= '1'..'9' ;
+<DIGIT*> ::= <DIGIT> <DIGIT*> | e
+
+HYPHEN : '-' ;
+
+NUMERICOID : INTEGER ( DOT INTEGER )+ ;
+
+DOT : '.' ;
+
+INTEGER_OR_NUMERICOID
+    :
+    ( INTEGER DOT ) => NUMERICOID
+    |
+    INTEGER
+
+SAFEUTF8STRING : '"'! ( SAFEUTF8CHAR )* '"'! ;
+
+DESCR 
+    :
+    ( "attributeValue" ( SP! )+ '{' ) =>
+      "attributeValue"! ( SP! )+ '{'! ( options : . )* '}'!
+    | ( "rangeOfValues" ( SP! )+ '(' ) =>
+      "rangeOfValues"! ( SP! )+ FILTER
+    | ALPHA ( ALPHA | DIGIT | HYPHEN )*
+    ;
+
+FILTER : '(' ( ( '&' (SP)* (FILTER)+ ) | ( '|' (SP)* (FILTER)+ ) | ( '!'
+(SP)* FILTER ) | FILTER_VALUE ) ')' (SP)* ;
+
+FILTER_VALUE : (options: ~( ')' | '(' | '&' | '|' | '!' ) ( ~(')') )* ) ;
+
+{newcode}
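Review bot: two productions in the grammar are malformed. `<grantAndDenial*> ::= ',' <SP*> <grantAndDenial> <SP*> <grantAndDenial*>` lacks the `| e` alternative that every other `*` production has, so a grantsAndDenials list can never terminate; and `<refinements?> ::= <SP*> <refinements?> <SP*> <refinement*> | e` is left-recursive and never derives a `<refinement>`, so `and`/`or`/`not` refinements can only be empty; by analogy with `<protectedItem?>` it should presumably read `<refinement> <SP*> <refinement*> | e`. Several productions also use a bare `:` instead of `::=` (`<anyItemPermission>`, `<grantAndDenial>`, `<userClass>`, `<anyUserPermission>`, `<subtreeSpecificationComponent>`), and many rules are hard-wrapped mid-production at about 72 columns (for example `<wrapperEntryPoint>` and `<itemType>`), which inside a code block displays as broken lines. Separately, this file lacks the `NavPrev`/`NavUp`/`NavNext` lines and the `Notice:` license header that every other added page carries, and `{newcode:...}`/`{newcode}` is a Confluence macro that the mdtext pipeline will not render as a code block.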

Added: directory/site/trunk/content/apacheds/advanced-ug/4.5.11-links-and-references.mdtext
URL: http://svn.apache.org/viewvc/directory/site/trunk/content/apacheds/advanced-ug/4.5.11-links-and-references.mdtext?rev=1423760&view=auto
==============================================================================
--- directory/site/trunk/content/apacheds/advanced-ug/4.5.11-links-and-references.mdtext (added)
+++ directory/site/trunk/content/apacheds/advanced-ug/4.5.11-links-and-references.mdtext Wed Dec 19 04:46:29 2012
@@ -0,0 +1,11 @@
+Title: 4.5.11 Links and references
+{scrollbar}
+
+The *Apache Directory Server* authorization system is based on the *X.500*
+specifications. Those documents are available on [X.500 freely available specifications](http://www.x500standard.com/index.php?n=Ig.LatestAvail)
+, and more specifically [X.501|http://www.itu.int/rec/T-REC-X.501-200811-I!Cor2/dologin.asp?lang=e&id=T-REC-X.501-200811-I!Cor2!PDF-E&type=items]
+.
+
+Some more 'user friendly' documentation about Access Control can be found
+in *Chadwick*'s book, available at [X.500 book](http://sec.cs.kent.ac.uk/x500book/)
+, chapter 8.
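Review bot: the X.501 reference uses Confluence link syntax `[X.501|http://...]`, which Markdown will not turn into a link (the other two references correctly use `[text](url)`), and the URL is an ITU login page (`dologin.asp`) rather than a stable document URL. The trailing `,` and `.` are split onto their own lines and will render as stray punctuation after each link. Like 4.5.10, this page is missing the NavPrev/NavUp/NavNext lines and the Notice header the other added pages have.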

Added: directory/site/trunk/content/apacheds/advanced-ug/4.5.2-definitions.mdtext
URL: http://svn.apache.org/viewvc/directory/site/trunk/content/apacheds/advanced-ug/4.5.2-definitions.mdtext?rev=1423760&view=auto
==============================================================================
--- directory/site/trunk/content/apacheds/advanced-ug/4.5.2-definitions.mdtext (added)
+++ directory/site/trunk/content/apacheds/advanced-ug/4.5.2-definitions.mdtext Wed Dec 19 04:46:29 2012
@@ -0,0 +1,44 @@
+Title: 4.5.2 Definitions
+NavPrev: 4.5.1-introduction.html
+NavPrevText: 4.5.1 - Introduction
+NavUp: 4.5-authorization.html
+NavUpText: 4.5 - Authorization
+NavNext: 4.5.3-enabling-access-control.html
+NavNextText: 4.5.3 Enabling Access Control
+Notice: Licensed to the Apache Software Foundation (ASF) under one
+    or more contributor license agreements.  See the NOTICE file
+    distributed with this work for additional information
+    regarding copyright ownership.  The ASF licenses this file
+    to you under the Apache License, Version 2.0 (the
+    "License"); you may not use this file except in compliance
+    with the License.  You may obtain a copy of the License at
+    .
+    http://www.apache.org/licenses/LICENSE-2.0
+    .
+    Unless required by applicable law or agreed to in writing,
+    software distributed under the License is distributed on an
+    "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+    KIND, either express or implied.  See the License for the
+    specific language governing permissions and limitations
+    under the License.
+
+
+*ACI* :
+bq. Access Control Information. The set of all the information which might
+be relevant to an access control decision for a given subject.
+
+*ACDF* :
+bq. Access Control Decision Function. It is the function used to decide
+whether a particular subject has a particular access right by virtue of
+applicable ACI items.
+
+*protected item* :
+bq. A protected item is the element of directory information being
+accessed.  The protected items are entries, attributes, attribute values
+and distinguished names.  Access to each protected item can be separately
+controlled through ACI.
+
+*subject* :
+bq. The entity acting on the server. It can be a person, a program, ... It
+aggregates the identity and the security related attributes (passwords,
+ceritifcates...) for this entity.
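Review bot: the `bq.` prefixes are Confluence blockquote syntax and will appear as literal `bq.` text in Markdown; use `>` or the `<DIV class="info" markdown="1">` form from 3-admin-model.mdtext. Typo in the *subject* definition: `ceritifcates` should be `certificates`. The two blank lines between the header block and the first definition can be collapsed to one.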

Added: directory/site/trunk/content/apacheds/advanced-ug/4.5.3-enabling-access-control.mdtext
URL: http://svn.apache.org/viewvc/directory/site/trunk/content/apacheds/advanced-ug/4.5.3-enabling-access-control.mdtext?rev=1423760&view=auto
==============================================================================
--- directory/site/trunk/content/apacheds/advanced-ug/4.5.3-enabling-access-control.mdtext (added)
+++ directory/site/trunk/content/apacheds/advanced-ug/4.5.3-enabling-access-control.mdtext Wed Dec 19 04:46:29 2012
@@ -0,0 +1,27 @@
+Title: 4.5.3 Enabling Access Control
+NavPrev: 4.5.2-definitions.html
+NavPrevText: 4.5.2 - Definitions
+NavUp: 4.5-authorization.html
+NavUpText: 4.5 - Authorization
+NavNext: 4.5.4-aci-types.html
+NavNextText: 4.5.4 Aci Types
+Notice: Licensed to the Apache Software Foundation (ASF) under one
+    or more contributor license agreements.  See the NOTICE file
+    distributed with this work for additional information
+    regarding copyright ownership.  The ASF licenses this file
+    to you under the Apache License, Version 2.0 (the
+    "License"); you may not use this file except in compliance
+    with the License.  You may obtain a copy of the License at
+    .
+    http://www.apache.org/licenses/LICENSE-2.0
+    .
+    Unless required by applicable law or agreed to in writing,
+    software distributed under the License is distributed on an
+    "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+    KIND, either express or implied.  See the License for the
+    specific language governing permissions and limitations
+    under the License.
+
+
+Title: 4.5.3 Enabling Access Control
+{scrollbar}
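Review bot: this page has no body. After the header block there is a second `Title: 4.5.3 Enabling Access Control` line which, coming after a blank line, is no longer metadata and will render as literal text, followed by a `{scrollbar}` macro. Since 4.5-authorization.mdtext links to this page and its title promises the enabling procedure, either add the steps or mark the entry `(TBW)` in the chapter index so readers do not land on an empty page.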

Added: directory/site/trunk/content/apacheds/advanced-ug/4.5.4-aci-types.mdtext
URL: http://svn.apache.org/viewvc/directory/site/trunk/content/apacheds/advanced-ug/4.5.4-aci-types.mdtext?rev=1423760&view=auto
==============================================================================
--- directory/site/trunk/content/apacheds/advanced-ug/4.5.4-aci-types.mdtext (added)
+++ directory/site/trunk/content/apacheds/advanced-ug/4.5.4-aci-types.mdtext Wed Dec 19 04:46:29 2012
@@ -0,0 +1,35 @@
+Title: 4.5.4 ACI types
+NavPrev: 4.5.3-enabling-access-control.html
+NavPrevText: 4.5.3 - Enabling Access Control
+NavUp: 4.5-authorization.html
+NavUpText: 4.5 - Authorization
+NavNext: 4.5.5-aci-elements.html
+NavNextText: 4.5.5 Aci Elements
+Notice: Licensed to the Apache Software Foundation (ASF) under one
+    or more contributor license agreements.  See the NOTICE file
+    distributed with this work for additional information
+    regarding copyright ownership.  The ASF licenses this file
+    to you under the Apache License, Version 2.0 (the
+    "License"); you may not use this file except in compliance
+    with the License.  You may obtain a copy of the License at
+    .
+    http://www.apache.org/licenses/LICENSE-2.0
+    .
+    Unless required by applicable law or agreed to in writing,
+    software distributed under the License is distributed on an
+    "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+    KIND, either express or implied.  See the License for the
+    specific language governing permissions and limitations
+    under the License.
+
+
+
+Three different types of ACI exist. All types use the same specification
+syntax for an ACIITem. These types differ in their placement and manner of
+use within the directory.
+
+## Chapter content
+
+* [4.5.4.1 - Entry Aci](4.5.4.1-entryaci.html)
+* [4.5.4.2 - Prescriptive Aci](4.5.4.2-prescriptiveaci.html)
+* [4.5.4.3 - Subentry Aci](4.5.4.3-subentryaci.html)
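Review bot: `ACIITem` in the first paragraph should be `ACIItem`, as spelled in 4.5-authorization.mdtext. The three blank lines between the header block and the body can be collapsed to one.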

Added: directory/site/trunk/content/apacheds/advanced-ug/4.5.4.1-entryaci.mdtext
URL: http://svn.apache.org/viewvc/directory/site/trunk/content/apacheds/advanced-ug/4.5.4.1-entryaci.mdtext?rev=1423760&view=auto
==============================================================================
--- directory/site/trunk/content/apacheds/advanced-ug/4.5.4.1-entryaci.mdtext (added)
+++ directory/site/trunk/content/apacheds/advanced-ug/4.5.4.1-entryaci.mdtext Wed Dec 19 04:46:29 2012
@@ -0,0 +1,41 @@
+Title: 4.5.4.1 EntryACI
+NavPrev: 4.5.4-aci-types.html
+NavPrevText: 4.5.4 - Aci Types
+NavUp: 4.5.4-aci-types.html
+NavUpText: 4.5.4 - Aci Types
+NavNext: 4.5.4.2-prescriptiveaci.html
+NavNextText: 4.5.4.2 Prescriptive Aci
+Notice: Licensed to the Apache Software Foundation (ASF) under one
+    or more contributor license agreements.  See the NOTICE file
+    distributed with this work for additional information
+    regarding copyright ownership.  The ASF licenses this file
+    to you under the Apache License, Version 2.0 (the
+    "License"); you may not use this file except in compliance
+    with the License.  You may obtain a copy of the License at
+    .
+    http://www.apache.org/licenses/LICENSE-2.0
+    .
+    Unless required by applicable law or agreed to in writing,
+    software distributed under the License is distributed on an
+    "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+    KIND, either express or implied.  See the License for the
+    specific language governing permissions and limitations
+    under the License.
+
+
+
+
+Entry ACI are access controls added to entries to protect that entry
+specifically. Meaning the protected entry is the entry where the ACI
+resides. When performing an operation on an entry, ApacheDS checks for the
+presence of the multivalued operational attribute, *entryACI*. The values
+of the entryACI attribute contain ACIItems.
+
+{note}
+
+There is one exception to the rule of consulting entryACI attributes within
+ApacheDS: add operations do not consult the entryACI within the entry being
+added. This is a security precaution. (??? Check this sentence) If allowed
+users can arbitrarily add entries where they wanted by putting entryACI
+into the new entry being added. This could compromise the DSA. 
+{note}
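Review bot: the editorial marker `(??? Check this sentence)` in the note block must be resolved before this page is published, and the sentence it flags is the one readers most need since it explains the security rationale. Suggested replacement for the last three sentences: "If the entryACI of the entry being added were consulted, a user could authorise their own add operation simply by embedding a permissive entryACI in the new entry; add is therefore governed only by the ACIs already in effect for the target location, never by the ACI carried in the entry itself." Grammar in the first paragraph: "Entry ACI are access controls added to entries to protect that entry specifically. Meaning the protected entry is the entry where the ACI resides." reads better as "An entry ACI is an access control stored in the entry it protects, so the protected entry is the one in which the ACI resides." Also note that `{note}` ... `{note}` is a Confluence macro; this is a .mdtext (Markdown) page, so the markers will be emitted as literal text unless converted to the site's own markup.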

Added: directory/site/trunk/content/apacheds/advanced-ug/4.5.4.2-prescriptiveaci.mdtext
URL: http://svn.apache.org/viewvc/directory/site/trunk/content/apacheds/advanced-ug/4.5.4.2-prescriptiveaci.mdtext?rev=1423760&view=auto
==============================================================================
--- directory/site/trunk/content/apacheds/advanced-ug/4.5.4.2-prescriptiveaci.mdtext (added)
+++ directory/site/trunk/content/apacheds/advanced-ug/4.5.4.2-prescriptiveaci.mdtext Wed Dec 19 04:46:29 2012
@@ -0,0 +1,59 @@
+Title: 4.5.4.2 PrescriptiveACI
+NavPrev: 4.5.4.1-entryaci.html
+NavPrevText: 4.5.4.1 - Entry Aci
+NavUp: 4.5.4-aci-types.html
+NavUpText: 4.5.4 - Aci Types
+NavNext: 4.5.4.3-subentryaci.html
+NavNextText: 4.5.4.3 Subentry Aci
+Notice: Licensed to the Apache Software Foundation (ASF) under one
+    or more contributor license agreements.  See the NOTICE file
+    distributed with this work for additional information
+    regarding copyright ownership.  The ASF licenses this file
+    to you under the Apache License, Version 2.0 (the
+    "License"); you may not use this file except in compliance
+    with the License.  You may obtain a copy of the License at
+    .
+    http://www.apache.org/licenses/LICENSE-2.0
+    .
+    Unless required by applicable law or agreed to in writing,
+    software distributed under the License is distributed on an
+    "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+    KIND, either express or implied.  See the License for the
+    specific language governing permissions and limitations
+    under the License.
+
+Prescriptive ACI are access controls that are applied to a collection of
+entries, not just to a single entry. Collections of entries are defined by
+the subtreeSpecifications of subentries. Hence prescriptive ACI are added
+to subentries as attributes and are applied by ApacheDS to the entries
+selected by the subentry's subtreeSpecification. ApacheDS uses the
+*prescriptiveACI* multivalued operational attribute within subentries to
+contain ACIItems that apply to the entry collection.
+
+Prescriptive ACI can save much effort when trying to control access to a
+collection of resources. Prescriptive ACI can even be specified to apply
+access controls to entries that do not yet exist within the DIT. They are a
+very powerful mechanism and for this reason they are the preferred
+mechanism for managing access to protected resources. ApacheDS is optimized
+specifically for managing access to collections of entries rather than
+point entries themselves.
+
+Users should try to avoid entry ACIs whenever possible, and use
+prescriptive ACIs instead. Entry ACIs are more for managing exceptional
+cases and should not be used excessively.
+
+{info:title=How it works!}
+For every type of LDAP operation, ApacheDS checks to see if any access
+control subentries include the protected entry in their collection. The set
+of subentries which include the protected entry are discovered very rapidly
+by the subentry subsystem. The subentry subsystem caches
+subtreeSpecifications for all subentries within the server so inclusion
+checks are fast. 
+
+For each access control subentry in the set, ApacheDS checks within a
+prescriptive ACI cache for ACI tuples. ApacheDS also caches prescriptive
+ACI information in a special form called ACI tuples. This is done so
+ACIItem parsing and conversion to an optimal representations for evaluation
+is not required at access time. This way access based on prescriptive ACIs
+is determined very rapidly.
+{info}
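Review bot: the `{info:title=How it works!}` ... `{info}` wrapper is Confluence macro syntax and will not render in a Markdown .mdtext page; convert it to a heading or a blockquote. Inside that block, "ApacheDS checks within a prescriptive ACI cache for ACI tuples. ApacheDS also caches prescriptive ACI information in a special form called ACI tuples." states the same fact twice; merge into one sentence, for example "ApacheDS pre-compiles each prescriptive ACI into ACI tuples and caches them, so no ACIItem parsing or conversion is needed at access time." Also "conversion to an optimal representations" should be "an optimal representation". The guidance "Users should try to avoid entry ACIs whenever possible" would be easier to act on if it named the exceptional cases where an entry ACI is the right tool, since the previous page already says entry ACIs exist for exactly that purpose.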

Added: directory/site/trunk/content/apacheds/advanced-ug/4.5.4.3-subentryaci.mdtext
URL: http://svn.apache.org/viewvc/directory/site/trunk/content/apacheds/advanced-ug/4.5.4.3-subentryaci.mdtext?rev=1423760&view=auto
==============================================================================
--- directory/site/trunk/content/apacheds/advanced-ug/4.5.4.3-subentryaci.mdtext (added)
+++ directory/site/trunk/content/apacheds/advanced-ug/4.5.4.3-subentryaci.mdtext Wed Dec 19 04:46:29 2012
@@ -0,0 +1,41 @@
+Title: 4.5.4.3 SubentryACI
+NavPrev: 4.5.4.2-prescriptiveaci.html
+NavPrevText: 4.5.4.2 - Prescriptive Aci
+NavUp: 4.5.4-aci-types.html
+NavUpText: 4.5.4 - Aci Types
+NavNext: 4.5.5-aci-elements.html
+NavNextText: 4.5.5 Aci Elements
+Notice: Licensed to the Apache Software Foundation (ASF) under one
+    or more contributor license agreements.  See the NOTICE file
+    distributed with this work for additional information
+    regarding copyright ownership.  The ASF licenses this file
+    to you under the Apache License, Version 2.0 (the
+    "License"); you may not use this file except in compliance
+    with the License.  You may obtain a copy of the License at
+    .
+    http://www.apache.org/licenses/LICENSE-2.0
+    .
+    Unless required by applicable law or agreed to in writing,
+    software distributed under the License is distributed on an
+    "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+    KIND, either express or implied.  See the License for the
+    specific language governing permissions and limitations
+    under the License.
+
+
+
+Access to subentries also needs to be controlled. Subentries are special in
+ApacheDS. Although they subordinate to an administrative entry (entry of an
+Administrative Point), they are technically considered to be in the same
+context as their administrative entry. ApacheDS considers the perscriptive
+ACI applied to the administrative entry, to also apply to its subentries. 
+
+This however is not the most intuitive mechanism to use for explicitly
+controlling access to subentries. A more explicit mechanism is used to
+specify ACIs specifically for protecting subentries. ApacheDS uses the
+multivalued operational attribute, *subentryACI*, within administrative
+entries to control access to immediately subordinate subentries.
+
+Protection policies for ACIs themselves can be managed within the entry of
+an administrative point.
+
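Review bot: typo "perscriptive ACI" in the first paragraph of 4.5.4.3-subentryaci.mdtext should be "prescriptive ACI", and "they subordinate to an administrative entry" should be "they are subordinate to an administrative entry". The closing line "Protection policies for ACIs themselves can be managed within the entry of an administrative point" is the key takeaway of the page (who may read or modify the ACIs), and it would be clearer if it said explicitly that this is done through the subentryACI attribute introduced in the paragraph above, rather than leaving the reader to connect the two. Two trailing blank lines before end of file can go.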

Added: directory/site/trunk/content/apacheds/advanced-ug/4.5.5-aci-elements.mdtext
URL: http://svn.apache.org/viewvc/directory/site/trunk/content/apacheds/advanced-ug/4.5.5-aci-elements.mdtext?rev=1423760&view=auto
==============================================================================
--- directory/site/trunk/content/apacheds/advanced-ug/4.5.5-aci-elements.mdtext (added)
+++ directory/site/trunk/content/apacheds/advanced-ug/4.5.5-aci-elements.mdtext Wed Dec 19 04:46:29 2012
@@ -0,0 +1,32 @@
+Title: 4.5.5 ACI elements
+NavPrev: 4.5.4-aci-types.html
+NavPrevText: 4.5.4 - ACI types
+NavUp: 4.5-authorization.html
+NavUpText: 4.5 - Authorization
+NavNext: 4.5.6-the-acdf-engine.html
+NavNextText: 4.5.6 The Acdf Engine
+Notice: Licensed to the Apache Software Foundation (ASF) under one
+    or more contributor license agreements.  See the NOTICE file
+    distributed with this work for additional information
+    regarding copyright ownership.  The ASF licenses this file
+    to you under the Apache License, Version 2.0 (the
+    "License"); you may not use this file except in compliance
+    with the License.  You may obtain a copy of the License at
+    .
+    http://www.apache.org/licenses/LICENSE-2.0
+    .
+    Unless required by applicable law or agreed to in writing,
+    software distributed under the License is distributed on an
+    "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+    KIND, either express or implied.  See the License for the
+    specific language governing permissions and limitations
+    under the License.
+
+## Chapter content
+
+* [4.5.5.1 - User Classes](4.5.5.1-userclasses.html)
+* [4.5.5.2 - User Protected Items](4.5.5.2-protecteditems.html)
+* [4.5.5.3 - Permissions](4.5.5.3-permissions.html)
+* [4.5.5.4 - Subtrees](4.5.5.4-subtrees.html)
+
+
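Review bot: the list item "4.5.5.2 - User Protected Items" has a stray "User"; the target page is titled "4.5.5.2 ProtectedItems" and the NavPrevText on 4.5.5.3 reads "4.5.5.2 - Protected Items" style, so this entry should be "4.5.5.2 - Protected Items". Unlike 4.5.4-aci-types.mdtext, this hub page has no introductory sentence before "## Chapter content"; one line stating that every ACIItem is built from these four elements (user classes, protected items, permissions, subtrees) would make the page useful rather than a bare index. Trailing blank lines at end of file.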

Added: directory/site/trunk/content/apacheds/advanced-ug/4.5.5.1-userclasses.mdtext
URL: http://svn.apache.org/viewvc/directory/site/trunk/content/apacheds/advanced-ug/4.5.5.1-userclasses.mdtext?rev=1423760&view=auto
==============================================================================
--- directory/site/trunk/content/apacheds/advanced-ug/4.5.5.1-userclasses.mdtext (added)
+++ directory/site/trunk/content/apacheds/advanced-ug/4.5.5.1-userclasses.mdtext Wed Dec 19 04:46:29 2012
@@ -0,0 +1,23 @@
+Title: 4.5.5.1 UserClasses
+NavPrev: 4.5.5-aci-elements.html
+NavPrevText: 4.5.5 - ACI Elements
+NavUp: 4.5.5-aci-elements.html
+NavUpText: 4.5.5 - ACI Elements
+NavNext: 4.5.5.2-protecteditems.html
+NavNextText: 4.5.5.2 Protected Itements
+Notice: Licensed to the Apache Software Foundation (ASF) under one
+    or more contributor license agreements.  See the NOTICE file
+    distributed with this work for additional information
+    regarding copyright ownership.  The ASF licenses this file
+    to you under the Apache License, Version 2.0 (the
+    "License"); you may not use this file except in compliance
+    with the License.  You may obtain a copy of the License at
+    .
+    http://www.apache.org/licenses/LICENSE-2.0
+    .
+    Unless required by applicable law or agreed to in writing,
+    software distributed under the License is distributed on an
+    "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+    KIND, either express or implied.  See the License for the
+    specific language governing permissions and limitations
+    under the License.
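Review bot: 4.5.5.1-userclasses.mdtext contains only the front matter and no body at all; if it is intended to ship as a placeholder, add at least one line saying so, otherwise the navigation links from 4.5.5 lead to an empty page. NavNextText "Protected Itements" is a typo for "Protected Items".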

Added: directory/site/trunk/content/apacheds/advanced-ug/4.5.5.2-protecteditems.mdtext
URL: http://svn.apache.org/viewvc/directory/site/trunk/content/apacheds/advanced-ug/4.5.5.2-protecteditems.mdtext?rev=1423760&view=auto
==============================================================================
--- directory/site/trunk/content/apacheds/advanced-ug/4.5.5.2-protecteditems.mdtext (added)
+++ directory/site/trunk/content/apacheds/advanced-ug/4.5.5.2-protecteditems.mdtext Wed Dec 19 04:46:29 2012
@@ -0,0 +1,36 @@
+Title: 4.5.5.2 ProtectedItems
+NavPrev: 4.5.5.1-userclasses.html
+NavPrevText: 4.5.5.1 - User Classes
+NavUp: 4.5.5-aci-elements.html
+NavUpText: 4.5.5 - ACI Elements
+NavNext: 4.5.5.3-permissions.html
+NavNextText: 4.5.5.3 Permissions
+Notice: Licensed to the Apache Software Foundation (ASF) under one
+    or more contributor license agreements.  See the NOTICE file
+    distributed with this work for additional information
+    regarding copyright ownership.  The ASF licenses this file
+    to you under the Apache License, Version 2.0 (the
+    "License"); you may not use this file except in compliance
+    with the License.  You may obtain a copy of the License at
+    .
+    http://www.apache.org/licenses/LICENSE-2.0
+    .
+    Unless required by applicable law or agreed to in writing,
+    software distributed under the License is distributed on an
+    "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+    KIND, either express or implied.  See the License for the
+    specific language governing permissions and limitations
+    under the License.
+
+The *protected items* are elements being accessed, and thus controlled by
+ACIs. Many parts of the DIT can be protected :
+* Entry : a entry as a whole.
+* allUserAttributeTypes : the User's AttributeType, excluding the
+associated values
+* allUserAttributeTypesAndValues : the User's AttributeType, including the
+associated values
+* allAttributeValues : All the AttributeType values
+* attributeType : A specific AttributeType
+* attributeValue : A set of attribute values
+* selfValue : The values associated with the requestor RDN's AttributeTypes
+
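Review bot: the bullet list directly follows the "Many parts of the DIT can be protected :" line with no blank line in between; Markdown renderers commonly require that blank line to start a list, so these items are likely to render as one run-on paragraph. "a entry" should be "an entry", and drop the space before each colon. The list writes "Entry" with a capital while the ACIItem grammar and the 4.5.7.1 trail use the keyword `entry`; since these are grammar keywords, use the exact lowercase spelling for every item. The descriptions would also help the reader more if they said what each item gates, for instance that `entry` must be granted for the entry itself to be browsed or read, which is why the trail in 4.5.7.1 grants `{entry, allUserAttributeTypesAndValues}` together rather than the attribute item alone.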

Added: directory/site/trunk/content/apacheds/advanced-ug/4.5.5.3-permissions.mdtext
URL: http://svn.apache.org/viewvc/directory/site/trunk/content/apacheds/advanced-ug/4.5.5.3-permissions.mdtext?rev=1423760&view=auto
==============================================================================
--- directory/site/trunk/content/apacheds/advanced-ug/4.5.5.3-permissions.mdtext (added)
+++ directory/site/trunk/content/apacheds/advanced-ug/4.5.5.3-permissions.mdtext Wed Dec 19 04:46:29 2012
@@ -0,0 +1,2 @@
+Title: 4.5.5.3 Permissions
+{scrollbar}
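Review bot: 4.5.5.3-permissions.mdtext is a two-line stub (Title plus `{scrollbar}`) with none of the Nav*/Notice front matter that the other pages in this commit carry; the placeholders should at least get the same ASF Notice block and prev/up/next navigation so licence header checks and chapter navigation do not break when the pages go live. `{scrollbar}` is a Confluence macro and will show up as literal text in mdtext. The same applies to the identical stubs for 4.5.5.4-subtrees, 4.5.6-the-acdf-engine, 4.5.6.1-how-it-works, 4.5.6.2-selections, 4.5.6.3-constraints, 4.5.6.4-priority, 4.5.7-using-acis-trail, 4.5.8-acis-administration and 4.5.9-migration-from-other-ldap-servers in this commit.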

Added: directory/site/trunk/content/apacheds/advanced-ug/4.5.5.4-subtrees.mdtext
URL: http://svn.apache.org/viewvc/directory/site/trunk/content/apacheds/advanced-ug/4.5.5.4-subtrees.mdtext?rev=1423760&view=auto
==============================================================================
--- directory/site/trunk/content/apacheds/advanced-ug/4.5.5.4-subtrees.mdtext (added)
+++ directory/site/trunk/content/apacheds/advanced-ug/4.5.5.4-subtrees.mdtext Wed Dec 19 04:46:29 2012
@@ -0,0 +1,2 @@
+Title: 4.5.5.4 Subtrees
+{scrollbar}

Added: directory/site/trunk/content/apacheds/advanced-ug/4.5.6-the-acdf-engine.mdtext
URL: http://svn.apache.org/viewvc/directory/site/trunk/content/apacheds/advanced-ug/4.5.6-the-acdf-engine.mdtext?rev=1423760&view=auto
==============================================================================
--- directory/site/trunk/content/apacheds/advanced-ug/4.5.6-the-acdf-engine.mdtext (added)
+++ directory/site/trunk/content/apacheds/advanced-ug/4.5.6-the-acdf-engine.mdtext Wed Dec 19 04:46:29 2012
@@ -0,0 +1,2 @@
+Title: 4.5.6 The ACDF engine
+{scrollbar}

Added: directory/site/trunk/content/apacheds/advanced-ug/4.5.6.1-how-it-works.mdtext
URL: http://svn.apache.org/viewvc/directory/site/trunk/content/apacheds/advanced-ug/4.5.6.1-how-it-works.mdtext?rev=1423760&view=auto
==============================================================================
--- directory/site/trunk/content/apacheds/advanced-ug/4.5.6.1-how-it-works.mdtext (added)
+++ directory/site/trunk/content/apacheds/advanced-ug/4.5.6.1-how-it-works.mdtext Wed Dec 19 04:46:29 2012
@@ -0,0 +1,2 @@
+Title: 4.5.6.1 How it works
+{scrollbar}

Added: directory/site/trunk/content/apacheds/advanced-ug/4.5.6.2-selections.mdtext
URL: http://svn.apache.org/viewvc/directory/site/trunk/content/apacheds/advanced-ug/4.5.6.2-selections.mdtext?rev=1423760&view=auto
==============================================================================
--- directory/site/trunk/content/apacheds/advanced-ug/4.5.6.2-selections.mdtext (added)
+++ directory/site/trunk/content/apacheds/advanced-ug/4.5.6.2-selections.mdtext Wed Dec 19 04:46:29 2012
@@ -0,0 +1,2 @@
+Title: 4.5.6.2 Selections
+{scrollbar}

Added: directory/site/trunk/content/apacheds/advanced-ug/4.5.6.3-constraints.mdtext
URL: http://svn.apache.org/viewvc/directory/site/trunk/content/apacheds/advanced-ug/4.5.6.3-constraints.mdtext?rev=1423760&view=auto
==============================================================================
--- directory/site/trunk/content/apacheds/advanced-ug/4.5.6.3-constraints.mdtext (added)
+++ directory/site/trunk/content/apacheds/advanced-ug/4.5.6.3-constraints.mdtext Wed Dec 19 04:46:29 2012
@@ -0,0 +1,2 @@
+Title: 4.5.6.3 Constraints
+{scrollbar}

Added: directory/site/trunk/content/apacheds/advanced-ug/4.5.6.4-priority.mdtext
URL: http://svn.apache.org/viewvc/directory/site/trunk/content/apacheds/advanced-ug/4.5.6.4-priority.mdtext?rev=1423760&view=auto
==============================================================================
--- directory/site/trunk/content/apacheds/advanced-ug/4.5.6.4-priority.mdtext (added)
+++ directory/site/trunk/content/apacheds/advanced-ug/4.5.6.4-priority.mdtext Wed Dec 19 04:46:29 2012
@@ -0,0 +1,2 @@
+Title: 4.5.6.4 Priority
+{scrollbar}

Added: directory/site/trunk/content/apacheds/advanced-ug/4.5.7-using-acis-trail.mdtext
URL: http://svn.apache.org/viewvc/directory/site/trunk/content/apacheds/advanced-ug/4.5.7-using-acis-trail.mdtext?rev=1423760&view=auto
==============================================================================
--- directory/site/trunk/content/apacheds/advanced-ug/4.5.7-using-acis-trail.mdtext (added)
+++ directory/site/trunk/content/apacheds/advanced-ug/4.5.7-using-acis-trail.mdtext Wed Dec 19 04:46:29 2012
@@ -0,0 +1,2 @@
+Title: 4.5.7 Using ACIs trail
+{scrollbar}

Added: directory/site/trunk/content/apacheds/advanced-ug/4.5.7.1-enable-authenticated-users-to-browse-and-read-entries.mdtext
URL: http://svn.apache.org/viewvc/directory/site/trunk/content/apacheds/advanced-ug/4.5.7.1-enable-authenticated-users-to-browse-and-read-entries.mdtext?rev=1423760&view=auto
==============================================================================
--- directory/site/trunk/content/apacheds/advanced-ug/4.5.7.1-enable-authenticated-users-to-browse-and-read-entries.mdtext (added)
+++ directory/site/trunk/content/apacheds/advanced-ug/4.5.7.1-enable-authenticated-users-to-browse-and-read-entries.mdtext Wed Dec 19 04:46:29 2012
@@ -0,0 +1,182 @@
+Title: 4.5.7.1 Enable Authenticated Users to Browse and Read Entries
+{scrollbar}
+
+In this trail, we will show how we will allow all authenticated users to
+browse and read all the entries.
+
+By default, if the access control subsystem is enabled, no one but the
+administrator can browse the DIT. This is obviously not convenient ...
+
+<a name="2.5.7.1EnableAuthenticatedUserstoBrowseandReadEntries-PartitionandAccessControlAreaSetup"></a>
+# Partition and Access Control Area Setup
+
+For this example we presume you have setup a partition at the namingContext
+*dc=example,dc=com* and have turned on access controls. Now you want to
+grant browse and read access to entries and their attributes.
+
+Before you can add a *subentry* with the *prescriptiveACI* you'll need to
+create an *administrative area*. For now we'll make the root of the
+partition the *Adminstrative Point* (*AP*). Every entry including this
+entry and those underneath will be part of the autonomous administrative
+area for managing access controls. To do this we must add the
+*administrativeRole* operational attribute to the *AP* entry. 
+
+<a name="2.5.7.1EnableAuthenticatedUserstoBrowseandReadEntries-AdministrationPointsetup"></a>
+## AdministrationPoint setup
+
+In our case, the *dc=example,dc=com* context entry has to contain the
+*administrativeRole* attribute, with the *accessControlSpecificArea* value.
+
+Let's first connect to the server using the *admin* user, and select the
+*dc=example,dc=com* entry :
+
+!Screen shot 2010-07-04 at 8.45.09 PM.png|border=1!
+
+
+We will now add the *directoryOperation* attribute *administrativeRole* to
+this entry :
+
+!Screen shot 2010-07-04 at 10.17.54 PM.png|border=1!
+
+and we select the *accessControlSpecificArea* value :
+
+!Screen shot 2010-07-04 at 10.18.49 PM.png|border=1!
+
+Here is the resulting entry :
+
+!Screen shot 2010-07-04 at 10.19.44 PM.png|border=1!
+
+<a name="2.5.7.1EnableAuthenticatedUserstoBrowseandReadEntries-Subentryaddition"></a>
+## Subentry addition
+
+Now, we have to create a *subentry* in which we will add the
+*prescriptiveACI* granting access to all the users.
+
+Let's define the ACI first.
+
+<a name="2.5.7.1EnableAuthenticatedUserstoBrowseandReadEntries-ACIItemDescription"></a>
+### ACIItem Description
+
+Here's the ACIItem we will add :
+
+{newcode}
+{ 
+  identificationTag "enableSearchForAllUsers",
+  precedence 14,
+  authenticationLevel simple,
+  itemOrUserFirst userFirst: 
+  { 
+    userClasses { allUsers }, 
+    userPermissions 
+    { 
+       {
+	 protectedItems {entry, allUserAttributeTypesAndValues}, 
+	 grantsAndDenials { grantRead, grantReturnDN, grantBrowse } 
+       }
+    } 
+  } 
+}
+{newcode}
+
+There are several parameters to this simple ACIItem. Here's a breif
+exaplanation of each field and it's meaning or significance.
+
+<table>
+<tr><th> Fields </th><th> Description </th></tr>
+<tr><td> identificationTag </td><td> Identifies the ACIItem within an entry. </td></tr>
+<tr><td> precedence </td><td> Determine which ACI to apply with conflicting ACIItems. </td></tr>
+<tr><td> authenticationLevel </td><td> User's level of trust with values of none, simple,
+strong </td></tr>
+<tr><td> itemOrUserFirst </td><td> Determines order of item permissions or user
+permissions. </td></tr>
+<tr><td> userClasses </td><td> The set of users the permissions apply to. </td></tr>
+<tr><td> userPermissions </td><td> Permissions on protected items </td></tr>
+</table>
+
+In our case, we want to grant all the users :
+
+{newcode:firstline=7}
+  userClasses { allUsers }
+{newcode}
+
+to be granted a read access :
+
+{newcode:firstline=12}
+	 grantsAndDenials { grantRead, grantReturnDN, grantBrowse } 
+{newcode}
+
+for the Entry and all the values :
+
+{newcode:firstline=11}
+	 protectedItems {entry, allUserAttributeTypesAndValues}, 
+{newcode}
+
+The granted permissions are used to allow the user to browse the tree
+(*grantBrowse*), read the entries (*grantRead*) and return the DN for
+aliases (*grantReturnDN*).
+
+<a name="2.5.7.1EnableAuthenticatedUserstoBrowseandReadEntries-PrescriptiveACIaddition"></a>
+## PrescriptiveACI addition
+
+Now that we have defined the *ACIItem*, we have to add it into a *subentry*
+associated with the *administration point*. This is just an entry under the
+*administration Point*, here, we will call it *cn=enableSearchForAllUsers,
+dc=example,dc=com*.
+
+The entry is described below in a LDIF format :
+
+{newcode}
+dn: cn=enableSearchForAllUsers,dc=example,dc=com
+objectClass: top
+objectClass: subentry
+objectClass: accessControlSubentry
+subtreeSpecification: {}
+prescriptiveACI: 
+ { 
+   identificationTag "enableSearchForAllUsers",
+   precedence 14,
+   authenticationLevel simple,
+   itemOrUserFirst userFirst: 
+   { 
+     userClasses { allUsers }, 
+     userPermissions 
+     { 
+       {
+	 protectedItems {entry, allUserAttributeTypesAndValues}
+	 grantsAndDenials { grantRead, grantReturnDN, grantBrowse }
+       }
+     }
+   }
+ }
+{newcode}
+
+It's also easy to create such an entry with *Apache Directory Studio*.
+First, right click on the context entry, and select 'new Entry' :
+
+!Screen shot 2010-07-04 at 11.57.50 PM.png|border=1!
+
+Then create a new entry from scratch, and select the 'subentry' and
+'accessControlSubentry' ObjectClasses :
+
+!Screen shot 2010-07-04 at 11.59.28 PM.png|border=1!
+
+Create the RDN for this new entry :
+
+!Screen shot 2010-07-05 at 12.01.43 AM.png|border=1!
+
+Pass the subtree editor, we don't need to define anything here, and go to
+the Attributes definition :
+
+!Screen shot 2010-07-05 at 12.03.21 AM.png|border=1!
+
+The next step is to add the *rescriptiveACI* value, using the dedicated
+editor :
+
+!Screen shot 2010-07-05 at 12.12.16 AM.png|border=1!
+
+When the selection has been done, we have to add the permissions :
+
+!Screen shot 2010-07-05 at 12.13.47 AM.png|border=1!
+ 
+
+Once done, all the entries under *dc=example,dc=com* are ruled by this ACI
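Review bot: the LDIF block for cn=enableSearchForAllUsers drops the comma after `protectedItems {entry, allUserAttributeTypesAndValues}` that the standalone ACIItem earlier on the page has, so the prescriptiveACI value will not parse as written; restore the comma so both copies are identical. In the same block the two lines beginning with a tab (`protectedItems ...` and `grantsAndDenials ...`) are not valid LDIF continuation lines, which must start with exactly one space, so an LDIF loader will not join them to the value. Worth a sentence next to the field table: `userClasses { allUsers }` on its own matches anonymous binds as well, and it is `authenticationLevel simple` that limits the grant to users who have actually authenticated, which is the property the page title promises; saying so explicitly stops readers from copying the ACI with `authenticationLevel none`. Please verify the explanation of grantReturnDN ("return the DN for aliases"): in the X.501 model ReturnDN controls whether an entry's DN may be disclosed in operation results and is not specific to aliases. Typos: "breif exaplanation", "it's meaning" (its), "Adminstrative Point", "*rescriptiveACI*" (prescriptiveACI), and "Pass the subtree editor" should be "Skip the subtree editor". The `<a name="2.5.7.1...">` anchors still carry the chapter number from the old page they were copied from and should read 4.5.7.1. The `!Screen shot ...png|border=1!` image markup and the `{newcode}`/`{scrollbar}` blocks are Confluence syntax and will not render in mdtext; the screenshot files also need to be committed alongside the page. The final sentence "Once done, all the entries under dc=example,dc=com are ruled by this ACI" has no terminating period and reads as cut off.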

Added: directory/site/trunk/content/apacheds/advanced-ug/4.5.8-acis-administration.mdtext
URL: http://svn.apache.org/viewvc/directory/site/trunk/content/apacheds/advanced-ug/4.5.8-acis-administration.mdtext?rev=1423760&view=auto
==============================================================================
--- directory/site/trunk/content/apacheds/advanced-ug/4.5.8-acis-administration.mdtext (added)
+++ directory/site/trunk/content/apacheds/advanced-ug/4.5.8-acis-administration.mdtext Wed Dec 19 04:46:29 2012
@@ -0,0 +1,2 @@
+Title: 4.5.8 ACIs administration
+{scrollbar}

Added: directory/site/trunk/content/apacheds/advanced-ug/4.5.9-migration-from-other-ldap-servers.mdtext
URL: http://svn.apache.org/viewvc/directory/site/trunk/content/apacheds/advanced-ug/4.5.9-migration-from-other-ldap-servers.mdtext?rev=1423760&view=auto
==============================================================================
--- directory/site/trunk/content/apacheds/advanced-ug/4.5.9-migration-from-other-ldap-servers.mdtext (added)
+++ directory/site/trunk/content/apacheds/advanced-ug/4.5.9-migration-from-other-ldap-servers.mdtext Wed Dec 19 04:46:29 2012
@@ -0,0 +1,2 @@
+Title: 4.5.9 Migration from other LDAP servers
+{scrollbar}


