Author: buildbot Date: Wed May 15 15:33:16 2013 New Revision: 862077 Log: Staging update by buildbot for directory Added: websites/staging/directory/trunk/content/apacheds/advanced-ug/4.2.3-enabling-access-control.html websites/staging/directory/trunk/content/apacheds/advanced-ug/4.2.4-aci-types.html websites/staging/directory/trunk/content/apacheds/advanced-ug/4.2.4.1-entryaci.html websites/staging/directory/trunk/content/apacheds/advanced-ug/4.2.4.2-prescriptiveaci.html websites/staging/directory/trunk/content/apacheds/advanced-ug/4.2.4.3-subentryaci.html Removed: websites/staging/directory/trunk/content/apacheds/advanced-ug/4.5.3-enabling-access-control.html websites/staging/directory/trunk/content/apacheds/advanced-ug/4.5.4-aci-types.html websites/staging/directory/trunk/content/apacheds/advanced-ug/4.5.4.1-entryaci.html websites/staging/directory/trunk/content/apacheds/advanced-ug/4.5.4.2-prescriptiveaci.html websites/staging/directory/trunk/content/apacheds/advanced-ug/4.5.4.3-subentryaci.html Modified: websites/staging/directory/trunk/content/ (props changed) Propchange: websites/staging/directory/trunk/content/ ------------------------------------------------------------------------------ --- cms:source-revision (original) +++ cms:source-revision Wed May 15 15:33:16 2013 @@ -1 +1 @@ -1482898 +1482903 Added: websites/staging/directory/trunk/content/apacheds/advanced-ug/4.2.3-enabling-access-control.html ============================================================================== --- websites/staging/directory/trunk/content/apacheds/advanced-ug/4.2.3-enabling-access-control.html (added) +++ websites/staging/directory/trunk/content/apacheds/advanced-ug/4.2.3-enabling-access-control.html Wed May 15 15:33:16 2013 @@ -0,0 +1,172 @@ + + + + + 4.2.3 Enabling Access Control — Apache Directory + + + + + + + + + + + + +
+ +
+
+ + + +
+
+ + + + + +

4.2.3 Enabling Access Control

+

TODO...

+ + + + + +
+
+
+ +
+ + \ No newline at end of file Added: websites/staging/directory/trunk/content/apacheds/advanced-ug/4.2.4-aci-types.html ============================================================================== --- websites/staging/directory/trunk/content/apacheds/advanced-ug/4.2.4-aci-types.html (added) +++ websites/staging/directory/trunk/content/apacheds/advanced-ug/4.2.4-aci-types.html Wed May 15 15:33:16 2013 @@ -0,0 +1,180 @@ + + + + + 4.2.4 ACI types — Apache Directory + + + + + + + + + + + + +
+ +
+
+ + + +
+
+ + + + + +

4.2.4 ACI types

+

Three different types of ACI exist. All types use the same specification +syntax for an ACIITem. These types differ in their placement and manner of +use within the directory.

+

Chapter content

+ + + + + + +
+
+
+ +
+ + \ No newline at end of file Added: websites/staging/directory/trunk/content/apacheds/advanced-ug/4.2.4.1-entryaci.html ============================================================================== --- websites/staging/directory/trunk/content/apacheds/advanced-ug/4.2.4.1-entryaci.html (added) +++ websites/staging/directory/trunk/content/apacheds/advanced-ug/4.2.4.1-entryaci.html Wed May 15 15:33:16 2013 @@ -0,0 +1,183 @@ + + + + + 4.2.4.1 EntryACI — Apache Directory + + + + + + + + + + + + +
+ +
+
+ + + +
+
+ + + + + +

4.2.4.1 EntryACI

+

Entry ACI are access controls added to entries to protect that entry +specifically. Meaning the protected entry is the entry where the ACI +resides. When performing an operation on an entry, ApacheDS checks for the +presence of the multivalued operational attribute, entryACI. The values +of the entryACI attribute contain ACIItems.

+

+There is one exception to the rule of consulting entryACI attributes within +ApacheDS: add operations do not consult the entryACI within the entry being +added. This is a security precaution. (??? Check this sentence) If allowed +users can arbitrarily add entries where they wanted by putting entryACI +into the new entry being added. This could compromise the DSA. +

+ + + + + +
+
+
+ +
+ + \ No newline at end of file Added: websites/staging/directory/trunk/content/apacheds/advanced-ug/4.2.4.2-prescriptiveaci.html ============================================================================== --- websites/staging/directory/trunk/content/apacheds/advanced-ug/4.2.4.2-prescriptiveaci.html (added) +++ websites/staging/directory/trunk/content/apacheds/advanced-ug/4.2.4.2-prescriptiveaci.html Wed May 15 15:33:16 2013 @@ -0,0 +1,203 @@ + + + + + 4.2.4.2 PrescriptiveACI — Apache Directory + + + + + + + + + + + + +
+ +
+
+ + + +
+
+ + + + + +

4.2.4.2 PrescriptiveACI

+

Prescriptive ACI are access controls that are applied to a collection of +entries, not just to a single entry. Collections of entries are defined by +the subtreeSpecifications of subentries. Hence prescriptive ACI are added +to subentries as attributes and are applied by ApacheDS to the entries +selected by the subentry's subtreeSpecification. ApacheDS uses the +prescriptiveACI multivalued operational attribute within subentries to +contain ACIItems that apply to the entry collection.

+

Prescriptive ACI can save much effort when trying to control access to a +collection of resources. Prescriptive ACI can even be specified to apply +access controls to entries that do not yet exist within the DIT. They are a +very powerful mechanism and for this reason they are the preferred +mechanism for managing access to protected resources. ApacheDS is optimized +specifically for managing access to collections of entries rather than +point entries themselves.

+

Users should try to avoid entry ACIs whenever possible, and use +prescriptive ACIs instead. Entry ACIs are more for managing exceptional +cases and should not be used excessively.

+

+How it works! +For every type of LDAP operation, ApacheDS checks to see if any access +control subentries include the protected entry in their collection. The set +of subentries which include the protected entry are discovered very rapidly +by the subentry subsystem. The subentry subsystem caches +subtreeSpecifications for all subentries within the server so inclusion +checks are fast.

+

For each access control subentry in the set, ApacheDS checks within a +prescriptive ACI cache for ACI tuples. ApacheDS also caches prescriptive +ACI information in a special form called ACI tuples. This is done so +ACIItem parsing and conversion to an optimal representations for evaluation +is not required at access time. This way access based on prescriptive ACIs +is determined very rapidly. +

+ + + + + +
+
+
+ +
+ + \ No newline at end of file Added: websites/staging/directory/trunk/content/apacheds/advanced-ug/4.2.4.3-subentryaci.html ============================================================================== --- websites/staging/directory/trunk/content/apacheds/advanced-ug/4.2.4.3-subentryaci.html (added) +++ websites/staging/directory/trunk/content/apacheds/advanced-ug/4.2.4.3-subentryaci.html Wed May 15 15:33:16 2013 @@ -0,0 +1,183 @@ + + + + + 4.2.4.3 SubentryACI — Apache Directory + + + + + + + + + + + + +
+ +
+
+ + + +
+
+ + + + + +

4.2.4.3 SubentryACI

+

Access to subentries also needs to be controlled. Subentries are special in +ApacheDS. Although they subordinate to an administrative entry (entry of an +Administrative Point), they are technically considered to be in the same +context as their administrative entry. ApacheDS considers the perscriptive +ACI applied to the administrative entry, to also apply to its subentries.

+

This however is not the most intuitive mechanism to use for explicitly +controlling access to subentries. A more explicit mechanism is used to +specify ACIs specifically for protecting subentries. ApacheDS uses the +multivalued operational attribute, subentryACI, within administrative +entries to control access to immediately subordinate subentries.

+

Protection policies for ACIs themselves can be managed within the entry of +an administrative point.

+ + + + + +
+
+
+ +
+ + \ No newline at end of file
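Review bot: in 4.2.3-enabling-access-control.html the entire body under the "4.2.3 Enabling Access Control" heading is the placeholder "TODO...", so this commit publishes a page that tells an administrator nothing about how to turn access control on. The ACI pages added in the same commit describe how ACI is evaluated but not how enforcement is switched on, so either fill in the procedure before this page is linked from the guide, or replace the placeholder with a sentence saying the content is pending.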
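Review bot: in 4.2.4-aci-types.html the first paragraph spells the term "ACIITem", while the other pages added in this commit use "ACIItems"; change it to "ACIItem" so the term is consistent and searchable across the chapter. The same paragraph says three types of ACI exist without naming them; naming entryACI, prescriptiveACI and subentryACI in that sentence would let the page stand on its own.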
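Review bot: in 4.2.4.1-entryaci.html the second paragraph still carries the editorial marker "(??? Check this sentence)", which should be resolved before publication, and the sentence that follows it ("If allowed users can arbitrarily add entries where they wanted") can be misread as being about "allowed users". Suggest confirming the behaviour and then stating the reason directly, for example: "If the entryACI of the entry being added were consulted, a user could authorize their own add operation by including a permissive entryACI in the new entry." The fragment "Meaning the protected entry is the entry where the ACI resides." in the first paragraph would also read better joined to the sentence before it.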
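Review bot: in 4.2.4.2-prescriptiveaci.html the "How it works!" paragraphs describe two caches (subtreeSpecifications in the subentry subsystem, and ACI tuples for prescriptive ACI) but do not say when either is refreshed after a subentry's subtreeSpecification or prescriptiveACI values change. Because the text says access is determined from these caches, add a sentence stating when a change to a subentry takes effect. Smaller points in the same paragraphs: "ACI tuples" is used one sentence before it is defined, and "an optimal representations" should be "an optimal representation".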
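Review bot: in 4.2.4.3-subentryaci.html the first paragraph says prescriptive ACI applied to the administrative entry also applies to its subentries, and the second paragraph introduces subentryACI for those same subentries, but nothing states how the two combine when both are present. State which mechanism governs access to a subentry, since a reader who sets only one of them cannot tell from this text whether the subentry is protected as intended. Also fix "perscriptive" to "prescriptive" and "they subordinate to" to "they are subordinate to", and expand the closing sentence about "Protection policies for ACIs themselves", which does not name the attribute or mechanism it refers to.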