directory-commits mailing list archives

From build...@apache.org
Subject svn commit: r866770 [4/9] - in /websites/staging/directory/trunk/content: ./ apacheds/ apacheds/advanced-ug/ apacheds/basic-ug/ apacheds/configuration/ apacheds/kerberos-ug/ api/ api/gen-docs/ api/gen-docs/latest/ api/groovy-api/ api/user-guide/ studio/
Date Fri, 21 Jun 2013 10:04:40 GMT
Modified: websites/staging/directory/trunk/content/apacheds/basic-ug/3.2-basic-authorization.html
==============================================================================
--- websites/staging/directory/trunk/content/apacheds/basic-ug/3.2-basic-authorization.html (original)
+++ websites/staging/directory/trunk/content/apacheds/basic-ug/3.2-basic-authorization.html Fri Jun 21 10:04:38 2013
@@ -180,14 +180,14 @@
 <h3 id="authorization-for-directory-operations-vs-group-membership">Authorization for directory operations vs. group membership</h3>
 <p>In order to accomplish their authorization functionality, software components often take advantage of LDAP groups stored within the directory. <em>groupOfNames</em> and <em>groupOfUniqueNames</em> are common object classes for groups entries; they contain the DNs of their members (users, other groups) as attribute values. </p>
 <p>In order to illustrate this, the "Seven Seas" example partition contains such group entries below "ou=groups,o=sevenSeas". Here the entry of a group describing the HMS Bounty crew (before the mutiny) in LDIF format.</p>
-<div class="codehilite"><pre><span class="err">dn:</span> <span class="err">cn=HMS</span> <span class="err">Bounty,ou=crews,ou=groups,o=sevenSeas</span>
-<span class="err">object</span><span class="kd">class</span><span class="err">:</span> <span class="nc">groupOfUniqueNames</span>
-<span class="err">objectclass:</span> <span class="err">top</span>
-<span class="err">cn:</span> <span class="err">HMS</span> <span class="err">Bounty</span>
-<span class="err">uniquemember:</span> <span class="err">cn=William</span> <span class="err">Bligh,ou=people,o=sevenSeas</span>
-<span class="err">uniquemember:</span> <span class="err">cn=Fletcher</span> <span class="err">Christian,ou=people,o=sevenSeas</span>
-<span class="err">uniquemember:</span> <span class="err">cn=John</span> <span class="err">Fryer,ou=people,o=sevenSeas</span>
-<span class="err">...</span>
+<div class="codehilite"><pre><span class="n">dn</span><span class="o">:</span> <span class="n">cn</span><span class="o">=</span><span class="n">HMS</span> <span class="n">Bounty</span><span class="o">,</span><span class="n">ou</span><span class="o">=</span><span class="n">crews</span><span class="o">,</span><span class="n">ou</span><span class="o">=</span><span class="n">groups</span><span class="o">,</span><span class="n">o</span><span class="o">=</span><span class="n">sevenSeas</span>
+<span class="n">objectclass</span><span class="o">:</span> <span class="n">groupOfUniqueNames</span>
+<span class="n">objectclass</span><span class="o">:</span> <span class="n">top</span>
+<span class="n">cn</span><span class="o">:</span> <span class="n">HMS</span> <span class="n">Bounty</span>
+<span class="n">uniquemember</span><span class="o">:</span> <span class="n">cn</span><span class="o">=</span><span class="n">William</span> <span class="n">Bligh</span><span class="o">,</span><span class="n">ou</span><span class="o">=</span><span class="n">people</span><span class="o">,</span><span class="n">o</span><span class="o">=</span><span class="n">sevenSeas</span>
+<span class="n">uniquemember</span><span class="o">:</span> <span class="n">cn</span><span class="o">=</span><span class="n">Fletcher</span> <span class="n">Christian</span><span class="o">,</span><span class="n">ou</span><span class="o">=</span><span class="n">people</span><span class="o">,</span><span class="n">o</span><span class="o">=</span><span class="n">sevenSeas</span>
+<span class="n">uniquemember</span><span class="o">:</span> <span class="n">cn</span><span class="o">=</span><span class="n">John</span> <span class="n">Fryer</span><span class="o">,</span><span class="n">ou</span><span class="o">=</span><span class="n">people</span><span class="o">,</span><span class="n">o</span><span class="o">=</span><span class="n">sevenSeas</span>
+<span class="o">...</span>
 </pre></div>
 
 
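Review bot: The context paragraphs just above the LDIF block contain two grammar slips that should be fixed in the source while this page is being regenerated: "common object classes for groups entries" should read "group entries", and "Here the entry of a group describing the HMS Bounty crew" is missing its verb ("Here is the entry ..."). The changed lines only replace the highlighter's `err` spans with `n`/`o` tokens; the LDIF text itself (dn, objectclass, cn and uniquemember values) is the same on both sides, so there is no data change to check.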
@@ -197,70 +197,70 @@
 <h3 id="sample-data-within-ouusersousystem">Sample data within "ou=users,ou=system"</h3>
 <p>In addition to our brave sailors below <em>ou=people,o=sevenSeas</em>, assume the following to entries present within <em>ou=users,ou=system</em>:</p>
 <p><img alt="Authorization Sample Entries" src="images/authorization-sample-entries.png" /></p>
-<div class="codehilite"><pre><span class="err">dn:</span> <span class="err">cn=Tori</span> <span class="err">Amos,ou=users,ou=system</span>
-<span class="err">object</span><span class="kd">class</span><span class="err">:</span> <span class="err">person</span>
-<span class="err">objectclass:</span> <span class="err">top</span>
-<span class="err">sn:</span> <span class="err">Amos</span>
-<span class="err">cn:</span> <span class="err">Tori</span> <span class="err">Amos</span>
-<span class="err">userpassword:</span> <span class="err">amos</span>
-
-<span class="err">dn:</span> <span class="err">cn=Kate</span> <span class="err">Bush,ou=users,ou=system</span>
-<span class="err">objectclass:</span> <span class="err">person</span>
-<span class="err">objectclass:</span> <span class="err">top</span>
-<span class="err">sn:</span> <span class="err">Bush</span>
-<span class="err">cn:</span> <span class="err">Kate</span> <span class="err">Bush</span>
-<span class="err">userpassword:</span> <span class="err">bush</span>
+<div class="codehilite"><pre><span class="n">dn</span><span class="o">:</span> <span class="n">cn</span><span class="o">=</span><span class="n">Tori</span> <span class="n">Amos</span><span class="o">,</span><span class="n">ou</span><span class="o">=</span><span class="n">users</span><span class="o">,</span><span class="n">ou</span><span class="o">=</span><span class="n">system</span>
+<span class="n">objectclass</span><span class="o">:</span> <span class="n">person</span>
+<span class="n">objectclass</span><span class="o">:</span> <span class="n">top</span>
+<span class="n">sn</span><span class="o">:</span> <span class="n">Amos</span>
+<span class="n">cn</span><span class="o">:</span> <span class="n">Tori</span> <span class="n">Amos</span>
+<span class="n">userpassword</span><span class="o">:</span> <span class="n">amos</span>
+
+<span class="n">dn</span><span class="o">:</span> <span class="n">cn</span><span class="o">=</span><span class="n">Kate</span> <span class="n">Bush</span><span class="o">,</span><span class="n">ou</span><span class="o">=</span><span class="n">users</span><span class="o">,</span><span class="n">ou</span><span class="o">=</span><span class="n">system</span>
+<span class="n">objectclass</span><span class="o">:</span> <span class="n">person</span>
+<span class="n">objectclass</span><span class="o">:</span> <span class="n">top</span>
+<span class="n">sn</span><span class="o">:</span> <span class="n">Bush</span>
+<span class="n">cn</span><span class="o">:</span> <span class="n">Kate</span> <span class="n">Bush</span>
+<span class="n">userpassword</span><span class="o">:</span> <span class="n">bush</span>
 </pre></div>
 
 
 <p>They are used in the following examples, in conjunction with <em>o=sevenSeas</em>, to describe the default authorization rules.</p>
 <h3 id="rules-and-sample-operations">Rules and sample operations</h3>
 <p>Without ACIs the server automatically protects, hides, the admin user from everyone but the admin user. Here a sample search operation in order to demonstrate this protection. The same command is submitted three times with different users.</p>
-<div class="codehilite"><pre><span class="nv">$</span> <span class="nv">ldapsearch</span> <span class="o">-</span><span class="n">h</span> <span class="n">zanzibar</span> <span class="o">-</span><span class="n">p</span> <span class="mi">10389</span> <span class="o">-</span><span class="n">D</span> <span class="s">&quot;uid=admin,ou=system&quot;</span> <span class="o">-</span><span class="n">w</span> <span class="n">secret</span> <span class="o">\\</span>
-    <span class="o">-</span><span class="n">b</span> <span class="s">&quot;ou=system&quot;</span> <span class="o">-</span><span class="n">s</span> <span class="n">one</span> <span class="s">&quot;(uid=admin)&quot;</span> <span class="n">dn</span>
-<span class="n">version:</span> <span class="mi">1</span>
-<span class="n">dn:</span> <span class="n">uid</span><span class="o">=</span><span class="n">admin</span><span class="p">,</span><span class="n">ou</span><span class="o">=</span><span class="nb">system</span>
+<div class="codehilite"><pre>$ <span class="n">ldapsearch</span> <span class="o">-</span><span class="n">h</span> <span class="n">zanzibar</span> <span class="o">-</span><span class="n">p</span> 10389 <span class="o">-</span><span class="n">D</span> &quot;<span class="n">uid</span><span class="p">=</span><span class="n">admin</span><span class="p">,</span><span class="n">ou</span><span class="p">=</span><span class="n">system</span>&quot; <span class="o">-</span><span class="n">w</span> <span class="n">secret</span> <span class="o">\\</span>
+    <span class="o">-</span><span class="n">b</span> &quot;<span class="n">ou</span><span class="p">=</span><span class="n">system</span>&quot; <span class="o">-</span><span class="n">s</span> <span class="n">one</span> &quot;<span class="p">(</span><span class="n">uid</span><span class="p">=</span><span class="n">admin</span><span class="p">)</span>&quot; <span class="n">dn</span>
+<span class="n">version</span><span class="p">:</span> 1
+<span class="n">dn</span><span class="p">:</span> <span class="n">uid</span><span class="p">=</span><span class="n">admin</span><span class="p">,</span><span class="n">ou</span><span class="p">=</span><span class="n">system</span>
 
-<span class="nv">$</span> <span class="nv">ldapsearch</span> <span class="o">-</span><span class="n">h</span> <span class="n">zanzibar</span> <span class="o">-</span><span class="n">p</span> <span class="mi">10389</span> <span class="o">-</span><span class="n">D</span> <span class="s">&quot;cn=William Bush,ou=people,o=sevenSeas&quot;</span> <span class="o">-</span><span class="n">w</span> <span class="n">pass</span> <span class="o">\\</span>
-    <span class="o">-</span><span class="n">b</span> <span class="s">&quot;ou=system&quot;</span> <span class="o">-</span><span class="n">s</span> <span class="n">one</span> <span class="s">&quot;(uid=admin)&quot;</span> <span class="n">dn</span>
+$ <span class="n">ldapsearch</span> <span class="o">-</span><span class="n">h</span> <span class="n">zanzibar</span> <span class="o">-</span><span class="n">p</span> 10389 <span class="o">-</span><span class="n">D</span> &quot;<span class="n">cn</span><span class="p">=</span><span class="n">William</span> <span class="n">Bush</span><span class="p">,</span><span class="n">ou</span><span class="p">=</span><span class="n">people</span><span class="p">,</span><span class="n">o</span><span class="p">=</span><span class="n">sevenSeas</span>&quot; <span class="o">-</span><span class="n">w</span> <span class="n">pass</span> <span class="o">\\</span>
+    <span class="o">-</span><span class="n">b</span> &quot;<span class="n">ou</span><span class="p">=</span><span class="n">system</span>&quot; <span class="o">-</span><span class="n">s</span> <span class="n">one</span> &quot;<span class="p">(</span><span class="n">uid</span><span class="p">=</span><span class="n">admin</span><span class="p">)</span>&quot; <span class="n">dn</span>
 
-<span class="nv">$</span> <span class="nv">ldapsearch</span> <span class="o">-</span><span class="n">h</span> <span class="n">zanzibar</span> <span class="o">-</span><span class="n">p</span> <span class="mi">10389</span> <span class="o">-</span><span class="n">D</span> <span class="s">&quot;cn=Tori Amos,ou=users,ou=system&quot;</span> <span class="o">-</span><span class="n">w</span> <span class="n">amos</span> <span class="o">\\</span>
-    <span class="o">-</span><span class="n">b</span> <span class="s">&quot;ou=system&quot;</span> <span class="o">-</span><span class="n">s</span> <span class="n">one</span> <span class="s">&quot;(uid=admin)&quot;</span> <span class="n">dn</span>
+$ <span class="n">ldapsearch</span> <span class="o">-</span><span class="n">h</span> <span class="n">zanzibar</span> <span class="o">-</span><span class="n">p</span> 10389 <span class="o">-</span><span class="n">D</span> &quot;<span class="n">cn</span><span class="p">=</span><span class="n">Tori</span> <span class="n">Amos</span><span class="p">,</span><span class="n">ou</span><span class="p">=</span><span class="n">users</span><span class="p">,</span><span class="n">ou</span><span class="p">=</span><span class="n">system</span>&quot; <span class="o">-</span><span class="n">w</span> <span class="n">amos</span> <span class="o">\\</span>
+    <span class="o">-</span><span class="n">b</span> &quot;<span class="n">ou</span><span class="p">=</span><span class="n">system</span>&quot; <span class="o">-</span><span class="n">s</span> <span class="n">one</span> &quot;<span class="p">(</span><span class="n">uid</span><span class="p">=</span><span class="n">admin</span><span class="p">)</span>&quot; <span class="n">dn</span>
 
-<span class="nv">$</span>
+$
 </pre></div>
 
 
 <p>Users cannot see other user entries under the 'ou=users,ou=system' entry. So placing new users there automatically protects them. Placing new users anywhere else exposes them.</p>
-<div class="codehilite"><pre><span class="nv">$</span> <span class="nv">ldapsearch</span> <span class="o">-</span><span class="n">h</span> <span class="n">zanzibar</span> <span class="o">-</span><span class="n">p</span> <span class="mi">10389</span> <span class="o">-</span><span class="n">D</span> <span class="s">&quot;uid=admin,ou=system&quot;</span> <span class="o">-</span><span class="n">w</span> <span class="n">secret</span> <span class="o">\\</span>
-    <span class="o">-</span><span class="n">b</span> <span class="s">&quot;ou=users,ou=system&quot;</span> <span class="o">-</span><span class="n">s</span> <span class="n">one</span> <span class="s">&quot;(objectclass=*)&quot;</span> <span class="n">dn</span>
-<span class="n">version:</span> <span class="mi">1</span>
-<span class="n">dn:</span> <span class="n">cn</span><span class="o">=</span><span class="n">Tori</span> <span class="n">Amos</span><span class="p">,</span><span class="n">ou</span><span class="o">=</span><span class="n">users</span><span class="p">,</span><span class="n">ou</span><span class="o">=</span><span class="nb">system</span>
+<div class="codehilite"><pre>$ <span class="n">ldapsearch</span> <span class="o">-</span><span class="n">h</span> <span class="n">zanzibar</span> <span class="o">-</span><span class="n">p</span> 10389 <span class="o">-</span><span class="n">D</span> &quot;<span class="n">uid</span><span class="p">=</span><span class="n">admin</span><span class="p">,</span><span class="n">ou</span><span class="p">=</span><span class="n">system</span>&quot; <span class="o">-</span><span class="n">w</span> <span class="n">secret</span> <span class="o">\\</span>
+    <span class="o">-</span><span class="n">b</span> &quot;<span class="n">ou</span><span class="p">=</span><span class="n">users</span><span class="p">,</span><span class="n">ou</span><span class="p">=</span><span class="n">system</span>&quot; <span class="o">-</span><span class="n">s</span> <span class="n">one</span> &quot;<span class="p">(</span><span class="n">objectclass</span><span class="p">=</span><span class="o">*</span><span class="p">)</span>&quot; <span class="n">dn</span>
+<span class="n">version</span><span class="p">:</span> 1
+<span class="n">dn</span><span class="p">:</span> <span class="n">cn</span><span class="p">=</span><span class="n">Tori</span> <span class="n">Amos</span><span class="p">,</span><span class="n">ou</span><span class="p">=</span><span class="n">users</span><span class="p">,</span><span class="n">ou</span><span class="p">=</span><span class="n">system</span>
 
-<span class="n">dn:</span> <span class="n">cn</span><span class="o">=</span><span class="n">Kate</span> <span class="n">Bush</span><span class="p">,</span><span class="n">ou</span><span class="o">=</span><span class="n">users</span><span class="p">,</span><span class="n">ou</span><span class="o">=</span><span class="nb">system</span>
+<span class="n">dn</span><span class="p">:</span> <span class="n">cn</span><span class="p">=</span><span class="n">Kate</span> <span class="n">Bush</span><span class="p">,</span><span class="n">ou</span><span class="p">=</span><span class="n">users</span><span class="p">,</span><span class="n">ou</span><span class="p">=</span><span class="n">system</span>
 
-<span class="nv">$</span> <span class="nv">ldapsearch</span> <span class="o">-</span><span class="n">h</span> <span class="n">zanzibar</span> <span class="o">-</span><span class="n">p</span> <span class="mi">10389</span> <span class="o">-</span><span class="n">D</span> <span class="s">&quot;cn=Kate Bush,ou=users,ou=system&quot;</span> <span class="o">-</span><span class="n">w</span> <span class="n">bush</span> <span class="o">\\</span>
-    <span class="o">-</span><span class="n">b</span> <span class="s">&quot;ou=users,ou=system&quot;</span> <span class="o">-</span><span class="n">s</span> <span class="n">one</span> <span class="s">&quot;(objectclass=*)&quot;</span> <span class="n">dn</span>
-<span class="n">version:</span> <span class="mi">1</span>
-<span class="n">dn:</span> <span class="n">cn</span><span class="o">=</span><span class="n">Kate</span> <span class="n">Bush</span><span class="p">,</span><span class="n">ou</span><span class="o">=</span><span class="n">users</span><span class="p">,</span><span class="n">ou</span><span class="o">=</span><span class="nb">system</span>
+$ <span class="n">ldapsearch</span> <span class="o">-</span><span class="n">h</span> <span class="n">zanzibar</span> <span class="o">-</span><span class="n">p</span> 10389 <span class="o">-</span><span class="n">D</span> &quot;<span class="n">cn</span><span class="p">=</span><span class="n">Kate</span> <span class="n">Bush</span><span class="p">,</span><span class="n">ou</span><span class="p">=</span><span class="n">users</span><span class="p">,</span><span class="n">ou</span><span class="p">=</span><span class="n">system</span>&quot; <span class="o">-</span><span class="n">w</span> <span class="n">bush</span> <span class="o">\\</span>
+    <span class="o">-</span><span class="n">b</span> &quot;<span class="n">ou</span><span class="p">=</span><span class="n">users</span><span class="p">,</span><span class="n">ou</span><span class="p">=</span><span class="n">system</span>&quot; <span class="o">-</span><span class="n">s</span> <span class="n">one</span> &quot;<span class="p">(</span><span class="n">objectclass</span><span class="p">=</span><span class="o">*</span><span class="p">)</span>&quot; <span class="n">dn</span>
+<span class="n">version</span><span class="p">:</span> 1
+<span class="n">dn</span><span class="p">:</span> <span class="n">cn</span><span class="p">=</span><span class="n">Kate</span> <span class="n">Bush</span><span class="p">,</span><span class="n">ou</span><span class="p">=</span><span class="n">users</span><span class="p">,</span><span class="n">ou</span><span class="p">=</span><span class="n">system</span>
 
-<span class="nv">$</span> <span class="nv">ldapsearch</span> <span class="o">-</span><span class="n">h</span> <span class="n">zanzibar</span> <span class="o">-</span><span class="n">p</span> <span class="mi">10389</span> <span class="o">-</span><span class="n">D</span> <span class="s">&quot;cn=William Bush,ou=people,o=sevenSeas&quot;</span> <span class="o">-</span><span class="n">w</span> <span class="n">pass</span> <span class="o">\\</span>
-    <span class="o">-</span><span class="n">b</span> <span class="s">&quot;ou=users,ou=system&quot;</span> <span class="o">-</span><span class="n">s</span> <span class="n">one</span> <span class="s">&quot;(objectclass=*)&quot;</span> <span class="n">dn</span>
+$ <span class="n">ldapsearch</span> <span class="o">-</span><span class="n">h</span> <span class="n">zanzibar</span> <span class="o">-</span><span class="n">p</span> 10389 <span class="o">-</span><span class="n">D</span> &quot;<span class="n">cn</span><span class="p">=</span><span class="n">William</span> <span class="n">Bush</span><span class="p">,</span><span class="n">ou</span><span class="p">=</span><span class="n">people</span><span class="p">,</span><span class="n">o</span><span class="p">=</span><span class="n">sevenSeas</span>&quot; <span class="o">-</span><span class="n">w</span> <span class="n">pass</span> <span class="o">\\</span>
+    <span class="o">-</span><span class="n">b</span> &quot;<span class="n">ou</span><span class="p">=</span><span class="n">users</span><span class="p">,</span><span class="n">ou</span><span class="p">=</span><span class="n">system</span>&quot; <span class="o">-</span><span class="n">s</span> <span class="n">one</span> &quot;<span class="p">(</span><span class="n">objectclass</span><span class="p">=</span><span class="o">*</span><span class="p">)</span>&quot; <span class="n">dn</span>
 
-<span class="nv">$</span> <span class="nv">ldapsearch</span> <span class="o">-</span><span class="n">h</span> <span class="n">zanzibar</span> <span class="o">-</span><span class="n">p</span> <span class="mi">10389</span> <span class="o">-</span><span class="n">D</span> <span class="s">&quot;cn=William Bush,ou=people,o=sevenSeas&quot;</span> <span class="o">-</span><span class="n">w</span> <span class="n">pass</span> <span class="o">\\</span>
-    <span class="o">-</span><span class="n">b</span> <span class="s">&quot;ou=people,o=sevenSeas&quot;</span> <span class="o">-</span><span class="n">s</span> <span class="n">one</span> <span class="s">&quot;(objectclass=*)&quot;</span> <span class="n">dn</span>
-<span class="n">version:</span> <span class="mi">1</span>
-<span class="n">dn:</span> <span class="n">cn</span><span class="o">=</span><span class="n">Horatio</span> <span class="n">Hornblower</span><span class="p">,</span><span class="n">ou</span><span class="o">=</span><span class="n">people</span><span class="p">,</span><span class="n">o</span><span class="o">=</span><span class="n">sevenSeas</span>
+$ <span class="n">ldapsearch</span> <span class="o">-</span><span class="n">h</span> <span class="n">zanzibar</span> <span class="o">-</span><span class="n">p</span> 10389 <span class="o">-</span><span class="n">D</span> &quot;<span class="n">cn</span><span class="p">=</span><span class="n">William</span> <span class="n">Bush</span><span class="p">,</span><span class="n">ou</span><span class="p">=</span><span class="n">people</span><span class="p">,</span><span class="n">o</span><span class="p">=</span><span class="n">sevenSeas</span>&quot; <span class="o">-</span><span class="n">w</span> <span class="n">pass</span> <span class="o">\\</span>
+    <span class="o">-</span><span class="n">b</span> &quot;<span class="n">ou</span><span class="p">=</span><span class="n">people</span><span class="p">,</span><span class="n">o</span><span class="p">=</span><span class="n">sevenSeas</span>&quot; <span class="o">-</span><span class="n">s</span> <span class="n">one</span> &quot;<span class="p">(</span><span class="n">objectclass</span><span class="p">=</span><span class="o">*</span><span class="p">)</span>&quot; <span class="n">dn</span>
+<span class="n">version</span><span class="p">:</span> 1
+<span class="n">dn</span><span class="p">:</span> <span class="n">cn</span><span class="p">=</span><span class="n">Horatio</span> <span class="n">Hornblower</span><span class="p">,</span><span class="n">ou</span><span class="p">=</span><span class="n">people</span><span class="p">,</span><span class="n">o</span><span class="p">=</span><span class="n">sevenSeas</span>
 
-<span class="n">dn:</span> <span class="n">cn</span><span class="o">=</span><span class="n">William</span> <span class="n">Bush</span><span class="p">,</span><span class="n">ou</span><span class="o">=</span><span class="n">people</span><span class="p">,</span><span class="n">o</span><span class="o">=</span><span class="n">sevenSeas</span>
+<span class="n">dn</span><span class="p">:</span> <span class="n">cn</span><span class="p">=</span><span class="n">William</span> <span class="n">Bush</span><span class="p">,</span><span class="n">ou</span><span class="p">=</span><span class="n">people</span><span class="p">,</span><span class="n">o</span><span class="p">=</span><span class="n">sevenSeas</span>
 
-<span class="n">dn:</span> <span class="n">cn</span><span class="o">=</span><span class="n">Thomas</span> <span class="n">Masterman</span> <span class="n">Hardy</span><span class="p">,</span><span class="n">ou</span><span class="o">=</span><span class="n">people</span><span class="p">,</span><span class="n">o</span><span class="o">=</span><span class="n">sevenSeas</span>
+<span class="n">dn</span><span class="p">:</span> <span class="n">cn</span><span class="p">=</span><span class="n">Thomas</span> <span class="n">Masterman</span> <span class="n">Hardy</span><span class="p">,</span><span class="n">ou</span><span class="p">=</span><span class="n">people</span><span class="p">,</span><span class="n">o</span><span class="p">=</span><span class="n">sevenSeas</span>
 
-<span class="n">dn:</span> <span class="n">cn</span><span class="o">=</span><span class="n">Cornelius</span> <span class="n">Buckley</span><span class="p">,</span><span class="n">ou</span><span class="o">=</span><span class="n">people</span><span class="p">,</span><span class="n">o</span><span class="o">=</span><span class="n">sevenSeas</span>
+<span class="n">dn</span><span class="p">:</span> <span class="n">cn</span><span class="p">=</span><span class="n">Cornelius</span> <span class="n">Buckley</span><span class="p">,</span><span class="n">ou</span><span class="p">=</span><span class="n">people</span><span class="p">,</span><span class="n">o</span><span class="p">=</span><span class="n">sevenSeas</span>
 
-<span class="n">dn:</span> <span class="n">cn</span><span class="o">=</span><span class="n">William</span> <span class="n">Bligh</span><span class="p">,</span><span class="n">ou</span><span class="o">=</span><span class="n">people</span><span class="p">,</span><span class="n">o</span><span class="o">=</span><span class="n">sevenSeas</span>
-<span class="o">...</span>
-<span class="nv">$</span>
+<span class="n">dn</span><span class="p">:</span> <span class="n">cn</span><span class="p">=</span><span class="n">William</span> <span class="n">Bligh</span><span class="p">,</span><span class="n">ou</span><span class="p">=</span><span class="n">people</span><span class="p">,</span><span class="n">o</span><span class="p">=</span><span class="n">sevenSeas</span>
+<span class="p">...</span>
+$
 </pre></div>
 
 
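Review bot: Every ldapsearch sample in this hunk ends its first line with `\\` inside the `<pre>` block, on both the removed and the added side, so the page shows two backslashes where a shell line continuation needs exactly one. A reader who copies the command passes a literal backslash as an argument and the `-b ...` line is then run as a separate command; fix the escaping in the source so a single `\` is emitted. Two smaller points on the same hunk: the context sentence "assume the following to entries present" should read "two entries", and since the samples put bind passwords on the command line with `-w` and show `userpassword: amos` / `userpassword: bush` as clear-text values, the text should say that these are demonstration credentials.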
@@ -286,36 +286,36 @@
 <li>Create a subentry subordinate to "o=sevenSeas" to grant all operations' permissions to "cn=Horatio Nelson,ou=people,o=sevenSeas", who acts as directory manager </li>
 </ol>
 <p>The subentry should contain the following attributes and values:</p>
-<div class="codehilite"><pre><span class="n">cn</span><span class="o">=</span><span class="s">&quot;sevenSeasAuthorizationRequirementsACISubentry&quot;</span>
-<span class="n">subtreeSpecification</span><span class="o">=</span><span class="s">&quot;{}&quot;</span>
-<span class="n">prescriptiveACI</span><span class="o">=</span><span class="s">&quot;{</span>
-<span class="s">               identificationTag &quot;</span><span class="n">directoryManagerFullAccessACI</span><span class="s">&quot;,</span>
-<span class="s">               precedence 11,</span>
-<span class="s">               authenticationLevel simple,</span>
-<span class="s">               itemOrUserFirst userFirst:</span>
-<span class="s">               {</span>
-<span class="s">                 userClasses</span>
-<span class="s">                 {</span>
-<span class="s">                   name { &quot;</span><span class="n">cn</span><span class="o">=</span><span class="n">Horatio</span> <span class="n">Nelson</span><span class="p">,</span><span class="n">ou</span><span class="o">=</span><span class="n">people</span><span class="p">,</span><span class="n">o</span><span class="o">=</span><span class="n">sevenSeas</span><span class="s">&quot; }</span>
-<span class="s">                 },</span>
-<span class="s">                 userPermissions</span>
-<span class="s">                 { </span>
-<span class="s">                   {</span>
-<span class="s">                     protectedItems</span>
-<span class="s">                     {</span>
-<span class="s">                       entry, allUserAttributeTypesAndValues</span>
-<span class="s">                     },</span>
-<span class="s">                     grantsAndDenials</span>
-<span class="s">                     {</span>
-<span class="s">                       grantAdd, grantDiscloseOnError, grantRead,</span>
-<span class="s">                       grantRemove, grantBrowse, grantExport, grantImport,</span>
-<span class="s">                       grantModify, grantRename, grantReturnDN,</span>
-<span class="s">                       grantCompare, grantFilterMatch, grantInvoke</span>
-<span class="s">                     } </span>
-<span class="s">                   }</span>
-<span class="s">                 }</span>
-<span class="s">               } </span>
-<span class="s">             }&quot;</span>
+<div class="codehilite"><pre><span class="n">cn</span><span class="p">=</span>&quot;<span class="n">sevenSeasAuthorizationRequirementsACISubentry</span>&quot;
+<span class="n">subtreeSpecification</span><span class="p">=</span>&quot;<span class="p">{}</span>&quot;
+<span class="n">prescriptiveACI</span><span class="p">=</span>&quot;<span class="p">{</span>
+               <span class="n">identificationTag</span> &quot;<span class="n">directoryManagerFullAccessACI</span>&quot;<span class="p">,</span>
+               <span class="n">precedence</span> 11<span class="p">,</span>
+               <span class="n">authenticationLevel</span> <span class="n">simple</span><span class="p">,</span>
+               <span class="n">itemOrUserFirst</span> <span class="n">userFirst</span><span class="p">:</span>
+               <span class="p">{</span>
+                 <span class="n">userClasses</span>
+                 <span class="p">{</span>
+                   <span class="n">name</span> <span class="p">{</span> &quot;<span class="n">cn</span><span class="p">=</span><span class="n">Horatio</span> <span class="n">Nelson</span><span class="p">,</span><span class="n">ou</span><span class="p">=</span><span class="n">people</span><span class="p">,</span><span class="n">o</span><span class="p">=</span><span class="n">sevenSeas</span>&quot; <span class="p">}</span>
+                 <span class="p">},</span>
+                 <span class="n">userPermissions</span>
+                 <span class="p">{</span> 
+                   <span class="p">{</span>
+                     <span class="n">protectedItems</span>
+                     <span class="p">{</span>
+                       <span class="n">entry</span><span class="p">,</span> <span class="n">allUserAttributeTypesAndValues</span>
+                     <span class="p">},</span>
+                     <span class="n">grantsAndDenials</span>
+                     <span class="p">{</span>
+                       <span class="n">grantAdd</span><span class="p">,</span> <span class="n">grantDiscloseOnError</span><span class="p">,</span> <span class="n">grantRead</span><span class="p">,</span>
+                       <span class="n">grantRemove</span><span class="p">,</span> <span class="n">grantBrowse</span><span class="p">,</span> <span class="n">grantExport</span><span class="p">,</span> <span class="n">grantImport</span><span class="p">,</span>
+                       <span class="n">grantModify</span><span class="p">,</span> <span class="n">grantRename</span><span class="p">,</span> <span class="n">grantReturnDN</span><span class="p">,</span>
+                       <span class="n">grantCompare</span><span class="p">,</span> <span class="n">grantFilterMatch</span><span class="p">,</span> <span class="n">grantInvoke</span>
+                     <span class="p">}</span> 
+                   <span class="p">}</span>
+                 <span class="p">}</span>
+               <span class="p">}</span> 
+             <span class="p">}</span>&quot;
 </pre></div>
 
 
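Review bot: The outer quotes on `subtreeSpecification="{}"` and `prescriptiveACI="{ ... }"` wrap a value that itself contains the quoted `identificationTag "directoryManagerFullAccessACI"`, so the example cannot be pasted as shown. The LDIF later on this page writes the same ACI as `prescriptiveACI: {` with no outer quotes. Suggest aligning the source page on the unquoted form. Because this ACI hands every listed grant on `entry, allUserAttributeTypesAndValues` to one DN at `authenticationLevel simple`, a sentence in the surrounding text about protecting that account's simple bind would also fit here.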
@@ -323,32 +323,32 @@
 <li>A new attribute value should added to the previously created Subentry's prescriptiveACI attribute to grant search and compare permissions to all users.</li>
 </ol>
 <p>The new value:</p>
-<div class="codehilite"><pre><span class="n">prescriptiveACI</span><span class="o">=</span><span class="s">&quot;{</span>
-<span class="s">               identificationTag &quot;</span><span class="n">allUsersSearchAndCompareACI</span><span class="s">&quot;,</span>
-<span class="s">               precedence 10,</span>
-<span class="s">               authenticationLevel simple,</span>
-<span class="s">               itemOrUserFirst userFirst:</span>
-<span class="s">               {</span>
-<span class="s">                 userClasses</span>
-<span class="s">                 {</span>
-<span class="s">                   allUsers</span>
-<span class="s">                 },</span>
-<span class="s">                 userPermissions</span>
-<span class="s">                 { </span>
-<span class="s">                   {</span>
-<span class="s">                     protectedItems</span>
-<span class="s">                     {</span>
-<span class="s">                       entry, allUserAttributeTypesAndValues</span>
-<span class="s">                     },</span>
-<span class="s">                     grantsAndDenials</span>
-<span class="s">                     {</span>
-<span class="s">                       grantRead, grantBrowse, grantReturnDN,</span>
-<span class="s">                       grantCompare, grantFilterMatch, grantDiscloseOnError </span>
-<span class="s">                     } </span>
-<span class="s">                   }</span>
-<span class="s">                 }</span>
-<span class="s">               } </span>
-<span class="s">             }&quot;</span>
+<div class="codehilite"><pre><span class="n">prescriptiveACI</span><span class="p">=</span>&quot;<span class="p">{</span>
+               <span class="n">identificationTag</span> &quot;<span class="n">allUsersSearchAndCompareACI</span>&quot;<span class="p">,</span>
+               <span class="n">precedence</span> 10<span class="p">,</span>
+               <span class="n">authenticationLevel</span> <span class="n">simple</span><span class="p">,</span>
+               <span class="n">itemOrUserFirst</span> <span class="n">userFirst</span><span class="p">:</span>
+               <span class="p">{</span>
+                 <span class="n">userClasses</span>
+                 <span class="p">{</span>
+                   <span class="n">allUsers</span>
+                 <span class="p">},</span>
+                 <span class="n">userPermissions</span>
+                 <span class="p">{</span> 
+                   <span class="p">{</span>
+                     <span class="n">protectedItems</span>
+                     <span class="p">{</span>
+                       <span class="n">entry</span><span class="p">,</span> <span class="n">allUserAttributeTypesAndValues</span>
+                     <span class="p">},</span>
+                     <span class="n">grantsAndDenials</span>
+                     <span class="p">{</span>
+                       <span class="n">grantRead</span><span class="p">,</span> <span class="n">grantBrowse</span><span class="p">,</span> <span class="n">grantReturnDN</span><span class="p">,</span>
+                       <span class="n">grantCompare</span><span class="p">,</span> <span class="n">grantFilterMatch</span><span class="p">,</span> <span class="n">grantDiscloseOnError</span> 
+                     <span class="p">}</span> 
+                   <span class="p">}</span>
+                 <span class="p">}</span>
+               <span class="p">}</span> 
+             <span class="p">}</span>&quot;
 </pre></div>
 
 
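Review bot: Missing caveat at `entry, allUserAttributeTypesAndValues`: applied on its own, this grant of `grantRead`, `grantCompare` and `grantFilterMatch` to `allUsers` also covers `userPassword`, which is only excluded by the deny value added in the following step. Suggest the source page state that steps 3 and 4 belong together, or lead with the combined value. The context line above the block also reads "should added" (missing "be"); fix it in the source so the next regeneration picks it up.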
@@ -356,91 +356,90 @@
 <li>A new attribute value should added to the previously created Subentry's prescriptiveACI attribute to deny search and compare permissions for <em>userPassword</em> attribute to all users.</li>
 </ol>
 <p>The new value:</p>
-<div class="codehilite"><pre><span class="n">prescriptiveACI</span><span class="o">=</span><span class="s">&quot;{</span>
-<span class="s">               identificationTag &quot;</span><span class="n">preventAllUsersFromReadingUserPasswordAttributeACI</span><span class="s">&quot;,</span>
-<span class="s">               precedence 10,</span>
-<span class="s">               authenticationLevel simple,</span>
-<span class="s">               itemOrUserFirst userFirst:</span>
-<span class="s">               {</span>
-<span class="s">                 userClasses</span>
-<span class="s">                 {</span>
-<span class="s">                   allUsers</span>
-<span class="s">                 },</span>
-<span class="s">                 userPermissions</span>
-<span class="s">                 { </span>
-<span class="s">                   {</span>
-<span class="s">                     protectedItems</span>
-<span class="s">                     {</span>
-<span class="s">                       attributeType { userPassword }</span>
-<span class="s">                     },</span>
-<span class="s">                     grantsAndDenials</span>
-<span class="s">                     {</span>
-<span class="s">                       denyRead, denyCompare, denyFilterMatch</span>
-<span class="s">                     } </span>
-<span class="s">                   }</span>
-<span class="s">                 }</span>
-<span class="s">               } </span>
-<span class="s">             }&quot;</span>
+<div class="codehilite"><pre><span class="n">prescriptiveACI</span><span class="p">=</span>&quot;<span class="p">{</span>
+               <span class="n">identificationTag</span> &quot;<span class="n">preventAllUsersFromReadingUserPasswordAttributeACI</span>&quot;<span class="p">,</span>
+               <span class="n">precedence</span> 10<span class="p">,</span>
+               <span class="n">authenticationLevel</span> <span class="n">simple</span><span class="p">,</span>
+               <span class="n">itemOrUserFirst</span> <span class="n">userFirst</span><span class="p">:</span>
+               <span class="p">{</span>
+                 <span class="n">userClasses</span>
+                 <span class="p">{</span>
+                   <span class="n">allUsers</span>
+                 <span class="p">},</span>
+                 <span class="n">userPermissions</span>
+                 <span class="p">{</span> 
+                   <span class="p">{</span>
+                     <span class="n">protectedItems</span>
+                     <span class="p">{</span>
+                       <span class="n">attributeType</span> <span class="p">{</span> <span class="n">userPassword</span> <span class="p">}</span>
+                     <span class="p">},</span>
+                     <span class="n">grantsAndDenials</span>
+                     <span class="p">{</span>
+                       <span class="n">denyRead</span><span class="p">,</span> <span class="n">denyCompare</span><span class="p">,</span> <span class="n">denyFilterMatch</span>
+                     <span class="p">}</span> 
+                   <span class="p">}</span>
+                 <span class="p">}</span>
+               <span class="p">}</span> 
+             <span class="p">}</span>&quot;
 </pre></div>
 
 
 <p>The two values given in 3 and 4 can be combined in a single value as:</p>
-<div class="codehilite"><pre><span class="n">prescriptiveACI</span><span class="o">=</span><span class="s">&quot;{</span>
-<span class="s">               identificationTag &quot;</span><span class="n">allUsersACI</span><span class="s">&quot;,</span>
-<span class="s">               precedence 10,</span>
-<span class="s">               authenticationLevel none,</span>
-<span class="s">               itemOrUserFirst userFirst:</span>
-<span class="s">               {</span>
-<span class="s">                 userClasses</span>
-<span class="s">                 {</span>
-<span class="s">                   allUsers</span>
-<span class="s">                 },</span>
-<span class="s">                 userPermissions</span>
-<span class="s">                 { </span>
-<span class="s">                   {</span>
-<span class="s">                     protectedItems { entry, allUserAttributeTypesAndValues },</span>
-<span class="s">                     grantsAndDenials { grantRead, grantBrowse, grantReturnDN,</span>
-<span class="s">                                        grantCompare, grantFilterMatch, grantDiscloseOnError } </span>
-<span class="s">                   },</span>
-<span class="s">                   {</span>
-<span class="s">                     protectedItems { attributeType { userPassword } },</span>
-<span class="s">                     grantsAndDenials { denyRead, denyCompare, denyFilterMatch }</span>
-<span class="s">                   }</span>
-<span class="s">                 }</span>
-<span class="s">               } </span>
-<span class="s">             }&quot;</span>
+<div class="codehilite"><pre><span class="n">prescriptiveACI</span><span class="p">=</span>&quot;<span class="p">{</span>
+               <span class="n">identificationTag</span> &quot;<span class="n">allUsersACI</span>&quot;<span class="p">,</span>
+               <span class="n">precedence</span> 10<span class="p">,</span>
+               <span class="n">authenticationLevel</span> <span class="n">none</span><span class="p">,</span>
+               <span class="n">itemOrUserFirst</span> <span class="n">userFirst</span><span class="p">:</span>
+               <span class="p">{</span>
+                 <span class="n">userClasses</span>
+                 <span class="p">{</span>
+                   <span class="n">allUsers</span>
+                 <span class="p">},</span>
+                 <span class="n">userPermissions</span>
+                 <span class="p">{</span> 
+                   <span class="p">{</span>
+                     <span class="n">protectedItems</span> <span class="p">{</span> <span class="n">entry</span><span class="p">,</span> <span class="n">allUserAttributeTypesAndValues</span> <span class="p">},</span>
+                     <span class="n">grantsAndDenials</span> <span class="p">{</span> <span class="n">grantRead</span><span class="p">,</span> <span class="n">grantBrowse</span><span class="p">,</span> <span class="n">grantReturnDN</span><span class="p">,</span>
+                                        <span class="n">grantCompare</span><span class="p">,</span> <span class="n">grantFilterMatch</span><span class="p">,</span> <span class="n">grantDiscloseOnError</span> <span class="p">}</span> 
+                   <span class="p">},</span>
+                   <span class="p">{</span>
+                     <span class="n">protectedItems</span> <span class="p">{</span> <span class="n">attributeType</span> <span class="p">{</span> <span class="n">userPassword</span> <span class="p">}</span> <span class="p">},</span>
+                     <span class="n">grantsAndDenials</span> <span class="p">{</span> <span class="n">denyRead</span><span class="p">,</span> <span class="n">denyCompare</span><span class="p">,</span> <span class="n">denyFilterMatch</span> <span class="p">}</span>
+                   <span class="p">}</span>
+                 <span class="p">}</span>
+               <span class="p">}</span> 
+             <span class="p">}</span>&quot;
 </pre></div>
 
 
 <h3 id="ldif-for-this-configuration">LDIF for this configuration</h3>
-<p>The following LDIF file ([^authz_sevenSeas.ldif]) provides a set of changes made to directory entries in the "Seven Seas" data. In total it performs the steps described above.<br />
-</p>
-<div class="codehilite"><pre><span class="c1"># File authz_sevenSeas.ldif</span>
-<span class="c1">#</span>
-<span class="c1"># Create an operational attribute &quot;administrativeRole&quot;</span>
-<span class="c1"># with value &quot;accessControlSpecificArea&quot; in the entry &quot;o=sevenSeas&quot;.</span>
-<span class="c1">#</span>
-<span class="n">dn:</span> <span class="n">o</span><span class="o">=</span><span class="n">sevenSeas</span>
-<span class="n">changetype:</span> <span class="n">modify</span>
-<span class="n">add:</span> <span class="n">administrativeRole</span>
-<span class="n">administrativeRole:</span> <span class="n">accessControlSpecificArea</span>
-
-<span class="c1"># Create a subentry subordinate to &quot;o=sevenSeas&quot; to grant all operations&#39; permissions </span>
-<span class="c1"># to &quot;cn=Horatio Nelson,ou=people,o=sevenSeas&quot;, to grant search and compare permissions</span>
-<span class="c1"># to all users and to deny search and compare permissions for userPassword attribute to all users. </span>
-<span class="c1">#</span>
-<span class="n">dn:</span> <span class="n">cn</span><span class="o">=</span><span class="n">sevenSeasAuthorizationRequirementsACISubentry</span><span class="p">,</span><span class="n">o</span><span class="o">=</span><span class="n">sevenSeas</span>
-<span class="n">changetype:</span> <span class="n">add</span>
-<span class="n">objectclass:</span> <span class="n">top</span>
-<span class="n">objectclass:</span> <span class="n">subentry</span>
-<span class="n">objectclass:</span> <span class="n">accessControlSubentry</span>
-<span class="n">cn:</span> <span class="n">sevenSeasAuthorizationRequirementsACISubentry</span>
-<span class="n">subtreeSpecification:</span> <span class="p">{}</span>
-<span class="n">prescriptiveACI:</span> <span class="p">{</span>
+<p>The following LDIF file ([^authz_sevenSeas.ldif]) provides a set of changes made to directory entries in the "Seven Seas" data. In total it performs the steps described above.  </p>
+<div class="codehilite"><pre><span class="c"># File authz_sevenSeas.ldif</span>
+<span class="c">#</span>
+<span class="c"># Create an operational attribute &quot;administrativeRole&quot;</span>
+<span class="c"># with value &quot;accessControlSpecificArea&quot; in the entry &quot;o=sevenSeas&quot;.</span>
+<span class="c">#</span>
+<span class="n">dn</span><span class="p">:</span> <span class="n">o</span><span class="p">=</span><span class="n">sevenSeas</span>
+<span class="n">changetype</span><span class="p">:</span> <span class="n">modify</span>
+<span class="n">add</span><span class="p">:</span> <span class="n">administrativeRole</span>
+<span class="n">administrativeRole</span><span class="p">:</span> <span class="n">accessControlSpecificArea</span>
+
+<span class="c"># Create a subentry subordinate to &quot;o=sevenSeas&quot; to grant all operations&#39; permissions </span>
+<span class="c"># to &quot;cn=Horatio Nelson,ou=people,o=sevenSeas&quot;, to grant search and compare permissions</span>
+<span class="c"># to all users and to deny search and compare permissions for userPassword attribute to all users. </span>
+<span class="c">#</span>
+<span class="n">dn</span><span class="p">:</span> <span class="n">cn</span><span class="p">=</span><span class="n">sevenSeasAuthorizationRequirementsACISubentry</span><span class="p">,</span><span class="n">o</span><span class="p">=</span><span class="n">sevenSeas</span>
+<span class="n">changetype</span><span class="p">:</span> <span class="n">add</span>
+<span class="n">objectclass</span><span class="p">:</span> <span class="n">top</span>
+<span class="n">objectclass</span><span class="p">:</span> <span class="n">subentry</span>
+<span class="n">objectclass</span><span class="p">:</span> <span class="n">accessControlSubentry</span>
+<span class="n">cn</span><span class="p">:</span> <span class="n">sevenSeasAuthorizationRequirementsACISubentry</span>
+<span class="n">subtreeSpecification</span><span class="p">:</span> <span class="p">{}</span>
+<span class="n">prescriptiveACI</span><span class="p">:</span> <span class="p">{</span>
     <span class="n">identificationTag</span> <span class="s">&quot;directoryManagerFullAccessACI&quot;</span><span class="p">,</span>
-    <span class="n">precedence</span> <span class="mi">11</span><span class="p">,</span>
+    <span class="n">precedence</span> 11<span class="p">,</span>
     <span class="n">authenticationLevel</span> <span class="n">simple</span><span class="p">,</span>
-    <span class="n">itemOrUserFirst</span> <span class="n">userFirst:</span>
+    <span class="n">itemOrUserFirst</span> <span class="n">userFirst</span><span class="p">:</span>
     <span class="p">{</span>
         <span class="n">userClasses</span>
         <span class="p">{</span>
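Review bot: The combined `allUsersACI` value is not equivalent to the two values it is said to merge: steps 3 and 4 use `authenticationLevel simple`, while the combined value uses `authenticationLevel none`, which extends the read, browse and compare grants to requestors who have not authenticated. Either use `simple` in the combined value or have the text say that anonymous read access is intended. In the same hunk, `([^authz_sevenSeas.ldif])` comes through as literal text, so the reference to the LDIF file is lost in the generated page, and the step 4 context line repeats the "should added" typo.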
@@ -464,11 +463,11 @@
         <span class="p">}</span>
     <span class="p">}</span> 
 <span class="p">}</span>
-<span class="n">prescriptiveACI:</span> <span class="p">{</span>
+<span class="n">prescriptiveACI</span><span class="p">:</span> <span class="p">{</span>
     <span class="n">identificationTag</span> <span class="s">&quot;allUsersACI&quot;</span><span class="p">,</span>
-    <span class="n">precedence</span> <span class="mi">10</span><span class="p">,</span>
+    <span class="n">precedence</span> 10<span class="p">,</span>
     <span class="n">authenticationLevel</span> <span class="n">none</span><span class="p">,</span>
-    <span class="n">itemOrUserFirst</span> <span class="n">userFirst:</span>
+    <span class="n">itemOrUserFirst</span> <span class="n">userFirst</span><span class="p">:</span>
     <span class="p">{</span>
         <span class="n">userClasses</span>
         <span class="p">{</span>
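Review bot: Highlighting is inconsistent within this block after the change: `precedence 10` loses its `<span class="mi">` while the unchanged `identificationTag` line keeps `<span class="s">`, and the ACI blocks earlier on the page render the quoted tag as bare `&quot;` around a name span. That pattern suggests the lexer is being guessed per block. Pinning one lexer (or plain text) for the LDIF and ACI blocks in the source would keep regenerated output stable and keep diffs like this one small enough to review for real content changes.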
@@ -492,81 +491,80 @@
 
 
 <p>To apply this configuration to the sample data partition, you can perform an <em>ldapmodify</em> with the LDIF as agrument:</p>
-<div class="codehilite"><pre><span class="nv">$</span> <span class="nv">ldapmodify</span> <span class="o">-</span><span class="n">h</span> <span class="n">zanzibar</span> <span class="o">-</span><span class="n">p</span> <span class="mi">10389</span> <span class="o">-</span><span class="n">D</span> <span class="s">&quot;uid=admin,ou=system&quot;</span> <span class="o">-</span><span class="n">w</span> <span class="n">secret</span> <span class="o">-</span><span class="n">f</span> <span class="n">authz_sevenSeas</span><span class="o">.</span><span class="n">ldif</span>
-<span class="n">modifying</span> <span class="n">entry</span> <span class="n">o</span><span class="o">=</span><span class="n">sevenSeas</span>
+<div class="codehilite"><pre>$ <span class="n">ldapmodify</span> <span class="o">-</span><span class="n">h</span> <span class="n">zanzibar</span> <span class="o">-</span><span class="n">p</span> 10389 <span class="o">-</span><span class="n">D</span> &quot;<span class="n">uid</span><span class="p">=</span><span class="n">admin</span><span class="p">,</span><span class="n">ou</span><span class="p">=</span><span class="n">system</span>&quot; <span class="o">-</span><span class="n">w</span> <span class="n">secret</span> <span class="o">-</span><span class="n">f</span> <span class="n">authz_sevenSeas</span><span class="p">.</span><span class="n">ldif</span>
+<span class="n">modifying</span> <span class="n">entry</span> <span class="n">o</span><span class="p">=</span><span class="n">sevenSeas</span>
 
-<span class="n">adding</span> <span class="k">new</span> <span class="n">entry</span> <span class="n">cn</span><span class="o">=</span><span class="n">sevenSeasAuthorizationRequirementsACISubentry</span><span class="p">,</span><span class="n">o</span><span class="o">=</span><span class="n">sevenSeas</span>
-<span class="nv">$</span>
+<span class="n">adding</span> <span class="n">new</span> <span class="n">entry</span> <span class="n">cn</span><span class="p">=</span><span class="n">sevenSeasAuthorizationRequirementsACISubentry</span><span class="p">,</span><span class="n">o</span><span class="p">=</span><span class="n">sevenSeas</span>
+$
 </pre></div>
 
 
 <p>It is also possible to use graphical tools; some of them offer the feature to perform operations given in LDIF.</p>
 <h2 id="verification-that-it-works">Verification, that it works</h2>
-<p>After successfully applying the changes to the sample partition, one may ask how to check whether it works. We therefore perform some operations with the help of command line tools. Some will be permitted, some will not (and cause an appropriate error message). It would also be able to check this with the help of graphical tools (you might like to do this instead). But it is easier to document the parameters used with the help command line arguments.<br />
-</p>
+<p>After successfully applying the changes to the sample partition, one may ask how to check whether it works. We therefore perform some operations with the help of command line tools. Some will be permitted, some will not (and cause an appropriate error message). It would also be able to check this with the help of graphical tools (you might like to do this instead). But it is easier to document the parameters used with the help command line arguments.  </p>
 <h3 id="performing-some-search-operations-in-order-to-read-data">Performing some search operations in order to read data</h3>
 <p>Bind as user "William Bush" and search for entries which match "(uid=hhornblo)". Expected behavior: We are able to read the attributes of entry "cn=Horatio Hornblower,ou=people,o=sevenSeas" (the only entry which matches the filter). The password attribute should not be visible. It works as desired: </p>
-<div class="codehilite"><pre><span class="nv">$</span> <span class="nv">ldapsearch</span> <span class="o">-</span><span class="n">h</span> <span class="n">zanzibar</span> <span class="o">-</span><span class="n">p</span> <span class="mi">10389</span> <span class="o">-</span><span class="n">D</span> <span class="s">&quot;cn=William Bush,ou=people,o=sevenSeas&quot;</span> <span class="o">-</span><span class="n">w</span> <span class="n">pass</span> <span class="o">\\</span>
-    <span class="o">-</span><span class="n">b</span> <span class="s">&quot;o=sevenSeas&quot;</span> <span class="o">-</span><span class="n">s</span> <span class="k">sub </span><span class="err">&quot;(</span><span class="nf">uid</span><span class="err">=</span><span class="nf">hhornblo</span><span class="err">)&quot;</span>
-<span class="nf">version</span><span class="err">:</span> <span class="err">1</span>
-<span class="nf">dn</span><span class="err">:</span> <span class="nf">cn</span><span class="err">=</span><span class="nf">Horatio</span> <span class="nf">Hornblower</span><span class="err">,</span><span class="nf">ou</span><span class="err">=</span><span class="nf">people</span><span class="err">,</span><span class="nf">o</span><span class="err">=</span><span class="nf">sevenSeas</span>
-<span class="nf">mail</span><span class="err">:</span> <span class="nf">hhornblo</span><span class="err">@</span><span class="nf">royalnavy</span><span class="err">.</span><span class="nf">mod</span><span class="err">.</span><span class="nf">uk</span>
-<span class="nf">objectclass</span><span class="err">:</span> <span class="nf">person</span>
-<span class="nf">objectclass</span><span class="err">:</span> <span class="nf">organizationalPerson</span>
-<span class="nf">objectclass</span><span class="err">:</span> <span class="nf">inetOrgPerson</span>
-<span class="nf">objectclass</span><span class="err">:</span> <span class="nf">top</span>
-<span class="nf">cn</span><span class="err">:</span> <span class="nf">Horatio</span> <span class="nf">Hornblower</span>
-<span class="nf">uid</span><span class="err">:</span> <span class="nf">hhornblo</span>
-<span class="nf">givenname</span><span class="err">:</span> <span class="nf">Horatio</span>
-<span class="nf">description</span><span class="err">:</span> <span class="nf">Capt</span><span class="err">.</span> <span class="nf">Horatio</span> <span class="nf">Hornblower</span><span class="err">,</span> <span class="nf">R</span><span class="err">.</span><span class="nf">N</span>
-<span class="nf">sn</span><span class="err">:</span> <span class="nf">Hornblower</span>
+<div class="codehilite"><pre>$ <span class="n">ldapsearch</span> <span class="o">-</span><span class="n">h</span> <span class="n">zanzibar</span> <span class="o">-</span><span class="n">p</span> 10389 <span class="o">-</span><span class="n">D</span> &quot;<span class="n">cn</span><span class="p">=</span><span class="n">William</span> <span class="n">Bush</span><span class="p">,</span><span class="n">ou</span><span class="p">=</span><span class="n">people</span><span class="p">,</span><span class="n">o</span><span class="p">=</span><span class="n">sevenSeas</span>&quot; <span class="o">-</span><span class="n">w</span> <span class="n">pass</span> <span class="o">\\</span>
+    <span class="o">-</span><span class="n">b</span> &quot;<span class="n">o</span><span class="p">=</span><span class="n">sevenSeas</span>&quot; <span class="o">-</span><span class="n">s</span> <span class="n">sub</span> &quot;<span class="p">(</span><span class="n">uid</span><span class="p">=</span><span class="n">hhornblo</span><span class="p">)</span>&quot;
+<span class="n">version</span><span class="p">:</span> 1
+<span class="n">dn</span><span class="p">:</span> <span class="n">cn</span><span class="p">=</span><span class="n">Horatio</span> <span class="n">Hornblower</span><span class="p">,</span><span class="n">ou</span><span class="p">=</span><span class="n">people</span><span class="p">,</span><span class="n">o</span><span class="p">=</span><span class="n">sevenSeas</span>
+<span class="n">mail</span><span class="p">:</span> <span class="n">hhornblo</span><span class="p">@</span><span class="n">royalnavy</span><span class="p">.</span><span class="nb">mod</span><span class="p">.</span><span class="n">uk</span>
+<span class="n">objectclass</span><span class="p">:</span> <span class="n">person</span>
+<span class="n">objectclass</span><span class="p">:</span> <span class="n">organizationalPerson</span>
+<span class="n">objectclass</span><span class="p">:</span> <span class="n">inetOrgPerson</span>
+<span class="n">objectclass</span><span class="p">:</span> <span class="n">top</span>
+<span class="n">cn</span><span class="p">:</span> <span class="n">Horatio</span> <span class="n">Hornblower</span>
+<span class="n">uid</span><span class="p">:</span> <span class="n">hhornblo</span>
+<span class="n">givenname</span><span class="p">:</span> <span class="n">Horatio</span>
+<span class="n">description</span><span class="p">:</span> <span class="n">Capt</span><span class="p">.</span> <span class="n">Horatio</span> <span class="n">Hornblower</span><span class="p">,</span> <span class="n">R</span><span class="p">.</span><span class="n">N</span>
+<span class="n">sn</span><span class="p">:</span> <span class="n">Hornblower</span>
 </pre></div>
 
 
 <p>In the described configuration, the user "Horatio Nelson" acts as a directory manager below "o=sevenSeas". Hence he should basically be allowed to do everything. He should even be able to see other users' <em>userPassword</em> values. In our case, the hash function <em>SHA</em> was applied to them:</p>
-<div class="codehilite"><pre><span class="nv">$</span> <span class="nv">ldapsearch</span> <span class="o">-</span><span class="n">h</span> <span class="n">zanzibar</span> <span class="o">-</span><span class="n">p</span> <span class="mi">10389</span> <span class="o">-</span><span class="n">D</span> <span class="s">&quot;cn=Horatio Nelson,ou=people,o=sevenSeas&quot;</span> <span class="o">-</span><span class="n">w</span> <span class="n">pass</span> <span class="o">\\</span>
-    <span class="o">-</span><span class="n">b</span> <span class="s">&quot;o=sevenSeas&quot;</span> <span class="o">-</span><span class="n">s</span> <span class="k">sub </span><span class="p">&quot;(objectclass=person)&quot; uid userPassword</span>
-<span class="p">version: 1</span>
-<span class="p">dn: cn=Horatio Hornblower,ou=people,o=sevenSeas</span>
-<span class="p">userpassword: {</span><span class="n">SHA</span><span class="p">}</span><span class="n">nU4eI71bcnBGqeO0t9tXvY1u5oQ</span><span class="o">=</span>
-<span class="n">uid:</span> <span class="n">hhornblo</span>
-
-<span class="n">dn:</span> <span class="n">cn</span><span class="o">=</span><span class="n">William</span> <span class="n">Bush</span><span class="p">,</span><span class="n">ou</span><span class="o">=</span><span class="n">people</span><span class="p">,</span><span class="n">o</span><span class="o">=</span><span class="n">sevenSeas</span>
-<span class="n">userpassword:</span> <span class="p">{</span><span class="n">SHA</span><span class="p">}</span><span class="n">nU4eI71bcnBGqeO0t9tXvY1u5oQ</span><span class="o">=</span>
-<span class="n">uid:</span> <span class="n">wbush</span>
-
-<span class="n">dn:</span> <span class="n">cn</span><span class="o">=</span><span class="n">Thomas</span> <span class="n">Quist</span><span class="p">,</span><span class="n">ou</span><span class="o">=</span><span class="n">people</span><span class="p">,</span><span class="n">o</span><span class="o">=</span><span class="n">sevenSeas</span>
-<span class="n">userpassword:</span> <span class="p">{</span><span class="n">SHA</span><span class="p">}</span><span class="n">nU4eI71bcnBGqeO0t9tXvY1u5oQ</span><span class="o">=</span>
-<span class="n">uid:</span> <span class="n">tquist</span>
-<span class="o">...</span>
+<div class="codehilite"><pre>$ <span class="n">ldapsearch</span> <span class="o">-</span><span class="n">h</span> <span class="n">zanzibar</span> <span class="o">-</span><span class="n">p</span> 10389 <span class="o">-</span><span class="n">D</span> &quot;<span class="n">cn</span><span class="p">=</span><span class="n">Horatio</span> <span class="n">Nelson</span><span class="p">,</span><span class="n">ou</span><span class="p">=</span><span class="n">people</span><span class="p">,</span><span class="n">o</span><span class="p">=</span><span class="n">sevenSeas</span>&quot; <span class="o">-</span><span class="n">w</span> <span class="n">pass</span> <span class="o">\\</span>
+    <span class="o">-</span><span class="n">b</span> &quot;<span class="n">o</span><span class="p">=</span><span class="n">sevenSeas</span>&quot; <span class="o">-</span><span class="n">s</span> <span class="n">sub</span> &quot;<span class="p">(</span><span class="n">objectclass</span><span class="p">=</span><span class="n">person</span><span class="p">)</span>&quot; <span class="n">uid</span> <span class="n">userPassword</span>
+<span class="n">version</span><span class="p">:</span> 1
+<span class="n">dn</span><span class="p">:</span> <span class="n">cn</span><span class="p">=</span><span class="n">Horatio</span> <span class="n">Hornblower</span><span class="p">,</span><span class="n">ou</span><span class="p">=</span><span class="n">people</span><span class="p">,</span><span class="n">o</span><span class="p">=</span><span class="n">sevenSeas</span>
+<span class="n">userpassword</span><span class="p">:</span> <span class="p">{</span><span class="n">SHA</span><span class="p">}</span><span class="n">nU4eI71bcnBGqeO0t9tXvY1u5oQ</span><span class="p">=</span>
+<span class="n">uid</span><span class="p">:</span> <span class="n">hhornblo</span>
+
+<span class="n">dn</span><span class="p">:</span> <span class="n">cn</span><span class="p">=</span><span class="n">William</span> <span class="n">Bush</span><span class="p">,</span><span class="n">ou</span><span class="p">=</span><span class="n">people</span><span class="p">,</span><span class="n">o</span><span class="p">=</span><span class="n">sevenSeas</span>
+<span class="n">userpassword</span><span class="p">:</span> <span class="p">{</span><span class="n">SHA</span><span class="p">}</span><span class="n">nU4eI71bcnBGqeO0t9tXvY1u5oQ</span><span class="p">=</span>
+<span class="n">uid</span><span class="p">:</span> <span class="n">wbush</span>
+
+<span class="n">dn</span><span class="p">:</span> <span class="n">cn</span><span class="p">=</span><span class="n">Thomas</span> <span class="n">Quist</span><span class="p">,</span><span class="n">ou</span><span class="p">=</span><span class="n">people</span><span class="p">,</span><span class="n">o</span><span class="p">=</span><span class="n">sevenSeas</span>
+<span class="n">userpassword</span><span class="p">:</span> <span class="p">{</span><span class="n">SHA</span><span class="p">}</span><span class="n">nU4eI71bcnBGqeO0t9tXvY1u5oQ</span><span class="p">=</span>
+<span class="n">uid</span><span class="p">:</span> <span class="n">tquist</span>
+<span class="p">...</span>
 </pre></div>
 
 
 <p>But "Horation Nelson" is not able to perform searches in other areas than "o=sevenSeas" to see the entries. Of course our global ApacheDS administrator "uid=admin,ou=system" is still able to see them:</p>
-<div class="codehilite"><pre><span class="nv">$</span> <span class="nv">ldapsearch</span> <span class="o">-</span><span class="n">h</span> <span class="n">zanzibar</span> <span class="o">-</span><span class="n">p</span> <span class="mi">10389</span> <span class="o">-</span><span class="n">D</span> <span class="s">&quot;cn=Horatio Nelson,ou=people,o=sevenSeas&quot;</span> <span class="o">-</span><span class="n">w</span> <span class="n">pass</span> <span class="o">\\</span>
-    <span class="o">-</span><span class="n">b</span> <span class="s">&quot;ou=system&quot;</span> <span class="o">-</span><span class="n">s</span> <span class="k">sub </span><span class="err">&quot;(</span><span class="nf">objectclass</span><span class="err">=</span><span class="nf">person</span><span class="err">)&quot;</span>
+<div class="codehilite"><pre>$ <span class="n">ldapsearch</span> <span class="o">-</span><span class="n">h</span> <span class="n">zanzibar</span> <span class="o">-</span><span class="n">p</span> 10389 <span class="o">-</span><span class="n">D</span> &quot;<span class="n">cn</span><span class="p">=</span><span class="n">Horatio</span> <span class="n">Nelson</span><span class="p">,</span><span class="n">ou</span><span class="p">=</span><span class="n">people</span><span class="p">,</span><span class="n">o</span><span class="p">=</span><span class="n">sevenSeas</span>&quot; <span class="o">-</span><span class="n">w</span> <span class="n">pass</span> <span class="o">\\</span>
+    <span class="o">-</span><span class="n">b</span> &quot;<span class="n">ou</span><span class="p">=</span><span class="n">system</span>&quot; <span class="o">-</span><span class="n">s</span> <span class="n">sub</span> &quot;<span class="p">(</span><span class="n">objectclass</span><span class="p">=</span><span class="n">person</span><span class="p">)</span>&quot;
 
-<span class="err">$</span> <span class="nf">ldapsearch</span> <span class="err">-</span><span class="nf">h</span> <span class="nf">zanzibar</span> <span class="err">-</span><span class="nf">p</span> <span class="err">10389</span> <span class="err">-</span><span class="nf">D</span> <span class="err">&quot;</span><span class="nf">uid</span><span class="err">=</span><span class="nf">admin</span><span class="err">,</span><span class="nf">ou</span><span class="err">=</span><span class="nf">system</span><span class="err">&quot;</span> <span class="err">-</span><span class="nf">w</span> <span class="nf">secret</span> <span class="err">\\</span>
-    <span class="err">-</span><span class="nf">b</span> <span class="err">&quot;</span><span class="nf">ou</span><span class="err">=</span><span class="nf">system</span><span class="err">&quot;</span> <span class="err">-</span><span class="nf">s</span> <span class="nf">sub</span> <span class="err">&quot;(</span><span class="nf">objectclass</span><span class="err">=</span><span class="nf">person</span><span class="err">)&quot;</span>
-<span class="nf">version</span><span class="err">:</span> <span class="err">1</span>
-<span class="nf">dn</span><span class="err">:</span> <span class="nf">uid</span><span class="err">=</span><span class="nf">admin</span><span class="err">,</span><span class="nf">ou</span><span class="err">=</span><span class="nf">system</span>
-<span class="nf">sn</span><span class="err">:</span> <span class="nf">administrator</span>
-<span class="nf">cn</span><span class="err">:</span> <span class="nf">system</span> <span class="nf">administrator</span>
-<span class="nf">objectClass</span><span class="err">:</span> <span class="nf">top</span>
-<span class="nf">objectClass</span><span class="err">:</span> <span class="nf">person</span>
-<span class="nf">objectClass</span><span class="err">:</span> <span class="nf">organizationalPerson</span>
-<span class="nf">objectClass</span><span class="err">:</span> <span class="nf">inetOrgPerson</span>
-<span class="nf">userpassword</span><span class="err">:</span> <span class="nf">secret</span>
-<span class="nf">uid</span><span class="err">:</span> <span class="nf">admin</span>
-<span class="nf">displayName</span><span class="err">:</span> <span class="nf">Directory</span> <span class="nf">Superuser</span>
-
-<span class="nf">dn</span><span class="err">:</span> <span class="nf">cn</span><span class="err">=</span><span class="nf">Tori</span> <span class="nf">Amos</span><span class="err">,</span><span class="nf">ou</span><span class="err">=</span><span class="nf">users</span><span class="err">,</span><span class="nf">ou</span><span class="err">=</span><span class="nf">system</span>
-<span class="nf">cn</span><span class="err">:</span> <span class="nf">Tori</span> <span class="nf">Amos</span>
-<span class="nf">userpassword</span><span class="err">:</span> <span class="nf">amos</span>
-<span class="nf">objectclass</span><span class="err">:</span> <span class="nf">person</span>
-<span class="nf">objectclass</span><span class="err">:</span> <span class="nf">top</span>
-<span class="nf">sn</span><span class="err">:</span> <span class="nf">Amos</span>
-<span class="err">...</span>
+$ <span class="n">ldapsearch</span> <span class="o">-</span><span class="n">h</span> <span class="n">zanzibar</span> <span class="o">-</span><span class="n">p</span> 10389 <span class="o">-</span><span class="n">D</span> &quot;<span class="n">uid</span><span class="p">=</span><span class="n">admin</span><span class="p">,</span><span class="n">ou</span><span class="p">=</span><span class="n">system</span>&quot; <span class="o">-</span><span class="n">w</span> <span class="n">secret</span> <span class="o">\\</span>
+    <span class="o">-</span><span class="n">b</span> &quot;<span class="n">ou</span><span class="p">=</span><span class="n">system</span>&quot; <span class="o">-</span><span class="n">s</span> <span class="n">sub</span> &quot;<span class="p">(</span><span class="n">objectclass</span><span class="p">=</span><span class="n">person</span><span class="p">)</span>&quot;
+<span class="n">version</span><span class="p">:</span> 1
+<span class="n">dn</span><span class="p">:</span> <span class="n">uid</span><span class="p">=</span><span class="n">admin</span><span class="p">,</span><span class="n">ou</span><span class="p">=</span><span class="n">system</span>
+<span class="n">sn</span><span class="p">:</span> <span class="n">administrator</span>
+<span class="n">cn</span><span class="p">:</span> <span class="n">system</span> <span class="n">administrator</span>
+<span class="n">objectClass</span><span class="p">:</span> <span class="n">top</span>
+<span class="n">objectClass</span><span class="p">:</span> <span class="n">person</span>
+<span class="n">objectClass</span><span class="p">:</span> <span class="n">organizationalPerson</span>
+<span class="n">objectClass</span><span class="p">:</span> <span class="n">inetOrgPerson</span>
+<span class="n">userpassword</span><span class="p">:</span> <span class="n">secret</span>
+<span class="n">uid</span><span class="p">:</span> <span class="n">admin</span>
+<span class="n">displayName</span><span class="p">:</span> <span class="n">Directory</span> <span class="n">Superuser</span>
+
+<span class="n">dn</span><span class="p">:</span> <span class="n">cn</span><span class="p">=</span><span class="n">Tori</span> <span class="n">Amos</span><span class="p">,</span><span class="n">ou</span><span class="p">=</span><span class="n">users</span><span class="p">,</span><span class="n">ou</span><span class="p">=</span><span class="n">system</span>
+<span class="n">cn</span><span class="p">:</span> <span class="n">Tori</span> <span class="n">Amos</span>
+<span class="n">userpassword</span><span class="p">:</span> <span class="n">amos</span>
+<span class="n">objectclass</span><span class="p">:</span> <span class="n">person</span>
+<span class="n">objectclass</span><span class="p">:</span> <span class="n">top</span>
+<span class="n">sn</span><span class="p">:</span> <span class="n">Amos</span>
+<span class="p">...</span>
 </pre></div>
 
 
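Review bot: the line continuation at the end of the `-w pass` and `-w secret` lines of the `ldapsearch` commands is emitted as `\\`, on the removed and the added side alike. A shell reads that as an escaped backslash followed by a newline, so a copied command ends there with a stray `\` argument and the `-b ... -s sub ...` line runs as a separate command; the source should produce a single `\`. Two further points on lines this hunk carries unchanged or regenerates: the paragraph before the second listing still says "Horation Nelson" for "Horatio Nelson", and the sample output shows three entries with the same unsalted `{SHA}` `userpassword` value next to cleartext `userpassword: secret` and `userpassword: amos`, which would benefit from a sentence marking them as demonstration values.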
@@ -574,106 +572,106 @@
 <p>Until now the authorization only hided data (entries, attributes) from users with insufficient access rights. Let's perform some operations which try to manipulate the directory data! </p>
 <h4 id="adding-an-entry">Adding an entry</h4>
 <p>First we try to add a new user to the "Seven Seas" partition. The data for the entry is inspired by "Peter Pan" and provided by this LDIF file (<a href="resources/captain-hook.ldif">Captain hook</a>): </p>
-<div class="codehilite"><pre><span class="c1"># File captain_hook.ldif</span>
-<span class="n">dn:</span> <span class="n">cn</span><span class="o">=</span><span class="n">James</span> <span class="n">Hook</span><span class="p">,</span><span class="n">ou</span><span class="o">=</span><span class="n">people</span><span class="p">,</span><span class="n">o</span><span class="o">=</span><span class="n">sevenSeas</span>
-<span class="n">objectclass:</span> <span class="n">inetOrgPerson</span>
-<span class="n">objectclass:</span> <span class="n">organizationalPerson</span>
-<span class="n">objectclass:</span> <span class="n">person</span>
-<span class="n">objectclass:</span> <span class="n">top</span>
-<span class="n">cn:</span> <span class="n">James</span> <span class="n">Hook</span>
-<span class="n">description:</span> <span class="n">A</span> <span class="n">pirate</span> <span class="n">captain</span> <span class="ow">and</span> <span class="n">Peter</span> <span class="n">Pan</span><span class="err">&#39;</span><span class="n">s</span> <span class="n">nemesis</span>
-<span class="n">sn:</span> <span class="n">Hook</span>
-<span class="n">mail:</span> <span class="n">jhook</span><span class="nv">@neverland</span>
-<span class="n">userpassword:</span> <span class="n">peterPan</span>
+<div class="codehilite"><pre><span class="c"># File captain_hook.ldif</span>
+<span class="n">dn</span><span class="p">:</span> <span class="n">cn</span><span class="p">=</span><span class="n">James</span> <span class="n">Hook</span><span class="p">,</span><span class="n">ou</span><span class="p">=</span><span class="n">people</span><span class="p">,</span><span class="n">o</span><span class="p">=</span><span class="n">sevenSeas</span>
+<span class="n">objectclass</span><span class="p">:</span> <span class="n">inetOrgPerson</span>
+<span class="n">objectclass</span><span class="p">:</span> <span class="n">organizationalPerson</span>
+<span class="n">objectclass</span><span class="p">:</span> <span class="n">person</span>
+<span class="n">objectclass</span><span class="p">:</span> <span class="n">top</span>
+<span class="n">cn</span><span class="p">:</span> <span class="n">James</span> <span class="n">Hook</span>
+<span class="n">description</span><span class="p">:</span> <span class="n">A</span> <span class="n">pirate</span> <span class="n">captain</span> <span class="nb">and</span> <span class="n">Peter</span> <span class="n">Pan</span><span class="o">&#39;</span><span class="n">s</span> <span class="n">nemesis</span>
+<span class="n">sn</span><span class="p">:</span> <span class="n">Hook</span>
+<span class="n">mail</span><span class="p">:</span> <span class="n">jhook</span><span class="p">@</span><span class="n">neverland</span>
+<span class="n">userpassword</span><span class="p">:</span> <span class="n">peterPan</span>
 </pre></div>
 
 
 <p>An anonymous user is not allowed to create new entries, as the following error message shows:</p>
-<div class="codehilite"><pre><span class="nv">$</span> <span class="nv">ldapmodify</span> <span class="o">-</span><span class="n">h</span> <span class="n">zanzibar</span> <span class="o">-</span><span class="n">p</span> <span class="mi">10389</span> <span class="o">-</span><span class="n">a</span> <span class="o">-</span><span class="n">f</span> <span class="n">captain_hook</span><span class="o">.</span><span class="n">ldif</span>
-<span class="n">adding</span> <span class="k">new</span> <span class="n">entry</span> <span class="n">cn</span><span class="o">=</span><span class="n">James</span> <span class="n">Hook</span><span class="p">,</span><span class="n">ou</span><span class="o">=</span><span class="n">people</span><span class="p">,</span><span class="n">o</span><span class="o">=</span><span class="n">sevenSeas</span>
-<span class="n">ldap_add:</span> <span class="n">Insufficient</span> <span class="n">access</span>
-<span class="n">ldap_add:</span> <span class="n">additional</span> <span class="n">info:</span> <span class="n">failed</span> <span class="n">to</span> <span class="n">add</span> <span class="n">entry</span> <span class="n">cn</span><span class="o">=</span><span class="n">James</span> <span class="n">Hook</span><span class="p">,</span><span class="n">ou</span><span class="o">=</span><span class="n">people</span><span class="p">,</span><span class="n">o</span><span class="o">=</span><span class="n">sevenSeas:</span> <span class="n">null</span>
-<span class="nv">$</span>
+<div class="codehilite"><pre>$ <span class="n">ldapmodify</span> <span class="o">-</span><span class="n">h</span> <span class="n">zanzibar</span> <span class="o">-</span><span class="n">p</span> 10389 <span class="o">-</span><span class="n">a</span> <span class="o">-</span><span class="n">f</span> <span class="n">captain_hook</span><span class="p">.</span><span class="n">ldif</span>
+<span class="n">adding</span> <span class="n">new</span> <span class="n">entry</span> <span class="n">cn</span><span class="p">=</span><span class="n">James</span> <span class="n">Hook</span><span class="p">,</span><span class="n">ou</span><span class="p">=</span><span class="n">people</span><span class="p">,</span><span class="n">o</span><span class="p">=</span><span class="n">sevenSeas</span>
+<span class="n">ldap_add</span><span class="p">:</span> <span class="n">Insufficient</span> <span class="n">access</span>
+<span class="n">ldap_add</span><span class="p">:</span> <span class="n">additional</span> <span class="n">info</span><span class="p">:</span> <span class="n">failed</span> <span class="n">to</span> <span class="n">add</span> <span class="n">entry</span> <span class="n">cn</span><span class="p">=</span><span class="n">James</span> <span class="n">Hook</span><span class="p">,</span><span class="n">ou</span><span class="p">=</span><span class="n">people</span><span class="p">,</span><span class="n">o</span><span class="p">=</span><span class="n">sevenSeas</span><span class="p">:</span> <span class="n">null</span>
+$
 </pre></div>
 
 
 <p>The same holds true for all "Seven Seas"-user other than "Horatio Nelson". The latter is permitted to do so:</p>
-<div class="codehilite"><pre><span class="nv">$</span> <span class="nv">ldapmodify</span> <span class="o">-</span><span class="n">h</span> <span class="n">zanzibar</span> <span class="o">-</span><span class="n">p</span> <span class="mi">10389</span> <span class="o">-</span><span class="n">D</span> <span class="s">&quot;cn=William Bush,ou=people,o=sevenSeas&quot;</span> <span class="o">-</span><span class="n">w</span> <span class="n">pass</span> <span class="o">\\</span>
-    <span class="o">-</span><span class="n">a</span> <span class="o">-</span><span class="n">f</span> <span class="n">captain_hook</span><span class="o">.</span><span class="n">ldif</span>
-<span class="n">adding</span> <span class="k">new</span> <span class="n">entry</span> <span class="n">cn</span><span class="o">=</span><span class="n">James</span> <span class="n">Hook</span><span class="p">,</span><span class="n">ou</span><span class="o">=</span><span class="n">people</span><span class="p">,</span><span class="n">o</span><span class="o">=</span><span class="n">sevenSeas</span>
-<span class="n">ldap_add:</span> <span class="n">Insufficient</span> <span class="n">access</span>
-<span class="n">ldap_add:</span> <span class="n">additional</span> <span class="n">info:</span> <span class="n">failed</span> <span class="n">to</span> <span class="n">add</span> <span class="n">entry</span> <span class="n">cn</span><span class="o">=</span><span class="n">James</span> <span class="n">Hook</span><span class="p">,</span><span class="n">ou</span><span class="o">=</span><span class="n">people</span><span class="p">,</span><span class="n">o</span><span class="o">=</span><span class="n">sevenSeas:</span> <span class="n">null</span>
-
-<span class="nv">$</span> <span class="nv">ldapmodify</span> <span class="o">-</span><span class="n">h</span> <span class="n">zanzibar</span> <span class="o">-</span><span class="n">p</span> <span class="mi">10389</span> <span class="o">-</span><span class="n">D</span> <span class="s">&quot;cn=Horatio Nelson,ou=people,o=sevenSeas&quot;</span> <span class="o">-</span><span class="n">w</span> <span class="n">pass</span> <span class="o">\\</span>
-    <span class="o">-</span><span class="n">a</span> <span class="o">-</span><span class="n">f</span> <span class="n">captain_hook</span><span class="o">.</span><span class="n">ldif</span>
-<span class="n">adding</span> <span class="k">new</span> <span class="n">entry</span> <span class="n">cn</span><span class="o">=</span><span class="n">James</span> <span class="n">Hook</span><span class="p">,</span><span class="n">ou</span><span class="o">=</span><span class="n">people</span><span class="p">,</span><span class="n">o</span><span class="o">=</span><span class="n">sevenSeas</span>
-<span class="nv">$</span>
+<div class="codehilite"><pre>$ <span class="n">ldapmodify</span> <span class="o">-</span><span class="n">h</span> <span class="n">zanzibar</span> <span class="o">-</span><span class="n">p</span> 10389 <span class="o">-</span><span class="n">D</span> &quot;<span class="n">cn</span><span class="p">=</span><span class="n">William</span> <span class="n">Bush</span><span class="p">,</span><span class="n">ou</span><span class="p">=</span><span class="n">people</span><span class="p">,</span><span class="n">o</span><span class="p">=</span><span class="n">sevenSeas</span>&quot; <span class="o">-</span><span class="n">w</span> <span class="n">pass</span> <span class="o">\\</span>
+    <span class="o">-</span><span class="n">a</span> <span class="o">-</span><span class="n">f</span> <span class="n">captain_hook</span><span class="p">.</span><span class="n">ldif</span>
+<span class="n">adding</span> <span class="n">new</span> <span class="n">entry</span> <span class="n">cn</span><span class="p">=</span><span class="n">James</span> <span class="n">Hook</span><span class="p">,</span><span class="n">ou</span><span class="p">=</span><span class="n">people</span><span class="p">,</span><span class="n">o</span><span class="p">=</span><span class="n">sevenSeas</span>
+<span class="n">ldap_add</span><span class="p">:</span> <span class="n">Insufficient</span> <span class="n">access</span>
+<span class="n">ldap_add</span><span class="p">:</span> <span class="n">additional</span> <span class="n">info</span><span class="p">:</span> <span class="n">failed</span> <span class="n">to</span> <span class="n">add</span> <span class="n">entry</span> <span class="n">cn</span><span class="p">=</span><span class="n">James</span> <span class="n">Hook</span><span class="p">,</span><span class="n">ou</span><span class="p">=</span><span class="n">people</span><span class="p">,</span><span class="n">o</span><span class="p">=</span><span class="n">sevenSeas</span><span class="p">:</span> <span class="n">null</span>
+
+$ <span class="n">ldapmodify</span> <span class="o">-</span><span class="n">h</span> <span class="n">zanzibar</span> <span class="o">-</span><span class="n">p</span> 10389 <span class="o">-</span><span class="n">D</span> &quot;<span class="n">cn</span><span class="p">=</span><span class="n">Horatio</span> <span class="n">Nelson</span><span class="p">,</span><span class="n">ou</span><span class="p">=</span><span class="n">people</span><span class="p">,</span><span class="n">o</span><span class="p">=</span><span class="n">sevenSeas</span>&quot; <span class="o">-</span><span class="n">w</span> <span class="n">pass</span> <span class="o">\\</span>
+    <span class="o">-</span><span class="n">a</span> <span class="o">-</span><span class="n">f</span> <span class="n">captain_hook</span><span class="p">.</span><span class="n">ldif</span>
+<span class="n">adding</span> <span class="n">new</span> <span class="n">entry</span> <span class="n">cn</span><span class="p">=</span><span class="n">James</span> <span class="n">Hook</span><span class="p">,</span><span class="n">ou</span><span class="p">=</span><span class="n">people</span><span class="p">,</span><span class="n">o</span><span class="p">=</span><span class="n">sevenSeas</span>
+$
 </pre></div>
 
 
 <p>Afterwards a new entry is successfully created within the "Seven Seas" partition by user "Horatio Nelson". The '+' sign in the attributes list of the <em>ldapsearch</em> command causes ApacheDS to return the operational attributes, which demonstrate this.</p>
-<div class="codehilite"><pre><span class="nv">$</span> <span class="nv">ldapsearch</span> <span class="o">-</span><span class="n">h</span> <span class="n">zanzibar</span> <span class="o">-</span><span class="n">p</span> <span class="mi">10389</span> <span class="o">-</span><span class="n">b</span> <span class="s">&quot;o=sevenSeas&quot;</span> <span class="o">-</span><span class="n">s</span> <span class="k">sub </span><span class="err">&quot;(</span><span class="nf">cn</span><span class="err">=</span><span class="nf">James</span> <span class="nf">Hook</span><span class="err">)&quot;</span> <span class="err">+</span>
-<span class="nf">version</span><span class="err">:</span> <span class="err">1</span>
-<span class="nf">dn</span><span class="err">:</span> <span class="nf">cn</span><span class="err">=</span><span class="nf">James</span> <span class="nf">Hook</span><span class="err">,</span><span class="nf">ou</span><span class="err">=</span><span class="nf">people</span><span class="err">,</span><span class="nf">o</span><span class="err">=</span><span class="nf">sevenSeas</span>
-<span class="nf">accessControlSubentries</span><span class="err">:</span> <span class="nf">cn</span><span class="err">=</span><span class="nf">sevenSeasAuthorizationRequirementsACISubentry</span><span class="err">,</span><span class="nf">o</span><span class="err">=</span><span class="nf">sevenSeas</span>
-<span class="nf">creatorsName</span><span class="err">:</span> <span class="nf">cn</span><span class="err">=</span><span class="nf">Horatio</span> <span class="nf">Nelson</span><span class="err">,</span><span class="nf">ou</span><span class="err">=</span><span class="nf">people</span><span class="err">,</span><span class="nf">o</span><span class="err">=</span><span class="nf">sevenSeas</span>
-<span class="nf">createTimestamp</span><span class="err">:</span> <span class="err">20061203140109</span><span class="nf">Z</span>
+<div class="codehilite"><pre>$ <span class="n">ldapsearch</span> <span class="o">-</span><span class="n">h</span> <span class="n">zanzibar</span> <span class="o">-</span><span class="n">p</span> 10389 <span class="o">-</span><span class="n">b</span> &quot;<span class="n">o</span><span class="p">=</span><span class="n">sevenSeas</span>&quot; <span class="o">-</span><span class="n">s</span> <span class="n">sub</span> &quot;<span class="p">(</span><span class="n">cn</span><span class="p">=</span><span class="n">James</span> <span class="n">Hook</span><span class="p">)</span>&quot; <span class="o">+</span>
+<span class="n">version</span><span class="p">:</span> 1
+<span class="n">dn</span><span class="p">:</span> <span class="n">cn</span><span class="p">=</span><span class="n">James</span> <span class="n">Hook</span><span class="p">,</span><span class="n">ou</span><span class="p">=</span><span class="n">people</span><span class="p">,</span><span class="n">o</span><span class="p">=</span><span class="n">sevenSeas</span>
+<span class="n">accessControlSubentries</span><span class="p">:</span> <span class="n">cn</span><span class="p">=</span><span class="n">sevenSeasAuthorizationRequirementsACISubentry</span><span class="p">,</span><span class="n">o</span><span class="p">=</span><span class="n">sevenSeas</span>
+<span class="n">creatorsName</span><span class="p">:</span> <span class="n">cn</span><span class="p">=</span><span class="n">Horatio</span> <span class="n">Nelson</span><span class="p">,</span><span class="n">ou</span><span class="p">=</span><span class="n">people</span><span class="p">,</span><span class="n">o</span><span class="p">=</span><span class="n">sevenSeas</span>
+<span class="n">createTimestamp</span><span class="p">:</span> 20061203140109<span class="n">Z</span>
 </pre></div>
 
 
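Review bot: the link in the unchanged paragraph that introduces the LDIF points at `resources/captain-hook.ldif` (hyphen), while the listing header `# File captain_hook.ldif` and every `ldapmodify ... -f captain_hook.ldif` call in this hunk use an underscore, so a reader who downloads the linked file and pastes the commands will not find the file. Pick one name and use it in the href, the listing comment and the commands. The context lines also read "only hided data" (should be "hid") and "all "Seven Seas"-user other than", and the two `ldapmodify` commands with `-D` end in `\\` rather than a single `\`, which breaks the continuation when copied.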

[... 94 lines stripped ...]

