directory-dev mailing list archives

From Richard Evans <richard.ev...@datanomic.com>
Subject Creating ACIs in trunk code
Date Thu, 12 May 2011 16:17:34 GMT
I'm running a 1.5.8 snapshot freshly built from trunk-with-dependencies.  I've set up access
controls and am trying to define the 'enable search for all users' ACI entry as explained
in the online docs.

I've set up config.ldif to define a test partition 'neptune.com'.  After starting the server
I ldapadd this LDIF:

version: 1

# Neptune root context entry

dn: dc=neptune,dc=com
objectClass: top
objectClass: domain
objectClass: extensibleObject
o: neptune.com
dc: neptune
description: The context entry for suffix neptune.com
administrativeRole: accessControlSpecificArea

# Enable search by all users

dn: cn=enableSearchForAllUsers,dc=neptune,dc=com
objectClass: subentry
objectClass: accessControlSubentry
cn: enableSearchForAllUsers
subtreeSpecification: {}
prescriptiveACI: {
   identificationTag "enableSearchForAllUsers",
   precedence 14,
   authenticationLevel simple,
   itemOrUserFirst userFirst: 
   { 
     userClasses { allUsers }, 
     userPermissions 
     { 
       {
         protectedItems {entry, allUserAttributeTypesAndValues}, 
         grantsAndDenials { grantRead, grantReturnDN, grantBrowse } 
       }
     } 
   } 
 }

...

At this point I can search as a test user.  If I restart the server I see this:

[16:39:28] DEBUG [org.apache.directory.server.core.authz.AciAuthorizationInterceptor] - Initializing
the AciAuthorizationInterceptor
[16:39:28] WARN [org.apache.directory.server.core.authz.TupleCache] - Found accessControlSubentry
'cn=enableSearchForAllUsers,dc=neptune,dc=com' without any prescriptiveACI
[16:39:28] DEBUG [org.apache.directory.server.core.authz.GroupCache] - group cache contents
on startup:
...

(I turned up logging for the Aci package).

This looks a bit like DIRSERVER-1524.  Have I created the Aci entry correctly for trunk code?

A couple of other related queries:

1. With access controls enabled, I can't connect anonymously to the RootDSE - do I need another
Aci entry for this?
2. Attempting a search as a test user, I would expect searches to fail with an error, instead
I just get no results.  Is this intentional?

Richard
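An added example (not from the original post or from ApacheDS): an offline LDIF lint in Python that unfolds RFC 2849 continuation lines and flags an accessControlSubentry that would produce the "without any prescriptiveACI" TupleCache warning above, an ACI value with unbalanced braces (a typical folding mistake), or a parent entry lacking the accessControlSpecificArea role. The sample LDIF, including the cn=broken entry, is constructed.

```python
# Constructed sample LDIF (not the poster's file): the context entry with its administrativeRole,
# a folded prescriptiveACI shaped like the one in the post, and a subentry with no prescriptiveACI.
SAMPLE_LDIF = """\
dn: dc=neptune,dc=com
objectClass: domain
administrativeRole: accessControlSpecificArea

dn: cn=enableSearchForAllUsers,dc=neptune,dc=com
objectClass: accessControlSubentry
subtreeSpecification: {}
prescriptiveACI: { identificationTag "enableSearchForAllUsers", precedence 14,
  authenticationLevel simple, itemOrUserFirst userFirst: { userClasses { allUsers },
  userPermissions { { protectedItems {entry, allUserAttributeTypesAndValues},
  grantsAndDenials { grantRead, grantReturnDN, grantBrowse } } } } }

dn: cn=broken,dc=neptune,dc=com
objectClass: accessControlSubentry
subtreeSpecification: {}
"""

def parse_ldif(text):
    """Parse LDIF into [{attribute (lowercased): [values]}], unfolding RFC 2849 continuation lines."""
    entries, entry, last = [], {}, None
    for line in text.splitlines() + [""]:
        if line.startswith(" ") and last:      # folded value: drop exactly one leading space
            entry[last][-1] += line[1:]
        elif line == "":                       # blank line closes the current entry
            if entry:
                entries.append(entry)
            entry, last = {}, None
        else:
            attr, _, value = line.partition(":")
            last = attr.strip().lower()
            entry.setdefault(last, []).append(value.strip())
    return entries

def check_aci_subentries(entries):
    """Report subentries with no prescriptiveACI, an unbalanced ACI value, or a parent without the role."""
    by_dn = {e["dn"][0].replace(" ", "").lower(): e for e in entries if "dn" in e}
    problems = []
    for e in (x for x in entries if "accesscontrolsubentry" in map(str.lower, x.get("objectclass", []))):
        dn, aci = e["dn"][0], e.get("prescriptiveaci", [])
        if not aci:
            problems.append(f"{dn}: accessControlSubentry without any prescriptiveACI")
        elif any(v.count("{") != v.count("}") for v in aci):
            problems.append(f"{dn}: prescriptiveACI has unbalanced braces")
        parent = by_dn.get(dn.partition(",")[2].replace(" ", "").lower(), {})
        if "accesscontrolspecificarea" not in map(str.lower, parent.get("administrativerole", [])):
            problems.append(f"{dn}: parent lacks administrativeRole accessControlSpecificArea")
    return problems
```

Run `check_aci_subentries(parse_ldif(open("neptune.ldif").read()))` on a file before ldapadd to catch these mistakes without restarting the server.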


