directory-dev mailing list archives

From Richard Evans <>
Subject Creating ACIs in trunk code
Date Thu, 12 May 2011 16:17:34 GMT
I'm running a 1.5.8 snapshot freshly built from trunk-with-dependencies.  I've set up access
controls and am trying to define the 'enable search for all users' ACI entry as explained
in the online docs.

I've set up config.ldif to define a test partition ''.  After starting the server
I ldapadd this LDIF:

version: 1

# Neptune root context entry

dn: dc=neptune,dc=com
objectClass: top
objectClass: domain
objectClass: extensibleObject
dc: neptune
description: The context entry for suffix
administrativeRole: accessControlSpecificArea

# Enable search by all users

dn: cn=enableSearchForAllUsers,dc=neptune,dc=com
objectClass: subentry
objectClass: accessControlSubentry
cn: enableSearchForAllUsers
subtreeSpecification: {}
prescriptiveACI: {
   identificationTag "enableSearchForAllUsers",
   precedence 14,
   authenticationLevel simple,
   itemOrUserFirst userFirst: 
     userClasses { allUsers }, 
         protectedItems {entry, allUserAttributeTypesAndValues}, 
         grantsAndDenials { grantRead, grantReturnDN, grantBrowse } 


At this point I can search as a test user.  If I restart the server I see this:

[16:39:28] DEBUG [] - Initializing the AciAuthorizationInterceptor
[16:39:28] WARN [] - Found accessControlSubentry 'cn=enableSearchForAllUsers,dc=neptune,dc=com' without any prescriptiveACI
[16:39:28] DEBUG [] - group cache contents on startup:

(I turned up logging for the Aci package).

This looks a bit like DIRSERVER-1524.  Have I created the Aci entry correctly for trunk code?

A couple of other related queries:

1. With access controls enabled, I can't connect anonymously to the RootDSE - do I need another
Aci entry for this?
2. Attempting a search as a test user, I would expect searches to fail with an error, instead
I just get no results.  Is this intentional?

