directory-users mailing list archives

From "Ersin Er" <ersin...@gmail.com>
Subject Re: ACI Basics/understanding
Date Wed, 04 Apr 2007 14:11:28 GMT
Hi Martin,

You may want to follow the instructions on the following page:

http://directory.apache.org/apacheds/1.0/32-basic-authorization.html

If it does not help, let us know for further help.

On 4/4/07, Martin Marcher <martin.marcher@gmail.com> wrote:
> Hello,
>
> I just jumped into apacheds and am doing basic stuff for directory
> integration (apacheds-1.0.1).
>
> Now what I can't find is docs that I can use to set up ACIs, does
> anybody have links for this?
>
> I found the authorization[1] and the subsequent pages. But even the
> "Enable Search for all users"[2] is somewhat unclear to me.
>
> We're trying to switch as much of our services as possible to java
> since our company develops mainly in that area, however I'm not a Java
> programmer.
>
> Back to the topic, following the example in [2] I think the following
> should be true:
>
> ACIs are handled over ldif entries, which in turn are applied to a
> subtree or a single element, meaning if I need an ACI for a subtree or
> entry in apacheds I have to add an:
>
> objectClass: accessControlSubentry
>
> to the entry I want to grant/deny access.
>
> Translating the java code on [2] to ldif the following should result:
>
> I kept the newlines in prescriptive aci for reading purpose:
> (if this is correct maybe someone could post it to [3])
> --snip--
> dn: cn=enableSearchForAllUsers,dc=example,dc=com
> objectClass: top
> objectClass: subentry
> objectClass: accessControlSubentry
> cn: enableSearchForAllUsers
> subtreeSpecification: {}
> prescriptiveACI:
> {
>   identificationTag "enableSearchForAllUsers",
>   precedence 14,
>   authenticationLevel simple,
>   itemOrUserFirst userFirst:
>   {
>     userClasses { allUsers },
>     userPermissions
>     {
>       {
>         protectedItems {entry, allUserAttributeTypesAndValues},
>         grantsAndDenials { grantRead, grantReturnDN, grantBrowse }
>       }
>     }
>   }
> }
> --snap--
>
> Now with this information say I have an inetOrgPerson at the following location:
>
> --snip--
> dn: uid=john.doe,ou=accounts,ou=people,dc=example,dc=com
> ObjectClass: inetOrgPerson
> ObjectClass: organizationalPerson
> ObjectClass: person
> ObjectClass: posixAccount
> ObjectClass: shadowAccount
> ObjectClass: top
> cn: John Doe
> cn: Jonathan Doe
> gidnumber: 1000
> homedirectory: /home/john.doe
> sn: Doe
> uid: john.doe
> uidnumber: 1000
> displayname: John Doe
> givenname: John
> givenname: Johnathan
> --snap--
>
> Now I want only "dn:
> uid=john.doe,ou=accounts,ou=people,dc=example,dc=com" to be able to
> access it (self read/modify - everything in essence)
>
> --snip--
> dn: uid=john.doe,ou=accounts,ou=people,dc=example,dc=com
> changetype: modify
> add: ObjectClass
> ObjectClass: accessControlSubentry
> -
> add: subtreeSpecification
> subtreeSpecification: {}
> -
> add: prescriptiveACI
> prescriptiveACI:
> {
>   identificationTag "enableJohnDoeSelfAccess",
>   precedence 50,
>   authenticationLevel simple,
>   itemOrUserFirst userFirst:
>   {
>     userClasses { thisEntry },
>     userPermissions
>     {
>       {
>         protectedItems {entry, allUserAttributeTypesAndValues},
>         grantsAndDenials { grantModify, grantRead, grantReturnDN, grantBrowse }
>       }
>     }
>   }
> }
> --snap--
>
> Did I get that right, or is it completely wrong?
>
> Summary:
>
>  1 to modify ACIs, create an ldif and modify the subtree or the entry itself
>  2 ACIs are defined in the ObjectClass: accessControlSubentry and the
> attribute prescriptiveACI with the syntax mentioned somewhere in [1]
> I think (at least there's an EBNF notation linked somewhere in that
> area)
>
> [1] http://directory.apache.org/apacheds/1.0/authorization.html
> [2] http://directory.apache.org/apacheds/1.0/enablesearchforallusers.html
> [3] http://cwiki.apache.org/confluence/pages/createpage.action?spaceKey=DIRxSRVx10&title=enableSearchForAllUsers.ldif&linkCreation=true&fromPageId=26217
> --
> Martin Marcher
> martin.marcher@gmail.com
> http://www.mycorners.com
> https://www.xing.com/profile/Martin_Marcher
> http://www.linkedin.com/in/martinmarcher
> http://www.studivz.net/profile.php?ids=9f83ea8c5996b8ec
> http://www.amazon.de/gp/registry/wishlist/3KDAGCL2NKOIM/ref=reg_hu-wl_goto-registry/302-4432803-5146435?ie=UTF8&sort=date-added
>


-- 
Ersin
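The two ACIs discussed in the thread, as an added example that is not part of the original messages or of the ApacheDS project. It follows the layout on the linked basic-authorization page for ApacheDS 1.0: the base entry is first made an access control specific administrative point (administrativeRole: accessControlSpecificArea), and each ACI is a separate subentry (objectClass subentry plus accessControlSubentry, with a cn) directly beneath it, rather than an objectClass added to the user entry. The script also deals with the LDIF detail that trips people up when an ACI is kept on several lines: a value may span physical lines only if every continuation line starts with one space, so it flattens the pretty-printed ACI and re-folds it per RFC 2849. The DNs, identification tags, precedences and the ou=people subtree are constructed for the example; the thisEntry user class is what grants an entry access to itself.

```python
"""Build loadable LDIF for ApacheDS prescriptive ACI subentries.

Added example, not code from this thread or from the ApacheDS project.
Assumes the ApacheDS 1.0 layout: base_dn becomes an access control
administrative point and each ACI is a subentry directly beneath it.
DNs, tags, precedences and the ou=people subtree are constructed here.
"""
import base64
import re

LDIF_LINE_WIDTH = 76   # RFC 2849 recommends folding at 76 characters


def compact_aci(pretty_aci: str) -> str:
    """Collapse a pretty-printed ACI into a single line.

    Whitespace inside quoted strings (the identificationTag) is kept;
    every other run of whitespace becomes one space.
    """
    parts = re.split(r'("[^"]*")', pretty_aci)
    return "".join(p if i % 2 else re.sub(r"\s+", " ", p)
                   for i, p in enumerate(parts)).strip()


def braces_balanced(aci: str) -> bool:
    """Cheap sanity check before handing the ACI to the server's parser."""
    depth = 0
    for ch in aci:
        depth += {"{": 1, "}": -1}.get(ch, 0)
        if depth < 0:
            return False
    return depth == 0


def ldif_attr(name: str, value: str) -> str:
    """Render one attribute per RFC 2849: base64 (':: ') when the value is
    not a SAFE-STRING, and folded so each physical line fits
    LDIF_LINE_WIDTH. Continuation lines start with exactly one space."""
    if not value:
        return f"{name}: "
    safe = (value[0] not in " :<" and not value.endswith(" ")
            and all(ord(c) < 128 and c not in "\0\r\n" for c in value))
    if safe:
        line = f"{name}: {value}"
    else:
        line = f"{name}:: {base64.b64encode(value.encode()).decode()}"
    folded, rest = [line[:LDIF_LINE_WIDTH]], line[LDIF_LINE_WIDTH:]
    while rest:
        folded.append(" " + rest[:LDIF_LINE_WIDTH - 1])
        rest = rest[LDIF_LINE_WIDTH - 1:]
    return "\n".join(folded)


def unfold_ldif(text: str) -> str:
    """Undo folding; shows what the server will actually parse."""
    return text.replace("\n ", "")


def admin_point_modify(base_dn: str) -> str:
    """Modify record that turns base_dn into an access control specific
    area; subentries placed under it have no effect without this."""
    return "\n".join([f"dn: {base_dn}", "changetype: modify",
                      "add: administrativeRole",
                      "administrativeRole: accessControlSpecificArea",
                      "-"]) + "\n"


def aci_subentry(base_dn: str, cn: str, aci: str, subtree: str = "{}") -> str:
    """Add record for one accessControlSubentry directly under base_dn."""
    flat = compact_aci(aci)
    if not braces_balanced(flat):
        raise ValueError(f"unbalanced braces in ACI {cn!r}")
    return "\n".join([
        ldif_attr("dn", f"cn={cn},{base_dn}"),
        "changetype: add",
        "objectClass: top",
        "objectClass: subentry",
        "objectClass: accessControlSubentry",
        ldif_attr("cn", cn),
        ldif_attr("subtreeSpecification", subtree),
        ldif_attr("prescriptiveACI", flat),
    ]) + "\n"


# Constructed ACI: any simple-bound user may search and read the whole area.
SEARCH_ALL_ACI = """
{ identificationTag "enableSearchForAllUsers",
  precedence 14,
  authenticationLevel simple,
  itemOrUserFirst userFirst:
  { userClasses { allUsers },
    userPermissions
    { { protectedItems { entry, allUserAttributeTypesAndValues },
        grantsAndDenials { grantRead, grantReturnDN, grantBrowse } } } } }
"""

# Constructed ACI: an entry may read and modify itself (thisEntry); the
# subtree specification below limits it to entries under ou=people.
SELF_ACCESS_ACI = """
{ identificationTag "selfReadAndModify",
  precedence 50,
  authenticationLevel simple,
  itemOrUserFirst userFirst:
  { userClasses { thisEntry },
    userPermissions
    { { protectedItems { entry, allUserAttributeTypesAndValues },
        grantsAndDenials { grantRead, grantReturnDN, grantBrowse,
                           grantModify, grantAdd, grantRemove } } } } }
"""


def build_ldif(base_dn: str = "dc=example,dc=com") -> str:
    """Everything in load order: admin point first, then the subentries."""
    return "\n".join([
        admin_point_modify(base_dn),
        aci_subentry(base_dn, "enableSearchForAllUsers", SEARCH_ALL_ACI),
        aci_subentry(base_dn, "selfReadAndModify", SELF_ACCESS_ACI,
                     subtree='{ base "ou=people" }'),
    ])


if __name__ == "__main__":
    print(build_ldif())
```

Feed the output to ldapmodify as the admin user. Two caveats before expecting any effect: ApacheDS 1.0 ships with the access control subsystem switched off (accessControlEnabled in server.xml), so the subentries are inert until it is enabled; and precedence only decides conflicts between a grant and a deny, so with two grant-only ACIs the values 14 and 50 change nothing, they simply mirror the thread.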
