directory-users mailing list archives

From "Martin Marcher" <martin.marc...@gmail.com>
Subject ACI Basics/understanding
Date Wed, 04 Apr 2007 14:06:18 GMT
Hello,

I just jumped into apacheds and am doing basic stuff for directory
integration (apacheds-1.0.1).

Now what I can't find is docs that I can use to set up ACIs, does
anybody have links for this?

I found the authorization page [1] and the subsequent pages. But even the
"Enable Search for all users" page [2] is somewhat unclear to me.

We're trying to switch as much of our services as possible to java
since our company develops mainly in that area, however I'm not a Java
programmer.

Back to the topic, following the example in [2] I think the following
should be true:

ACIs are handled via ldif entries, which in turn are applied to a
subtree or a single element, meaning if I need an ACI for a subtree or
entry in apacheds I have to add an:

objectClass: accessControlSubentry

to the entry I want to grant/deny access.

Translating the java code on [2] to ldif the following should result:

I kept the newlines in the prescriptive aci for readability:
(if this is correct maybe someone could post it to [3])
--snip--
dn: cn=enableSearchForAllUsers,dc=example,dc=com
ObjectClass: accessControlSubentry
subtreeSpecification: {}
prescriptiveACI:
{
  identificationTag "enableSearchForAllUsers",
  precedence 14,
  authenticationLevel simple,
  itemOrUserFirst userFirst:
  {
    userClasses { allUsers },
    userPermissions
    {
      {
        protectedItems {entry, allUserAttributeTypesAndValues},
        grantsAndDenials { grantRead, grantReturnDN, grantBrowse }
      }
    }
  }
}
--snap--

Now with this information, say I have an inetOrgPerson at the following location:

--snip--
dn: uid=john.doe,ou=accounts,ou=people,dc=example,dc=com
ObjectClass: inetOrgPerson
ObjectClass: organizationalPerson
ObjectClass: person
ObjectClass: posixAccount
ObjectClass: shadowAccount
ObjectClass: top
cn: John Doe
cn: Jonathan Doe
gidnumber: 1000
homedirectory: /home/john.doe
sn: Doe
uid: john.doe
uidnumber: 1000
displayname: John Doe
givenname: John
givenname: Johnathan
--snap--

Now I want only "dn: uid=john.doe,ou=accounts,ou=people,dc=example,dc=com"
to be able to access it (self read/modify - everything in essence).

--snip--
dn: uid=john.doe,ou=accounts,ou=people,dc=example,dc=com
changetype: modify
add: ObjectClass
ObjectClass: accessControlSubentry
-
add: subtreeSpecification
subtreeSpecification: {}
-
add: prescriptiveACI
prescriptiveACI:
{
  identificationTag "enableJohnDoeSelfAccess",
  precedence 50,
  authenticationLevel simple,
  itemOrUserFirst userFirst:
  {
    userClasses { thisEntry },
    userPermissions
    {
      {
        protectedItems {entry, allUserAttributeTypesAndValues},
        grantsAndDenials { grantModify, grantRead, grantReturnDN, grantBrowse }
      }
    }
  }
}
--snap--

Did I get that right, or is it completely wrong?

Summary:

 1 to modify ACIs, create an ldif and modify the subtree or the entry itself
 2 ACIs are defined in the ObjectClass: accessControlSubentry and the
attribute prescriptiveACI with the syntax mentioned somewhere in [1],
I think (at least there's an EBNF notation linked somewhere in that
area)

[1] http://directory.apache.org/apacheds/1.0/authorization.html
[2] http://directory.apache.org/apacheds/1.0/enablesearchforallusers.html
[3] http://cwiki.apache.org/confluence/pages/createpage.action?spaceKey=DIRxSRVx10&title=enableSearchForAllUsers.ldif&linkCreation=true&fromPageId=26217
-- 
Martin Marcher
martin.marcher@gmail.com
http://www.mycorners.com
https://www.xing.com/profile/Martin_Marcher
http://www.linkedin.com/in/martinmarcher
http://www.studivz.net/profile.php?ids=9f83ea8c5996b8ec
http://www.amazon.de/gp/registry/wishlist/3KDAGCL2NKOIM/ref=reg_hu-wl_goto-registry/302-4432803-5146435?ie=UTF8&sort=date-added
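As an added illustration (not part of the post, and not ApacheDS code), here is a simplified model of how the two prescriptiveACI items quoted above combine for a given bind DN and operation under X.501 basic access control: only the applicable items with the highest precedence count, a denial among them wins over a grant, and anything no item grants is refused. It assumes just the two user classes the post uses (allUsers, thisEntry), ignores protectedItems granularity, and adds a constructed second user `jane.roe`.

```python
from dataclasses import dataclass

# Ordering of authenticationLevel values: a bind must reach the ACI item's level.
AUTH_LEVELS = {"none": 0, "simple": 1, "strong": 2}

@dataclass(frozen=True)
class Aci:
    tag: str
    precedence: int
    auth_level: str          # authenticationLevel required by the ACI item
    user_class: str          # "allUsers" or "thisEntry" (the two classes in the post)
    grants: frozenset        # permissions granted, e.g. {"Read", "ReturnDN", "Browse"}
    denials: frozenset = frozenset()

# The two prescriptiveACI values from the post, transcribed into this model.
POST_ACIS = (
    Aci("enableSearchForAllUsers", 14, "simple", "allUsers",
        frozenset({"Read", "ReturnDN", "Browse"})),
    Aci("enableJohnDoeSelfAccess", 50, "simple", "thisEntry",
        frozenset({"Modify", "Read", "ReturnDN", "Browse"})),
)

def applies(aci, requester_dn, requester_auth, target_dn):
    """Does this ACI item apply to the requester for the target entry?"""
    if AUTH_LEVELS[requester_auth] < AUTH_LEVELS[aci.auth_level]:
        return False  # an anonymous bind never satisfies authenticationLevel simple
    if aci.user_class == "allUsers":
        return True
    if aci.user_class == "thisEntry":
        # thisEntry: the bound DN is the entry being accessed (self access)
        return requester_dn is not None and requester_dn.lower() == target_dn.lower()
    return False

def decide(acis, requester_dn, requester_auth, target_dn, permission):
    """Grant or refuse one permission on one entry (simplified BAC decision)."""
    relevant = [a for a in acis
                if applies(a, requester_dn, requester_auth, target_dn)
                and (permission in a.grants or permission in a.denials)]
    if not relevant:
        return False  # no applicable item mentions the permission: default deny
    top = max(a.precedence for a in relevant)
    winners = [a for a in relevant if a.precedence == top]
    if any(permission in a.denials for a in winners):
        return False  # a denial at the highest precedence beats any grant
    return any(permission in a.grants for a in winners)

JOHN = "uid=john.doe,ou=accounts,ou=people,dc=example,dc=com"
JANE = "uid=jane.roe,ou=accounts,ou=people,dc=example,dc=com"  # constructed second user
```

Run against the two items, John gets Modify on his own entry, Jane still gets Read/Browse/ReturnDN on it from the precedence-14 item but no Modify, and an anonymous bind gets nothing because both items require authenticationLevel simple.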
