directory-users mailing list archives

From "Martin Marcher" <martin.marc...@gmail.com>
Subject Re: ACI Basics/understanding
Date Wed, 04 Apr 2007 14:19:15 GMT
hehe, now that was easy.

Guess I just need some coffee to get focused again after all the docs
"just seem to be there"(r) :)

Looks like I somehow started reading the whole thing backwards.

On 4/4/07, Ersin Er <ersin.er@gmail.com> wrote:
> Hi Martin,
>
> You may want to follow the instruction on the following page:
>
> http://directory.apache.org/apacheds/1.0/32-basic-authorization.html
>
> If it does not help, let us know for further help.
>
> On 4/4/07, Martin Marcher <martin.marcher@gmail.com> wrote:
> > Hello,
> >
> > I just jumped into apacheds and am doing basic stuff for directory
> > integration (apacheds-1.0.1).
> >
> > Now what I can't find is docs that I can use to set up ACIs, does
> > anybody have links for this?
> >
> > I found the authorization[1] and the subsequent pages. But even the
> > "Enable Search for all users"[2] is somewhat unclear to me.
> >
> > We're trying to switch as much of our services as possible to java
> > since our company develops mainly in that area, however I'm not a Java
> > programmer.
> >
> > Back to the topic, following the example in [2] I think the following
> > should be true:
> >
> > ACIs are handled over LDIF entries, which in turn are applied to a
> > subtree or a single element, meaning if I need an ACI for a subtree or
> > entry in apacheds I have to add an:
> >
> > objectClass: accessControlSubentry
> >
> > to the entry I want to grant/deny access.
> >
> > Translating the java code on [2] to ldif the following should result:
> >
> > I kept the newlines in prescriptiveACI for reading purposes:
> > (if this is correct maybe someone could post it to [3])
> > --snip--
> > dn: cn=enableSearchForAllUsers,dc=example,dc=com
> > ObjectClass: accessControlSubentry
> > subtreeSpecification: {}
> > prescriptiveACI:
> > {
> >   identificationTag "enableSearchForAllUsers",
> >   precedence 14,
> >   authenticationLevel simple,
> >   itemOrUserFirst userFirst:
> >   {
> >     userClasses { allUsers },
> >     userPermissions
> >     {
> >       {
> >         protectedItems {entry, allUserAttributeTypesAndValues},
> >         grantsAndDenials { grantRead, grantReturnDN, grantBrowse }
> >       }
> >     }
> >   }
> > }
> > --snap--
> >
> > Now with this information say I have an inetOrgPerson at the following location:
> >
> > --snip--
> > dn: uid=john.doe,ou=accounts,ou=people,dc=example,dc=com
> > ObjectClass: inetOrgPerson
> > ObjectClass: organizationalPerson
> > ObjectClass: person
> > ObjectClass: posixAccount
> > ObjectClass: shadowAccount
> > ObjectClass: top
> > cn: John Doe
> > cn: Jonathan Doe
> > gidnumber: 1000
> > homedirectory: /home/john.doe
> > sn: Doe
> > uid: john.doe
> > uidnumber: 1000
> > displayname: John Doe
> > givenname: John
> > givenname: Johnathan
> > --snap--
> >
> > Now I want only "dn:
> > uid=john.doe,ou=accounts,ou=people,dc=example,dc=com" to be able to
> > access it (self read/modify - everything in essence)
> >
> > --snip--
> > dn: uid=john.doe,ou=accounts,ou=people,dc=example,dc=com
> > changetype: modify
> > add: ObjectClass
> > ObjectClass: accessControlSubentry
> > -
> > add: subtreeSpecification
> > subtreeSpecification: {}
> > -
> > add: prescriptiveACI
> > prescriptiveACI:
> > {
> >   identificationTag "enableJohnDoeSelfAccess",
> >   precedence 50,
> >   authenticationLevel simple,
> >   itemOrUserFirst userFirst:
> >   {
> >     userClasses { thisEntry },
> >     userPermissions
> >     {
> >       {
> >         protectedItems {entry, allUserAttributeTypesAndValues},
> >         grantsAndDenials { grantModify, grantRead, grantReturnDN, grantBrowse }
> >       }
> >     }
> >   }
> > }
> > --snap--
> >
> > Did I get that right, or is it completely wrong?
> >
> > Summary:
> >
> >  1 To modify ACIs, create an LDIF and modify the subtree of the entry itself
> >  2 ACIs are defined in the ObjectClass: accessControlSubentry and the
> > attribute prescriptiveACI with the syntax mentioned somewhere in [1]
> > I think (at least there's an EBNF notation linked somewhere in that
> > area)
> >
> > [1] http://directory.apache.org/apacheds/1.0/authorization.html
> > [2] http://directory.apache.org/apacheds/1.0/enablesearchforallusers.html
> > [3] http://cwiki.apache.org/confluence/pages/createpage.action?spaceKey=DIRxSRVx10&title=enableSearchForAllUsers.ldif&linkCreation=true&fromPageId=26217
> > --
> > Martin Marcher
> > martin.marcher@gmail.com
> > http://www.mycorners.com
> > https://www.xing.com/profile/Martin_Marcher
> > http://www.linkedin.com/in/martinmarcher
> > http://www.studivz.net/profile.php?ids=9f83ea8c5996b8ec
> > http://www.amazon.de/gp/registry/wishlist/3KDAGCL2NKOIM/ref=reg_hu-wl_goto-registry/302-4432803-5146435?ie=UTF8&sort=date-added
> >
>
>
> --
> Ersin
>


-- 
Martin Marcher
martin.marcher@gmail.com
http://www.mycorners.com
https://www.xing.com/profile/Martin_Marcher
http://www.linkedin.com/in/martinmarcher
http://www.studivz.net/profile.php?ids=9f83ea8c5996b8ec
http://www.amazon.de/gp/registry/wishlist/3KDAGCL2NKOIM/ref=reg_hu-wl_goto-registry/302-4432803-5146435?ie=UTF8&sort=date-added
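As an added example (not part of this thread and not ApacheDS project code), here is a small Python helper for the LDIF mechanics the question is about: it collapses a pretty-printed prescriptiveACI into a single value, folds it the way RFC 2849 requires (a raw newline inside a value is not legal LDIF, so the "kept for readability" formatting has to go before loading), and checks every grantsAndDenials token against the X.501 basic-access-control vocabulary before emitting the subentry. Function names (`subentry_ldif`, `check_grants`, `fold_ldif_attr`) and the sample ACIs are mine; the token list is assumed to be the complete X.501 set, and the `objectClass: subentry` and `cn` lines are my assumption about what an ApacheDS subentry needs beyond the accessControlSubentry class shown above.

```python
import re

# X.501 basic-access-control grant/deny vocabulary used by ApacheDS prescriptiveACI
# values (assumed complete here; the thread itself only shows four of them).
_OPERATIONS = ("Add", "DiscloseOnError", "Read", "Remove", "Browse", "Export",
               "Import", "Modify", "Rename", "ReturnDN", "Compare",
               "FilterMatch", "Invoke")
KNOWN_GRANTS = {prefix + op for prefix in ("grant", "deny") for op in _OPERATIONS}


def collapse_aci(pretty: str) -> str:
    """Join an indented, multi-line ACI into one line: an LDIF value may not
    contain raw newlines unless it is base64-encoded."""
    return " ".join(pretty.split())


def fold_ldif_attr(attr: str, value: str, width: int = 76) -> str:
    """Emit 'attr: value' folded per RFC 2849: continuation lines start with
    one space, which the reader strips again when unfolding."""
    line = f"{attr}: {value}"
    chunks = [line[:width]]
    rest = line[width:]
    while rest:
        chunks.append(" " + rest[: width - 1])
        rest = rest[width - 1:]
    return "\n".join(chunks)


def unfold_ldif(text: str) -> str:
    """Reverse RFC 2849 folding (a newline followed by a single space)."""
    return text.replace("\n ", "")


def check_grants(aci: str) -> list:
    """Return every token inside grantsAndDenials { ... } that is not a known
    grant/deny keyword. A slip like 'grant ReturnDN' (with a space) shows up
    as two bad tokens, 'grant' and 'ReturnDN', instead of silently loading."""
    bad = []
    for match in re.finditer(r"grantsAndDenials\s*\{([^}]*)\}", aci):
        for token in match.group(1).replace(",", " ").split():
            if token not in KNOWN_GRANTS:
                bad.append(token)
    return bad


def subentry_ldif(cn: str, parent_dn: str, aci_pretty: str) -> str:
    """Build an LDIF add record for an access control subentry. The 'subentry'
    objectClass and the cn attribute are my assumption about what ApacheDS
    requires beyond the accessControlSubentry class shown in the thread."""
    aci = collapse_aci(aci_pretty)
    bad = check_grants(aci)
    if bad:
        raise ValueError(f"unknown grant/deny tokens: {bad}")
    return "\n".join([
        f"dn: cn={cn},{parent_dn}",
        "objectClass: top",
        "objectClass: subentry",
        "objectClass: accessControlSubentry",
        f"cn: {cn}",
        "subtreeSpecification: {}",
        fold_ldif_attr("prescriptiveACI", aci),
    ]) + "\n"


# Constructed sample: read/browse access for every authenticated user.
ACI_ALL_USERS = """
{ identificationTag "enableSearchForAllUsers",
  precedence 14,
  authenticationLevel simple,
  itemOrUserFirst userFirst:
  { userClasses { allUsers },
    userPermissions
    { { protectedItems { entry, allUserAttributeTypesAndValues },
        grantsAndDenials { grantRead, grantReturnDN, grantBrowse } } } } }
"""

# Constructed sample with a mistyped token ("grant ReturnDN" split in two).
ACI_TYPO = """
{ identificationTag "selfAccess", precedence 50, authenticationLevel simple,
  itemOrUserFirst userFirst:
  { userClasses { thisEntry },
    userPermissions
    { { protectedItems { entry, allUserAttributeTypesAndValues },
        grantsAndDenials { grantModify, grantRead, grant ReturnDN, grantBrowse } } } } }
"""

if __name__ == "__main__":
    print(subentry_ldif("enableSearchForAllUsers", "dc=example,dc=com", ACI_ALL_USERS))
    print("typo tokens:", check_grants(ACI_TYPO))
```

The generator writes the subentry as its own entry under the administrative point rather than adding accessControlSubentry to the user entry; ApacheDS also expects that parent to carry `administrativeRole: accessControlSpecificArea`, which this helper does not emit and which the linked docs cover. Running `check_grants` before loading is the cheap way to catch a token typo that would otherwise fail (or, worse, be misread) at import time.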
