directory-users mailing list archives

From "Chris Custine" <ccust...@apache.org>
Subject Re: ACI Problem - multiple ACI entries
Date Fri, 03 Aug 2007 23:04:32 GMT
Hi Wayne,
First, just as an FYI, you can have more than one prescriptiveACI in an
entry, so you didn't need both of the entries and could combine the ACIs
into one entry.  Try making the precedence of your write perms higher than
the read perms.  Even though the specificity of the write perms (due to
attributeType { userPassword }) is higher and should override, I just want
to make sure that there isn't a bug there.

I can't see anything obvious here, but if those suggestions don't help maybe
someone with more ACI knowledge will see something.

Thanks,
Chris

On 8/3/07, Wayne Johnson <wjohnson@mqsoftware.com> wrote:
>
> as a PS, here is what I see when using the ACI:
>
> # Should be accepted
> ldapmodify -h localhost -p 15008 -D
> "cn=fred,ou=users,dc=mqsoftware,dc=com" -w **** -x
> dn: cn=fred,ou=users,dc=mqsoftware,dc=com
> changetype: modify
> replace: userpassword
> userpassword: {SHA}****
> -
>
> modifying entry "cn=fred,ou=users,dc=mqsoftware,dc=com"
> ldap_modify: Insufficient access (50)
>         additional info: failed to modify entry cn=fred,ou=users,dc=mqsoftware,dc=com: null
>
> Any logging to determine what ACI is doing?
>
> > -----Original Message-----
> > From: Wayne Johnson [mailto:wjohnson@mqsoftware.com]
> > Sent: Friday, August 03, 2007 10:32 AM
> > To: users@directory.apache.org
> > Subject: ACI Problem - multiple ACI entries
> >
> >
> > OK, so now I think I know what I'm doing, except...
> >
> > I'm trying to set up ACI so that a user can see other users
> > exist, can see everything about themselves, and modify their
> > password.  It all appears to work except the modify password
> > stuff.  Are the multiple ACI entries conflicting with each other?
> >
> > Here's my ACI entries:
> >
> > # This ACI allows an User to see the DN of all users.
> > dn: cn=UserBrowsePermissions,ou=users,dc=mqsoftware,dc=com
> > objectClass: top
> > objectClass: subentry
> > objectClass: accessControlSubentry
> > cn: UserBrowsePermissions
> > subtreeSpecification: { }
> > prescriptiveACI: {
> >   identificationTag "UserBrowsePermissions",
> >   precedence 14,
> >   authenticationLevel simple,
> >   itemOrUserFirst userFirst:
> >   {
> >     userClasses
> >     {
> >       allUsers
> >     },
> >     userPermissions
> >     {
> >       {
> >         protectedItems { entry, allUserAttributeTypesAndValues },
> >         grantsAndDenials { grantBrowse, grantReturnDN }
> >       }
> >     }
> >   }
> >  }
> >
> > # This ACI allows an User to read everything about themselves
> > # and change their password.
> > dn: cn=UserWritePermissions,ou=users,dc=mqsoftware,dc=com
> > objectClass: top
> > objectClass: subentry
> > objectClass: accessControlSubentry
> > cn: UserWritePermissions
> > subtreeSpecification: { }
> > prescriptiveACI: {
> >   identificationTag "UserWritePermissions",
> >   precedence 14,
> >   authenticationLevel simple,
> >   itemOrUserFirst userFirst:
> >   {
> >     userClasses
> >     {
> >       thisEntry
> >     },
> >     userPermissions
> >     {
> >       {
> >         protectedItems { entry, allUserAttributeTypesAndValues },
> >         grantsAndDenials { grantRead, grantBrowse, grantReturnDN, grantCompare,
> >           grantFilterMatch, grantInvoke }
> >       },
> >       {
> >         protectedItems { entry, attributeType { userPassword } },
> >         grantsAndDenials { grantRead, grantBrowse, grantReturnDN, grantModify }
> >       }
> >     }
> >   }
> >  }
> >
> >
> >
> > Wayne Johnson
> > Senior Software Engineer
> > MQSoftware, Inc.
> > 1660 S Highway 100
> > Minneapolis, MN 55416
> > (952) 345-8628
> >
> >
> >
> >
>
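The shape Chris suggests, written out as an added example (editor's LDIF, not code from either poster): a single subentry under ou=users carrying both prescriptiveACI values, with the self-write item at precedence 15 so it outranks the allUsers browse item before the X.501 tie-break on user-class and protected-item specificity is even reached. The example also grants grantAdd and grantRemove on allAttributeValues { userPassword } alongside grantModify on the entry, because in the X.501 ACI model a replace of an attribute is a remove plus an add of values; that addition is this editor's, not something the thread states. It assumes ou=users,dc=mqsoftware,dc=com already carries administrativeRole: accessControlSpecificArea, as the original subentries imply, and the cn UserPermissions is a made-up name.

```ldif
# Added example, not from the thread. Assumes ou=users,dc=mqsoftware,dc=com
# is an access-control specific administrative area (administrativeRole:
# accessControlSpecificArea); the subentry name UserPermissions is made up.
dn: cn=UserPermissions,ou=users,dc=mqsoftware,dc=com
objectClass: top
objectClass: subentry
objectClass: accessControlSubentry
cn: UserPermissions
subtreeSpecification: { }
# Any simply-authenticated user may discover other entries and see their DNs.
prescriptiveACI: {
   identificationTag "UserBrowsePermissions",
   precedence 14,
   authenticationLevel simple,
   itemOrUserFirst userFirst:
   {
     userClasses { allUsers },
     userPermissions
     {
       {
         protectedItems { entry, allUserAttributeTypesAndValues },
         grantsAndDenials { grantBrowse, grantReturnDN }
       }
     }
   }
 }
# A user acting on their own entry. Precedence 15 beats the item above outright;
# grantAdd/grantRemove on the userPassword values (editor's assumption about
# what a replace needs) accompany grantModify on the entry.
prescriptiveACI: {
   identificationTag "UserWritePermissions",
   precedence 15,
   authenticationLevel simple,
   itemOrUserFirst userFirst:
   {
     userClasses { thisEntry },
     userPermissions
     {
       {
         protectedItems { entry, allUserAttributeTypesAndValues },
         grantsAndDenials { grantRead, grantBrowse, grantReturnDN, grantCompare,
           grantFilterMatch, grantInvoke }
       },
       {
         protectedItems { entry, attributeType { userPassword },
           allAttributeValues { userPassword } },
         grantsAndDenials { grantModify, grantAdd, grantRemove,
           grantRead, grantBrowse, grantReturnDN }
       }
     }
   }
 }
```

Load it with ldapadd bound as the directory administrator (uid=admin,ou=system on a default ApacheDS install), delete the two original subentries so their precedence-14 items no longer compete, then rerun the ldapmodify shown above as cn=fred. If the replace still returns Insufficient access (50) with this in place, the value-level grants are not the cause and the remaining suspect is the ACI evaluation itself, which is the bug Chris wants to rule out.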
