directory-users mailing list archives

From "Wayne Johnson" <wjohn...@mqsoftware.com>
Subject ACI Problem - multiple ACI entries
Date Fri, 03 Aug 2007 15:32:22 GMT
OK, so now I think I know what I'm doing, except...
 
I'm trying to set up ACI so that a user can see other users exist, can see everything about
themselves, and modify their password.  It all appears to work except the modify password
stuff.  Are the multiple ACI entries conflicting with each other?
 
Here's my ACI entries:
 
# This ACI allows a user to see the DN of all users.
dn: cn=UserBrowsePermissions,ou=users,dc=mqsoftware,dc=com
objectClass: top
objectClass: subentry
objectClass: accessControlSubentry
cn: UserBrowsePermissions
subtreeSpecification: { }
prescriptiveACI: { 
  identificationTag "UserBrowsePermissions", 
  precedence 14, 
  authenticationLevel simple,
  itemOrUserFirst userFirst: 
  { 
    userClasses 
    { 
      allUsers 
    }, 
    userPermissions 
    { 
      { 
        protectedItems { entry, allUserAttributeTypesAndValues }, 
        grantsAndDenials { grantBrowse, grantReturnDN }
      } 
    } 
  }
 } 
 
# This ACI allows a user to read everything about themselves
# and change their password.
dn: cn=UserWritePermissions,ou=users,dc=mqsoftware,dc=com
objectClass: top
objectClass: subentry
objectClass: accessControlSubentry
cn: UserWritePermissions
subtreeSpecification: { }
prescriptiveACI: { 
  identificationTag "UserWritePermissions", 
  precedence 14, 
  authenticationLevel simple,
  itemOrUserFirst userFirst: 
  { 
    userClasses 
    { 
      thisEntry 
    }, 
    userPermissions 
    { 
      { 
        protectedItems { entry, allUserAttributeTypesAndValues }, 
        grantsAndDenials { grantRead, grantBrowse, grantReturnDN, grantCompare, 
          grantFilterMatch, grantInvoke }
      },
      { 
        protectedItems { entry, attributeType { userPassword } }, 
        grantsAndDenials { grantRead, grantBrowse, grantReturnDN, grantModify } 
      } 
    } 
  }
 } 
 
 

Wayne Johnson 
Senior Software Engineer 
MQSoftware, Inc. 
1660 S Highway 100 
Minneapolis, MN 55416 
(952) 345-8628 
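To find out which of the three capabilities the two subentries above actually grant, the quickest check is to bind as an ordinary user with the OpenLDAP client tools and try each operation in turn. The script below is an added example, not part of the original message or of ApacheDS; the host, port (10389 is the ApacheDS default), base DN, test user DN and passwords are assumptions, overridable through environment variables. It uses simple binds (`-x`), which is what `authenticationLevel simple` in the ACI requires.

```shell
#!/bin/sh
# Added example: exercise the three things the ACI subentries are meant to grant
# (browse other users, read own entry, replace own userPassword), binding as a
# plain user. Host, port, base DN and the test user are assumptions.
HOST="${LDAP_HOST:-localhost}"
PORT="${LDAP_PORT:-10389}"                                  # ApacheDS default LDAP port
BASE="${LDAP_BASE:-ou=users,dc=mqsoftware,dc=com}"
USER_DN="${LDAP_USER_DN:-uid=testuser,ou=users,dc=mqsoftware,dc=com}"   # hypothetical user
USER_PW="${LDAP_USER_PW:-oldsecret}"                        # hypothetical current password
NEW_PW="${LDAP_NEW_PW:-newsecret}"                          # hypothetical new password

# LDIF for a self-service password change: a single modify/replace on userPassword,
# which is exactly the operation the second ACI has to permit.
ldif_replace_password() {
  printf 'dn: %s\nchangetype: modify\nreplace: userPassword\nuserPassword: %s\n' "$1" "$2"
}

# ldapsearch with a simple bind as the test user (matches authenticationLevel simple).
as_user_search() {
  ldapsearch -LLL -x -H "ldap://$HOST:$PORT" -D "$USER_DN" -w "$USER_PW" "$@"
}

# 1. Browse: list the DNs of the other entries under ou=users (1.1 = no attributes).
check_browse() {
  as_user_search -b "$BASE" -s one '(objectClass=*)' 1.1
}

# 2. Read self: fetch all user attributes of the bound user's own entry.
check_read_self() {
  as_user_search -b "$USER_DN" -s base '(objectClass=*)'
}

# 3. Modify self: replace the bound user's own userPassword.
check_change_password() {
  ldif_replace_password "$USER_DN" "$NEW_PW" |
    ldapmodify -x -H "ldap://$HOST:$PORT" -D "$USER_DN" -w "$USER_PW"
}

# Run the three checks and report each one; stdout is discarded but the tools'
# error text (e.g. insufficientAccessRights) stays visible on stderr.
run_all() {
  rc=0
  for step in check_browse check_read_self check_change_password; do
    if "$step" >/dev/null; then
      echo "PASS $step"
    else
      echo "FAIL $step"
      rc=1
    fi
  done
  return $rc
}

# Only talk to the server when invoked as:  sh aci_check.sh run
if [ "${1:-}" = run ]; then
  run_all
fi
```

If only the third step fails, look at the permissions on the userPassword item rather than at a clash between the two subentries: in the X.501 basic access control model that ApacheDS implements, a modify with `replace` is authorised as a removal of the existing values plus an addition of the new one, so on my reading of those rules the attribute needs grantAdd and grantRemove in addition to grantModify on the entry. The script does not change the ACI; it only tells you which operation the server is refusing.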

 
