From "Wayne Johnson" <wjohn...@mqsoftware.com>
Subject RE: ACI Problem - multiple ACI entries
Date Fri, 03 Aug 2007 16:05:55 GMT
As a PS, here is what I see when using the ACI:

# Should be accepted
ldapmodify -h localhost -p 15008 -D "cn=fred,ou=users,dc=mqsoftware,dc=com" -w **** -x
dn: cn=fred,ou=users,dc=mqsoftware,dc=com
changetype: modify
replace: userpassword
userpassword: {SHA}****
-

modifying entry "cn=fred,ou=users,dc=mqsoftware,dc=com"
ldap_modify: Insufficient access (50)
        additional info: failed to modify entry cn=fred,ou=users,dc=mqsoftware,dc=com: null

Any logging to determine what ACI is doing?

> -----Original Message-----
> From: Wayne Johnson [mailto:wjohnson@mqsoftware.com]
> Sent: Friday, August 03, 2007 10:32 AM
> To: users@directory.apache.org
> Subject: ACI Problem - multiple ACI entries
> 
> 
> OK, so now I think I know what I'm doing, except...
>  
> I'm trying to set up ACI so that a user can see other users 
> exist, can see everything about themselves, and modify their 
> password.  It all appears to work except the modify password 
> stuff.  Are the multiple ACI entries conflicting with each other?
>  
> Here's my ACI entries:
>  
> # This ACI allows a User to see the DN of all users.
> dn: cn=UserBrowsePermissions,ou=users,dc=mqsoftware,dc=com
> objectClass: top
> objectClass: subentry
> objectClass: accessControlSubentry
> cn: UserBrowsePermissions
> subtreeSpecification: { }
> prescriptiveACI: { 
>   identificationTag "UserBrowsePermissions", 
>   precedence 14, 
>   authenticationLevel simple,
>   itemOrUserFirst userFirst: 
>   { 
>     userClasses 
>     { 
>       allUsers 
>     }, 
>     userPermissions 
>     { 
>       { 
>         protectedItems { entry, allUserAttributeTypesAndValues }, 
>         grantsAndDenials { grantBrowse, grantReturnDN }
>       } 
>     } 
>   }
>  } 
>  
> # This ACI allows a User to read everything about themselves 
> # and change their password.
> dn: cn=UserWritePermissions,ou=users,dc=mqsoftware,dc=com
> objectClass: top
> objectClass: subentry
> objectClass: accessControlSubentry
> cn: UserWritePermissions
> subtreeSpecification: { }
> prescriptiveACI: { 
>   identificationTag "UserWritePermissions", 
>   precedence 14, 
>   authenticationLevel simple,
>   itemOrUserFirst userFirst: 
>   { 
>     userClasses 
>     { 
>       thisEntry 
>     }, 
>     userPermissions 
>     { 
>       { 
>         protectedItems { entry, allUserAttributeTypesAndValues }, 
>         grantsAndDenials { grantRead, grantBrowse, grantReturnDN, grantCompare, 
>           grantFilterMatch, grantInvoke }
>       },
>       { 
>         protectedItems { entry, attributeType { userPassword } }, 
>         grantsAndDenials { grantRead, grantBrowse, grantReturnDN, grantModify } 
>       } 
>     } 
>   }
>  } 
>  
>  
> 
> Wayne Johnson 
> Senior Software Engineer 
> MQSoftware, Inc. 
> 1660 S Highway 100 
> Minneapolis, MN 55416 
> (952) 345-8628 
> 

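As an added illustration (not ApacheDS code and not part of the thread), the script below models how X.501 basic access control evaluates the posted UserWritePermissions ACI for a `replace: userPassword` done by the entry's own user. It assumes the standard X.501/ApacheDS rule that a replace of attribute values needs `grantModify` on the entry plus `grantAdd` and `grantRemove` on that attribute's values (the `allAttributeValues { userPassword }` protected item), and it skips user-class matching and precedence, since `thisEntry` matches the bind DN and there are no denials in play.

```python
# Minimal model of X.501 basic-access-control checks for one LDAP modify.
# Added example, not ApacheDS code. Assumption: a 'replace' of attribute
# values needs grantModify on the entry AND grantAdd + grantRemove on the
# attribute's values (protected item allAttributeValues), not only a grant
# on the attributeType protected item.

# The posted UserWritePermissions items, transcribed as data.
AS_POSTED = [
    {"protectedItems": {"entry", "allUserAttributeTypesAndValues"},
     "grants": {"grantRead", "grantBrowse", "grantReturnDN", "grantCompare",
                "grantFilterMatch", "grantInvoke"}},
    {"protectedItems": {"entry", ("attributeType", "userPassword")},
     "grants": {"grantRead", "grantBrowse", "grantReturnDN", "grantModify"}},
]

# Same ACI with value-level add/remove permissions on userPassword (constructed).
WITH_VALUE_PERMS = AS_POSTED[:1] + [
    {"protectedItems": {"entry", ("attributeType", "userPassword"),
                        ("allAttributeValues", "userPassword")},
     "grants": {"grantRead", "grantBrowse", "grantReturnDN", "grantModify",
                "grantAdd", "grantRemove"}},
]

def covers(item, target):
    """Does one protectedItems member cover the (kind, attribute) target?"""
    kind, attr = target
    if item == "entry":
        return kind == "entry"
    if item == "allUserAttributeTypesAndValues":  # userPassword is a user attribute
        return kind in ("attributeType", "attributeValue")
    item_kind, item_attr = item
    if item_kind == "attributeType":
        return kind == "attributeType" and item_attr == attr
    if item_kind == "allAttributeValues":
        return kind == "attributeValue" and item_attr == attr
    return False

def granted(items, target, perm):
    """True if some permission item covering target grants perm."""
    return any(perm in p["grants"] and any(covers(i, target) for i in p["protectedItems"])
               for p in items)

def replace_allowed(items, attr):
    """Return (allowed, missing requirements) for 'replace: <attr>'."""
    checks = {
        "grantModify on entry": granted(items, ("entry", None), "grantModify"),
        f"grantAdd on {attr} values": granted(items, ("attributeValue", attr), "grantAdd"),
        f"grantRemove on {attr} values": granted(items, ("attributeValue", attr), "grantRemove"),
    }
    return all(checks.values()), [k for k, ok in checks.items() if not ok]

if __name__ == "__main__":
    for name, items in (("as posted", AS_POSTED), ("with value perms", WITH_VALUE_PERMS)):
        ok, missing = replace_allowed(items, "userPassword")
        print(name, "->", "allowed" if ok else "denied, missing: " + ", ".join(missing))
```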