directory-users mailing list archives

From "Ersin Er" <ersin...@gmail.com>
Subject Re: ACI Problem - multiple ACI entries
Date Sat, 04 Aug 2007 20:43:37 GMT
You may have a problem with precedences. Have a look here, please:

http://cwiki.apache.org/DIRxSBOX/draft-aci-based-access-control-step-by-step-guide.html

HTH,

On 8/3/07, Wayne Johnson <wjohnson@mqsoftware.com> wrote:
>
> OK, so now I think I know what I'm doing, except...
>
> I'm trying to set up ACI so that a user can see other users exist, can see
> everything about themselves, and modify their password.  It all appears to
> work except the modify password stuff.  Are the multiple ACI entries
> conflicting with each other?
>
> Here are my ACI entries:
>
> # This ACI allows a user to see the DN of all users.
> dn: cn=UserBrowsePermissions,ou=users,dc=mqsoftware,dc=com
> objectClass: top
> objectClass: subentry
> objectClass: accessControlSubentry
> cn: UserBrowsePermissions
> subtreeSpecification: { }
> prescriptiveACI: {
>   identificationTag "UserBrowsePermissions",
>   precedence 14,
>   authenticationLevel simple,
>   itemOrUserFirst userFirst:
>   {
>     userClasses
>     {
>       allUsers
>     },
>     userPermissions
>     {
>       {
>         protectedItems { entry, allUserAttributeTypesAndValues },
>         grantsAndDenials { grantBrowse, grantReturnDN }
>       }
>     }
>   }
> }
>
> # This ACI allows a user to read everything about themselves
> # and change their password.
> dn: cn=UserWritePermissions,ou=users,dc=mqsoftware,dc=com
> objectClass: top
> objectClass: subentry
> objectClass: accessControlSubentry
> cn: UserWritePermissions
> subtreeSpecification: { }
> prescriptiveACI: {
>   identificationTag "UserWritePermissions",
>   precedence 14,
>   authenticationLevel simple,
>   itemOrUserFirst userFirst:
>   {
>     userClasses
>     {
>       thisEntry
>     },
>     userPermissions
>     {
>       {
>         protectedItems { entry, allUserAttributeTypesAndValues },
>         grantsAndDenials { grantRead, grantBrowse, grantReturnDN, grantCompare,
>           grantFilterMatch, grantInvoke }
>       },
>       {
>         protectedItems { entry, attributeType { userPassword } },
>         grantsAndDenials { grantRead, grantBrowse, grantReturnDN, grantModify }
>       }
>     }
>   }
> }
>
>
>
> Wayne Johnson
> Senior Software Engineer
> MQSoftware, Inc.
> 1660 S Highway 100
> Minneapolis, MN 55416
> (952) 345-8628
>
>
>


-- 
Ersin Er

R.A. and Ph.D Student at the Dept. of Computer Eng. in Hacettepe University
http://www.cs.hacettepe.edu.tr

Committer and PMC Member of The Apache Directory Project
http://directory.apache.org
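To see how the "precedences" hint above plays out, here is an added example (not code from the thread or from ApacheDS): a simplified model of the X.501 access control decision function that ApacheDS applies when several ACI tuples cover one request, fed with tuples derived from the two subentries in the post plus a constructed, hypothetical third subentry that denies Modify. The specificity rankings and the attribute-item model are my simplification of the standard's rules.

```python
from dataclasses import dataclass

# Specificity rankings used by the ACDF tie-break: larger value = more specific.
USER_CLASS_RANK = {"allUsers": 0, "subtree": 1, "userGroup": 2, "name": 3, "thisEntry": 3}
ITEM_RANK = {"entry": 0, "allUserAttributeTypesAndValues": 1, "attributeType": 2}

@dataclass(frozen=True)
class AciTuple:
    tag: str          # identificationTag of the subentry the tuple came from
    precedence: int
    user_class: str   # key of USER_CLASS_RANK
    item: str         # key of ITEM_RANK
    attr: str = None  # attribute name when item == "attributeType"
    grant: bool = True
    perm: str = ""    # micro-operation, e.g. "Modify", "Read", "Browse"

def relates(t, target_attr):
    """Does the tuple's protected item cover the target (None = the entry itself)?"""
    if target_attr is None:
        return t.item == "entry"
    return t.item == "allUserAttributeTypesAndValues" or (t.item == "attributeType" and t.attr == target_attr)

def decide(tuples, requester_classes, perm, target_attr=None):
    """X.501 ACDF, simplified: keep related tuples, then highest precedence,
    then most specific user class, then most specific item; grant only if
    every remaining tuple grants. No applicable tuple means deny."""
    c = [t for t in tuples if t.user_class in requester_classes and t.perm == perm and relates(t, target_attr)]
    if not c:
        return False
    c = [t for t in c if t.precedence == max(x.precedence for x in c)]
    c = [t for t in c if USER_CLASS_RANK[t.user_class] == max(USER_CLASS_RANK[x.user_class] for x in c)]
    c = [t for t in c if ITEM_RANK[t.item] == max(ITEM_RANK[x.item] for x in c)]
    return all(t.grant for t in c)

def expand(tag, prec, user_class, items, perms, grant=True):
    """Flatten one userPermissions element into ACDF tuples; items are (item, attr) pairs."""
    return [AciTuple(tag, prec, user_class, i, a, grant, p) for i, a in items for p in perms]

# Tuples derived from the two subentries in the post (both at precedence 14).
POSTED = (
    expand("UserBrowsePermissions", 14, "allUsers",
           [("entry", None), ("allUserAttributeTypesAndValues", None)], ["Browse", "ReturnDN"])
    + expand("UserWritePermissions", 14, "thisEntry",
             [("entry", None), ("allUserAttributeTypesAndValues", None)],
             ["Read", "Browse", "ReturnDN", "Compare", "FilterMatch", "Invoke"])
    + expand("UserWritePermissions", 14, "thisEntry",
             [("entry", None), ("attributeType", "userPassword")], ["Read", "Browse", "ReturnDN", "Modify"])
)
SELF, OTHER = {"allUsers", "thisEntry"}, {"allUsers"}   # requester's user classes
# Constructed, hypothetical subentry denying Modify to everyone, at two precedences.
DENY14 = expand("HypotheticalDeny", 14, "allUsers", [("entry", None)], ["Modify"], grant=False)
DENY15 = expand("HypotheticalDeny", 15, "allUsers", [("entry", None)], ["Modify"], grant=False)
```

With the posted tuples alone a user is granted Modify on their own entry; a deny at the same precedence 14 loses to the more specific thisEntry grant, while the same deny at precedence 15 wins before specificity is ever considered.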
