From: "Wayne Johnson"
Reply-To: users@directory.apache.org
Subject: ACI Problem - multiple ACI entries
Date: Fri, 3 Aug 2007 10:32:22 -0500

OK, so now I think I know what I'm doing, except...

I'm trying to set up ACI so that a user can see other users exist, can see everything about themselves, and modify their password. It all appears to work except the modify password stuff. Are the multiple ACI entries conflicting with each other?

Here are my ACI entries:

# This ACI allows a User to see the DN of all users.
dn: cn=UserBrowsePermissions,ou=users,dc=mqsoftware,dc=com
objectClass: top
objectClass: subentry
objectClass: accessControlSubentry
cn: UserBrowsePermissions
subtreeSpecification: { }
prescriptiveACI: {
  identificationTag "UserBrowsePermissions",
  precedence 14,
  authenticationLevel simple,
  itemOrUserFirst userFirst:
  {
    userClasses
    {
      allUsers
    },
    userPermissions
    {
      {
        protectedItems { entry, allUserAttributeTypesAndValues },
        grantsAndDenials { grantBrowse, grantReturnDN }
      }
    }
  }
 }

# This ACI allows a User to read everything about themselves
# and change their password.
dn: cn=UserWritePermissions,ou=users,dc=mqsoftware,dc=com
objectClass: top
objectClass: subentry
objectClass: accessControlSubentry
cn: UserWritePermissions
subtreeSpecification: { }
prescriptiveACI: {
  identificationTag "UserWritePermissions",
  precedence 14,
  authenticationLevel simple,
  itemOrUserFirst userFirst:
  {
    userClasses
    {
      thisEntry
    },
    userPermissions
    {
      {
        protectedItems { entry, allUserAttributeTypesAndValues },
        grantsAndDenials { grantRead, grantBrowse, grantReturnDN, grantCompare,
          grantFilterMatch, grantInvoke }
      },
      {
        protectedItems { entry, attributeType { userPassword } },
        grantsAndDenials { grantRead, grantBrowse, grantReturnDN, grantModify }
      }
    }
  }
 }

Wayne Johnson
Senior Software Engineer
MQSoftware, Inc.
1660 S Highway 100
Minneapolis, MN 55416
(952) 345-8628