directory-users mailing list archives
From: "Robb Penoyer" <r...@wyattaccelerator.com>
Subject: RE: RE - Simplist of ACI's - question
Date: Thu, 13 Sep 2007 23:55:01 GMT
OK,

I have to be an idiot... but here it is, this is your ldif. Fresh new
install of 1.5.1, XP SP2, Java 1.5.0_12, only config change was to turn
ACI's on. Fails to import.... If you have any pointers, that would be
great, but you're busy, so I'll keep playing with it and update the thread.

R-

dn: cn=authzSubentry,dc=example,dc=com
objectClass: subentry
objectClass: accessControlSubentry
objectClass: top
cn: authzSubentry
subtreeSpecification: 
	{ specificExclusions { chopBefore: "ou=notBrowsable" }}
prescriptiveACI: 
{
	identificationTag "testACI",
	precedence 10,
	authenticationLevel none,
	itemOrUserFirst userFirst: 
	{
		userClasses { allUsers },
		userPermissions 
		{
			{
				protectedItems {
allUserAttributeTypesAndValues, entry },
				grantsAndDenials { grantRead, grantReturnDN,
grantBrowse }
			}
			,
			{
				protectedItems { attributeType {
userPassword } }
				,
				grantsAndDenials {denyCompare,
denyFilterMatch, denyRead } 
			}
		}
	}
}

-----Original Message-----
From: Ersin Er [mailto:ersin.er@gmail.com] 
Sent: Thursday, September 13, 2007 3:01 AM
To: users@directory.apache.org
Subject: Re: RE - Simplist of ACI's - question

It seems I forgot to paste the subtreeSpecification attribute for my config.
Here it is:

{ specificExclusions { chopBefore: "ou=notBrowsable" } }

On 9/13/07, Ersin Er <ersin.er@gmail.com> wrote:
>
> Hi again,
>
> I do not see any problem with your configuration. I tried almost the same
> configuration and it works fine here. Here is mine:
>
> dn: dc=example,dc=com
> changetype: modify
> add: administrativeRole
> administrativeRole: accessControlSpecificArea
>
> dn: cn=authzSubentry,dc=example,dc=com
> objectClass: subentry
> objectClass: accessControlSubentry
> objectClass: top
> cn: authzSubentry
> prescriptiveACI: {
>     identificationTag "testACI",
>     precedence 10,
>     authenticationLevel none,
>     itemOrUserFirst userFirst:
>     {
>         userClasses { allUsers },
>         userPermissions
>         {
>             {
>                 precedence 10,
>                 protectedItems { allUserAttributeTypesAndValues, entry },
>                 grantsAndDenials
>                 {
>                     grantRead,
>                     grantReturnDN,
>                     grantBrowse
>                 }
>             }
>             ,
>             {
>                 precedence 10,
>                 protectedItems
>                 {
>                     attributeType { userPassword }
>                 }
>                 ,
>                 grantsAndDenials
>                 {
>                     denyCompare,
>                     denyFilterMatch,
>                     denyRead
>                 }
>             }
>         }
>     }
> }
>
> dn: ou=notBrowsable,dc=example,dc=com
> objectClass: organizationalUnit
> objectClass: top
> ou: notBrowsable
>
> dn: ou=browsable,dc=example,dc=com
> objectClass: organizationalUnit
> objectClass: top
> ou: browsable
>
> dn: ou=child1,ou=browsable,dc=example,dc=com
> objectClass: organizationalUnit
> objectClass: top
> ou: child1
>
> dn: ou=child2,ou=browsable,dc=example,dc=com
> objectClass: organizationalUnit
> objectClass: top
> ou: child2
>
> dn: ou=child3,ou=notBrowsable,dc=example,dc=com
> objectClass: organizationalUnit
> objectClass: top
> ou: child3
>
> dn: ou=child4,ou=notBrowsable,dc=example,dc=com
> objectClass: organizationalUnit
> objectClass: top
> ou: child4
>
>
> And I also attached a screenshot from Apache Directory Studio for showing
> the case.
>
> HTH,
>
>
> On 9/13/07, Robb Penoyer <robb@wyattaccelerator.com> wrote:
> >
> >
> > Hey guys, turns out I wasn't subscribed to the users list... sorry for the
> > delay getting back with you.
> >
> > The ldif I am importing is pretty simple, the intent is a tree like this,
> > with two regions, one enabled to browse, the other not.
> >
> >                dc=wyatt,dc=com (accessControlSpecificArea)
> >                       |
> >                    /     \
> >      ou=wyattbrowse       ou=wyattnobrowse
> >       /        \              /        \
> > ou=child1   ou=child2   ou=child1   ou=child2
> >
> >
> > Here is the ldif (the ACI I applied is below from original post):
> >
> > dn: uid=wyatt,ou=users,ou=system
> > displayName: Wyatt Directory User
> > uid: wyatt
> > userPassword: wyatt
> > objectClass: top
> > objectClass: person
> > objectClass: organizationalPerson
> > objectClass: inetOrgPerson
> > sn: wyatt
> > cn: wyatt
> >
> > dn: ou=wyattnobrowse,dc=example,dc=com
> > ou: wyattnobrowse
> > objectclass: top
> > objectclass: organizationalunit
> > description: Wyatt cannot browse here
> >
> > dn: ou=child1,ou=wyattnobrowse,dc=example,dc=com
> > ou: childone,
> > objectclass: top
> > objectclass: organizationalunit
> > description: Wyatt cannot browse here
> >
> > dn: ou=child2,dc=example,dc=com
> > ou: child2
> > objectclass: top
> > objectclass: organizationalunit
> > description: Wyatt cannot browse here
> >
> > dn: ou=wyattbrowse,dc=example,dc=com
> > ou: wyattsystem
> > objectclass: top
> > objectclass: organizationalunit
> > description: Wyatt can browse here
> >
> > dn: ou=child1,ou= wyattbrowse,dc=example,dc=com
> > ou: childone,
> > objectclass: top
> > objectclass: organizationalunit
> > description: Wyatt cannot browse here
> >
> > dn: ou=child2,ou=wyattbrowse,dc=example,dc=com
> > ou: child2
> > objectclass: top
> > objectclass: organizationalunit
> > description: Wyatt cannot browse here
> >
> >
> > On 9/12/07, Ersin Er <ersin.er@gmail.com> wrote:
> > >
> > > On 9/12/07, Robb Penoyer <robb@wyattaccelerator.com> wrote:
> > > >
> > > > Long time since I appeared anywhere near this project - hi all.
> > > >
> > > >
> > > >
> > > > Started playing with AAA's and such, read all the docs. Now I have a
> > > > question/problem.
> > > >
> > > >
> > > >
> > > > Using the standard ApacheDs 1.5.1 install, I modified the server.xml to
> > > > enable access controls. I also added the administrativeRole:
> > > > accessControlSpecificArea attribute to the base dn for dc=example,dc=com
> > > > in server.xml.
> > > >
> > > > (Verified the OA was there with studio).
> > > >
> > > >
> > > >
> > > > Added a new uid=wyatt via ldif, verified he couldn't see anything.
> > > >
> > > >
> > > >
> > > > Added a bunch of entries under dc=example,dc=com
> > > >
> > > >
> > > >
> > > > Added the following ACI ldif:
> > > >
> > > > dn: cn=authorizationsACISubentry,dc=example,dc=com
> > > >
> > > > changetype: add
> > > >
> > > > objectclass: top
> > > >
> > > > objectclass: subentry
> > > >
> > > > objectclass: accessControlSubentry
> > > >
> > > > cn: authorizationsACISubentry
> > > >
> > > > subtreeSpecification: { specificExclusions { chopBefore: "ou=wyattnobrowse" } }
> > > >
> > > > prescriptiveACI: {
> > > >
> > > >    identificationTag "allUsersACI",
> > > >
> > > >    precedence 10,
> > > >
> > > >    authenticationLevel none,
> > > >
> > > >    itemOrUserFirst userFirst:
> > > >
> > > >    {
> > > >
> > > >      userClasses
> > > >
> > > >      {
> > > >
> > > >        allUsers
> > > >
> > > >      },
> > > >
> > > >      userPermissions
> > > >
> > > >      {
> > > >
> > > >         {
> > > >
> > > >          protectedItems { entry, allUserAttributeTypesAndValues },
> > > >
> > > >          grantsAndDenials { grantRead, grantReturnDN, grantBrowse }
> > > >
> > > >        },
> > > >
> > > >        {
> > > >
> > > >           protectedItems { attributeType { userPassword } },
> > > >
> > > >           grantsAndDenials { denyRead, denyCompare, denyFilterMatch }
> > > >
> > > >        }
> > > >
> > > >      }
> > > >
> > > >    }
> > > >
> > > > }
> > > >
> > > >
> > > >
> > > > The result: the wyatt user still cannot see anything. Whatup? If this
> > > > should be on the dev list, please let me know.
> > >
> > >
> > > It's fine to have this on users list.
> > >
> > > Can you please provide the complete ldif export? It's hard to say
> > > what's wrong with the information you gave. I especially would like to
> > > know where the entries you're trying to access are with respect to
> > > "ou=wyattnobrowse".
> > >
> > >
> > > Thx.
> > > >
> > >
> > > --
> > > Ersin Er
> > > http://www.ersin-er.name
> > >
> >
> >
>
>
> --
> Ersin Er
> http://www.ersin-er.name
>
>


-- 
Ersin Er
http://www.ersin-er.name
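The subentry at the top of this message puts each ACI value on the line after its attribute name, while Ersin's working copy starts the value on the attribute line itself. Before suspecting the ACI grammar, it is worth checking that the file is valid LDIF at all: RFC 2849 only treats a line beginning with a single space as a continuation of the previous line. The following linter is an added example, not code from the thread or from ApacheDS; `BAD_FOLD`, `GOOD_FOLD`, `unfold` and `lint` are names chosen here, and both samples are constructed, modelled on the authzSubentry above.

```python
import re
# Constructed sample (modelled on the subentry in the thread): each ACI value is
# pushed onto the next line and indented with a TAB, which is not LDIF folding.
BAD_FOLD = (
    "dn: cn=authzSubentry,dc=example,dc=com\n"
    "cn: authzSubentry\n"
    "subtreeSpecification: \n"
    "\t{ specificExclusions { chopBefore: \"ou=notBrowsable\" }}\n"
    "prescriptiveACI: \n"
    "{\n"
    "\tidentificationTag \"testACI\",\n"
    "}\n"
)
# Same subentry folded per RFC 2849: a continuation line starts with exactly one
# space (stripped on unfold); the second space keeps the ACI tokens apart.
GOOD_FOLD = (
    "dn: cn=authzSubentry,dc=example,dc=com\n"
    "cn: authzSubentry\n"
    "subtreeSpecification: { specificExclusions { chopBefore: \"ou=notBrowsable\" } }\n"
    "prescriptiveACI: { identificationTag \"testACI\", precedence 10,\n"
    "  authenticationLevel none, itemOrUserFirst userFirst: { userClasses { allUsers },\n"
    "  userPermissions { { protectedItems { allUserAttributeTypesAndValues, entry },\n"
    "  grantsAndDenials { grantRead, grantReturnDN, grantBrowse } } } } }\n"
)
ATTR_LINE = re.compile(r"^([A-Za-z][\w;.-]*):[:<]? ?(.*)$")  # name: value, name:: b64, name:< url

def unfold(text):
    """Join RFC 2849 continuation lines (leading single space) onto the line before."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def lint(text):
    """Return (line, problem, text) for unfolded lines that will not import as values."""
    issues = []
    for n, line in enumerate(unfold(text), 1):
        if not line or line.startswith("#"):   # record separator or comment
            continue
        m = ATTR_LINE.match(line)
        if m is None:
            issues.append((n, "not an attribute line (broken fold?)", line))
        elif m.group(2) == "":
            issues.append((n, "empty value", line))
        elif m.group(2).startswith("{") and m.group(2).count("{") != m.group(2).count("}"):
            issues.append((n, "unbalanced braces (value cut short?)", line))
    return issues
```

Running `lint(BAD_FOLD)` reports an empty value for both ACI attributes and flags every tab-indented and bare-brace line, while `lint(GOOD_FOLD)` returns nothing and `unfold(GOOD_FOLD)` yields one complete prescriptiveACI value.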