directory-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Robb Penoyer" <r...@wyattaccelerator.com>
Subject RE - Simplist of ACI's - question
Date Wed, 12 Sep 2007 22:30:47 GMT

Hey guys, turns out I wasn't subscribed to the users list... sorry for the
delay getting back with you.

The ldif I am importing is pretty simple, the intent is a tree like this,
with two regions, one enabled to browse, the other not.

               dc=wyatt,dc=com (accessControlSpecificArea)
                      |
                   /     \
     ou=wyattbrowse       ou=wyattnobrowse
      /        \              /        \
ou=child1   ou=child2   ou=child1   ou=child2


Here is the ldif (the ACI I applied is below from original post):

dn: uid=wyatt,ou=users,ou=system
displayName: Wyatt Directory User
uid: wyatt
userPassword: wyatt
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
sn: wyatt
cn: wyatt

dn: ou=wyattnobrowse,dc=example,dc=com
ou: wyattnobrowse
objectclass: top
objectclass: organizationalunit
description: Wyatt cannot browse here

dn: ou=child1,ou=wyattnobrowse,dc=example,dc=com
ou: childone,
objectclass: top
objectclass: organizationalunit
description: Wyatt cannot browse here

dn: ou=child2,dc=example,dc=com
ou: child2
objectclass: top
objectclass: organizationalunit
description: Wyatt cannot browse here

dn: ou=wyattbrowse,dc=example,dc=com
ou: wyattsystem
objectclass: top
objectclass: organizationalunit
description: Wyatt can browse here

dn: ou=child1,ou= wyattbrowse,dc=example,dc=com
ou: childone,
objectclass: top
objectclass: organizationalunit
description: Wyatt cannot browse here

dn: ou=child2,ou=wyattbrowse,dc=example,dc=com
ou: child2
objectclass: top
objectclass: organizationalunit
description: Wyatt cannot browse here


On 9/12/07, Ersin Er <ersin.er@gmail.com> wrote:
>
> On 9/12/07, Robb Penoyer <robb@wyattaccelerator.com> wrote:
> >
> > Long time since I appeared anywhere near this project - hi all.
> >
> >
> >
> > Started playing with AAA's and such, read all the docs. Now I have a
> > question/problem.
> >
> >
> >
> > Using the standard ApacheDs 1.5.1 install, I modified the server.xml to
> > enable access
> >
> > controls. I also added the administrativeRole: accessControlSpecificArea
> >
> > attribute to the base dn for dc=example,dc=com in server.xml.
> >
> > (Verified the OA was there with studio).
> >
> >
> >
> > Added a new uid=wyatt via ldif, verified he couldn't see anything.
> >
> >
> >
> > Added a bunch of entries under dc=example,dc=com
> >
> >
> >
> > Added the following ACI ldif:
> >
> > dn: cn=authorizationsACISubentry,dc=example,dc=com
> >
> > changetype: add
> >
> > objectclass: top
> >
> > objectclass: subentry
> >
> > objectclass: accessControlSubentry
> >
> > cn: authorizationsACISubentry
> >
> > subtreeSpecification: { specificExclusions { chopBefore:
> > "ou=wyattnobrowse"
> > } }
> >
> > prescriptiveACI: {
> >
> >    identificationTag "allUsersACI",
> >
> >    precedence 10,
> >
> >    authenticationLevel none,
> >
> >    itemOrUserFirst userFirst:
> >
> >    {
> >
> >      userClasses
> >
> >      {
> >
> >        allUsers
> >
> >      },
> >
> >      userPermissions
> >
> >      {
> >
> >         {
> >
> >          protectedItems { entry, allUserAttributeTypesAndValues },
> >
> >          grantsAndDenials { grantRead, grantReturnDN, grantBrowse }
> >
> >        },
> >
> >        {
> >
> >           protectedItems { attributeType { userPassword } },
> >
> >           grantsAndDenials { denyRead, denyCompare, denyFilterMatch }
> >
> >        }
> >
> >      }
> >
> >    }
> >
> > }
> >
> >
> >
> > The result, the wyatt user still cannot see anything.  whatup? If this
> > should
> >
> > be on dev list, please let me know.
>
>
> It's fine to have this on users list.
>
> Can you please provide complete the complete ldif export? It's hard to say
> what's wrong with the information you gave. I especially would like to
> know
> where are the entries you're trying to access with respect to
> "ou=wyattnobrowse".
>
>
> Thx.
> >
>
> --
> Ersin Er
> http://www.ersin-er.name
>


Mime
View raw message