directory-users mailing list archives

From "Robb Penoyer" <r...@wyattaccelerator.com>
Subject Simplest of ACIs - question
Date Tue, 11 Sep 2007 22:38:59 GMT
Long time since I appeared anywhere near this project - hi all.

 

Started playing with AAAs and such, read all the docs. Now I have a question/problem.

 

Using the standard ApacheDS 1.5.1 install, I modified the server.xml to enable access controls. I also added the administrativeRole: accessControlSpecificArea attribute to the base DN for dc=example,dc=com in server.xml. (Verified the OA was there with Studio.)

 

Added a new uid=wyatt via LDIF, verified he couldn't see anything.

 

Added a bunch of entries under dc=example,dc=com

 

Added the following ACI LDIF:

dn: cn=authorizationsACISubentry,dc=example,dc=com
changetype: add
objectclass: top
objectclass: subentry
objectclass: accessControlSubentry
cn: authorizationsACISubentry
subtreeSpecification: { specificExclusions { chopBefore: "ou=wyattnobrowse" } }
prescriptiveACI: {
   identificationTag "allUsersACI",
   precedence 10,
   authenticationLevel none,
   itemOrUserFirst userFirst:
   {
     userClasses
     {
       allUsers
     },
     userPermissions
     {
        {
         protectedItems { entry, allUserAttributeTypesAndValues },
         grantsAndDenials { grantRead, grantReturnDN, grantBrowse }
       },
       {
          protectedItems { attributeType { userPassword } },
          grantsAndDenials { denyRead, denyCompare, denyFilterMatch }
       }
     }
   }
 }

 

The result: the wyatt user still cannot see anything. What's up? If this should be on the dev list, please let me know.

 

Thx.
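
An added sanity checker for the kind of LDIF posted above (example code written for this archive page, not from the poster or from the ApacheDS project). It unfolds RFC 2849 continuation lines and then checks the structural requirements a prescriptive ACI subentry has to meet: it is a direct child of an entry carrying administrativeRole accessControlSpecificArea (or accessControlInnerArea), it has objectClass subentry and accessControlSubentry, exactly one brace-balanced subtreeSpecification, and at least one brace-balanced prescriptiveACI containing the identificationTag, precedence, authenticationLevel and itemOrUserFirst components. The sample LDIF is constructed to match the shape of the posted entry; the AP modify record, the BROKEN_LDIF variant (a wrapped value line without the single leading space that LDIF folding requires, which ldapmodify then reads as a new attribute line), and the parse_ldif/balanced/lint names are assumptions made for the example. It does not evaluate the ACI itself; whether uid=wyatt can browse still has to be tested with a bind against the running server.

```python
# Sanity-check an ApacheDS access-control subentry LDIF before loading it.
# Added example for this archive page; not code from the poster or from ApacheDS.
import re

# Constructed sample (assumption: same shape as the post's entry). A value wrapped onto the
# next line MUST start with one space (RFC 2849 folding) or ldapmodify reads it as a new line.
SAMPLE_LDIF = """\
dn: dc=example,dc=com
changetype: modify
add: administrativeRole
administrativeRole: accessControlSpecificArea
-

dn: cn=authorizationsACISubentry,dc=example,dc=com
changetype: add
objectClass: top
objectClass: subentry
objectClass: accessControlSubentry
cn: authorizationsACISubentry
subtreeSpecification: { specificExclusions { chopBefore: "ou=wyattnobrowse"
  } }
prescriptiveACI: { identificationTag "allUsersACI", precedence 10, authenticationLevel none,
  itemOrUserFirst userFirst: { userClasses { allUsers }, userPermissions {
  { protectedItems { entry, allUserAttributeTypesAndValues }, grantsAndDenials { grantRead, grantReturnDN, grantBrowse } },
  { protectedItems { attributeType { userPassword } }, grantsAndDenials { denyRead, denyCompare, denyFilterMatch } } } } }
"""
BROKEN_LDIF = SAMPLE_LDIF.replace("\n  } }\n", "\n} }\n")  # same file, fold space dropped

ATTR_LINE = re.compile(r"^([A-Za-z][\w.;-]*):\s*(.*)$")
REQUIRED_ACI_TOKENS = ("identificationTag", "precedence", "authenticationLevel", "itemOrUserFirst")
AC_ROLES = {"accesscontrolspecificarea", "accesscontrolinnerarea"}

def lower_set(values):
    return {v.lower() for v in values}

def parse_ldif(text):
    """Minimal LDIF reader -> (records, problems). No base64 (::) or URL (:<) values."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:      # fold: drop exactly one leading space
            logical[-1] += raw[1:]
        else:
            logical.append(raw)
    records, problems = [], []
    for block in "\n".join(logical).split("\n\n"):   # a blank line separates records
        rec = {"dn": None, "attrs": {}}
        for line in block.splitlines():
            if not line.strip() or line.startswith("#") or line == "-":  # blank / comment / end of mod
                continue
            m = ATTR_LINE.match(line)
            if not m:
                problems.append(f"malformed line (neither 'attr: value' nor a ' ' continuation): {line!r}")
            elif m.group(1).lower() == "dn":
                rec["dn"] = m.group(2)
            else:
                rec["attrs"].setdefault(m.group(1).lower(), []).append(m.group(2))
        if rec["dn"]:
            records.append(rec)
    return records, problems

def balanced(value):
    """True when '{' / '}' nest correctly; braces inside double quotes are ignored."""
    depth, quoted = 0, False
    for ch in value:
        if ch == '"':
            quoted = not quoted
        elif not quoted and ch in "{}":
            depth += 1 if ch == "{" else -1
            if depth < 0:
                return False
    return depth == 0 and not quoted

def check_access_control_subentry(records):
    """Structural checks on each accessControlSubentry; returns a list of problem strings."""
    by_dn = {r["dn"].lower(): r for r in records}
    subs = [r for r in records if "accesscontrolsubentry" in lower_set(r["attrs"].get("objectclass", []))]
    problems = [] if subs else ["no entry with objectClass accessControlSubentry"]
    for sub in subs:
        dn, attrs = sub["dn"], sub["attrs"]
        if "subentry" not in lower_set(attrs.get("objectclass", [])):
            problems.append(f"{dn}: missing objectClass subentry")
        # Assumption: no escaped commas in the DN, so the parent is everything after the first comma.
        parent = dn.split(",", 1)[1].strip() if "," in dn else ""
        ap = by_dn.get(parent.lower())
        if not ap or not lower_set(ap["attrs"].get("administrativerole", [])) & AC_ROLES:
            problems.append(f"{dn}: parent {parent!r} carries no access-control administrativeRole in this LDIF")
        spec = attrs.get("subtreespecification", [])
        if len(spec) != 1 or not balanced(spec[0]):
            problems.append(f"{dn}: subtreeSpecification missing, repeated, or braces unbalanced: {spec!r}")
        acis = attrs.get("prescriptiveaci", [])
        if not acis:
            problems.append(f"{dn}: no prescriptiveACI value")
        for aci in acis:
            if not balanced(aci):
                problems.append(f"{dn}: prescriptiveACI braces are unbalanced")
            problems += [f"{dn}: prescriptiveACI lacks {t}" for t in REQUIRED_ACI_TOKENS if t not in aci]
    return problems

def lint(text):
    """Parse then check; an empty list means the LDIF is structurally sound."""
    records, problems = parse_ldif(text)
    return problems + check_access_control_subentry(records)
```

Call lint() on the file contents before feeding it to ldapmodify: for SAMPLE_LDIF it returns an empty list, while for BROKEN_LDIF it reports both the stray "} }" line and the unbalanced subtreeSpecification that the lost fold leaves behind.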