directory-users mailing list archives

From "Ersin Er" <ersin...@gmail.com>
Subject Re: Simplist of ACI's - question
Date Wed, 12 Sep 2007 05:50:32 GMT
On 9/12/07, Robb Penoyer <robb@wyattaccelerator.com> wrote:
>
> Long time since I appeared anywhere near this project - hi all.
>
> Started playing with AAA's and such, read all the docs. Now I have a
> question/problem.
>
> Using the standard ApacheDs 1.5.1 install, I modified the server.xml to
> enable access controls. I also added the administrativeRole: accessControlSpecificArea
> attribute to the base dn for dc=example,dc=com in server.xml.
> (Verified the OA was there with studio).
>
> Added a new uid=wyatt via ldif, verified he couldn't see anything.
>
> Added a bunch of entries under dc=example,dc=com
>
> Added the following ACI ldif:
>
> dn: cn=authorizationsACISubentry,dc=example,dc=com
> changetype: add
> objectclass: top
> objectclass: subentry
> objectclass: accessControlSubentry
> cn: authorizationsACISubentry
> subtreeSpecification: { specificExclusions { chopBefore: "ou=wyattnobrowse" } }
> prescriptiveACI: {
>    identificationTag "allUsersACI",
>    precedence 10,
>    authenticationLevel none,
>    itemOrUserFirst userFirst:
>    {
>      userClasses
>      {
>        allUsers
>      },
>      userPermissions
>      {
>         {
>          protectedItems { entry, allUserAttributeTypesAndValues },
>          grantsAndDenials { grantRead, grantReturnDN, grantBrowse }
>        },
>        {
>           protectedItems { attributeType { userPassword } },
>           grantsAndDenials { denyRead, denyCompare, denyFilterMatch }
>        }
>      }
>    }
> }
>
> The result, the wyatt user still cannot see anything.  whatup? If this
> should be on dev list, please let me know.


It's fine to have this on the users list.

Can you please provide the complete LDIF export? It's hard to say
what's wrong with the information you gave. I would especially like to know
where the entries you're trying to access are with respect to
"ou=wyattnobrowse".

Thx.

-- 
Ersin Er
http://www.ersin-er.name
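Ersin's question is really about subtree specification scope: a prescriptive ACI in an access control subentry only applies to entries that the subentry's subtreeSpecification covers, and `specificExclusions { chopBefore: "ou=wyattnobrowse" }` removes that entry and everything beneath it from scope. The following is an added example, not code from the thread or from ApacheDS, that evaluates an X.501-style subtree specification (base, chopBefore, chopAfter, minimum, maximum) against candidate entry DNs, using the administrative point and exclusion from Robb's LDIF. The sample entry DNs and the helper names (`SubtreeSpecification`, `classify`) are constructed for the illustration; DN parsing is a simplified split on unescaped commas, which is enough for plain DNs like those in the thread.

```python
"""Evaluate an X.501 subtreeSpecification against entry DNs.

Added example (not from the thread or ApacheDS). The subentry in the thread
sits under the administrative point dc=example,dc=com, so that point is the
implicit base of the specification. chopBefore/chopAfter names are local
names relative to that base, not full DNs.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


def parse_dn(dn: str) -> Tuple[str, ...]:
    """Return RDNs leaf-first, lower-cased and trimmed.
    Backslash-escaped commas stay inside their RDN (simplified RFC 4514)."""
    rdns, cur, esc = [], [], False
    for ch in dn:
        if esc:
            cur.append(ch)
            esc = False
        elif ch == "\\":
            cur.append(ch)
            esc = True
        elif ch == ",":
            rdns.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    rdns.append("".join(cur))
    return tuple(r.strip().lower() for r in rdns if r.strip())


def _ends_with(name: Tuple[str, ...], suffix: Tuple[str, ...]) -> bool:
    """True when `name` (leaf-first) is `suffix` or lies below it."""
    return len(name) >= len(suffix) and name[len(name) - len(suffix):] == suffix


@dataclass
class SubtreeSpecification:
    admin_point: str                      # DN of the administrative point
    base: str = ""                        # local name relative to admin_point
    chop_before: List[str] = field(default_factory=list)  # exclude X and below
    chop_after: List[str] = field(default_factory=list)   # exclude only below X
    minimum: int = 0
    maximum: Optional[int] = None

    def root(self) -> Tuple[str, ...]:
        return parse_dn(self.base) + parse_dn(self.admin_point)

    def local_name(self, entry: str) -> Optional[Tuple[str, ...]]:
        """RDNs of `entry` below the root, or None if it is outside it."""
        e, r = parse_dn(entry), self.root()
        if not _ends_with(e, r):
            return None
        return e[: len(e) - len(r)]

    def covers(self, entry: str) -> bool:
        local = self.local_name(entry)
        if local is None:
            return False
        depth = len(local)
        if depth < self.minimum:
            return False
        if self.maximum is not None and depth > self.maximum:
            return False
        # chopBefore removes the named entry together with its subtree
        if any(_ends_with(local, parse_dn(c)) for c in self.chop_before):
            return False
        # chopAfter keeps the named entry but removes everything beneath it
        for c in self.chop_after:
            chop = parse_dn(c)
            if len(local) > len(chop) and _ends_with(local, chop):
                return False
        return True


# The specification from Robb's subentry (admin point + chopBefore exclusion).
SPEC_FROM_THREAD = SubtreeSpecification(
    admin_point="dc=example,dc=com",
    chop_before=["ou=wyattnobrowse"],
)


def classify(spec: SubtreeSpecification, entries: List[str]) -> Dict[str, bool]:
    """Map each entry DN to whether the prescriptive ACI applies to it."""
    return {dn: spec.covers(dn) for dn in entries}


if __name__ == "__main__":
    # Constructed sample entries; only the first three are on the page.
    sample = [
        "dc=example,dc=com",
        "uid=wyatt,ou=people,dc=example,dc=com",
        "ou=wyattnobrowse,dc=example,dc=com",
        "cn=hidden,ou=wyattnobrowse,dc=example,dc=com",
        "ou=wyattnobrowse,ou=people,dc=example,dc=com",
        "dc=other,dc=com",
    ]
    for dn, in_scope in classify(SPEC_FROM_THREAD, sample).items():
        print(f"{'in scope ' if in_scope else 'excluded '} {dn}")
```

Two points the output makes visible: `ou=wyattnobrowse` placed somewhere other than directly under the administrative point is not matched by the exclusion (local names are relative to the base), and every entry outside `dc=example,dc=com` is out of scope regardless of the ACI's grants. If Robb's entries are all under `ou=wyattnobrowse`, the grant never reaches them, which is exactly what Ersin is asking.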
