directory-users mailing list archives

From "Ersin Er" <ersin...@gmail.com>
Subject Re: RE - Simplist of ACI's - question
Date Thu, 13 Sep 2007 07:00:51 GMT
It seems I forgot to paste the subtreeSpecification attribute for my config.
Here it is:

{ specificExclusions { chopBefore: "ou=notBrowsable" } }

On 9/13/07, Ersin Er <ersin.er@gmail.com> wrote:
>
> Hi again,
>
> I do not see any problem with your configuration. I tried almost the same
> configuration and it works fine here. Here is mine:
>
> dn: dc=example,dc=com
> changetype: modify
> add: administrativeRole
> administrativeRole: accessControlSpecificArea
>
> dn: cn=authzSubentry,dc=example,dc=com
> objectClass: subentry
> objectClass: accessControlSubentry
> objectClass: top
> cn: authzSubentry
> prescriptiveACI: {
>     identificationTag "testACI",
>     precedence 10,
>     authenticationLevel none,
>     itemOrUserFirst userFirst:
>     {
>         userClasses { allUsers },
>         userPermissions
>         {
>             {
>                 precedence 10,
>                 protectedItems { allUserAttributeTypesAndValues, entry },
>                 grantsAndDenials
>                 {
>                     grantRead,
>                     grantReturnDN,
>                     grantBrowse
>                 }
>             }
>             ,
>             {
>                 precedence 10,
>                 protectedItems
>                 {
>                     attributeType { userPassword }
>                 }
>                 ,
>                 grantsAndDenials
>                 {
>                     denyCompare,
>                     denyFilterMatch,
>                     denyRead
>                 }
>             }
>         }
>     }
> }
>
> dn: ou=notBrowsable,dc=example,dc=com
> objectClass: organizationalUnit
> objectClass: top
> ou: notBrowsable
>
> dn: ou=browsable,dc=example,dc=com
> objectClass: organizationalUnit
> objectClass: top
> ou: browsable
>
> dn: ou=child1,ou=browsable,dc=example,dc=com
> objectClass: organizationalUnit
> objectClass: top
> ou: child1
>
> dn: ou=child2,ou=browsable,dc=example,dc=com
> objectClass: organizationalUnit
> objectClass: top
> ou: child2
>
> dn: ou=child3,ou=notBrowsable,dc=example,dc=com
> objectClass: organizationalUnit
> objectClass: top
> ou: child3
>
> dn: ou=child4,ou=notBrowsable,dc=example,dc=com
> objectClass: organizationalUnit
> objectClass: top
> ou: child4
>
>
> And I also attached a screenshot from Apache Directory Studio to show the
> case.
>
> HTH,
>
>
> On 9/13/07, Robb Penoyer <robb@wyattaccelerator.com> wrote:
> >
> >
> > Hey guys, turns out I wasn't subscribed to the users list... sorry for
> > the delay getting back with you.
> >
> > The ldif I am importing is pretty simple, the intent is a tree like this,
> > with two regions, one enabled to browse, the other not.
> >
> >                dc=wyatt,dc=com (accessControlSpecificArea)
> >                       |
> >                    /     \
> >      ou=wyattbrowse       ou=wyattnobrowse
> >       /        \              /        \
> > ou=child1   ou=child2   ou=child1   ou=child2
> >
> >
> > Here is the ldif (the ACI I applied is below from original post):
> >
> > dn: uid=wyatt,ou=users,ou=system
> > displayName: Wyatt Directory User
> > uid: wyatt
> > userPassword: wyatt
> > objectClass: top
> > objectClass: person
> > objectClass: organizationalPerson
> > objectClass: inetOrgPerson
> > sn: wyatt
> > cn: wyatt
> >
> > dn: ou=wyattnobrowse,dc=example,dc=com
> > ou: wyattnobrowse
> > objectclass: top
> > objectclass: organizationalunit
> > description: Wyatt cannot browse here
> >
> > dn: ou=child1,ou=wyattnobrowse,dc=example,dc=com
> > ou: childone
> > objectclass: top
> > objectclass: organizationalunit
> > description: Wyatt cannot browse here
> >
> > dn: ou=child2,dc=example,dc=com
> > ou: child2
> > objectclass: top
> > objectclass: organizationalunit
> > description: Wyatt cannot browse here
> >
> > dn: ou=wyattbrowse,dc=example,dc=com
> > ou: wyattsystem
> > objectclass: top
> > objectclass: organizationalunit
> > description: Wyatt can browse here
> >
> > dn: ou=child1,ou=wyattbrowse,dc=example,dc=com
> > ou: childone
> > objectclass: top
> > objectclass: organizationalunit
> > description: Wyatt cannot browse here
> >
> > dn: ou=child2,ou=wyattbrowse,dc=example,dc=com
> > ou: child2
> > objectclass: top
> > objectclass: organizationalunit
> > description: Wyatt cannot browse here
> >
> >
> > On 9/12/07, Ersin Er <ersin.er@gmail.com> wrote:
> > >
> > > On 9/12/07, Robb Penoyer <robb@wyattaccelerator.com> wrote:
> > > >
> > > > Long time since I appeared anywhere near this project - hi all.
> > > >
> > > >
> > > >
> > > > Started playing with AAA's and such, read all the docs. Now I have a
> > > > question/problem.
> > > >
> > > >
> > > >
> > > > Using the standard ApacheDs 1.5.1 install, I modified the server.xml to
> > > > enable access controls. I also added the administrativeRole:
> > > > accessControlSpecificArea attribute to the base dn for dc=example,dc=com
> > > > in server.xml.
> > > >
> > > > (Verified the OA was there with studio).
> > > >
> > > >
> > > >
> > > > Added a new uid=wyatt via ldif, verified he couldn't see anything.
> > > >
> > > >
> > > >
> > > > Added a bunch of entries under dc=example,dc=com
> > > >
> > > >
> > > >
> > > > Added the following ACI ldif:
> > > >
> > > > dn: cn=authorizationsACISubentry,dc=example,dc=com
> > > >
> > > > changetype: add
> > > >
> > > > objectclass: top
> > > >
> > > > objectclass: subentry
> > > >
> > > > objectclass: accessControlSubentry
> > > >
> > > > cn: authorizationsACISubentry
> > > >
> > > > subtreeSpecification: { specificExclusions { chopBefore: "ou=wyattnobrowse" } }
> > > >
> > > > prescriptiveACI: {
> > > >
> > > >    identificationTag "allUsersACI",
> > > >
> > > >    precedence 10,
> > > >
> > > >    authenticationLevel none,
> > > >
> > > >    itemOrUserFirst userFirst:
> > > >
> > > >    {
> > > >
> > > >      userClasses
> > > >
> > > >      {
> > > >
> > > >        allUsers
> > > >
> > > >      },
> > > >
> > > >      userPermissions
> > > >
> > > >      {
> > > >
> > > >         {
> > > >
> > > >          protectedItems { entry, allUserAttributeTypesAndValues },
> > > >
> > > >          grantsAndDenials { grantRead, grantReturnDN, grantBrowse }
> > > >
> > > >        },
> > > >
> > > >        {
> > > >
> > > >           protectedItems { attributeType { userPassword } },
> > > >
> > > >           grantsAndDenials { denyRead, denyCompare, denyFilterMatch }
> > > >
> > > >        }
> > > >
> > > >      }
> > > >
> > > >    }
> > > >
> > > > }
> > > >
> > > >
> > > >
> > > > The result, the wyatt user still cannot see anything.  whatup? If this
> > > > should be on dev list, please let me know.
> > >
> > >
> > > It's fine to have this on users list.
> > >
> > > Can you please provide the complete ldif export? It's hard to say
> > > what's wrong with the information you gave. I especially would like to
> > > know where the entries you're trying to access are with respect to
> > > "ou=wyattnobrowse".
> > >
> > >
> > > Thx.
> > > >
> > >
> > > --
> > > Ersin Er
> > > http://www.ersin-er.name
> > >
> >
> >
>
>
> --
> Ersin Er
> http://www.ersin-er.name
>
>


-- 
Ersin Er
http://www.ersin-er.name

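As an added illustration (not code from the thread or from ApacheDS), here is a small Python model of RFC 3672 subtree refinement: it decides whether an entry falls inside the subtree that the subentry's subtreeSpecification selects, and therefore whether the prescriptiveACI quoted above governs it at all; entries chopped out of the subtree receive no grant and fall back to the default deny. It assumes the subentry's parent is the administrative point (dc=example,dc=com), simple single-valued RDNs without escaped commas, and the function names in_subtree and parse_subtree_spec are mine.

```python
import re

# The value Ersin pasted, and the one from Robb's subentry (copied from the thread).
ERSIN_SPEC = '{ specificExclusions { chopBefore: "ou=notBrowsable" } }'
ROBB_SPEC = '{ specificExclusions { chopBefore: "ou=wyattnobrowse" } }'
BASE_DN = "dc=example,dc=com"  # administrative point = parent of the subentry


def parse_dn(dn):
    """Split a DN into normalised RDN strings, leaf first.
    Assumption: no escaped commas or multi-valued RDNs; whitespace
    around '=' and case are ignored (so 'ou= wyattbrowse' == 'ou=wyattbrowse')."""
    return [re.sub(r"\s*=\s*", "=", rdn.strip()).lower()
            for rdn in dn.split(",") if rdn.strip()]


def is_at_or_below(entry, base):
    """True if `entry` (RDN list, leaf first) is `base` itself or a subordinate."""
    return len(entry) >= len(base) and entry[len(entry) - len(base):] == base


def parse_subtree_spec(spec):
    """Pull the specificExclusions out of a subtreeSpecification value.
    Returns [(kind, relative_rdn_list)], kind in {"chopBefore", "chopAfter"}."""
    pairs = re.findall(r'(chopBefore|chopAfter)\s*:\s*"([^"]*)"', spec)
    return [(kind, parse_dn(rel)) for kind, rel in pairs]


def in_subtree(entry_dn, base_dn, spec):
    """RFC 3672 semantics: the entry must be at or below the base, and
    chopBefore removes the named entry plus everything under it, while
    chopAfter keeps the named entry and removes only its subordinates."""
    entry, base = parse_dn(entry_dn), parse_dn(base_dn)
    if not is_at_or_below(entry, base):
        return False
    for kind, rel in parse_subtree_spec(spec):
        excluded = rel + base  # exclusion names are relative to the base
        if kind == "chopBefore" and is_at_or_below(entry, excluded):
            return False
        if kind == "chopAfter" and is_at_or_below(entry, excluded) and entry != excluded:
            return False
    return True


def governed(entry_dns, base_dn=BASE_DN, spec=ERSIN_SPEC):
    """Map each DN to whether the subentry's prescriptiveACI applies to it."""
    return {dn: in_subtree(dn, base_dn, spec) for dn in entry_dns}
```

Running governed() over the DNs from Ersin's LDIF shows ou=browsable and its children governed (so allUsers gets grantBrowse/grantRead there) and ou=notBrowsable with its children outside the subtree, which is exactly the split the screenshot was meant to show.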