directory-users mailing list archives

From "Ersin Er" <ersin...@gmail.com>
Subject Re: RE - Simplist of ACI's - question
Date Thu, 13 Sep 2007 07:38:39 GMT
[Resending this email as the previous one was not allowed by the anti-spam
filter.]

Hi again,

I do not see any problem with your configuration. I tried almost the same
configuration and it works fine here. Here is mine:

dn: dc=example,dc=com
changetype: modify
add: administrativeRole
administrativeRole: accessControlSpecificArea

dn: cn=authzSubentry,dc=example,dc=com
objectClass: subentry
objectClass: accessControlSubentry
objectClass: top
cn: authzSubentry
subtreeSpecification: { specificExclusions { chopBefore: "ou=notBrowsable" } }
prescriptiveACI: {
    identificationTag "testACI",
    precedence 10,
    authenticationLevel none,
    itemOrUserFirst userFirst:
    {
        userClasses { allUsers },
        userPermissions
        {
            {
                precedence 10,
                protectedItems { allUserAttributeTypesAndValues, entry },
                grantsAndDenials
                {
                    grantRead,
                    grantReturnDN,
                    grantBrowse
                }
            },
            {
                precedence 10,
                protectedItems
                {
                    attributeType { userPassword }
                },
                grantsAndDenials
                {
                    denyCompare,
                    denyFilterMatch,
                    denyRead
                }
            }
        }
    }
 }

dn: ou=notBrowsable,dc=example,dc=com
objectClass: organizationalUnit
objectClass: top
ou: notBrowsable

dn: ou=browsable,dc=example,dc=com
objectClass: organizationalUnit
objectClass: top
ou: browsable

dn: ou=child1,ou=browsable,dc=example,dc=com
objectClass: organizationalUnit
objectClass: top
ou: child1

dn: ou=child2,ou=browsable,dc=example,dc=com
objectClass: organizationalUnit
objectClass: top
ou: child2

dn: ou=child3,ou=notBrowsable,dc=example,dc=com
objectClass: organizationalUnit
objectClass: top
ou: child3

dn: ou=child4,ou=notBrowsable,dc=example,dc=com
objectClass: organizationalUnit
objectClass: top
ou: child4


HTH,

On 9/13/07, Robb Penoyer <robb@wyattaccelerator.com> wrote:
>
>
> Hey guys, turns out I wasn't subscribed to the users list... sorry for the
> delay getting back with you.
>
> The ldif I am importing is pretty simple, the intent is a tree like this,
> with two regions, one enabled to browse, the other not.
>
>                dc=wyatt,dc=com (accessControlSpecificArea)
>                       |
>                    /     \
>      ou=wyattbrowse       ou=wyattnobrowse
>       /        \              /        \
> ou=child1   ou=child2   ou=child1   ou=child2
>
>
> Here is the ldif (the ACI I applied is below from original post):
>
> dn: uid=wyatt,ou=users,ou=system
> displayName: Wyatt Directory User
> uid: wyatt
> userPassword: wyatt
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: inetOrgPerson
> sn: wyatt
> cn: wyatt
>
> dn: ou=wyattnobrowse,dc=example,dc=com
> ou: wyattnobrowse
> objectclass: top
> objectclass: organizationalunit
> description: Wyatt cannot browse here
>
> dn: ou=child1,ou=wyattnobrowse,dc=example,dc=com
> ou: childone,
> objectclass: top
> objectclass: organizationalunit
> description: Wyatt cannot browse here
>
> dn: ou=child2,dc=example,dc=com
> ou: child2
> objectclass: top
> objectclass: organizationalunit
> description: Wyatt cannot browse here
>
> dn: ou=wyattbrowse,dc=example,dc=com
> ou: wyattsystem
> objectclass: top
> objectclass: organizationalunit
> description: Wyatt can browse here
>
> dn: ou=child1,ou= wyattbrowse,dc=example,dc=com
> ou: childone,
> objectclass: top
> objectclass: organizationalunit
> description: Wyatt cannot browse here
>
> dn: ou=child2,ou=wyattbrowse,dc=example,dc=com
> ou: child2
> objectclass: top
> objectclass: organizationalunit
> description: Wyatt cannot browse here
>
>
> On 9/12/07, Ersin Er <ersin.er@gmail.com> wrote:
> >
> > On 9/12/07, Robb Penoyer <robb@wyattaccelerator.com> wrote:
> > >
> > > Long time since I appeared anywhere near this project - hi all.
> > >
> > > Started playing with AAA's and such, read all the docs. Now I have a
> > > question/problem.
> > >
> > > Using the standard ApacheDs 1.5.1 install, I modified the server.xml to
> > > enable access controls. I also added the administrativeRole:
> > > accessControlSpecificArea attribute to the base dn for dc=example,dc=com
> > > in server.xml. (Verified the OA was there with studio).
> > >
> > > Added a new uid=wyatt via ldif, verified he couldn't see anything.
> > >
> > > Added a bunch of entries under dc=example,dc=com
> > >
> > > Added the following ACI ldif:
> > >
> > > dn: cn=authorizationsACISubentry,dc=example,dc=com
> > > changetype: add
> > > objectclass: top
> > > objectclass: subentry
> > > objectclass: accessControlSubentry
> > > cn: authorizationsACISubentry
> > > subtreeSpecification: { specificExclusions { chopBefore: "ou=wyattnobrowse" } }
> > > prescriptiveACI: {
> > >    identificationTag "allUsersACI",
> > >    precedence 10,
> > >    authenticationLevel none,
> > >    itemOrUserFirst userFirst:
> > >    {
> > >      userClasses
> > >      {
> > >        allUsers
> > >      },
> > >      userPermissions
> > >      {
> > >         {
> > >          protectedItems { entry, allUserAttributeTypesAndValues },
> > >          grantsAndDenials { grantRead, grantReturnDN, grantBrowse }
> > >        },
> > >        {
> > >           protectedItems { attributeType { userPassword } },
> > >           grantsAndDenials { denyRead, denyCompare, denyFilterMatch }
> > >        }
> > >      }
> > >    }
> > >  }
> > >
> > > The result, the wyatt user still cannot see anything.  whatup? If this
> > > should be on dev list, please let me know.
> >
> > It's fine to have this on users list.
> >
> > Can you please provide the complete ldif export? It's hard to say what's
> > wrong with the information you gave. I especially would like to know
> > where the entries you're trying to access are with respect to
> > "ou=wyattnobrowse".
> >
> > Thx.
> >
> > --
> > Ersin Er
> > http://www.ersin-er.name
> >
>
>


-- 
Ersin Er
http://www.ersin-er.name
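
As an added illustration (not part of the thread above): a small Python model of how a subentry's subtreeSpecification is evaluated, so you can check which entries the prescriptiveACI is allowed to cover at all. With chopBefore "ou=notBrowsable" that branch lies outside the ACI's scope, and because ApacheDS denies everything not explicitly granted once access control is enabled, nothing under it becomes visible to a user such as uid=wyatt. The function names are constructed, and the DN handling assumes plain DNs without escaped commas or multi-valued RDNs.

```python
# Model of an X.501 subtreeSpecification as ApacheDS applies it to a subentry.
# Covers only what the page uses: base, chopBefore/chopAfter and min/max depth.
from typing import Iterable, List, Optional


def norm_dn(dn: str) -> List[str]:
    """Split a DN into normalised RDNs ordered root -> leaf. Assumes no escaped
    commas or multi-valued RDNs (true of this page); 'ou= Foo' == 'OU=foo'."""
    if not dn.strip():
        return []
    rdns = []
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        rdns.append(f"{attr.strip().lower()}={value.strip().lower()}")
    return list(reversed(rdns))


def _is_prefix(prefix: List[str], path: List[str]) -> bool:
    return path[:len(prefix)] == prefix


def in_subtree(entry_dn: str, admin_point: str, base: str = "",
               chop_before: Iterable[str] = (), chop_after: Iterable[str] = (),
               minimum: int = 0, maximum: Optional[int] = None) -> bool:
    """True if entry_dn is covered by the subentry's subtreeSpecification.
    admin_point is the subentry's parent; base and the chop local names are
    relative to it, as in X.501 / RFC 3672."""
    root = norm_dn(admin_point) + norm_dn(base)
    entry = norm_dn(entry_dn)
    if not _is_prefix(root, entry):
        return False                   # not under the base at all
    rel = entry[len(root):]            # RDNs below the base, root -> leaf
    depth = len(rel)
    if depth < minimum or (maximum is not None and depth > maximum):
        return False
    for local in chop_before:          # drops the named entry and its subtree
        if _is_prefix(norm_dn(local), rel):
            return False
    for local in chop_after:           # drops only the named entry's subordinates
        ex = norm_dn(local)
        if _is_prefix(ex, rel) and depth > len(ex):
            return False
    return True


if __name__ == "__main__":             # Ersin's spec: chopBefore "ou=notBrowsable"
    for dn in ("ou=child1,ou=browsable,dc=example,dc=com",
               "ou=child3,ou=notBrowsable,dc=example,dc=com"):
        print(dn, in_subtree(dn, "dc=example,dc=com", chop_before=["ou=notBrowsable"]))
```

Entries that evaluate to False here are simply not governed by the subentry's ACI, which is a different failure mode from an explicit deny and is worth checking first when a user "cannot see anything".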
