directory-users mailing list archives

From "Ersin Er" <ersin...@gmail.com>
Subject Re: RE - Simplest of ACI's - question
Date Fri, 14 Sep 2007 02:36:35 GMT
Here is an LDIF file that works for me:

http://people.apache.org/~ersiner/data/ACI.Test.ldif

Please give it a try.

HTH,

On 9/14/07, Robb Penoyer <robb@wyattaccelerator.com> wrote:
>
> OK,
>
> I have to be an idiot... but here it is; this is your ldif. Fresh new
> install of 1.5.1, XP SP2, Java 1.5.0_12, only config change was to turn
> ACIs on. Fails to import.... If you have any pointer, that would be
> great, but you're busy; I'll keep playing with it and update the thread.
>
> R-
>
> dn: cn=authzSubentry,dc=example,dc=com
> objectClass: subentry
> objectClass: accessControlSubentry
> objectClass: top
> cn: authzSubentry
> subtreeSpecification:
>         { specificExclusions { chopBefore: "ou=notBrowsable" }}
> prescriptiveACI:
> {
>         identificationTag "testACI",
>         precedence 10,
>         authenticationLevel none,
>         itemOrUserFirst userFirst:
>         {
>                 userClasses { allUsers },
>                 userPermissions
>                 {
>                         {
>                                 protectedItems { allUserAttributeTypesAndValues, entry },
>                                 grantsAndDenials { grantRead, grantReturnDN, grantBrowse }
>                         }
>                         ,
>                         {
>                                 protectedItems { attributeType { userPassword } }
>                                 ,
>                                 grantsAndDenials { denyCompare, denyFilterMatch, denyRead }
>                         }
>                 }
>         }
> }
>
> -----Original Message-----
> From: Ersin Er [mailto:ersin.er@gmail.com]
> Sent: Thursday, September 13, 2007 3:01 AM
> To: users@directory.apache.org
> Subject: Re: RE - Simplest of ACI's - question
>
> It seems I forgot to paste the subtreeSpecification attribute for my
> config. Here it is:
>
> { specificExclusions { chopBefore: "ou=notBrowsable" } }
>
> On 9/13/07, Ersin Er <ersin.er@gmail.com> wrote:
> >
> > Hi again,
> >
> > I do not see any problem with your configuration. I tried almost the same
> > configuration and it works fine here. Here is mine:
> >
> > dn: dc=example,dc=com
> > changetype: modify
> > add: administrativeRole
> > administrativeRole: accessControlSpecificArea
> >
> > dn: cn=authzSubentry,dc=example,dc=com
> > objectClass: subentry
> > objectClass: accessControlSubentry
> > objectClass: top
> > cn: authzSubentry
> > prescriptiveACI: {
> >     identificationTag "testACI",
> >     precedence 10,
> >     authenticationLevel none,
> >     itemOrUserFirst userFirst:
> >     {
> >         userClasses { allUsers },
> >         userPermissions
> >         {
> >             {
> >                 precedence 10,
> >                 protectedItems { allUserAttributeTypesAndValues, entry },
> >                 grantsAndDenials
> >                 {
> >                     grantRead,
> >                     grantReturnDN,
> >                     grantBrowse
> >                 }
> >             }
> >             ,
> >             {
> >                 precedence 10,
> >                 protectedItems
> >                 {
> >                     attributeType { userPassword }
> >                 }
> >                 ,
> >                 grantsAndDenials
> >                 {
> >                     denyCompare,
> >                     denyFilterMatch,
> >                     denyRead
> >                 }
> >             }
> >         }
> >     }
> > }
> >
> > dn: ou=notBrowsable,dc=example,dc=com
> > objectClass: organizationalUnit
> > objectClass: top
> > ou: notBrowsable
> >
> > dn: ou=browsable,dc=example,dc=com
> > objectClass: organizationalUnit
> > objectClass: top
> > ou: browsable
> >
> > dn: ou=child1,ou=browsable,dc=example,dc=com
> > objectClass: organizationalUnit
> > objectClass: top
> > ou: child1
> >
> > dn: ou=child2,ou=browsable,dc=example,dc=com
> > objectClass: organizationalUnit
> > objectClass: top
> > ou: child2
> >
> > dn: ou=child3,ou=notBrowsable,dc=example,dc=com
> > objectClass: organizationalUnit
> > objectClass: top
> > ou: child3
> >
> > dn: ou=child4,ou=notBrowsable,dc=example,dc=com
> > objectClass: organizationalUnit
> > objectClass: top
> > ou: child4
> >
> >
> > And I also attached a screenshot from Apache Directory Studio showing
> > the case.
> >
> > HTH,
> >
> >
> > On 9/13/07, Robb Penoyer <robb@wyattaccelerator.com> wrote:
> > >
> > >
> > > Hey guys, turns out I wasn't subscribed to the users list... sorry for
> > > the delay getting back with you.
> > >
> > > The ldif I am importing is pretty simple; the intent is a tree like
> > > this, with two regions, one enabled to browse, the other not.
> > >
> > >                dc=wyatt,dc=com (accessControlSpecificArea)
> > >                       |
> > >                    /     \
> > >      ou=wyattbrowse       ou=wyattnobrowse
> > >       /        \              /        \
> > > ou=child1   ou=child2   ou=child1   ou=child2
> > >
> > >
> > > Here is the ldif (the ACI I applied is below from original post):
> > >
> > > dn: uid=wyatt,ou=users,ou=system
> > > displayName: Wyatt Directory User
> > > uid: wyatt
> > > userPassword: wyatt
> > > objectClass: top
> > > objectClass: person
> > > objectClass: organizationalPerson
> > > objectClass: inetOrgPerson
> > > sn: wyatt
> > > cn: wyatt
> > >
> > > dn: ou=wyattnobrowse,dc=example,dc=com
> > > ou: wyattnobrowse
> > > objectclass: top
> > > objectclass: organizationalunit
> > > description: Wyatt cannot browse here
> > >
> > > dn: ou=child1,ou=wyattnobrowse,dc=example,dc=com
> > > ou: child1
> > > objectclass: top
> > > objectclass: organizationalunit
> > > description: Wyatt cannot browse here
> > >
> > > dn: ou=child2,ou=wyattnobrowse,dc=example,dc=com
> > > ou: child2
> > > objectclass: top
> > > objectclass: organizationalunit
> > > description: Wyatt cannot browse here
> > >
> > > dn: ou=wyattbrowse,dc=example,dc=com
> > > ou: wyattbrowse
> > > objectclass: top
> > > objectclass: organizationalunit
> > > description: Wyatt can browse here
> > >
> > > dn: ou=child1,ou=wyattbrowse,dc=example,dc=com
> > > ou: child1
> > > objectclass: top
> > > objectclass: organizationalunit
> > > description: Wyatt can browse here
> > >
> > > dn: ou=child2,ou=wyattbrowse,dc=example,dc=com
> > > ou: child2
> > > objectclass: top
> > > objectclass: organizationalunit
> > > description: Wyatt can browse here
> > >
> > >
> > > On 9/12/07, Ersin Er <ersin.er@gmail.com> wrote:
> > > >
> > > > On 9/12/07, Robb Penoyer <robb@wyattaccelerator.com> wrote:
> > > > >
> > > > > Long time since I appeared anywhere near this project - hi all.
> > > > >
> > > > > Started playing with AAA's and such, read all the docs. Now I have a
> > > > > question/problem.
> > > > >
> > > > > Using the standard ApacheDs 1.5.1 install, I modified the server.xml to
> > > > > enable access controls. I also added the administrativeRole:
> > > > > accessControlSpecificArea attribute to the base dn for dc=example,dc=com
> > > > > in server.xml. (Verified the OA was there with studio).
> > > > >
> > > > > Added a new uid=wyatt via ldif, verified he couldn't see anything.
> > > > >
> > > > > Added a bunch of entries under dc=example,dc=com
> > > > >
> > > > > Added the following ACI ldif:
> > > > >
> > > > > dn: cn=authorizationsACISubentry,dc=example,dc=com
> > > > > changetype: add
> > > > > objectclass: top
> > > > > objectclass: subentry
> > > > > objectclass: accessControlSubentry
> > > > > cn: authorizationsACISubentry
> > > > > subtreeSpecification: { specificExclusions { chopBefore: "ou=wyattnobrowse" } }
> > > > > prescriptiveACI: {
> > > > >    identificationTag "allUsersACI",
> > > > >    precedence 10,
> > > > >    authenticationLevel none,
> > > > >    itemOrUserFirst userFirst:
> > > > >    {
> > > > >      userClasses
> > > > >      {
> > > > >        allUsers
> > > > >      },
> > > > >      userPermissions
> > > > >      {
> > > > >         {
> > > > >          protectedItems { entry, allUserAttributeTypesAndValues },
> > > > >          grantsAndDenials { grantRead, grantReturnDN, grantBrowse }
> > > > >        },
> > > > >        {
> > > > >           protectedItems { attributeType { userPassword } },
> > > > >           grantsAndDenials { denyRead, denyCompare, denyFilterMatch }
> > > > >        }
> > > > >      }
> > > > >    }
> > > > > }
> > > > >
> > > > > The result, the wyatt user still cannot see anything.  whatup? If this
> > > > > should be on dev list, please let me know.
> > > >
> > > >
> > > > It's fine to have this on users list.
> > > >
> > > > Can you please provide the complete ldif export? It's hard to say
> > > > what's wrong with the information you gave. I especially would like to
> > > > know where the entries you're trying to access are with respect to
> > > > "ou=wyattnobrowse".
> > > >
> > > >
> > > > Thx.
> > > > >
> > > >
> > > > --
> > > > Ersin Er
> > > > http://www.ersin-er.name
> > > >
> > >
> > >
> >
> >
> > --
> > Ersin Er
> > http://www.ersin-er.name
> >
> >
>
>
> --
> Ersin Er
> http://www.ersin-er.name
>
>


-- 
Ersin Er
http://www.ersin-er.name
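
The ACI from Ersin's working LDIF, modelled offline. This is an added example, not ApacheDS code and not anything posted in the thread: it parses the subtreeSpecification and prescriptiveACI values into nested lists and then decides grant or deny the way X.501 basic access control does for this case. Assumptions of mine, not taken from the thread: the subtree base is the administrative point dc=example,dc=com (the default when the specification names no base), `chopBefore` removes the named entry and its whole subtree from the subentry's scope, userClasses is allUsers so the requester's identity never matters, and the X.501 user-class and protected-item specificity tie-breaks are left out because the precedence step and the deny-wins step already settle every case for this ACI. The function names (`parse`, `in_scope`, `decide`) are my own.

```python
"""Offline model of the ACI in this thread (added example, not ApacheDS code).
Models subtreeSpecification chopBefore scoping, the userPermissions items and the
X.501 rule that, among the highest-precedence items that apply, a denial wins."""
import re

ADMIN_POINT = "dc=example,dc=com"   # assumed subtree base: the administrative point

# Values copied from the working LDIF in the thread, whitespace compacted.
SUBTREE_SPEC = '{ specificExclusions { chopBefore: "ou=notBrowsable" } }'
PRESCRIPTIVE_ACI = """{ identificationTag "testACI", precedence 10,
  authenticationLevel none, itemOrUserFirst userFirst: { userClasses { allUsers },
  userPermissions {
    { precedence 10, protectedItems { allUserAttributeTypesAndValues, entry },
      grantsAndDenials { grantRead, grantReturnDN, grantBrowse } },
    { precedence 10, protectedItems { attributeType { userPassword } },
      grantsAndDenials { denyCompare, denyFilterMatch, denyRead } } } } }"""

TOKEN_RE = re.compile(r'"[^"]*"|[{}]|[^\s{},:]+')   # commas and colons are separators only


def parse(text):
    """Turn the brace-delimited ACI/subtree syntax into nested Python lists."""
    stack = [[]]
    for tok in TOKEN_RE.findall(text):
        if tok == "{":
            stack.append([])
        elif tok == "}":
            inner = stack.pop()
            stack[-1].append(inner)
        else:
            stack[-1].append(tok.strip('"'))
    if len(stack) != 1 or len(stack[0]) != 1:
        raise ValueError("unbalanced braces")
    return stack[0][0]


def normalize_dn(dn):
    """Lower-case and strip whitespace around '=' and ',' so DNs compare equal."""
    return re.sub(r"\s*,\s*", ",", re.sub(r"\s*=\s*", "=", dn.strip())).lower()


def is_under(dn, ancestor):
    return dn == ancestor or dn.endswith("," + ancestor)


def in_scope(entry_dn):
    """Is entry_dn inside the subentry's subtree (base minus the chop exclusions)?"""
    dn = normalize_dn(entry_dn)
    if not is_under(dn, normalize_dn(ADMIN_POINT)):
        return False
    spec = parse(SUBTREE_SPEC)   # ['specificExclusions', ['chopBefore', 'ou=notBrowsable']]
    exclusions = spec[spec.index("specificExclusions") + 1] if "specificExclusions" in spec else []
    for kind, local_name in zip(exclusions[::2], exclusions[1::2]):
        chopped = normalize_dn(local_name + "," + ADMIN_POINT)
        # chopBefore drops the named entry and its subtree; chopAfter keeps the entry itself.
        if is_under(dn, chopped) and (kind == "chopBefore" or dn != chopped):
            return False
    return True


def user_permissions(aci_text):
    """Yield (precedence, protectedItems, grantsAndDenials) for each userPermissions item."""
    aci = parse(aci_text)
    default_prec = int(aci[aci.index("precedence") + 1])
    user_first = aci[aci.index("userFirst") + 1]
    for item in user_first[user_first.index("userPermissions") + 1]:
        prec = int(item[item.index("precedence") + 1]) if "precedence" in item else default_prec
        yield prec, item[item.index("protectedItems") + 1], item[item.index("grantsAndDenials") + 1]


def protects(protected, target):
    """Does a protectedItems list cover target ('entry' or an attribute type name)?"""
    if target == "entry":
        return "entry" in protected
    if "allUserAttributeTypesAndValues" in protected or "allUserAttributeTypes" in protected:
        return True
    if "attributeType" in protected:
        return target.lower() in (n.lower() for n in protected[protected.index("attributeType") + 1])
    return False


def decide(entry_dn, target, operation):
    """'grant' or 'deny' for operation (Read, Browse, ReturnDN, Compare, FilterMatch)
    on target ('entry' or an attribute type) in entry_dn. userClasses is allUsers,
    so the requester is not consulted; anything not explicitly granted is denied."""
    if not in_scope(entry_dn):
        return "deny"                      # the subentry does not reach this entry at all
    applicable = [(prec, verb) for prec, protected, gd in user_permissions(PRESCRIPTIVE_ACI)
                  if protects(protected, target)
                  for verb in ("grant", "deny") if verb + operation in gd]
    if not applicable:
        return "deny"
    top = max(prec for prec, _ in applicable)
    # X.501 BAC: among the highest-precedence items that apply, a denial beats a grant.
    return "deny" if "deny" in [v for p, v in applicable if p == top] else "grant"


if __name__ == "__main__":
    for dn, target, op in [
        ("ou=child1,ou=browsable,dc=example,dc=com", "entry", "Browse"),
        ("ou=child1,ou=browsable,dc=example,dc=com", "userPassword", "Read"),
        ("ou=child3,ou=notBrowsable,dc=example,dc=com", "entry", "Browse"),
    ]:
        print(f"{op:<7} {target:<12} {dn:<45} -> {decide(dn, target, op)}")
```

Running it shows the three outcomes the thread is after: entries under ou=browsable are readable and browsable, userPassword there is still denied for Read, Compare and FilterMatch because the explicit denial beats the blanket grant of the same precedence, and anything under ou=notBrowsable is denied outright because the chop keeps the subentry from applying there, so no grant exists to begin with. Against a live server the same checks are a search bound as uid=wyatt,ou=users,ou=system with base ou=browsable and then ou=notBrowsable; the second should return nothing, and neither should return a userPassword value.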
