directory-users mailing list archives

From "Ersin Er" <ersin...@gmail.com>
Subject Re: RE - Simplist of ACI's - question
Date Fri, 14 Sep 2007 03:00:21 GMT
On 9/14/07, Robb Penoyer <robb@wyattaccelerator.com> wrote:
>
>
> That is exactly the case for me....   I guess I should go learn dmsl and
> avoid this whole controversy. Thanks for the help man.


Cool!
Go on please. So we'll have more content on Authorization on the mailing
list. ;-)

-----Original Message-----
> From: Ersin Er [mailto:ersin.er@gmail.com]
> Sent: Thursday, September 13, 2007 10:54 PM
> To: users@directory.apache.org
> Subject: Re: RE - Simplist of ACI's - question
>
> On 9/14/07, Robb Penoyer <robb@wyattaccelerator.com> wrote:
> >
> >
> > Well that worked famously. I did modify the ldif to contain the
> > administrative role setup and a new non-system user.
> >
> > I do not see a difference in either of your ACIs...?
>
>
> Maybe small whitespace changes.
>
> BTW, here is the screenshot of the working case for me:
>
> http://people.apache.org/~ersiner/data/ACI.Test.jpg
>
> Is it also the case for you now? Is it OK?
>
> -----Original Message-----
> > From: Ersin Er [mailto:ersin.er@gmail.com]
> > Sent: Thursday, September 13, 2007 10:37 PM
> > To: users@directory.apache.org
> > Subject: Re: RE - Simplist of ACI's - question
> >
> > Here is a working LDIF File for me:
> >
> > http://people.apache.org/~ersiner/data/ACI.Test.ldif
> >
> > Please give it a try.
> >
> > HTH,
> >
> > On 9/14/07, Robb Penoyer <robb@wyattaccelerator.com> wrote:
> > >
> > > OK,
> > >
> > > I have to be an idiot... but here it is, this is your ldif. Fresh new
> > > install of 1.5.1, XP SP2, Java 1.5.0_12, only config change was to turn
> > > ACIs on. Fails to import.... if you have any pointer, that would be
> > > great, but you're busy, I'll keep playing with it and update the thread.
> > >
> > > R-
> > >
> > > dn: cn=authzSubentry,dc=example,dc=com
> > > objectClass: subentry
> > > objectClass: accessControlSubentry
> > > objectClass: top
> > > cn: authzSubentry
> > > subtreeSpecification:
> > >         { specificExclusions { chopBefore: "ou=notBrowsable" }}
> > > prescriptiveACI:
> > > {
> > >         identificationTag "testACI",
> > >         precedence 10,
> > >         authenticationLevel none,
> > >         itemOrUserFirst userFirst:
> > >         {
> > >                 userClasses { allUsers },
> > >                 userPermissions
> > >                 {
> > >                         {
> > >                                 protectedItems {
> > > allUserAttributeTypesAndValues, entry },
> > >                                 grantsAndDenials { grantRead,
> > > grantReturnDN,
> > > grantBrowse }
> > >                         }
> > >                         ,
> > >                         {
> > >                                 protectedItems { attributeType {
> > > userPassword } }
> > >                                 ,
> > >                                 grantsAndDenials {denyCompare,
> > > denyFilterMatch, denyRead }
> > >                         }
> > >                 }
> > >         }
> > > }
> > >
> > > -----Original Message-----
> > > From: Ersin Er [mailto:ersin.er@gmail.com]
> > > Sent: Thursday, September 13, 2007 3:01 AM
> > > To: users@directory.apache.org
> > > Subject: Re: RE - Simplist of ACI's - question
> > >
> > > It seems I forgot to paste the subtreeSpecification attribute for my
> > > config. Here it is:
> > >
> > > { specificExclusions { chopBefore: "ou=notBrowsable" } }
> > >
> > > On 9/13/07, Ersin Er <ersin.er@gmail.com> wrote:
> > > >
> > > > Hi again,
> > > >
> > > > I do not see any problem with your configuration. I tried almost the
> > > > same configuration and it works fine here. Here is mine:
> > > >
> > > > dn: dc=example,dc=com
> > > > changetype: modify
> > > > add: administrativeRole
> > > > administrativeRole: accessControlSpecificArea
> > > >
> > > > dn: cn=authzSubentry,dc=example,dc=com
> > > > objectClass: subentry
> > > > objectClass: accessControlSubentry
> > > > objectClass: top
> > > > cn: authzSubentry
> > > > prescriptiveACI: {
> > > >     identificationTag "testACI",
> > > >     precedence 10,
> > > >     authenticationLevel none,
> > > >     itemOrUserFirst userFirst:
> > > >     {
> > > >         userClasses { allUsers },
> > > >         userPermissions
> > > >         {
> > > >             {
> > > >                 precedence 10,
> > > >                 protectedItems { allUserAttributeTypesAndValues, entry },
> > > >                 grantsAndDenials
> > > >                 {
> > > >                     grantRead,
> > > >                     grantReturnDN,
> > > >                     grantBrowse
> > > >                 }
> > > >             }
> > > >             ,
> > > >             {
> > > >                 precedence 10,
> > > >                 protectedItems
> > > >                 {
> > > >                     attributeType { userPassword }
> > > >                 }
> > > >                 ,
> > > >                 grantsAndDenials
> > > >                 {
> > > >                     denyCompare,
> > > >                     denyFilterMatch,
> > > >                     denyRead
> > > >                 }
> > > >             }
> > > >         }
> > > >     }
> > > > }
> > > >
> > > > dn: ou=notBrowsable,dc=example,dc=com
> > > > objectClass: organizationalUnit
> > > > objectClass: top
> > > > ou: notBrowsable
> > > >
> > > > dn: ou=browsable,dc=example,dc=com
> > > > objectClass: organizationalUnit
> > > > objectClass: top
> > > > ou: browsable
> > > >
> > > > dn: ou=child1,ou=browsable,dc=example,dc=com
> > > > objectClass: organizationalUnit
> > > > objectClass: top
> > > > ou: child1
> > > >
> > > > dn: ou=child2,ou=browsable,dc=example,dc=com
> > > > objectClass: organizationalUnit
> > > > objectClass: top
> > > > ou: child2
> > > >
> > > > dn: ou=child3,ou=notBrowsable,dc=example,dc=com
> > > > objectClass: organizationalUnit
> > > > objectClass: top
> > > > ou: child3
> > > >
> > > > dn: ou=child4,ou=notBrowsable,dc=example,dc=com
> > > > objectClass: organizationalUnit
> > > > objectClass: top
> > > > ou: child4
> > > >
> > > >
> > > > And I also attached a screenshot from Apache Directory Studio for
> > > > showing the case.
> > > >
> > > > HTH,
> > > >
> > > >
> > > > On 9/13/07, Robb Penoyer <robb@wyattaccelerator.com> wrote:
> > > > >
> > > > >
> > > > > Hey guys, turns out I wasn't subscribed to the users list... sorry for
> > > > > the delay getting back with you.
> > > > >
> > > > > The ldif I am importing is pretty simple, the intent is a tree like
> > > > > this, with two regions, one enabled to browse, the other not.
> > > > >
> > > > >                dc=wyatt,dc=com (accessControlSpecificArea)
> > > > >                       |
> > > > >                    /     \
> > > > >      ou=wyattbrowse       ou=wyattnobrowse
> > > > >       /        \              /        \
> > > > > ou=child1   ou=child2   ou=child1   ou=child2
> > > > >
> > > > >
> > > > > Here is the ldif (the ACI I applied is below from original post):
> > > > >
> > > > > dn: uid=wyatt,ou=users,ou=system
> > > > > displayName: Wyatt Directory User
> > > > > uid: wyatt
> > > > > userPassword: wyatt
> > > > > objectClass: top
> > > > > objectClass: person
> > > > > objectClass: organizationalPerson
> > > > > objectClass: inetOrgPerson
> > > > > sn: wyatt
> > > > > cn: wyatt
> > > > >
> > > > > dn: ou=wyattnobrowse,dc=example,dc=com
> > > > > ou: wyattnobrowse
> > > > > objectclass: top
> > > > > objectclass: organizationalunit
> > > > > description: Wyatt cannot browse here
> > > > >
> > > > > dn: ou=child1,ou=wyattnobrowse,dc=example,dc=com
> > > > > ou: child1
> > > > > objectclass: top
> > > > > objectclass: organizationalunit
> > > > > description: Wyatt cannot browse here
> > > > >
> > > > > dn: ou=child2,ou=wyattnobrowse,dc=example,dc=com
> > > > > ou: child2
> > > > > objectclass: top
> > > > > objectclass: organizationalunit
> > > > > description: Wyatt cannot browse here
> > > > >
> > > > > dn: ou=wyattbrowse,dc=example,dc=com
> > > > > ou: wyattbrowse
> > > > > objectclass: top
> > > > > objectclass: organizationalunit
> > > > > description: Wyatt can browse here
> > > > >
> > > > > dn: ou=child1,ou=wyattbrowse,dc=example,dc=com
> > > > > ou: child1
> > > > > objectclass: top
> > > > > objectclass: organizationalunit
> > > > > description: Wyatt can browse here
> > > > >
> > > > > dn: ou=child2,ou=wyattbrowse,dc=example,dc=com
> > > > > ou: child2
> > > > > objectclass: top
> > > > > objectclass: organizationalunit
> > > > > description: Wyatt can browse here
> > > > >
> > > > >
> > > > > On 9/12/07, Ersin Er <ersin.er@gmail.com> wrote:
> > > > > >
> > > > > > On 9/12/07, Robb Penoyer <robb@wyattaccelerator.com> wrote:
> > > > > > >
> > > > > > > Long time since I appeared anywhere near this project - hi all.
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > > Started playing with AAAs and such, read all the docs. Now I have a
> > > > > > > question/problem.
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > > Using the standard ApacheDs 1.5.1 install, I modified the server.xml to
> > > > > > > enable access controls. I also added the administrativeRole:
> > > > > > > accessControlSpecificArea attribute to the base dn for
> > > > > > > dc=example,dc=com in server.xml.
> > > > > > >
> > > > > > > (Verified the OA was there with studio).
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > > Added a new uid=wyatt via ldif, verified he couldn't see anything.
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > > Added a bunch of entries under dc=example,dc=com
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > > Added the following ACI ldif:
> > > > > > >
> > > > > > > dn: cn=authorizationsACISubentry,dc=example,dc=com
> > > > > > > changetype: add
> > > > > > > objectclass: top
> > > > > > > objectclass: subentry
> > > > > > > objectclass: accessControlSubentry
> > > > > > > cn: authorizationsACISubentry
> > > > > > > subtreeSpecification: { specificExclusions { chopBefore: "ou=wyattnobrowse" } }
> > > > > > > prescriptiveACI: {
> > > > > > >    identificationTag "allUsersACI",
> > > > > > >    precedence 10,
> > > > > > >    authenticationLevel none,
> > > > > > >    itemOrUserFirst userFirst:
> > > > > > >    {
> > > > > > >      userClasses
> > > > > > >      {
> > > > > > >        allUsers
> > > > > > >      },
> > > > > > >      userPermissions
> > > > > > >      {
> > > > > > >         {
> > > > > > >          protectedItems { entry, allUserAttributeTypesAndValues },
> > > > > > >          grantsAndDenials { grantRead, grantReturnDN, grantBrowse }
> > > > > > >        },
> > > > > > >        {
> > > > > > >           protectedItems { attributeType { userPassword } },
> > > > > > >           grantsAndDenials { denyRead, denyCompare, denyFilterMatch }
> > > > > > >        }
> > > > > > >      }
> > > > > > >    }
> > > > > > > }
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > > The result, the wyatt user still cannot see anything. whatup? If
> > > > > > > this should be on dev list, please let me know.
> > > > > >
> > > > > >
> > > > > > It's fine to have this on users list.
> > > > > >
> > > > > > Can you please provide the complete ldif export? It's hard to
> > > > > > say what's wrong with the information you gave. I especially would
> > > > > > like to know where the entries you're trying to access are with
> > > > > > respect to "ou=wyattnobrowse".
> > > > > >
> > > > > >
> > > > > > Thx.
> > > > > > >
> > > > > >
> > > > > > --
> > > > > > Ersin Er
> > > > > > http://www.ersin-er.name
> > > > > >
> > > > >
> > > > >
> > > >
> > > >
> > > > --
> > > > Ersin Er
> > > > http://www.ersin-er.name
> > > >
> > > >
> > >
> > >
> > > --
> > > Ersin Er
> > > http://www.ersin-er.name
> > >
> > >
> >
> >
> > --
> > Ersin Er
> > http://www.ersin-er.name
> >
> >
>
>
> --
> Ersin Er
> http://www.ersin-er.name
>
>


-- 
Ersin Er
http://www.ersin-er.name
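
The following is an added example, not code from this thread or from ApacheDS. It models in Python what the server does with Ersin's subentry: which entries the subtreeSpecification selects (chopBefore versus chopAfter, both relative to the administrative point dc=example,dc=com) and how the two userPermissions combine for a given entry, attribute and permission, so the reader can see why uid=wyatt gets the ou=browsable subtree but not ou=notBrowsable, and never userPassword. The tree, the cn=alice entry and every function name are constructed for the example; the real ApacheDS decision function also weighs user-class specificity and the minimum/maximum refinements, which are left out here.

```python
"""Added example, not ApacheDS code: a model of how the ACI subentry in this
thread scopes and decides access. It re-implements, simplified, (1) X.501
subtree-specification scoping with specificExclusions and (2) the decision
over Ersin's two userPermissions: highest precedence wins, then the most
specific protectedItem, then any surviving denial beats a grant. The user
class is allUsers throughout, so the user-class step and the minimum/maximum
refinements are omitted. DNs and attribute lists are constructed."""


def rdns(dn):
    """Normalized RDNs, root first, so ancestor tests are prefix tests."""
    return tuple(part.strip().lower() for part in reversed(dn.split(",")))


def is_under(dn, ancestor):
    """True if dn equals ancestor or lies anywhere below it."""
    a = rdns(ancestor)
    return rdns(dn)[:len(a)] == a


def local_name(name, root):
    """Resolve a name given relative to the subtree base (or admin point)."""
    return f"{name},{root}" if name else root


def in_subtree(entry_dn, admin_point, base="", chop_before=(), chop_after=()):
    """Does the subtreeSpecification select entry_dn? chopBefore drops the
    named entry and everything below it; chopAfter keeps the named entry
    and drops only its subordinates."""
    root = local_name(base, admin_point)
    if not is_under(entry_dn, root):
        return False
    if any(is_under(entry_dn, local_name(n, root)) for n in chop_before):
        return False
    for n in chop_after:
        excl = local_name(n, root)
        if is_under(entry_dn, excl) and rdns(entry_dn) != rdns(excl):
            return False
    return True


# Ersin's userPermissions as (precedence, protectedItems, grants, denials).
# A protectedItem is "entry", "allUserAttributeTypesAndValues" or
# ("attributeType", "<lower-case name>"); permissions drop the grant/deny prefix.
USER_PERMISSIONS = [
    (10, {"entry", "allUserAttributeTypesAndValues"},
     {"Read", "ReturnDN", "Browse"}, set()),
    (10, {("attributeType", "userpassword")},
     set(), {"Compare", "FilterMatch", "Read"}),
]
ADMIN_POINT = "dc=example,dc=com"                 # where the subentry lives
SUBTREE = {"chop_before": ("ou=notBrowsable",)}  # its subtreeSpecification


def item_specificity(item, attribute):
    """How specifically a protectedItem names the target (None = no match).
    attribute is None for entry-level operations such as Browse."""
    if attribute is None:
        return 0 if item == "entry" else None
    if item == "allUserAttributeTypesAndValues":
        return 0
    if isinstance(item, tuple) and item[1] == attribute.lower():
        return 1
    return None


def decide(entry_dn, attribute, permission):
    """'grant' or 'deny' for one (entry, attribute-or-None, permission)."""
    if not in_subtree(entry_dn, ADMIN_POINT, **SUBTREE):
        return "deny"                      # no ACI reaches it: default deny
    found = []                             # (precedence, specificity, grant?)
    for precedence, items, grants, denials in USER_PERMISSIONS:
        hits = [s for s in (item_specificity(i, attribute) for i in items)
                if s is not None]
        if not hits:
            continue
        if permission in grants:
            found.append((precedence, max(hits), True))
        if permission in denials:
            found.append((precedence, max(hits), False))
    if not found:
        return "deny"                      # nothing grants it: default deny
    top = max(p for p, _, _ in found)
    best = max(s for p, s, _ in found if p == top)
    kept = [g for p, s, g in found if p == top and s == best]
    return "grant" if all(kept) else "deny"


def search_result(entry_dn, attributes):
    """What a search returns for the entry: None if it is invisible (needs
    Browse, ReturnDN and Read on the entry), else the readable attributes."""
    if any(decide(entry_dn, None, p) == "deny"
           for p in ("Browse", "ReturnDN", "Read")):
        return None
    return [a for a in attributes if decide(entry_dn, a, "Read") == "grant"]


if __name__ == "__main__":   # constructed entries; cn=alice is invented
    for dn in ("cn=alice,ou=browsable,dc=example,dc=com",
               "ou=child3,ou=notBrowsable,dc=example,dc=com"):
        print(dn, "->", search_result(dn, ["cn", "sn", "userPassword"]))
```

Run it and the entry under ou=browsable comes back with cn and sn only, while the one under ou=notBrowsable comes back as None: no prescriptiveACI reaches it, and once access control is switched on ApacheDS denies whatever nothing grants. That is also why a fresh user sees nothing at all before any subentry is added, as the first message in the thread reports, and why the denyRead on userPassword wins over the broader grantRead at the same precedence: the attributeType item is the more specific protectedItem.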
