directory-users mailing list archives

From "Alex Karasulu" <akaras...@apache.org>
Subject Re: Simplest of ACIs - question
Date Wed, 12 Sep 2007 20:03:24 GMT
Hey hey hey, what's happening Robb! Good to see you. Guys, Robb is from way
back in the days of LDAPd. Glad to see you move off of LDAPd to ApacheDS
:).

You're in good hands with Ersin, but basically we need more data on this to
figure out what's going on.

Good to see you,
Alex

On 9/12/07, Ersin Er <ersin.er@gmail.com> wrote:
>
> On 9/12/07, Robb Penoyer <robb@wyattaccelerator.com> wrote:
> >
> > Long time since I appeared anywhere near this project - hi all.
> >
> > Started playing with AAA's and such, read all the docs. Now I have a
> > question/problem.
> >
> > Using the standard ApacheDS 1.5.1 install, I modified the server.xml to
> > enable access controls. I also added the administrativeRole:
> > accessControlSpecificArea attribute to the base dn for dc=example,dc=com
> > in server.xml. (Verified the OA was there with studio).
> >
> > Added a new uid=wyatt via ldif, verified he couldn't see anything.
> >
> > Added a bunch of entries under dc=example,dc=com
> >
> > Added the following ACI ldif:
> >
> > dn: cn=authorizationsACISubentry,dc=example,dc=com
> > changetype: add
> > objectclass: top
> > objectclass: subentry
> > objectclass: accessControlSubentry
> > cn: authorizationsACISubentry
> > subtreeSpecification: { specificExclusions { chopBefore:
> >  "ou=wyattnobrowse" } }
> > prescriptiveACI: {
> >    identificationTag "allUsersACI",
> >    precedence 10,
> >    authenticationLevel none,
> >    itemOrUserFirst userFirst:
> >    {
> >      userClasses
> >      {
> >        allUsers
> >      },
> >      userPermissions
> >      {
> >        {
> >          protectedItems { entry, allUserAttributeTypesAndValues },
> >          grantsAndDenials { grantRead, grantReturnDN, grantBrowse }
> >        },
> >        {
> >          protectedItems { attributeType { userPassword } },
> >          grantsAndDenials { denyRead, denyCompare, denyFilterMatch }
> >        }
> >      }
> >    }
> >  }
> >
> > The result, the wyatt user still cannot see anything. whatup? If this
> > should be on dev list, please let me know.
>
> It's fine to have this on users list.
>
> Can you please provide the complete ldif export? It's hard to say
> what's wrong with the information you gave. I especially would like to
> know where the entries you're trying to access are with respect to
> "ou=wyattnobrowse".
>
> Thx.
>
> --
> Ersin Er
> http://www.ersin-er.name
>
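Ersin's question about where the entries sit relative to "ou=wyattnobrowse" comes down to which entries the subentry's subtreeSpecification actually selects: a prescriptiveACI only applies to entries inside that subtree, so anything placed under the chopBefore exclusion is outside the ACI's scope no matter what the grants say. The following is an added example, not code from the thread or from ApacheDS, that evaluates X.501 subtree specifications (base, chopBefore, chopAfter, minimum, maximum) against constructed DNs, using the specification quoted above with dc=example,dc=com as the administrative point. It assumes a simplified DN parser (plain split on "," and "=", no escaped commas or multi-valued RDNs); the sample DNs other than dc=example,dc=com and ou=wyattnobrowse are made up for the demonstration.

```python
"""Evaluate an X.501 subtreeSpecification, as carried by an ApacheDS
accessControlSubentry, against candidate DNs.

Added example for this thread; not ApacheDS code.  DN parsing is a
deliberately simplified split on ',' and '=' (assumption: no escaped
commas, no multi-valued RDNs), which is enough for the DNs used here.
"""
from dataclasses import dataclass, field
from typing import Optional, Sequence, Tuple

RDNs = Tuple[str, ...]


def parse_dn(dn: str) -> RDNs:
    """Normalize a DN string to a tuple of lowercase RDNs, root first.

    'uid=Wyatt, ou=People,dc=example,dc=com' ->
    ('dc=com', 'dc=example', 'ou=people', 'uid=wyatt')
    Simplified: assumes no escaped commas in attribute values.
    """
    if not dn.strip():
        return ()
    rdns = []
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        rdns.append(f"{attr.strip().lower()}={value.strip().lower()}")
    return tuple(reversed(rdns))


def is_descendant_or_self(dn: RDNs, ancestor: RDNs) -> bool:
    """True if dn equals ancestor or lies somewhere below it."""
    return len(dn) >= len(ancestor) and dn[: len(ancestor)] == ancestor


@dataclass
class SubtreeSpecification:
    """Fields of an X.501 SubtreeSpecification.  base is a local name
    relative to the administrative point; the exclusions are local
    names relative to base.  Omitted fields take the X.501 defaults."""
    base: str = ""
    chop_before: Sequence[str] = field(default_factory=tuple)  # entry and subordinates excluded
    chop_after: Sequence[str] = field(default_factory=tuple)   # subordinates excluded, entry kept
    minimum: int = 0                                           # depth below base where scope starts
    maximum: Optional[int] = None                              # depth below base where scope ends

    def covers(self, admin_point: str, entry_dn: str) -> bool:
        """Return True if entry_dn is inside the subtree this spec selects."""
        base = parse_dn(admin_point) + parse_dn(self.base)
        entry = parse_dn(entry_dn)
        if not is_descendant_or_self(entry, base):
            return False
        depth = len(entry) - len(base)
        if depth < self.minimum:
            return False
        if self.maximum is not None and depth > self.maximum:
            return False
        for local in self.chop_before:
            if is_descendant_or_self(entry, base + parse_dn(local)):
                return False
        for local in self.chop_after:
            excluded = base + parse_dn(local)
            if entry != excluded and is_descendant_or_self(entry, excluded):
                return False
        return True


# The subtreeSpecification quoted in the thread:
#   { specificExclusions { chopBefore: "ou=wyattnobrowse" } }
THREAD_SPEC = SubtreeSpecification(chop_before=("ou=wyattnobrowse",))
ADMIN_POINT = "dc=example,dc=com"

# Constructed DNs for the demonstration (only dc=example,dc=com and
# ou=wyattnobrowse come from the thread).
SAMPLE_DNS = [
    "dc=example,dc=com",
    "ou=people,dc=example,dc=com",
    "uid=alice,ou=people,dc=example,dc=com",
    "ou=wyattnobrowse,dc=example,dc=com",
    "uid=bob,ou=wyattnobrowse,dc=example,dc=com",
    "dc=other,dc=com",
]


def covered_entries(spec=THREAD_SPEC, admin_point=ADMIN_POINT, dns=SAMPLE_DNS):
    """DNs from dns that fall inside the ACI subentry's scope."""
    return [dn for dn in dns if spec.covers(admin_point, dn)]


if __name__ == "__main__":
    for dn in SAMPLE_DNS:
        state = "in scope" if THREAD_SPEC.covers(ADMIN_POINT, dn) else "excluded"
        print(f"{state:9} {dn}")
```

With the thread's specification, every entry under dc=example,dc=com is in scope except ou=wyattnobrowse and everything beneath it; a chopAfter on the same name would keep the ou entry itself visible and exclude only its children. Scope is only the first precondition: under X.501 basic access control the grantsAndDenials must also cover the permissions the operation needs (Browse and ReturnDN on the entry, Read on the attributes returned, and FilterMatch on the attributes the search filter evaluates), so an entry that is in scope can still be invisible if one of those is missing.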
