Hi again,

I do not see any problem with your configuration. I tried almost the same configuration and it works fine here. Here is mine:

dn: dc=example,dc=com
changetype: modify
add: administrativeRole
administrativeRole: accessControlSpecificArea

dn: cn=authzSubentry,dc=example,dc=com
objectClass: subentry
objectClass: accessControlSubentry
objectClass: top
cn: authzSubentry
prescriptiveACI: {
    identificationTag "testACI",
    precedence 10,
    authenticationLevel none,
    itemOrUserFirst userFirst:
    {
        userClasses { allUsers },
        userPermissions
        {
            {
                precedence 10,
                protectedItems { allUserAttributeTypesAndValues, entry },
                grantsAndDenials
                {
                    grantRead,
                    grantReturnDN,
                    grantBrowse
                }
            }
            ,
            {
                precedence 10,
                protectedItems
                {
                    attributeType { userPassword }
                }
                ,
                grantsAndDenials
                {
                    denyCompare,
                    denyFilterMatch,
                    denyRead
                }
            }
        }
    }
}

dn: ou=notBrowsable,dc=example,dc=com
objectClass: organizationalUnit
objectClass: top
ou: notBrowsable

dn: ou=browsable,dc=example,dc=com
objectClass: organizationalUnit
objectClass: top
ou: browsable

dn: ou=child1,ou=browsable,dc=example,dc=com
objectClass: organizationalUnit
objectClass: top
ou: child1

dn: ou=child2,ou=browsable,dc=example,dc=com
objectClass: organizationalUnit
objectClass: top
ou: child2

dn: ou=child3,ou=notBrowsable,dc=example,dc=com
objectClass: organizationalUnit
objectClass: top
ou: child3

dn: ou=child4,ou=notBrowsable,dc=example,dc=com
objectClass: organizationalUnit
objectClass: top
ou: child4


I also attached a screenshot from Apache Directory Studio showing the case.

HTH,


On 9/13/07, Robb Penoyer <robb@wyattaccelerator.com> wrote:

Hey guys, turns out I wasn't subscribed to the users list... sorry for the
delay getting back with you.

The LDIF I am importing is pretty simple; the intent is a tree like this,
with two regions, one enabled to browse, the other not.

                dc=example,dc=com (accessControlSpecificArea)
                       /            \
           ou=wyattbrowse          ou=wyattnobrowse
            /        \               /        \
     ou=child1   ou=child2     ou=child1   ou=child2


Here is the LDIF (the ACI I applied is below, from the original post):

dn: uid=wyatt,ou=users,ou=system
displayName: Wyatt Directory User
uid: wyatt
userPassword: wyatt
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
sn: wyatt
cn: wyatt

# Subtree the ACI subentry excludes via chopBefore
dn: ou=wyattnobrowse,dc=example,dc=com
ou: wyattnobrowse
objectclass: top
objectclass: organizationalunit
description: Wyatt cannot browse here

dn: ou=child1,ou=wyattnobrowse,dc=example,dc=com
ou: child1
objectclass: top
objectclass: organizationalunit
description: Wyatt cannot browse here

dn: ou=child2,ou=wyattnobrowse,dc=example,dc=com
ou: child2
objectclass: top
objectclass: organizationalunit
description: Wyatt cannot browse here

# Subtree that stays inside the ACI subentry's scope
dn: ou=wyattbrowse,dc=example,dc=com
ou: wyattbrowse
objectclass: top
objectclass: organizationalunit
description: Wyatt can browse here

dn: ou=child1,ou=wyattbrowse,dc=example,dc=com
ou: child1
objectclass: top
objectclass: organizationalunit
description: Wyatt can browse here

dn: ou=child2,ou=wyattbrowse,dc=example,dc=com
ou: child2
objectclass: top
objectclass: organizationalunit
description: Wyatt can browse here


On 9/12/07, Ersin Er <ersin.er@gmail.com> wrote:
>
> On 9/12/07, Robb Penoyer <robb@wyattaccelerator.com> wrote:
> >
> > Long time since I appeared anywhere near this project - hi all.
> >
> > Started playing with AAA's and such, read all the docs. Now I have a
> > question/problem.
> >
> > Using the standard ApacheDS 1.5.1 install, I modified the server.xml to
> > enable access controls. I also added the administrativeRole:
> > accessControlSpecificArea attribute to the base dn for dc=example,dc=com
> > in server.xml. (Verified the OA was there with studio).
> >
> > Added a new uid=wyatt via ldif, verified he couldn't see anything.
> >
> > Added a bunch of entries under dc=example,dc=com
> >
> > Added the following ACI ldif:
> >
> > dn: cn=authorizationsACISubentry,dc=example,dc=com
> > changetype: add
> > objectclass: top
> > objectclass: subentry
> > objectclass: accessControlSubentry
> > cn: authorizationsACISubentry
> > subtreeSpecification: { specificExclusions { chopBefore: "ou=wyattnobrowse" } }
> > prescriptiveACI: {
> >    identificationTag "allUsersACI",
> >    precedence 10,
> >    authenticationLevel none,
> >    itemOrUserFirst userFirst:
> >    {
> >      userClasses
> >      {
> >        allUsers
> >      },
> >      userPermissions
> >      {
> >        {
> >          protectedItems { entry, allUserAttributeTypesAndValues },
> >          grantsAndDenials { grantRead, grantReturnDN, grantBrowse }
> >        },
> >        {
> >          protectedItems { attributeType { userPassword } },
> >          grantsAndDenials { denyRead, denyCompare, denyFilterMatch }
> >        }
> >      }
> >    }
> > }
> >
> > The result, the wyatt user still cannot see anything.  whatup? If this
> > should be on dev list, please let me know.
>
> It's fine to have this on users list.
>
> Can you please provide the complete LDIF export? It's hard to say
> what's wrong with the information you gave. I especially would like to
> know where the entries you're trying to access are with respect to
> "ou=wyattnobrowse".
>
> Thx.
>
> --
> Ersin Er
> http://www.ersin-er.name
>

--
Ersin Er
http://www.ersin-er.name
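To see which entries a subentry's subtreeSpecification actually covers, the following added example (it is not ApacheDS code and is not from either poster) evaluates the base, minimum, maximum and chopBefore/chopAfter parts of an X.501 subtree specification against the dc=example,dc=com tree described in the thread. The tree, the DN parser and the helper names (parse_subtree_spec, in_scope, covered_by) are constructed for this illustration. The point it makes: with `{ specificExclusions { chopBefore: "ou=wyattnobrowse" } }` the excluded entry and everything under it fall outside the ACI subentry, and since ApacheDS grants nothing to an entry that no ACI covers, uid=wyatt cannot see ou=wyattnobrowse or its children, while the rest of the area is reachable through the grantBrowse/grantReturnDN permissions.

```python
"""Evaluate an X.501 subtreeSpecification against a set of DNs.

Added example for this thread, not ApacheDS code. It models only the
subtree-scope part of access control (which entries a subentry's
prescriptiveACI applies to), not the permission evaluation itself.
The tree, the DN parser and the helper names are constructed here.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional


def parse_dn(dn: str) -> List[str]:
    """Split a DN into lowercase RDN strings, root first.
    Constructed for this example: it does not handle escaped commas,
    which none of the thread's DNs need."""
    rdns = [r.strip().lower() for r in dn.split(",") if r.strip()]
    return list(reversed(rdns))


@dataclass
class Exclusion:
    kind: str          # "chopBefore" or "chopAfter"
    rdns: List[str]    # local name relative to the subtree base, root first


@dataclass
class SubtreeSpec:
    base: List[str] = field(default_factory=list)  # relative to the admin point
    minimum: int = 0
    maximum: Optional[int] = None
    exclusions: List[Exclusion] = field(default_factory=list)


def parse_subtree_spec(text: str) -> SubtreeSpec:
    """Parse the subset of subtreeSpecification syntax used in the thread:
    base, minimum, maximum and specificExclusions. An empty "{ }" means
    the whole administrative area. (Assumed grammar; ApacheDS accepts more.)"""
    spec = SubtreeSpec()
    m = re.search(r'\bbase\s+"([^"]*)"', text)
    if m:
        spec.base = parse_dn(m.group(1))
    m = re.search(r'\bminimum\s+(\d+)', text)
    if m:
        spec.minimum = int(m.group(1))
    m = re.search(r'\bmaximum\s+(\d+)', text)
    if m:
        spec.maximum = int(m.group(1))
    for kind, name in re.findall(r'(chopBefore|chopAfter):\s*"([^"]*)"', text):
        spec.exclusions.append(Exclusion(kind, parse_dn(name)))
    return spec


def in_scope(spec: SubtreeSpec, admin_point: str, entry_dn: str) -> bool:
    """True if entry_dn lies within the subtree rooted at admin_point + base,
    honouring minimum/maximum depth and the chop exclusions."""
    root = parse_dn(admin_point) + spec.base
    entry = parse_dn(entry_dn)
    if entry[:len(root)] != root:
        return False
    local = entry[len(root):]          # RDNs below the subtree root
    depth = len(local)
    if depth < spec.minimum:
        return False
    if spec.maximum is not None and depth > spec.maximum:
        return False
    for ex in spec.exclusions:
        n = len(ex.rdns)
        if local[:n] != ex.rdns:
            continue
        if ex.kind == "chopBefore":
            return False               # the named entry and everything below it
        if ex.kind == "chopAfter" and depth > n:
            return False               # only the descendants of the named entry
    return True


# Constructed tree mirroring the layout Robb describes.
ADMIN_POINT = "dc=example,dc=com"      # the accessControlSpecificArea
TREE = [
    "dc=example,dc=com",
    "ou=wyattbrowse,dc=example,dc=com",
    "ou=child1,ou=wyattbrowse,dc=example,dc=com",
    "ou=child2,ou=wyattbrowse,dc=example,dc=com",
    "ou=wyattnobrowse,dc=example,dc=com",
    "ou=child1,ou=wyattnobrowse,dc=example,dc=com",
    "ou=child2,ou=wyattnobrowse,dc=example,dc=com",
]
THREAD_SPEC = '{ specificExclusions { chopBefore: "ou=wyattnobrowse" } }'


def covered_by(spec_text: str, dns=TREE, admin_point=ADMIN_POINT) -> List[str]:
    """DNs from dns that a subentry with this subtreeSpecification covers."""
    spec = parse_subtree_spec(spec_text)
    return [dn for dn in dns if in_scope(spec, admin_point, dn)]


if __name__ == "__main__":
    covered = set(covered_by(THREAD_SPEC))
    for dn in TREE:
        print("ACI applies" if dn in covered else "no ACI     ", dn)
```

Run it with python3 and it prints one line per DN. Swapping chopBefore for chopAfter keeps ou=wyattnobrowse itself in scope and drops only its children, which is the usual way to let a user see a container without its contents; a subentry with no exclusions at all (as in the configuration at the top of this message) covers the whole administrative area.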