directory-users mailing list archives

From Andreas Kyrmegalos <andrea...@vivodinet.gr>
Subject Unable to make ACI to work
Date Sun, 15 Jun 2008 17:07:01 GMT
Hello,
  I am trying to set up the ACI authorization system. Unfortunately, I
haven't been able to.

I am using version 1.0.2 on a Windows XP machine.

The partition is defined as follows:

<bean id="testparPartitionConfiguration"
      class="org.apache.directory.server.core.partition.impl.btree.MutableBTreePartitionConfiguration">
    <property name="name" value="testpar" />
    <property name="cacheSize" value="10"/>
    <property name="suffix" value="o=testpar" />
    <property name="optimizerEnabled" value="true" />
    <property name="synchOnWrite" value="true" />
    <property name="indexedAttributes">
      <set>
        <bean class="org.apache.directory.server.core.partition.impl.btree.MutableIndexConfiguration">
          <property name="attributeId" value="cn" />
          <property name="cacheSize" value="10" />
        </bean>
        <bean class="org.apache.directory.server.core.partition.impl.btree.MutableIndexConfiguration">
          <property name="attributeId" value="uid" />
          <property name="cacheSize" value="10" />
        </bean>
        <bean class="org.apache.directory.server.core.partition.impl.btree.MutableIndexConfiguration">
          <property name="attributeId" value="objectClass" />
          <property name="cacheSize" value="10" />
        </bean>
      </set>
    </property>
    <property name="contextEntry">
      <value>
        objectClass: top
        objectClass: organization
        objectClass: extensibleObject
        o: testpar
      </value>
    </property>
</bean>


The partition dump is:

# ========================================================================
# ApacheDS Tools Version: 1.0.2
# Partition Directory: c:\program files\apacheds-1.0.2\var\partitions\testpar
# ========================================================================


#---------------------
# Entry: 1
#---------------------

dn: o=testpar
o: testpar
administrativerole: accessControlSpecificArea
objectclass: top
objectclass: organization
objectclass: extensibleObject
accessControlSubentries: 2.5.4.3=testparauthorizationrequirementsacisubentry,2.5.4.10=testpar
modifyTimestamp: 20080615160255Z
modifiersName: 0.9.2342.19200300.100.1.1=admin,2.5.4.11=system


#---------------------
# Entry: 2
#---------------------

dn: ou=people,o=testpar
createTimestamp: 20080615160255Z
ou: people
objectclass: organizationalunit
objectclass: top
accessControlSubentries: 2.5.4.3=testparauthorizationrequirementsacisubentry,2.5.4.10=testpar
description: Contains entries which describe persons (employees)
creatorsName: 0.9.2342.19200300.100.1.1=admin,2.5.4.11=system


#---------------------
# Entry: 3
#---------------------

dn: uid=testme,ou=people,o=testpar
uid: testme
userpassword:: e1NIQX1Pcjd4b1V6T3pTRFd6b2tzdmdRcTV0ZEpSc2c9
sn: testme
createTimestamp: 20080615160255Z
ou: people
cn: testme testme
givenname: testme
o: testpar
objectclass: person
objectclass: inetorgperson
objectclass: organizationalperson
objectclass: top
accessControlSubentries: 2.5.4.3=testparauthorizationrequirementsacisubentry,2.5.4.10=testpar
creatorsName: 0.9.2342.19200300.100.1.1=admin,2.5.4.11=system


#---------------------
# Entry: 4
#---------------------

dn: cn=testparauthorizationrequirementsacisubentry,o=testpar
createTimestamp: 20080615160255Z
cn: testparauthorizationrequirementsacisubentry
prescriptiveaci:: base64encoded entry here
prescriptiveaci:: base64encoded entry here
accessControlSubentries: 2.5.4.3=testparauthorizationrequirementsacisubentry,2.5.4.10=testpar
objectclass: subentry
objectclass: accesscontrolsubentry
objectclass: top
subtreespecification: {}
creatorsName: 0.9.2342.19200300.100.1.1=admin,2.5.4.11=system

The decoded first prescriptiveaci entry is:

{
  identificationTag "directoryManagerFullAccessACI",
  precedence 11,
  authenticationLevel simple,
  itemOrUserFirst userFirst:
  {
    userClasses { name { "uid=testme,ou=people,o=testpar" } },
    userPermissions
    {
      {
        protectedItems { entry },
        grantsAndDenials { grantAdd, grantDiscloseOnError, grantRead, grantRemove,
                           grantBrowse, grantExport, grantImport, grantModify,
                           grantRename, grantReturnDN }
      },
      {
        protectedItems { allUserAttributeTypesAndValues },
        grantsAndDenials { grantAdd, grantDiscloseOnError, grantRead, grantRemove,
                           grantCompare, grantFilterMatch, grantInvoke }
      }
    }
  }
}

The decoded second prescriptiveaci entry is:

{
  identificationTag "allUsersACI",
  precedence 10,
  authenticationLevel none,
  itemOrUserFirst userFirst:
  {
    userClasses { allUsers },
    userPermissions
    {
      {
        protectedItems { entry },
        grantsAndDenials { grantDiscloseOnError, grantRead, grantBrowse, grantReturnDN }
      },
      {
        protectedItems { allUserAttributeTypesAndValues },
        grantsAndDenials { grantDiscloseOnError, grantRead, grantCompare, grantFilterMatch }
      },
      {
        protectedItems { attributeType { userPassword } },
        grantsAndDenials { denyRead, denyCompare, denyFilterMatch }
      },
      {
        protectedItems { attributeValue { superUser } },
        grantsAndDenials { denyRead, denyCompare, denyFilterMatch }
      }
    }
  }
}

Anonymous access is disabled and the ACI system is enabled in server.xml.
Both prescriptiveaci entries seem to be ignored. Any ideas?

Andreas
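The following is an added example, not part of Andreas's post and not ApacheDS code. It is a simplified Python model of the X.501 access control decision function (the algorithm ApacheDS's ACI subsystem implements): collect the ACI tuples that apply to a requestor, keep only the highest precedence, then the most specific user class, and deny if any remaining tuple denies. The two ACI items are transcribed by hand from the decoded prescriptiveaci values above; the attributeValue{superUser} item is left out because its syntax is incomplete, and only the allUsers and name user classes are modelled. Requestor DNs and attribute names are the ones from the post; everything else (class and function names) is an assumption of this example.

```python
"""Simplified X.501 access control decision function (ACDF) for reasoning
about the two prescriptiveACI items in the post. Added example; not code
from the post or from ApacheDS."""
from dataclasses import dataclass
from typing import Optional

AUTH_LEVELS = {"none": 0, "simple": 1, "strong": 2}
# X.501 tie-break at equal precedence: the more specific user class wins.
# Only the two user classes used in the post are modelled here.
USER_CLASS_RANK = {"allUsers": 0, "name": 3}


@dataclass(frozen=True)
class Requestor:
    dn: Optional[str]        # None means an anonymous requestor
    auth_level: str          # "none", "simple" or "strong"


@dataclass(frozen=True)
class Target:
    kind: str                # "entry" or "attribute"
    attr: Optional[str] = None


@dataclass(frozen=True)
class ACIItem:
    tag: str
    precedence: int
    auth_level: str
    user_classes: dict       # {"allUsers": None} or {"name": {dn, ...}}
    permissions: tuple       # ((protected_items, grants_and_denials), ...)


def _norm(s: str) -> str:
    return " ".join(s.lower().split())


def protects(protected_items, target: Target) -> bool:
    """Does one protectedItems set cover the target (entry or attribute)?"""
    for item in protected_items:
        if item == "entry" and target.kind == "entry":
            return True
        if item == "allUserAttributeTypesAndValues" and target.kind == "attribute":
            return True
        if (isinstance(item, tuple) and item[0] == "attributeType"
                and target.kind == "attribute" and target.attr is not None
                and _norm(target.attr) in {_norm(a) for a in item[1]}):
            return True
    return False


def user_class_rank(user_classes: dict, requestor: Requestor):
    """Highest-ranked user class the requestor belongs to, or None."""
    best = None
    for cls, members in user_classes.items():
        if cls == "allUsers":
            hit = True
        elif cls == "name":
            hit = requestor.dn is not None and _norm(requestor.dn) in {_norm(d) for d in members}
        else:
            raise ValueError("user class not modelled: " + cls)
        if hit and (best is None or USER_CLASS_RANK[cls] > best):
            best = USER_CLASS_RANK[cls]
    return best


def decide(items, requestor: Requestor, target: Target, permission: str):
    """Return (granted, reason) for one permission (e.g. "Read") on one target."""
    tuples = []  # (precedence, user class rank, is_grant, tag)
    for item in items:
        if AUTH_LEVELS[requestor.auth_level] < AUTH_LEVELS[item.auth_level]:
            continue  # item requires stronger authentication than the bind used
        rank = user_class_rank(item.user_classes, requestor)
        if rank is None:
            continue  # requestor is in none of the item's user classes
        for protected_items, grants_and_denials in item.permissions:
            if not protects(protected_items, target):
                continue
            if "grant" + permission in grants_and_denials:
                tuples.append((item.precedence, rank, True, item.tag))
            if "deny" + permission in grants_and_denials:
                tuples.append((item.precedence, rank, False, item.tag))
    if not tuples:
        return False, "no applicable ACI grants " + permission
    top = max(t[0] for t in tuples)                 # step 1: highest precedence
    tuples = [t for t in tuples if t[0] == top]
    specific = max(t[1] for t in tuples)            # step 2: most specific user class
    tuples = [t for t in tuples if t[1] == specific]
    denies = [t[3] for t in tuples if not t[2]]     # step 3: any deny wins
    if denies:
        return False, "denied by %s at precedence %d" % (denies[0], top)
    return True, "granted by %s at precedence %d" % (tuples[0][3], top)


# Transcribed from the decoded prescriptiveaci values in the post.
DIRECTORY_MANAGER_ACI = ACIItem(
    tag="directoryManagerFullAccessACI", precedence=11, auth_level="simple",
    user_classes={"name": {"uid=testme,ou=people,o=testpar"}},
    permissions=(
        (("entry",), {"grantAdd", "grantDiscloseOnError", "grantRead", "grantRemove",
                      "grantBrowse", "grantExport", "grantImport", "grantModify",
                      "grantRename", "grantReturnDN"}),
        (("allUserAttributeTypesAndValues",), {"grantAdd", "grantDiscloseOnError",
                      "grantRead", "grantRemove", "grantCompare", "grantFilterMatch",
                      "grantInvoke"}),
    ),
)
ALL_USERS_ACI = ACIItem(
    tag="allUsersACI", precedence=10, auth_level="none",
    user_classes={"allUsers": None},
    permissions=(
        (("entry",), {"grantDiscloseOnError", "grantRead", "grantBrowse", "grantReturnDN"}),
        (("allUserAttributeTypesAndValues",), {"grantDiscloseOnError", "grantRead",
                      "grantCompare", "grantFilterMatch"}),
        ((("attributeType", frozenset({"userPassword"})),),
                      {"denyRead", "denyCompare", "denyFilterMatch"}),
        # attributeValue{superUser} omitted: the post's value is not in attr=value form.
    ),
)
ACIS = (DIRECTORY_MANAGER_ACI, ALL_USERS_ACI)

if __name__ == "__main__":
    testme = Requestor("uid=testme,ou=people,o=testpar", "simple")
    anon = Requestor(None, "none")
    pw = Target("attribute", "userPassword")
    for who, tgt, perm in ((anon, Target("entry"), "Read"), (anon, pw, "Read"),
                           (anon, Target("entry"), "Modify"), (testme, pw, "Read"),
                           (testme, Target("entry"), "Modify"),
                           (Requestor(testme.dn, "none"), pw, "Read")):
        print(who.dn, who.auth_level, tgt, perm, "->", decide(ACIS, who, tgt, perm))
```

Two points the model makes visible: the precedence-11 item only applies when the bind actually satisfied `authenticationLevel simple`, so an unauthenticated request for uid=testme falls back to the allUsers item and its userPassword deny; and at equal precedence the deny on `attributeType{userPassword}` beats the grant on `allUserAttributeTypesAndValues`. When testing a setup like the one in the post, bind as the user the ACI names rather than as the administrator: ApacheDS exempts uid=admin,ou=system from access control, so requests made as admin succeed whether or not the subentries are in effect.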
