directory-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Varun Dev" <>
Subject RE: [apacheds] issues with ACI
Date Fri, 19 Jun 2009 11:01:25 GMT
Hi Stefan,
Thank you for your response.. please find my further replies inline.

>Hi Varun,
>Varun Dev wrote:
>> Hi,
>> I am new to apacheds and LDAP, I have recently downloaded and
>> apacheds. I want setup access control in my directory. When I import
>> example files on a fresh installation
>> apache_ds_tutorial.ldif
>> authz_sevenSeas.ldif
>> the user - Horatio Nelson does not have any permissions as per
>> prescriptiveaci in  sevenSeasAuthorizationRequirementsACISubentry
>> In apacheds 1.0, Horatio Nelson can login, when I try to edit some
>> attribute of a user I get following error in the apache studio and I
>> don't see any trace in log files.
>I haven't tested with 1.0, please use 1.5.4.
>> In apacheds 1.5, Horatio Nelson can't even log in throwing the
>> error 
>> Error while opening connection
>>  - [LDAP: error code 50 - INSUFFICIENT_ACCESS_RIGHTS: failed for
>> SearchReques
>You get this error using Studio, right?
>I also get this error when using Studio, however this is an issues of
>Studio, call it bug or feature ;-). When opening the connection Studio
>tries to fetch all available namingContexts (ou=system, ou=schema) and
>the schema (cn=schema). However with activated access control the
>rejects this with error 50. So one option is to allow the read access
>these trees using ACIs. But we have to consider to change studio to not
>search for those entries or to pop up this messages.

I think fetching all available namingContexts is a server behavior not
the studio behavior. When I login using PhpLdapAdmin, same happens.

>Anyway, when I click away the error message it works fine. Horatio
>Nelson could browse and edit the o=sevenSeas tree. And other sailors
>could browse, but not edit and don't see the userPassword attribute.
>Could you test please?
Yes I tried again and it behaves in the same way as you explained.

>Kind Regards,

With apacheds 1.0, apache studio and PhpLdapAdmin logs in fine and also
works fine with the example.
I need a web interface that is why I am using PhpLdapAdmin, and it fails
to work because of the exceptions that apacheds 1.5 throws when loging

Can this be fixed???

As you also mentioned, I guess I can try to give search permissions to
all users as a temporary fix to login without exceptions, but am not
sure if it will work. Can you tell me how can I do this, will I have to
create accessControlSubentry for each context?


View raw message