directory-users mailing list archives

From Stefano Gargiulo <rastr...@gmail.com>
Subject Re: Warning while loading ACI (Apache DS 1.5.7)
Date Mon, 05 Jul 2010 15:54:27 GMT
I also have this warning in 1.5.7, but I'm using the demo ACI provided 
in the getting started example:

cn="sevenSeasAuthorizationRequirementsACISubentry"
subtreeSpecification="{}"
prescriptiveACI="{
                    identificationTag "directoryManagerFullAccessACI",
                    precedence 11,
                    authenticationLevel simple,
                    itemOrUserFirst userFirst:
                    {
                      userClasses
                      {
                        name { "cn=Horatio Nelson,ou=people,o=sevenSeas" }
                      },
                      userPermissions
                      {
                        {
                          protectedItems
                          {
                            entry, allUserAttributeTypesAndValues
                          },
                          grantsAndDenials
                          {
                            grantAdd, grantDiscloseOnError, grantRead,
                            grantRemove, grantBrowse, grantExport, grantImport,
                            grantModify, grantRename, grantReturnDN,
                            grantCompare, grantFilterMatch, grantInvoke
                          }
                        }
                      }
                    }
                  }"

In my case the ACI doesn't load, so I'm unable to use ACI in ApacheDS.

So I'm now using OpenDS in production, but I'm really waiting for a fix 
or a solution (I prefer ApacheDS but I need strong access control).

> The second prescriptiveACI seems to be ok, except that the 
> 'grantDiscloseOnError' element starts on a new line without a space at 
> first position. 

PS. What do you think about JSON for ACI syntax in a next version of 
ApacheDS?

Stefano.



On 25/06/2010 22:03, Emmanuel Lecharny wrote:
>  On 6/17/10 10:57 AM, Sudheer Kumar wrote:
>> dn: cn=RDSAuthorizationACISubentry,dc=xxx,dc=xx
>> changetype: add
>> objectclass: top
>> objectclass: subentry
>> objectclass: accessControlSubentry
>> cn: RDSAuthorizationACISubentry
>> subtreeSpecification: {}
>> prescriptiveACI: {
>>      identificationTag "directoryManagerFullAccessACI",
>>      precedence 11,
>>      authenticationLevel simple,
>>      itemOrUserFirst userFirst:
>>      {
>>        userClasses
>>        {
>>          name { "uid=adminuser,ou=people,dc=xxx,dc=com" }
>>        },
>>        userPermissions
>>        {
>>          {
>>            protectedItems
>>            {
>>              entry, allUserAttributeTypesAndValues
>>            },
>>            grantsAndDenials
>>            {
>>              grantAdd, grantDiscloseOnError, grantRead,
>>              grantRemove, grantBrowse, grantExport, grantImport,
>>              grantModify, grantRename, grantReturnDN,
>>              grantCompare, grantFilterMatch, grantInvoke
>>            }
>>          }
>>        }
>>      }
>>    }
>> prescriptiveACI: {
>>      identificationTag "allUsersACI",
>>      precedence 10,
>>      authenticationLevel none,
>>      itemOrUserFirst userFirst:
>>      {
>>        userClasses
>>        {
>>          allUsers
>>        },
>>        userPermissions
>>        {
>>          {
>>            protectedItems { entry, allUserAttributeTypesAndValues },
>>            grantsAndDenials { grantRead, grantBrowse, grantReturnDN,
>>                               grantCompare, grantFilterMatch,
>> grantDiscloseOnError }
>>          },
>>          {
>>            protectedItems { attributeType { userPassword } },
>>            grantsAndDenials { denyRead, denyCompare, denyFilterMatch }
>>          }
>>        }
>>      }
>>    }
> The second prescriptiveACI seems to be ok, except that the 
> 'grantDiscloseOnError' element starts on a new line without a space at 
> first position.
>
> I don't know if it's a mail artifact or not, can you check that?
>
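
The folding rule behind the remark about 'grantDiscloseOnError', as an added example that is not part of the original messages and is not ApacheDS code: in LDIF (RFC 2849) a line continues the previous value only if it starts with a single space, so a multi-line prescriptiveACI breaks at the first line that lacks one. The function name `lint_ldif`, the sample DN and the brace-balance heuristic are assumptions made for this sketch.

```python
import re

# Attribute description followed by ':' (covers ':', '::' and ':<').
# Simplification: numeric-OID attribute names are not recognised.
ATTR_LINE = re.compile(r"^[A-Za-z][A-Za-z0-9;.-]*:")

def lint_ldif(text):
    """Unfold one LDIF record; return (attribute_lines, problems).

    A line starting with a single space continues the previous line.
    Any other line must be 'attr: value', a '#' comment, or '-'.
    """
    attrs, problems = [], []
    for num, line in enumerate(text.splitlines(), start=1):
        if not line or line.startswith("#") or line == "-":
            continue
        if line.startswith(" "):
            if attrs:
                attrs[-1] += line[1:]  # drop the fold marker, then join
            else:
                problems.append((num, "continuation with nothing to continue"))
        elif ATTR_LINE.match(line):
            attrs.append(line)
        else:
            problems.append((num, "no leading space and not 'attr: value': %r" % line))
    # Heuristic: an ACI value cut short by a bad fold has unbalanced braces.
    for a in attrs:
        name, _, value = a.partition(":")
        if name.lower() == "prescriptiveaci" and value.count("{") != value.count("}"):
            problems.append((None, "unbalanced braces in prescriptiveACI after unfolding"))
    return attrs, problems

# Constructed sample modelled on the quoted LDIF: line 5 lost its leading space.
BROKEN = """dn: cn=exampleACISubentry,dc=example,dc=com
prescriptiveACI: {
   identificationTag "allUsersACI",
   grantsAndDenials { grantRead, grantBrowse,
grantDiscloseOnError }
 }
"""
FIXED = BROKEN.replace("\ngrantDisclose", "\n grantDisclose")

if __name__ == "__main__":
    for label, sample in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, lint_ldif(sample)[1])
```

Running the check on the LDIF file itself, rather than on text copied from a mail client, answers the question of whether the missing space is a mail artifact.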

