directory-users mailing list archives

From "Darko Hojnik" <hoj...@virtualizing.org>
Subject Re: Error with impimeting acl
Date Sun, 17 Apr 2011 19:15:02 GMT
Hello Emmanuel,

I don't know why, but ApacheDS Studio doesn't export the full tree of
example.com. So I've pasted it all in the mail in the hope that it will
help you. I got the same with a subentry. On the mailing list I've read
that it could be an old bug that is still not fixed after several months.
If it's the bug, ApacheDS will never be usable in every environment. I
still prefer ApacheDS, but as an alternative I'm working with 389 Directory
Server. Tomorrow I have to present a working solution to my customer as a
showcase.


dn: dc=example,dc=com
objectClass: domain
objectClass: top
dc: example
accessControlSubentries: 2.5.4.3=domainaclauthorizationrequirementsacisubent
 ry,0.9.2342.19200300.100.1.25=example,0.9.2342.19200300.100.1.25=com
administrativeRole: accessControlSpecificArea
createTimestamp: 20110417193045Z
creatorsName: 0.9.2342.19200300.100.1.1=admin,2.5.4.11=system
entryCSN: 20110417213045.184000Z#000000#000#000000
entryUUID:: YjQzZmU0ZTEtYTIyOS00ZTc1LWI4NmUtNGMyMmE4MWVmMDJl
modifiersName: 0.9.2342.19200300.100.1.1=admin,2.5.4.11=system
modifyTimestamp: 20110417203043Z

dn: ou=people,dc=example,dc=com
objectClass: organizationalUnit
objectClass: top
ou: people
accessControlSubentries: 2.5.4.3=domainaclauthorizationrequirementsacisubent
 ry,0.9.2342.19200300.100.1.25=example,0.9.2342.19200300.100.1.25=com
createTimestamp: 20110417193324Z
creatorsName: 0.9.2342.19200300.100.1.1=admin,2.5.4.11=system
entryCSN: 20110417213324.006000Z#000000#000#000000
entryUUID:: Y2RlMDIzMzktZTkxNi00MDc2LWE2Y2EtMzhiY2M1YjNlYWRl

dn: uid=domainadmin,ou=people,dc=example,dc=com
objectClass: organizationalPerson
objectClass: person
objectClass: krb5Principal
objectClass: inetOrgPerson
objectClass: krb5KDCEntry
objectClass: top
cn: Domain Administrator
krb5KeyVersionNumber: 1
krb5PrincipalName: domainadmin@EXAMPLE.COM
sn: Domain Administrator
krb5Key:: MBmgAwIBEaESBBBse6p1boUg9NNd/97pPWgQ
krb5Key:: MBGgAwIBA6EKBAh/+DFiyCCFEw==
krb5Key:: MCGgAwIBEKEaBBiuzuXmSc6nDVRFZ8FMT4lP09Crsy9zXgE=
krb5Key:: MCmgAwIBEqEiBCDIcp4KczHRss9lQcBdX7OlRpoh70jcRfzUU8Lnm+lOmg==
krb5Key:: MBmgAwIBF6ESBBAYelAhhW5cfPy8Z3Xty4OH
uid: domainadmin
userPassword:: e01ENX1PRmoySWpDc1BKRmZNQXhtUXhMR1B3PT0=
accessControlSubentries: 2.5.4.3=domainaclauthorizationrequirementsacisubent
 ry,0.9.2342.19200300.100.1.25=example,0.9.2342.19200300.100.1.25=com
createTimestamp: 20110417193544Z
creatorsName: 0.9.2342.19200300.100.1.1=admin,2.5.4.11=system
entryCSN: 20110417213544.185000Z#000000#000#000000
entryUUID:: NTM2Yzg5M2EtZmM3YS00YjAxLWJjYTgtMjE1NWFhMjc5NzA3
modifiersName: 0.9.2342.19200300.100.1.1=admin,2.5.4.11=system
modifyTimestamp: 20110417201959Z

dn: dc=example,dc=com
changetype: modify
add: administrativeRole
administrativeRole: accessControlSpecificArea


dn: cn=DomainACLAuthorizationRequirementsACISubentry,dc=example,dc=com
changetype: add
objectclass: top
objectclass: subentry
objectclass: accessControlSubentry
cn: DomainACLAuthorizationRequirementsACISubentry
subtreeSpecification: {}
prescriptiveACI: {
     identificationTag "directoryManagerFullAccessACI",
     precedence 11,
     authenticationLevel simple,
     itemOrUserFirst userFirst:
     {
       userClasses
       {
         name { "uid=domainadmin,ou=people,dc=example,dc=com" }
       },
       userPermissions
       {
         {
           protectedItems
           {
             entry, allUserAttributeTypesAndValues
           },
           grantsAndDenials
           {
             grantAdd, grantDiscloseOnError, grantRead,
             grantRemove, grantBrowse, grantExport, grantImport,
             grantModify, grantRename, grantReturnDN,
             grantCompare, grantFilterMatch, grantInvoke
           }
         }
       }
     }
   }
prescriptiveACI: {
     identificationTag "allUsersACI",
     precedence 10,
     authenticationLevel none,
     itemOrUserFirst userFirst:
     {
       userClasses
       {
         allUsers
       },
       userPermissions
       {
         {
           protectedItems { entry, allUserAttributeTypesAndValues },
           grantsAndDenials { grantRead, grantBrowse, grantReturnDN,
                              grantCompare, grantFilterMatch, grantDiscloseOnError }
         },
         {
           protectedItems { attributeType { userPassword } },
           grantsAndDenials { denyRead, denyCompare, denyFilterMatch }
       }
    }




On 17.04.2011, 11:06, Emmanuel Lecharny <elecharny@gmail.com> wrote:

> On 4/17/11 6:16 AM, Darko Hojnik wrote:
>> Hi there,
>>
>> I've tried for a few hours to get a working ACL on the partition
>> example.com. I've read and tried the sample on the ApacheDS wiki with
>> the sevenSeas sample, and at last did it all myself with ApacheDS Studio.
>> When restarting ApacheDS I always get an error message such as
>>
>> [05:49:06] WARN [org.apache.directory.server.core.authz.TupleCache] -  
>> Found accessControlSubentry  
>> 'cn=domainfullAuthorizationRequirementsACISubentry,dc=example,dc=com'  
>> without any prescriptiveACI
>
> Have you added a subentry? If so, can you provide it?
>
> Can you also provide the AdministrativePoint entry?
>
>
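
A pre-import check for the kind of LDIF pasted in this message, as an added example (not part of the thread and not ApacheDS code): it unfolds RFC 2849 continuation lines, flags lines that a mail client wrapped without the leading space, and reports accessControlSubentry entries whose prescriptiveACI is missing or has unbalanced braces. The sample LDIF and the function name `lint_aci_subentries` are constructed for illustration; the check is structural only and does not implement the full ACIItem grammar.

```python
import re

# Constructed sample modelled on the subentry in the message above.
SAMPLE = """\
dn: cn=goodACI,dc=example,dc=com
objectclass: accessControlSubentry
prescriptiveACI: { identificationTag "ok", precedence 10, authenticationLevel none,
  itemOrUserFirst userFirst: { userClasses { allUsers }, userPermissions { {
  protectedItems { entry }, grantsAndDenials { grantRead } } } } }

dn: cn=wrappedACI,dc=example,dc=com
objectclass: accessControlSubentry
prescriptiveACI: { identificationTag "cut", precedence 10, authenticationLevel none,
  itemOrUserFirst userFirst: { userClasses { allUsers }, userPermissions { {
  protectedItems { entry }, grantsAndDenials { grantRead,
grantBrowse } } } } }

dn: cn=emptyACI,dc=example,dc=com
objectclass: accessControlSubentry
"""
ATTR = re.compile(r"([A-Za-z][A-Za-z0-9;.-]*)::?\s*(.*)$")  # "attr: value" / "attr:: b64"

def lint_aci_subentries(ldif):
    """Return {dn: [problems]} for each accessControlSubentry in LDIF text."""
    report = {}
    for block in re.split(r"\n(?:[ \t]*\n)+", ldif.strip()):
        logical, stray = [], []
        for line in block.splitlines():
            if line.startswith(" ") and logical:
                logical[-1] += line[1:]      # RFC 2849 folding: drop one leading space
            else:                            # unfolded text without "attr:" is a stray line
                (logical if ATTR.match(line) else stray).append(line)
        attrs = [(m.group(1).lower(), m.group(2)) for m in map(ATTR.match, logical)]
        if not any(k == "objectclass" and v.lower() == "accesscontrolsubentry" for k, v in attrs):
            continue
        dn = next(v for k, v in attrs if k == "dn")
        problems = [f"line is not an LDIF continuation: {s!r}" for s in stray]
        acis = [v for k, v in attrs if k == "prescriptiveaci"]
        if not acis:
            problems.append("no prescriptiveACI value")
        for aci in acis:
            bare = re.sub(r'"[^"]*"', "", aci)         # ignore braces inside quoted strings
            depth = bare.count("{") - bare.count("}")  # net unclosed '{'
            if depth:
                tag = re.search(r'identificationTag\s+"([^"]*)"', aci)
                problems.append(f"ACI {tag.group(1) if tag else '?'}: {depth:+d} unbalanced braces")
        report[dn] = problems
    return report
```

Running it over an LDIF file before import shows which subentry would load without a usable prescriptiveACI and which lines lost their folding in transit.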
