directory-users mailing list archives

From Ron Woods <rwo...@vaytek.com>
Subject [ApacheDS] prescriptiveACI not working
Date Fri, 20 May 2011 16:24:37 GMT
Hi,

I have been going through the examples on this page in the manual http://directory.apache.org/apacheds/1.5/32-basic-authorization.html
(I am using ApacheDS 1.5.7 with Apache Directory Studio Version: 1.5.3.v20100330)

I am trying to apply the prescriptiveACIs to my own company directory partition, "o=vaytek".
Per the instructions, I enabled the "accessControlEnabled" flag in server.xml.
I have added to the top node "o=vaytek" the attribute "administrativeRole" with value "accessControlSpecificArea"
to make it the administrative point.
I have added a subentry with prescriptiveACIs

1)      to deny allUsers access to the userPassword,

2)      to allow allUsers to search and compare other attributes, and

3)      to assign a specific user as the directory manager with full access,
as follows:

# Access-control subentry for o=vaytek. In LDIF, every continuation line of a
# multi-line value must begin with a space, so the closing braces of each
# prescriptiveACI value are indented as well; a brace in column 0 would be
# read as a new (malformed) attribute line rather than as part of the value.
dn: cn=vaytekAuthorizationRequirementsACISubentry,o=vaytek
objectClass: subentry
objectClass: accessControlSubentry
objectClass: top
cn: vaytekAuthorizationRequirementsACISubentry
subtreeSpecification: { }
# ACI 1: allUsers may not read, compare or filter on userPassword, but may
# read, compare, search and browse every other user attribute and the entry.
prescriptiveACI: {
    identificationTag "allUsersACI",
    precedence 10,
    authenticationLevel simple,
    itemOrUserFirst userFirst:
    {
        userClasses { allUsers },
        userPermissions
        {
            {
                protectedItems
                {
                    attributeType { userPassword }
                }
                ,
                grantsAndDenials
                {
                    denyCompare,
                    denyFilterMatch,
                    denyRead
                }
            }
            ,
            {
                protectedItems { allUserAttributeTypesAndValues, entry },
                grantsAndDenials
                {
                    grantRead,
                    grantReturnDN,
                    grantCompare,
                    grantDiscloseOnError,
                    grantBrowse,
                    grantFilterMatch
                }
            }
        }
    }
 }
# ACI 2: the directory manager gets every permission at a higher precedence
# than the allUsers rule.
prescriptiveACI: {
    identificationTag "directoryManagerFullAccessACI",
    precedence 11,
    authenticationLevel simple,
    itemOrUserFirst userFirst:
    {
        userClasses
        {
            name { "uid=rwoods,ou=Users,o=vaytek" }
        }
        ,
        userPermissions
        {
            {
                protectedItems { allUserAttributeTypesAndValues, entry },
                grantsAndDenials
                {
                    grantReturnDN,
                    grantDiscloseOnError,
                    grantExport,
                    grantRemove,
                    grantFilterMatch,
                    grantBrowse,
                    grantModify,
                    grantImport,
                    grantRead,
                    grantRename,
                    grantCompare,
                    grantInvoke,
                    grantAdd
                }
            }
        }
    }
 }

However, when I connect in Apache Directory Studio as user rwoods, all I can see is the RootDSE
and nothing below it.
Ditto if I connect as any other user.  The user entries are in "ou=users,o=vaytek", in a similar
manner to the doc example "ou=people,o=sevenSeas".
I checked the mailing list archives and found this thread
http://mail-archives.apache.org/mod_mbox/directory-users/201105.mbox/%3cBANLkTimQO8SKB4Na--TSYbHR5mf1qQvaEw@mail.gmail.com%3e
but I've already set the administrativeRole attribute.
Any help to get this working would be greatly appreciated.

Ron Woods
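An added pre-flight check for a subentry like the one in the message above, written for this archive page and not part of the original post or of ApacheDS itself: it unfolds the LDIF according to RFC 2849 (a continuation line starts with a single space; any other non-comment line must be "attr: value"), checks that the subentry carries the objectClasses and subtreeSpecification it needs, and summarises each prescriptiveACI's identificationTag, precedence and grant/deny counts so the rule set can be reviewed before it is loaded. The embedded LDIF is constructed from the post; a second, deliberately broken copy shows what happens if a closing brace is left in column 0, where LDIF reads it as a new, malformed attribute line. All function names are this example's own.

```python
"""Pre-flight lint for an ApacheDS access-control subentry written in LDIF."""
import re

# Constructed from the post (the same subentry and two ACIs), folded the way
# RFC 2849 requires: every continuation line begins with a space.
SUBENTRY_LDIF = """\
dn: cn=vaytekAuthorizationRequirementsACISubentry,o=vaytek
objectClass: subentry
objectClass: accessControlSubentry
objectClass: top
cn: vaytekAuthorizationRequirementsACISubentry
subtreeSpecification: { }
prescriptiveACI: { identificationTag "allUsersACI", precedence 10,
  authenticationLevel simple, itemOrUserFirst userFirst: {
  userClasses { allUsers }, userPermissions { { protectedItems {
  attributeType { userPassword } }, grantsAndDenials { denyCompare,
  denyFilterMatch, denyRead } }, { protectedItems {
  allUserAttributeTypesAndValues, entry }, grantsAndDenials { grantRead,
  grantReturnDN, grantCompare, grantDiscloseOnError, grantBrowse,
  grantFilterMatch } } } } }
prescriptiveACI: { identificationTag "directoryManagerFullAccessACI",
  precedence 11, authenticationLevel simple, itemOrUserFirst userFirst: {
  userClasses { name { "uid=rwoods,ou=Users,o=vaytek" } }, userPermissions {
  { protectedItems { allUserAttributeTypesAndValues, entry },
  grantsAndDenials { grantReturnDN, grantDiscloseOnError, grantExport,
  grantRemove, grantFilterMatch, grantBrowse, grantModify, grantImport,
  grantRead, grantRename, grantCompare, grantInvoke, grantAdd } } } } }
"""

# Constructed negative case: the outermost closing brace of the first ACI
# pushed to column 0, i.e. no longer a continuation line.
BROKEN_LDIF = SUBENTRY_LDIF.replace(
    "grantFilterMatch } } } } }", "grantFilterMatch } } } }\n}")

REQUIRED_CLASSES = {"subentry", "accessControlSubentry"}
TAG_RE = re.compile(r'identificationTag\s+"([^"]+)"')
PREC_RE = re.compile(r"precedence\s+(\d+)")
GRANT_RE = re.compile(r"\bgrant[A-Z]\w*")  # grantRead, grantBrowse, ...
DENY_RE = re.compile(r"\bdeny[A-Z]\w*")    # denyRead, denyCompare, ...


def unfold_ldif(text):
    """Return (attribute, value) pairs for one LDIF record.

    A line starting with a space continues the previous value (the leading
    space is dropped), '#' lines are comments, blank lines are skipped, and
    anything else must be 'attr: value'. Raises ValueError otherwise.
    """
    attrs = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if raw.startswith("#"):
            continue
        if raw.startswith(" "):
            if not attrs:
                raise ValueError(f"line {lineno}: continuation before any attribute")
            name, value = attrs[-1]
            attrs[-1] = (name, value + raw[1:])
            continue
        if not raw.strip():
            continue
        if ":" not in raw:
            raise ValueError(f"line {lineno}: not 'attr: value': {raw!r}")
        name, value = raw.split(":", 1)
        attrs.append((name.strip(), value.strip()))
    return attrs


def is_valid_ldif(text):
    """True if the record unfolds without a syntax error."""
    try:
        unfold_ldif(text)
    except ValueError:
        return False
    return True


def lint_subentry(text):
    """Check the subentry's shape and summarise its ACIs.

    Returns {'dn', 'acis': [(tag, precedence, grants, denials), ...],
    'problems': [...]}; an empty 'problems' list means nothing was flagged.
    """
    attrs = unfold_ldif(text)
    problems = []
    dn = next((v for k, v in attrs if k.lower() == "dn"), None)
    if dn is None:
        problems.append("record has no dn")
    classes = {v for k, v in attrs if k.lower() == "objectclass"}
    missing = REQUIRED_CLASSES - classes
    if missing:
        problems.append("missing objectClass: " + ", ".join(sorted(missing)))
    if not any(k.lower() == "subtreespecification" for k, _ in attrs):
        problems.append("no subtreeSpecification, so the subentry applies nowhere")
    acis = []
    for k, v in attrs:
        if k.lower() != "prescriptiveaci":
            continue
        if v.count("{") != v.count("}"):
            problems.append("unbalanced braces in ACI starting " + v[:40])
        tag, prec = TAG_RE.search(v), PREC_RE.search(v)
        if not tag or not prec:
            problems.append("ACI without identificationTag or precedence")
            continue
        acis.append((tag.group(1), int(prec.group(1)),
                     len(GRANT_RE.findall(v)), len(DENY_RE.findall(v))))
    return {"dn": dn, "acis": acis, "problems": problems}


if __name__ == "__main__":
    report = lint_subentry(SUBENTRY_LDIF)
    for tag, prec, grants, denials in report["acis"]:
        print(f"{tag}: precedence {prec}, {grants} grants, {denials} denials")
    print("problems:", report["problems"] or "none")
    print("column-0 brace version is valid LDIF:", is_valid_ldif(BROKEN_LDIF))
```

The summary only counts grants and denials; it does not evaluate X.501 precedence or specificity, so it tells you what rules the server will load, not what a given bind will be allowed to see.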
