directory-users mailing list archives

From Ron Woods <rwo...@vaytek.com>
Subject RE: [ApacheDS] prescriptiveACI not working
Date Mon, 23 May 2011 16:24:28 GMT
Hi, Emmanuel,

Yes, I did stop and start the server after inserting the prescriptiveACI attributes, but it
still didn't work.

Sorry to hear that there is no current workaround; however, we can probably wait for the next
release: our application is still in design, at present.

While waiting for a reply to my question, I discovered that Apache Directory Studio can create
servers.  I did that and noticed the version is 1.5.6. Thinking that maybe it would work in
the prior version, I imported our directory into that server.  I added the prescriptiveACI,
but it didn't work in that context, either.  Should it be working in version 1.5.6?

Ron Woods

-----Original Message-----
From: Emmanuel Lecharny [mailto:elecharny@gmail.com] 
Sent: Friday, May 20, 2011 7:37 PM
To: users@directory.apache.org
Subject: Re: [ApacheDS] prescriptiveACI not working


On 5/20/11 6:24 PM, Ron Woods wrote:
> Hi,
>
> I have been going through the examples on this page in the manual 
> http://directory.apache.org/apacheds/1.5/32-basic-authorization.html
> (I am using ApacheDS 1.5.7 with Apache Directory Studio Version: 
> 1.5.3.v20100330)
>
> I am trying to apply the prescriptiveACIs to my own company directory partition, "o=vaytek".
> Per the instructions, I enabled the "accessControlEnabled" flag in server.xml.
> I have added to the top node "o=vaytek" the attribute "administrativeRole" with value
> "accessControlSpecificArea" to make it the administrative point.
> I have added a subentry with prescriptiveACIs
>
> 1) to deny allUsers access to the userPassword,
>
> 2) to allow allUsers to search and compare other attributes, and
>
> 3) to assign a specific user as the directory manager with full access,
> as follows:
>
> dn: cn=vaytekAuthorizationRequirementsACISubentry,o=vaytek
> objectClass: subentry
> objectClass: accessControlSubentry
> objectClass: top
> cn: vaytekAuthorizationRequirementsACISubentry
> subtreeSpecification: { }
> prescriptiveACI: {
>      identificationTag "allUsersACI",
>      precedence 10,
>      authenticationLevel simple,
>      itemOrUserFirst userFirst:
>      {
>          userClasses { allUsers },
>          userPermissions
>          {
>              {
>                  protectedItems
>                  {
>                      attributeType { userPassword }
>                  }
>                  ,
>                  grantsAndDenials
>                  {
>                      denyCompare,
>                      denyFilterMatch,
>                      denyRead
>                  }
>              }
>              ,
>              {
>                  protectedItems { allUserAttributeTypesAndValues, entry },
>                  grantsAndDenials
>                  {
>                      grantRead,
>                      grantReturnDN,
>                      grantCompare,
>                      grantDiscloseOnError,
>                      grantBrowse,
>                      grantFilterMatch
>                  }
>              }
>          }
>      }
> }
> prescriptiveACI: {
>      identificationTag "directoryManagerFullAccessACI",
>      precedence 11,
>      authenticationLevel simple,
>      itemOrUserFirst userFirst:
>      {
>          userClasses
>          {
>              name { "uid=rwoods,ou=Users,o=vaytek" }
>          }
>          ,
>          userPermissions
>          {
>              {
>                  protectedItems { allUserAttributeTypesAndValues, entry },
>                  grantsAndDenials
>                  {
>                      grantReturnDN,
>                      grantDiscloseOnError,
>                      grantExport,
>                      grantRemove,
>                      grantFilterMatch,
>                      grantBrowse,
>                      grantModify,
>                      grantImport,
>                      grantRead,
>                      grantRename,
>                      grantCompare,
>                      grantInvoke,
>                      grantAdd
>                  }
>              }
>          }
>      }
> }
>
> However, when I connect in Apache Directory Studio as user rwoods, then all I can see
> is RootDSE and nothing below it.

Just wondering: did you stop and start the server after having injected the ACI?

There is a bug in 1.5.7, which has been fixed in trunk, that makes the ACI not be reloaded
when the server is restarted, making the ACI subsystem totally useless.

I'm not saying that there is a workaround, or any solution to fix this issue in 1.5.7, sadly,
but to inform you about this problem.

We hope to get a new ADS release quite fast, but I'm more or less talking in terms of weeks,
not days.

Truly sorry for that :/

--
Regards,
Cordialement,
Emmanuel Lécharny
www.iktek.com

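To show how the two ACI items quoted in the thread should resolve once the server actually loads them (the 1.5.7 reload bug aside), here is an added, simplified model of the X.501 access control decision that ApacheDS applies to prescriptiveACI; it is not ApacheDS code, and the ACI data is re-typed from the thread as constructed input. It covers attribute permissions only, with the user classes name and allUsers.

```python
from dataclasses import dataclass

# User-class specificity, higher is more specific (X.501 18.8.4 step 3).
# userGroup and subtree are omitted: the thread's ACI does not use them.
SPECIFICITY = {"name": 2, "allUsers": 1}

@dataclass(frozen=True)
class Perm:
    """One userPermissions element of a prescriptiveACI, flattened."""
    tag: str
    precedence: int
    user_class: str     # "allUsers" or "name:<dn>"
    attrs: frozenset    # attribute types; "*" stands for allUserAttributeTypesAndValues
    grants: frozenset
    denials: frozenset

RWOODS = "uid=rwoods,ou=Users,o=vaytek"
READ_SET = frozenset({"Read", "ReturnDN", "Compare", "DiscloseOnError", "Browse", "FilterMatch"})
WRITE_SET = frozenset({"Export", "Remove", "Modify", "Import", "Rename", "Invoke", "Add"})
# The ACI items from the thread, re-typed here as constructed data.
ACI = [
    Perm("allUsersACI", 10, "allUsers", frozenset({"userPassword"}),
         frozenset(), frozenset({"Compare", "FilterMatch", "Read"})),
    Perm("allUsersACI", 10, "allUsers", frozenset({"*"}), READ_SET, frozenset()),
    Perm("directoryManagerFullAccessACI", 11, f"name:{RWOODS}", frozenset({"*"}),
         READ_SET | WRITE_SET, frozenset()),
]

def applies(p, bind_dn, attr):
    user_ok = p.user_class == "allUsers" or p.user_class == f"name:{bind_dn}"
    return user_ok and ("*" in p.attrs or attr in p.attrs)

def decide(perms, bind_dn, attr, permission):
    """True if `permission` on `attr` is granted to `bind_dn`. Steps follow
    X.501 18.8.4: keep applicable items, keep the highest precedence, keep the
    most specific user class, then any remaining denial wins. Protected-item
    specificity (step 4) is omitted; it does not change these outcomes."""
    cands = [p for p in perms if applies(p, bind_dn, attr)
             and (permission in p.grants or permission in p.denials)]
    if not cands:
        return False                  # nothing grants it: denied by default
    top = max(p.precedence for p in cands)
    cands = [p for p in cands if p.precedence == top]
    spec = max(SPECIFICITY[p.user_class.split(":", 1)[0]] for p in cands)
    cands = [p for p in cands if SPECIFICITY[p.user_class.split(":", 1)[0]] == spec]
    return not any(permission in p.denials for p in cands)

if __name__ == "__main__":
    for who in (RWOODS, "uid=alice,ou=Users,o=vaytek"):
        for attr in ("cn", "userPassword"):
            print(who, attr, "Read:", decide(ACI, who, attr, "Read"))
```

With the ACI loaded, rwoods reads userPassword because precedence 11 beats 10, while any other user is denied it because, at equal precedence and user class, the deny on attributeType userPassword wins over the grant on allUserAttributeTypesAndValues.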