directory-users mailing list archives

From Emmanuel Lecharny <elecha...@gmail.com>
Subject Re: [ApacheDS] prescriptiveACI not working
Date Sat, 21 May 2011 00:36:39 GMT

On 5/20/11 6:24 PM, Ron Woods wrote:
> Hi,
>
> I have been going through the examples on this page in the manual http://directory.apache.org/apacheds/1.5/32-basic-authorization.html
> (I am using ApacheDS 1.5.7 with Apache Directory Studio Version: 1.5.3.v20100330)
>
> I am trying to apply the prescriptiveACI's to my own company directory partition, "o=vaytek".
> Per the instructions, I enabled the "accessControlEnabled" flag in server.xml.
> I have added to the top node "o=vaytek" the attribute "administrativeRole" with value
> "accessControlSpecificArea" to make it the administrative point.
> I have added a subentry with prescriptiveACI's
>
> 1)      to deny allUsers access to the userPassword,
>
> 2)      to allow allUsers to search and compare other attributes, and
>
> 3)      to assign a specific user as the directory manager with full access,
> as follows:
>
> dn: cn=vaytekAuthorizationRequirementsACISubentry,o=vaytek
> objectClass: subentry
> objectClass: accessControlSubentry
> objectClass: top
> cn: vaytekAuthorizationRequirementsACISubentry
> subtreeSpecification: { }
> prescriptiveACI: {
>      identificationTag "allUsersACI",
>      precedence 10,
>      authenticationLevel simple,
>      itemOrUserFirst userFirst:
>      {
>          userClasses { allUsers },
>          userPermissions
>          {
>              {
>                  protectedItems
>                  {
>                      attributeType { userPassword }
>                  }
>                  ,
>                  grantsAndDenials
>                  {
>                      denyCompare,
>                      denyFilterMatch,
>                      denyRead
>                  }
>              }
>              ,
>              {
>                  protectedItems { allUserAttributeTypesAndValues, entry },
>                  grantsAndDenials
>                  {
>                      grantRead,
>                      grantReturnDN,
>                      grantCompare,
>                      grantDiscloseOnError,
>                      grantBrowse,
>                      grantFilterMatch
>                  }
>              }
>          }
>      }
> }
> prescriptiveACI: {
>      identificationTag "directoryManagerFullAccessACI",
>      precedence 11,
>      authenticationLevel simple,
>      itemOrUserFirst userFirst:
>      {
>          userClasses
>          {
>              name { "uid=rwoods,ou=Users,o=vaytek" }
>          }
>          ,
>          userPermissions
>          {
>              {
>                  protectedItems { allUserAttributeTypesAndValues, entry },
>                  grantsAndDenials
>                  {
>                      grantReturnDN,
>                      grantDiscloseOnError,
>                      grantExport,
>                      grantRemove,
>                      grantFilterMatch,
>                      grantBrowse,
>                      grantModify,
>                      grantImport,
>                      grantRead,
>                      grantRename,
>                      grantCompare,
>                      grantInvoke,
>                      grantAdd
>                  }
>              }
>          }
>      }
> }
>
> However, when I connect in Apache Directory Studio as user rwoods, then all I can see
> is RootDSE and nothing below it.

Just wondering: did you stop and start the server after having 
injected the ACI?

There is a bug in 1.5.7, which has been fixed in trunk, that makes the ACIs 
not reload when the server is restarted, making the ACI 
subsystem totally useless.

I'm not saying that there is a workaround or any solution to fix this 
issue in 1.5.7, sadly, but I wanted to inform you about this problem.

We hope to get a new ADS release quite fast, but I'm more or less 
talking in terms of weeks, not days.

Truly sorry for that :/

-- 
Regards,
Cordialement,
Emmanuel Lécharny
www.iktek.com
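As an added illustration (not code from this thread or from ApacheDS), the following Python models what the two prescriptiveACI values quoted above should decide for a few requests, so the expected outcomes can be compared with what the server actually enforces after a restart. The simplified X.501 decision steps, the tuple table transcribed from the LDIF, and the test DN uid=alice are assumptions of this example.

```python
"""Expected outcomes of the two prescriptiveACI values posted above, under a
simplified X.501 basic-access-control decision: keep the tuples whose user
class, protected item and micro-operation apply; keep the highest precedence,
then the most specific user class, then the most specific protected item;
grant only if a tuple is left and every remaining tuple grants. Requesters
are assumed to be simple-bound (authenticationLevel simple)."""
USER_SPEC = {"name": 3, "userGroup": 2, "subtree": 1, "allUsers": 0}
# Transcribed from the posted LDIF:
# (identificationTag, precedence, (userClass, value), protectedItems, grants, denials)
ACI_TUPLES = [
    ("allUsersACI", 10, ("allUsers", None), [("attributeType", "userPassword")],
     set(), {"Compare", "FilterMatch", "Read"}),
    ("allUsersACI", 10, ("allUsers", None),
     [("allUserAttributeTypesAndValues", None), ("entry", None)],
     {"Read", "ReturnDN", "Compare", "DiscloseOnError", "Browse", "FilterMatch"}, set()),
    ("directoryManagerFullAccessACI", 11, ("name", "uid=rwoods,ou=Users,o=vaytek"),
     [("allUserAttributeTypesAndValues", None), ("entry", None)],
     {"ReturnDN", "DiscloseOnError", "Export", "Remove", "FilterMatch", "Browse",
      "Modify", "Import", "Read", "Rename", "Compare", "Invoke", "Add"}, set()),
]

def _norm(dn):
    return ",".join(p.strip().lower() for p in dn.split(","))

def _user_ok(user_class, user_dn):
    kind, value = user_class
    return kind == "allUsers" or (kind == "name" and _norm(value) == _norm(user_dn))

def _item_spec(items, target):
    """Best matching protected item's specificity, or None; attributeType beats the wildcard."""
    scores = []
    for kind, value in items:  # target is "entry" or an attribute type name
        if target == "entry":
            scores += [1] if kind == "entry" else []
        elif kind == "attributeType" and value.lower() == target.lower():
            scores.append(2)
        elif kind == "allUserAttributeTypesAndValues":
            scores.append(1)
    return max(scores) if scores else None

def decide(user_dn, micro_op, target):
    """Return (granted, identificationTags of the tuples that decided it)."""
    tuples = [t for t in ACI_TUPLES if _user_ok(t[2], user_dn)
              and micro_op in t[4] | t[5] and _item_spec(t[3], target) is not None]
    for key in (lambda t: t[1], lambda t: USER_SPEC[t[2][0]],
                lambda t: _item_spec(t[3], target)):  # narrow step by step
        if tuples:
            top = max(key(t) for t in tuples)
            tuples = [t for t in tuples if key(t) == top]
    return bool(tuples) and all(micro_op in t[4] for t in tuples), [t[0] for t in tuples]
```

Note that the precedence-11 item lets rwoods read userPassword despite the allUsers denial, while any other simple-bound user can browse entries but not read userPassword; a bind as rwoods that shows only the RootDSE means no tuple is being applied at all, which is the reload bug described in the reply.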

