directory-users mailing list archives

From Mike Adamson <mikeat...@gmail.com>
Subject Re: [ApacheDS] ACLS - Set a user in a partition to be an admin
Date Thu, 12 May 2011 12:33:59 GMT
Hi,

You need to give the o=US,DC=mydomain,DC=org node an administrativeRole
attribute with a value of accessControlSpecificArea and then create a
subentry for it like:

dn: cn=adminSubentry,o=US,dc=mydomain,dc=org
changetype: add
objectclass: top
objectclass: subentry
objectclass: accessControlSubentry
cn: adminSubentry
subtreeSpecification: {}
prescriptiveACI: {
    identificationTag "administratorFullAccessACI",
    precedence 100,
    authenticationLevel simple,
    itemOrUserFirst userFirst: {
        userClasses {
            name { "uid=adminguy,ou=people(,o=US...,DC=org)." }
        },
        userPermissions {
            {
                protectedItems {
                    entry, allUserAttributeTypesAndValues
                },
                grantsAndDenials {
                    grantAdd, grantDiscloseOnError, grantRead,
                    grantRemove, grantBrowse, grantExport, grantImport,
                    grantModify, grantRename, grantReturnDN,
                    grantCompare, grantFilterMatch, grantInvoke
                }
            }
        }
    }
 }

I haven't had much joy applying these things with Directory Studio; it's
easier to put it all in an LDIF file and import it.

Cheers,

MikeA

On 11 May 2011 18:33, Steven Altsman <steven.altsman@gmail.com> wrote:

> Hi All,
>
> Pretty straightforward question, methinks: I have
> o=US,DC=mydomain,DC=org and in there I have
> uid=adminguy,ou=people(,o=US...,DC=org).  I want him to admin over
> o=US,DC=mydomain,DC=org.  I've got ApacheDS and Eclipse with Directory
> Studio extensions.
>
> Ibis redibis nunquam per bella peribis
>
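
An added example, not part of the original message or of ApacheDS: a small Python audit that unfolds an LDIF file and summarises each prescriptiveACI value, reporting which users it names, the authenticationLevel it requires, and whether it grants all 13 permissions from the subentry above. The dc=example,dc=org DNs and the function names are constructed for illustration, and values are assumed to be plain text rather than base64.

```python
import re

# The 13 grant permissions listed in the message's grantsAndDenials block.
ALL_GRANTS = frozenset("""grantAdd grantDiscloseOnError grantRead grantRemove
grantBrowse grantExport grantImport grantModify grantRename grantReturnDN
grantCompare grantFilterMatch grantInvoke""".split())

# Constructed sample: same ACI shape as the message, placeholder DNs.
SAMPLE_LDIF = """\
dn: cn=adminSubentry,o=US,dc=example,dc=org
objectclass: accessControlSubentry
subtreeSpecification: {}
prescriptiveACI: {
    identificationTag "administratorFullAccessACI", precedence 100,
    authenticationLevel simple,
    itemOrUserFirst userFirst: {
        userClasses { name { "uid=adminguy,ou=people,o=US,dc=example,dc=org" } },
        userPermissions { {
            protectedItems { entry, allUserAttributeTypesAndValues },
            grantsAndDenials {
                grantAdd, grantDiscloseOnError, grantRead, grantRemove,
                grantBrowse, grantExport, grantImport, grantModify, grantRename,
                grantReturnDN, grantCompare, grantFilterMatch, grantInvoke } } } } }
"""

def unfold(ldif):
    """Undo LDIF line folding: a newline followed by one space continues the value."""
    return re.sub(r"\r?\n ", "", ldif)

def audit_acis(ldif):
    """Return one summary dict per prescriptiveACI value (plain, not base64)."""
    findings, dn = [], None
    for line in unfold(ldif).splitlines():
        attr, _, value = line.partition(":")
        dn = value.strip() if attr.lower() == "dn" else dn
        if attr.lower() != "prescriptiveaci":
            continue
        tag = re.search(r'identificationTag\s+"([^"]*)"', value)
        level = re.search(r"authenticationLevel\s+(\w+)", value)
        names = re.findall(r'"([^"]*)"', " ".join(re.findall(r"name\s*\{([^}]*)\}", value)))
        grants = set(re.findall(r"\bgrant[A-Z]\w*", value))  # skips "grantsAndDenials"
        findings.append({
            "subentry": dn, "tag": tag and tag.group(1), "users": names,
            "authenticationLevel": level and level.group(1),
            "missing": sorted(ALL_GRANTS - grants), "full_access": grants >= ALL_GRANTS})
    return findings

if __name__ == "__main__":
    print(audit_acis(SAMPLE_LDIF))
```

Running it over an exported LDIF of the partition gives a quick list of which subentries hand out full access and to whom.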
