directory-users mailing list archives

From Kevin Hamilton <khamil...@umem.org>
Subject Re: [ApacheDS] Re: Access Restriction
Date Fri, 04 Nov 2011 17:58:40 GMT
I got it working!

Thank you all so much for your help. You guys are life savers!

-Kevin

On Fri, Nov 4, 2011 at 1:41 PM, Oliver Schmidt
<oliver.schmidt.wue@arcor.de> wrote:
> Hi Kevin,
>
> sorry for the confusion. administrativeRole has to be added to the entry
> under which the protected items are. E.g. ou=people,ou=example.com
>
> The subentry has also to be stored there. You should re-apply the
> userPassword in order to do at least simple authentication.
>
> A little background:
> A subentry is a kind of selector for all elements under its parent element.
> E.g. You can create a subentry under, let's say ou=people,... which selects
> all people with the attribute value memberOf=mygroup. Then you can add
> attributes to the subentry and those attributes automatically apply to all
> elements selected by the subentry. This way, you can automatically add
> attributes which are common to a specific group of elements. Even to
> elements which do not yet exist in your DIT.
>
> --
> Kind regards / freundliche Grüße
> Oliver Schmidt
>
> Sent via HP Veer
>
> On 04.11.2011 at 17:33, Kevin Hamilton <khamilton@umem.org> wrote:
>
>> Ok, so if I remove the userPassword, sn, and mail attributes from the
>> entry (the new accessControlSubentry) then it lets me create it. The
>> record exists as a subentry of the uid=admin2 object. When I bind to
>> ApacheDS as admin2, I still cannot see anything but the tree root.
>>
>> Any more advice on this and why it would say my userPassword, sn, and
>> mail attributes were invalid for the accessControlSubentry, subentry,
>> and top objectclasses?
>>
>> Thanks,
>> Kevin
>>
>> On Fri, Nov 4, 2011 at 9:48 AM, Kevin Hamilton <khamilton@umem.org> wrote:
>>>
>>> I am using ADS 2.0.0-M2.
>>>
>>> Thanks,
>>> Kevin
>>>
>>> On Fri, Nov 4, 2011 at 9:39 AM, Emmanuel Lécharny <elecharny@apache.org>
>>> wrote:
>>>>
>>>> On 11/4/11 2:29 PM, Kevin Hamilton wrote:
>>>>>
>>>>> The cn=admin2Test,uid=admin2,ou=system was never created because the
>>>>> error occurred while I was trying to create it.
>>>>>
>>>>> I was following Oliver's instructions by doing the following:
>>>>> 2) Add a new entry below the entry where you have added the
>>>>> "administrativeRole" attribute. Use the object classes
>>>>> "accessControlSubentry", "subentry" and "top". As RDN attribute name,
>>>>> use
>>>>> "cn" and choose a name of your preference.
>>>>> 2a) You will be asked to specify the subentry. Leave it empty.
>>>>> 2b) You will be asked to specify the ACI element:
>>>>>     * Identificator:<your choice>
>>>>>     * Priority: 0
>>>>>     * Authentication level: simple=non-SASL / strong=SASL (I would
>>>>> choose
>>>>> simple first)
>>>>>     * User or element first: User
>>>>>     * User classes: Choose "name" and specify your admin2
>>>>>     * User permissions:
>>>>>       * Protected elements: "entry", "all user attribute types and
>>>>> values"
>>>>>       * Grants and denials: Here, you can grant everything
>>>>>
>>>>>
>>>>> When he says add a new entry below the entry where I added
>>>>> administrativeRole, he means I should right click on the
>>>>> uid=admin,ou=system and add an entry to that, right? That is what I
>>>>> have been doing. Is this incorrect?
>>>>
>>>> No, this is the way it should be done.
>>>>
>>>> The error message is a bit surprising...
>>>>
>>>> What version of ADS are you using ?
>>>>
>>>>
>>>> --
>>>> Regards,
>>>> Cordialement,
>>>> Emmanuel Lécharny
>>>> www.iktek.com
>>>>
>>>>
>>>
>>>
>>>
>>> --
>>> Thanks,
>>> Kevin
>>>
>>
>>
>>
>
>
> --
> Created with Opera's revolutionary e-mail module: http://www.opera.com/mail/
>



-- 
Thanks,
Kevin
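The steps Oliver describes above (mark the parent as an administrative point, then add an accessControlSubentry below it carrying one ACI for admin2), written out as a single LDIF file. This is an added example, not posted in the thread and not from the ApacheDS project; it assumes a partition with suffix dc=example,dc=com containing ou=people, that admin2 exists as uid=admin2,ou=system and already holds a userPassword for a simple bind, and that access control is switched on in the server configuration (ApacheDS ignores ACIs while it is off, and once it is on a non-admin user is denied everything that no ACI grants, which is the "I can only see the tree root" symptom). Note that userPassword, sn and mail are not among the attributes the subentry object classes allow, which is why ApacheDS rejected them on the subentry; they belong on the user entry.

```ldif
# Added example (not from the thread): grant uid=admin2,ou=system full
# access to every entry under ou=people,dc=example,dc=com.
# Assumed names: dc=example,dc=com, ou=people, uid=admin2,ou=system,
# and the identification tag admin2FullAccess.
# Apply as the directory admin, e.g.:
#   ldapmodify -h localhost -p 10389 -D uid=admin,ou=system -W -f aci.ldif

# 1) Turn ou=people into an access-control specific administrative point.
#    Subentries are only accepted below an entry that has this role.
dn: ou=people,dc=example,dc=com
changetype: modify
add: administrativeRole
administrativeRole: accessControlSpecificArea

# 2) Add the subentry directly below that administrative point.
#    Only attributes allowed by top/subentry/accessControlSubentry go here:
#    cn, subtreeSpecification and prescriptiveACI.
dn: cn=admin2FullAccess,ou=people,dc=example,dc=com
changetype: add
objectClass: top
objectClass: subentry
objectClass: accessControlSubentry
cn: admin2FullAccess
# Empty subtree specification: selects the whole subtree under ou=people,
# including entries created later.
subtreeSpecification: { }
# One ACI: user-first, simple bind, user class "name" = admin2,
# protected items "entry" plus all user attribute types and values,
# every permission granted. Continuation lines start with one space.
prescriptiveACI: {
   identificationTag "admin2FullAccess",
   precedence 0,
   authenticationLevel simple,
   itemOrUserFirst userFirst: {
     userClasses { name { "uid=admin2,ou=system" } },
     userPermissions {
       {
         protectedItems { entry, allUserAttributeTypesAndValues },
         grantsAndDenials {
           grantAdd, grantDiscloseOnError, grantRead, grantRemove,
           grantBrowse, grantExport, grantImport, grantModify,
           grantRename, grantReturnDN, grantCompare, grantFilterMatch,
           grantInvoke
         }
       }
     }
   }
 }
```

To verify, bind as uid=admin2,ou=system with a simple bind and search the subtree under ou=people; entries should now be returned. Binding as admin2 against a container outside ou=people should still return nothing, because the ACI only applies to the subtree selected by the subentry. Replace the full grant list with the subset of grant* operations admin2 actually needs once the setup works; granting everything is a convenient first test, not a least-privilege configuration.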
