directory-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Kevin Hamilton <>
Subject Re: [ApacheDS] Re: Access Restriction
Date Fri, 04 Nov 2011 12:23:26 GMT
Hey Oliver,

Thanks so much for your response. I followed your instructions and
still had trouble.

I checked the source of the prescriptive ACI in my new entry. The
source is below.

    identificationTag "admin2Tag",
    precedence 0,
    authenticationLevel simple,
    itemOrUserFirst userFirst:
            name { "uid=admin2,ou=system" }
                protectedItems { allUserAttributeTypesAndValues, entry },

When I try to add this, I get a constraint violation that says ERR_277
Attribute userPassword not declared in objectClasses of entry

So the main admin2 user is of objectclasses inetOrgPerson,
organizationalPerson, person, and top. He has attributes cn, sn, mail,
uid, userPassword. The DN is uid=admin2,ou=system.

I use the PasswordHashingInterceptor and I use a SSHA512. I am not
sure how to go about fixing it.

Any help would be greatly appreciated.

Thanks so much in advance,

On Fri, Nov 4, 2011 at 7:37 AM, Oliver Schmidt
<> wrote:
> Hi Kevin,
> you'll have to do the following steps now:
> 1) Go to the entry for which you want to enable access control. Add the
> attribute "administrativeRole" with the value "accessControlSpecificArea".
> AD-Studio will mention that this attribute does not belong to the schema
> you use. You can ignore this.
> 2) Add a new entry below the entry where you have added the
> "administrativeRole" attribute. Use the object classes
> "accessControlSubentry", "subentry" and "top". As RDN attribute name, use
> "cn" and choose a name of your preference.
> 2a) You will be asked to specify the subentry. Leave it empty.
> 2b) You will be asked to specify the ACI element:
>      * Identificator: <your choice>
>      * Priority: 0
>      * Authentication level: simple=non-SASL / strong=SASL (I would choose
> simple first)
>      * User or element first: User
>      * User classes: Choose "name" and specify your admin2
>      * User permissions:
>        * Protected elements: "entry", "all user attribute types and values"
>        * Grants and denials: Here, you can grant everything
> Once you have set this up, you can play around with your ACI a little bit
> more and maybe grant users to see their own entries and so on. There
> should be some learning trails about access control in the user guides
> which might also help you.
> --
> Kind regards
> Oliver
> Am 03.11.2011, 19:13 Uhr, schrieb Kevin Hamilton <>:
>> Hello Oliver and Company,
>> I had successfully enabled the accessControl. My issue now is that I
>> am using another superuser I created (I called it admin2) to modify my
>> users. Now, I am no longer to modify my users because he does not have
>> access.
>> I read about Prescriptive ACIs, but the lack of examples left me kind
>> of stumped. How can I grant all access to admin2 only, or something
>> with the dn=uid=admin,ou=system?
>> Thanks,
>> Kevin
>> On Wed, Nov 2, 2011 at 2:04 PM, Oliver Schmidt
>> <> wrote:
>>> On Wed, 02 Nov 2011 13:59:25 +0100, Kevin Hamilton <>
>>> wrote:
>>>> Hello everyone,
>>>> My name is Kevin and I am writing to ask a question about access to
>>>> ApacheDS 2.0.0-M2. Currently I have a bunch of users set up and the
>>>> apacheds is used to authenticate the users on my website. My question
>>>> is about accessing the apacheds. On my Apache Directory Studio, I can
>>>> login as admin and see everything. The problem is that I can also log
>>>> in as any other user in the database and I can see other user's
>>>> information. Not sure if I am being clear.
>>>> If someone has their own username and password and also the port and
>>>> address of my server, they can login (using Apache Directory Studio or
>>>> any other client) and see all of the records. Obviously the passwords
>>>> are hashed, but it is still a liability for the users to be able to
>>>> see e-mails/etc of other users.
>>>> Is there any way to limit the information that certain users can see
>>>> (ie, they could login, but not see any records)?
>>>> Please let me know soon.
>>>> Thanks,
>>>> Kevin
>>> Hi Kevin,
>>> I'm moving this topic to the users list...
>>> There's a chapter about this topic in the doco. Please see the User
>>> Guides
>>> on the topic "authorization".
>>> Depending on what you intend to allow/disallow your users to see in your
>>> directory, you might also need to write some ACIs. If you want, I can
>>> assist
>>> you setting this up.
>>> Please note that ehe documentation still mentions the server.xml file.
>>> This
>>> file is however obsolete in version 2.0. Instead, config is done directly
>>> in
>>> the server. You can alter the configuration using ehe Directory Studio.
>>> Just
>>> look under the ou=config node.
>>> Kind regards
>>> Oliver
> --
> Erstellt mit Operas revolutionärem E-Mail-Modul:


View raw message