directory-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Oliver Schmidt" <>
Subject Re: [ApacheDS] Re: Access Restriction
Date Fri, 04 Nov 2011 11:37:37 GMT
Hi Kevin,

you'll have to do the following steps now:

1) Go to the entry for which you want to enable access control. Add the
attribute "administrativeRole" with the value "accessControlSpecificArea".
AD-Studio will mention that this attribute does not belong to the schema
you use. You can ignore this.
2) Add a new entry below the entry where you have added the
"administrativeRole" attribute. Use the object classes
"accessControlSubentry", "subentry" and "top". As RDN attribute name, use
"cn" and choose a name of your preference.
2a) You will be asked to specify the subentry. Leave it empty.
2b) You will be asked to specify the ACI element:
       * Identificator: <your choice>
       * Priority: 0
       * Authentication level: simple=non-SASL / strong=SASL (I would choose
simple first)
       * User or element first: User
       * User classes: Choose "name" and specify your admin2
       * User permissions:
         * Protected elements: "entry", "all user attribute types and  
         * Grants and denials: Here, you can grant everything

Once you have set this up, you can play around with your ACI a little bit
more and maybe grant users to see their own entries and so on. There
should be some learning trails about access control in the user guides
which might also help you.

Kind regards


Am 03.11.2011, 19:13 Uhr, schrieb Kevin Hamilton <>:

> Hello Oliver and Company,
> I had successfully enabled the accessControl. My issue now is that I
> am using another superuser I created (I called it admin2) to modify my
> users. Now, I am no longer to modify my users because he does not have
> access.
> I read about Prescriptive ACIs, but the lack of examples left me kind
> of stumped. How can I grant all access to admin2 only, or something
> with the dn=uid=admin,ou=system?
> Thanks,
> Kevin
> On Wed, Nov 2, 2011 at 2:04 PM, Oliver Schmidt
> <> wrote:
>> On Wed, 02 Nov 2011 13:59:25 +0100, Kevin Hamilton <>
>> wrote:
>>> Hello everyone,
>>> My name is Kevin and I am writing to ask a question about access to
>>> ApacheDS 2.0.0-M2. Currently I have a bunch of users set up and the
>>> apacheds is used to authenticate the users on my website. My question
>>> is about accessing the apacheds. On my Apache Directory Studio, I can
>>> login as admin and see everything. The problem is that I can also log
>>> in as any other user in the database and I can see other user's
>>> information. Not sure if I am being clear.
>>> If someone has their own username and password and also the port and
>>> address of my server, they can login (using Apache Directory Studio or
>>> any other client) and see all of the records. Obviously the passwords
>>> are hashed, but it is still a liability for the users to be able to
>>> see e-mails/etc of other users.
>>> Is there any way to limit the information that certain users can see
>>> (ie, they could login, but not see any records)?
>>> Please let me know soon.
>>> Thanks,
>>> Kevin
>> Hi Kevin,
>> I'm moving this topic to the users list...
>> There's a chapter about this topic in the doco. Please see the User  
>> Guides
>> on the topic "authorization".
>> Depending on what you intend to allow/disallow your users to see in your
>> directory, you might also need to write some ACIs. If you want, I can  
>> assist
>> you setting this up.
>> Please note that ehe documentation still mentions the server.xml file.  
>> This
>> file is however obsolete in version 2.0. Instead, config is done  
>> directly in
>> the server. You can alter the configuration using ehe Directory Studio.  
>> Just
>> look under the ou=config node.
>> Kind regards
>> Oliver

Erstellt mit Operas revolutionärem E-Mail-Modul:

View raw message