directory-users mailing list archives

From "Oliver Schmidt" <oliver.schmidt....@arcor.de>
Subject Re: [ApacheDS] Re: Access Restriction
Date Fri, 04 Nov 2011 17:41:06 GMT
Hi Kevin,

sorry for the confusion. administrativeRole has to be added to the entry  
under which the protected items are. E.g. ou=people,ou=example.com

The subentry also has to be stored there. You should re-apply the  
userPassword in order to do at least simple authentication.

A little background:
A subentry is a kind of selector for all elements under its parent  
element. E.g. you can create a subentry under, let's say ou=people,...  
which selects all people with the attribute value memberOf=mygroup. Then  
you can add attributes to the subentry and those attributes automatically  
apply to all elements selected by the subentry. This way, you can  
automatically add attributes which are common to a specific group of  
elements. Even to elements which do not yet exist in your DIT.

--
Kind regards
Oliver Schmidt

Sent via HP Veer

On 04.11.2011, 17:33, Kevin Hamilton <khamilton@umem.org> wrote:

> Ok, so if I remove the userPassword, sn, and mail attributes from the
> entry (the new accessControlSubentry) then it lets me create it. The
> record exists as a subentry of the uid=admin2 object. When I bind to
> ApacheDS as admin2, I still cannot see anything but the tree root.
>
> Any more advice on this and why it would say my userPassword, sn, and
> mail attributes were invalid for the accessControlSubentry, subentry,
> and top objectclasses?
>
> Thanks,
> Kevin
>
> On Fri, Nov 4, 2011 at 9:48 AM, Kevin Hamilton <khamilton@umem.org>  
> wrote:
>> I am using ADS 2.0.0-M2.
>>
>> Thanks,
>> Kevin
>>
>> On Fri, Nov 4, 2011 at 9:39 AM, Emmanuel Lécharny  
>> <elecharny@apache.org> wrote:
>>> On 11/4/11 2:29 PM, Kevin Hamilton wrote:
>>>>
>>>> The cn=admin2Test,uid=admin2,ou=system was never created because the
>>>> error occurred while I was trying to create it.
>>>>
>>>> I was following Oliver's instructions by doing the following:
>>>> 2) Add a new entry below the entry where you have added the
>>>> "administrativeRole" attribute. Use the object classes
>>>> "accessControlSubentry", "subentry" and "top". As RDN attribute name,  
>>>> use
>>>> "cn" and choose a name of your preference.
>>>> 2a) You will be asked to specify the subentry. Leave it empty.
>>>> 2b) You will be asked to specify the ACI element:
>>>>      * Identificator:<your choice>
>>>>      * Priority: 0
>>>>      * Authentication level: simple=non-SASL / strong=SASL (I would  
>>>> choose
>>>> simple first)
>>>>      * User or element first: User
>>>>      * User classes: Choose "name" and specify your admin2
>>>>      * User permissions:
>>>>        * Protected elements: "entry", "all user attribute types and
>>>> values"
>>>>        * Grants and denials: Here, you can grant everything
>>>>
>>>>
>>>> When he says add a new entry below the entry where I added
>>>> administrativeRole, he means I should right click on the
>>>> uid=admin,ou=system and add an entry to that, right? That is what I
>>>> have been doing. Is this incorrect?
>>>
>>> No, this is the way it should be done.
>>>
>>> The error message is a bit surprising...
>>>
>>> What version of ADS are you using?
>>>
>>>
>>> --
>>> Regards,
>>> Cordialement,
>>> Emmanuel Lécharny
>>> www.iktek.com
>>>
>>>
>>
>>
>>
>> --
>> Thanks,
>> Kevin
>>


-- 
Created with Opera's revolutionary e-mail client: http://www.opera.com/mail/
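The procedure quoted above (mark the parent with administrativeRole, then add an accessControlSubentry below it that grants admin2 access to the subtree) written out as LDIF. This is an added example, not part of this thread or of the ApacheDS project's documentation; the base dc=example,dc=com, the subtree ou=people, the subentry name cn=admin2Access and the bind entry uid=admin2,ou=system are assumed names chosen for illustration.

```ldif
# Step 1 (assumed DN): make ou=people an access-control administrative area.
# The administrativeRole attribute goes on the entry *above* the protected items.
dn: ou=people,dc=example,dc=com
changetype: modify
add: administrativeRole
administrativeRole: accessControlSpecificArea

# Step 2 (assumed DN): the subentry lives directly under that same entry.
# Only top, subentry and accessControlSubentry are used, so attributes such as
# userPassword, sn or mail are not allowed here; they stay on the admin2 entry.
dn: cn=admin2Access,ou=people,dc=example,dc=com
changetype: add
objectClass: top
objectClass: subentry
objectClass: accessControlSubentry
cn: admin2Access
# An empty subtree specification selects every entry below ou=people,
# including entries that do not exist yet.
subtreeSpecification: { }
# Step 2b: user-first ACI naming admin2 (assumed DN), simple authentication,
# protecting the entry and all user attribute types and values.
# This grant set gives read-side permissions plus add/modify/remove; widen or
# narrow it to match the access admin2 actually needs.
prescriptiveACI: { identificationTag "admin2FullAccess", precedence 0, authenticationLevel simple, itemOrUserFirst userFirst: { userClasses { name { "uid=admin2,ou=system" } }, userPermissions { { protectedItems { entry, allUserAttributeTypesAndValues }, grantsAndDenials { grantRead, grantBrowse, grantReturnDN, grantCompare, grantFilterMatch, grantDiscloseOnError, grantAdd, grantModify, grantRemove, grantRename } } } } }
```

Load it with the directory's own admin credentials (for example via ldapmodify against the server), then bind as uid=admin2,ou=system and search ou=people; entries under that subtree should now be visible, while entries outside the administrative area remain unaffected because no ACI covers them.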
