From: Kevin Hamilton
To: users@directory.apache.org
Subject: Re: [ApacheDS] Re: Access Restriction
Date: Fri, 4 Nov 2011 08:23:26 -0400
Hey Oliver,

Thanks so much for your response. I followed your instructions and still had trouble. I checked the source of the prescriptive ACI in my new entry. The source is below.

    { identificationTag "admin2Tag", precedence 0, authenticationLevel simple,
      itemOrUserFirst userFirst:
      { userClasses { name { "uid=admin2,ou=system" } },
        userPermissions
        { { protectedItems { allUserAttributeTypesAndValues, entry },
            grantsAndDenials { grantBrowse, grantCompare, grantRename, grantExport,
                               grantRead, grantModify, grantDiscloseOnError,
                               grantFilterMatch, grantImport, grantAdd, grantInvoke,
                               grantRemove, grantReturnDN } } } } }

When I try to add this, I get a constraint violation that says

    ERR_277 Attribute userPassword not declared in objectClasses of entry cn=admin2Test,uid=admin2,ou=system

So the main admin2 user is of objectclasses inetOrgPerson, organizationalPerson, person, and top. He has attributes cn, sn, mail, uid, userPassword. The DN is uid=admin2,ou=system. I use the PasswordHashingInterceptor and I use SSHA512. I am not sure how to go about fixing it. Any help would be greatly appreciated.

Thanks so much in advance,
Kevin

On Fri, Nov 4, 2011 at 7:37 AM, Oliver Schmidt wrote:
> Hi Kevin,
>
> you'll have to do the following steps now:
>
> 1) Go to the entry for which you want to enable access control. Add the
> attribute "administrativeRole" with the value "accessControlSpecificArea".
> AD-Studio will mention that this attribute does not belong to the schema
> you use. You can ignore this.
> 2) Add a new entry below the entry where you have added the
> "administrativeRole" attribute. Use the object classes
> "accessControlSubentry", "subentry" and "top". As RDN attribute name, use
> "cn" and choose a name of your preference.
> 2a) You will be asked to specify the subentry. Leave it empty.
> 2b) You will be asked to specify the ACI element:
>       * Identificator:
>       * Priority: 0
>       * Authentication level: simple=non-SASL / strong=SASL (I would choose
>         simple first)
>       * User or element first: User
>       * User classes: Choose "name" and specify your admin2
>       * User permissions:
>         * Protected elements: "entry", "all user attribute types and values"
>         * Grants and denials: Here, you can grant everything
>
> Once you have set this up, you can play around with your ACI a little bit
> more and maybe grant users to see their own entries and so on. There
> should be some learning trails about access control in the user guides
> which might also help you.
>
> --
> Kind regards
>
> Oliver
>
> On 03.11.2011, 19:13, Kevin Hamilton wrote:
>
>> Hello Oliver and Company,
>>
>> I had successfully enabled the accessControl. My issue now is that I
>> am using another superuser I created (I called it admin2) to modify my
>> users. Now, I am no longer able to modify my users because he does not
>> have access.
>>
>> I read about Prescriptive ACIs, but the lack of examples left me kind
>> of stumped. How can I grant all access to admin2 only, or something
>> with the dn=uid=admin,ou=system?
>>
>> Thanks,
>> Kevin
>>
>> On Wed, Nov 2, 2011 at 2:04 PM, Oliver Schmidt wrote:
>>>
>>> On Wed, 02 Nov 2011 13:59:25 +0100, Kevin Hamilton wrote:
>>>
>>>> Hello everyone,
>>>>
>>>> My name is Kevin and I am writing to ask a question about access to
>>>> ApacheDS 2.0.0-M2. Currently I have a bunch of users set up and the
>>>> apacheds is used to authenticate the users on my website. My question
>>>> is about accessing the apacheds. On my Apache Directory Studio, I can
>>>> login as admin and see everything. The problem is that I can also log
>>>> in as any other user in the database and I can see other users'
>>>> information. Not sure if I am being clear.
>>>>
>>>> If someone has their own username and password and also the port and
>>>> address of my server, they can login (using Apache Directory Studio or
>>>> any other client) and see all of the records. Obviously the passwords
>>>> are hashed, but it is still a liability for the users to be able to
>>>> see e-mails/etc of other users.
>>>>
>>>> Is there any way to limit the information that certain users can see
>>>> (ie, they could login, but not see any records)?
>>>>
>>>> Please let me know soon.
>>>>
>>>> Thanks,
>>>> Kevin
>>>
>>>
>>> Hi Kevin,
>>>
>>> I'm moving this topic to the users list...
>>>
>>> There's a chapter about this topic in the doco. Please see the User
>>> Guides on the topic "authorization".
>>>
>>> Depending on what you intend to allow/disallow your users to see in your
>>> directory, you might also need to write some ACIs. If you want, I can
>>> assist you setting this up.
>>>
>>> Please note that the documentation still mentions the server.xml file.
>>> This file is however obsolete in version 2.0. Instead, config is done
>>> directly in the server. You can alter the configuration using the
>>> Directory Studio. Just look under the ou=config node.
>>>
>>> Kind regards
>>> Oliver
>>>
>>
>>
>>
>
>
> --
> Created with Opera's revolutionary e-mail module: http://www.opera.com/mail/
>

--
Thanks,
Kevin
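Oliver's two steps, plus his suggestion of letting users see their own entries, written as LDIF; this is an added example and not code from the thread or the ApacheDS project. It assumes the users live under ou=system so that entry becomes the access control area, and the subentry RDN "cn=admin2Subentry" and the tag "selfReadTag" are constructed placeholders.

```ldif
# Step 1 (Oliver's step 1): mark the area entry. From here on, any bind
# other than the built-in admin gets only what an ACI explicitly grants,
# which is why admin2 lost write access before the subentry existed.
dn: ou=system
changetype: modify
add: administrativeRole
administrativeRole: accessControlSpecificArea

# Step 2: the subentry sits directly below the area entry, not below the
# user it grants rights to. An empty subtreeSpecification covers the whole
# area. Folded lines start with two spaces: LDIF strips the first, the
# second keeps the tokens of the ACI separated.
dn: cn=admin2Subentry,ou=system
changetype: add
objectClass: top
objectClass: subentry
objectClass: accessControlSubentry
cn: admin2Subentry
subtreeSpecification: {}
# The ACI from Kevin's mail: full rights on every entry and all user
# attributes for the single user uid=admin2,ou=system.
prescriptiveACI: { identificationTag "admin2Tag", precedence 0,
  authenticationLevel simple, itemOrUserFirst userFirst:
  { userClasses { name { "uid=admin2,ou=system" } },
  userPermissions { { protectedItems { allUserAttributeTypesAndValues, entry },
  grantsAndDenials { grantBrowse, grantCompare, grantRename, grantExport,
  grantRead, grantModify, grantDiscloseOnError, grantFilterMatch, grantImport,
  grantAdd, grantInvoke, grantRemove, grantReturnDN } } } } }
# Constructed second item (Oliver's "see their own entries" idea): each
# authenticated user may read only the entry they are bound as, so another
# user's mail address or other attributes are no longer visible.
prescriptiveACI: { identificationTag "selfReadTag", precedence 0,
  authenticationLevel simple, itemOrUserFirst userFirst:
  { userClasses { thisEntry },
  userPermissions { { protectedItems { allUserAttributeTypesAndValues, entry },
  grantsAndDenials { grantRead, grantBrowse, grantReturnDN } } } } }
```

Apply it with Studio's LDIF import or ldapmodify while bound as uid=admin,ou=system, then re-bind as admin2 and as an ordinary user to confirm the first can modify entries and the second sees only its own.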