Subject: Re: [ApacheDS] Re: Access Restriction
From: Kevin Hamilton
To: users@directory.apache.org
Date: Fri, 4 Nov 2011 13:58:40 -0400

I got it working! Thank you all so much for your help. You guys are life savers!

-Kevin

On Fri, Nov 4, 2011 at 1:41 PM, Oliver Schmidt wrote:
> Hi Kevin,
>
> sorry for the confusion. administrativeRole has to be added to the entry
> under which the protected items are. E.g. ou=people,ou=example.com
>
> The subentry has also to be stored there. You should re-apply the
> userPassword in order to do at least simple authentication.
>
> A little background:
> A subentry is a kind of selector for all elements under its parent element.
> E.g. You can create a subentry under, let's say ou=people,... which selects
> all people with the attribute value memberOf=mygroup. Then you can add
> attributes to the subentry and those attributes automatically apply to all
> elements selected by the subentry. This way, you can automatically add
> attributes which are common to a specific group of elements. Even to
> elements which do not yet exist in your DIT.
>
> --
> Kind regards / freundliche Grüße
> Oliver Schmidt
>
> Sent via HP Veer
>
> On 04.11.2011, 17:33, Kevin Hamilton wrote:
>
>> Ok, so if I remove the userPassword, sn, and mail attributes from the
>> entry (the new accessControlSubentry) then it lets me create it. The
>> record exists as a subentry of the uid=admin2 object. When I bind to
>> ApacheDS as admin2, I still cannot see anything but the tree root.
>>
>> Any more advice on this and why it would say my userPassword, sn, and
>> mail attributes were invalid for the accessControlSubentry, subentry,
>> and top objectclasses?
>>
>> Thanks,
>> Kevin
>>
>> On Fri, Nov 4, 2011 at 9:48 AM, Kevin Hamilton wrote:
>>>
>>> I am using ADS 2.0.0-M2.
>>>
>>> Thanks,
>>> Kevin
>>>
>>> On Fri, Nov 4, 2011 at 9:39 AM, Emmanuel Lécharny wrote:
>>>>
>>>> On 11/4/11 2:29 PM, Kevin Hamilton wrote:
>>>>>
>>>>> The cn=admin2Test,uid=admin2,ou=system was never created because the
>>>>> error occurred while I was trying to create it.
>>>>>
>>>>> I was following Oliver's instructions by doing the following:
>>>>> 2) Add a new entry below the entry where you have added the
>>>>> "administrativeRole" attribute. Use the object classes
>>>>> "accessControlSubentry", "subentry" and "top". As RDN attribute name, use
>>>>> "cn" and choose a name of your preference.
>>>>> 2a) You will be asked to specify the subentry. Leave it empty.
>>>>> 2b) You will be asked to specify the ACI element:
>>>>>     * Identificator:
>>>>>     * Priority: 0
>>>>>     * Authentication level: simple=non-SASL / strong=SASL (I would choose
>>>>>       simple first)
>>>>>     * User or element first: User
>>>>>     * User classes: Choose "name" and specify your admin2
>>>>>     * User permissions:
>>>>>       * Protected elements: "entry", "all user attribute types and values"
>>>>>       * Grants and denials: Here, you can grant everything
>>>>>
>>>>> When he says add a new entry below the entry where I added
>>>>> administrativeRole, he means I should right click on the
>>>>> uid=admin,ou=system and add an entry to that, right? That is what I
>>>>> have been doing. Is this incorrect?
>>>>
>>>> No, this is the way it should be done.
>>>>
>>>> The error message is a bit surprising...
>>>>
>>>> What version of ADS are you using?
>>>>
>>>> --
>>>> Regards,
>>>> Cordialement,
>>>> Emmanuel Lécharny
>>>> www.iktek.com
>>>
>>> --
>>> Thanks,
>>> Kevin
>
> --
> Created with Opera's revolutionary e-mail module: http://www.opera.com/mail/

--
Thanks,
Kevin
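For readers following Oliver's steps, the same configuration written out as LDIF; this is an added illustration, not something posted in the thread or shipped with ApacheDS. It assumes the protected entries live under ou=people,dc=example,dc=com, that the restricted account is uid=admin2,ou=system, and that the subentry name admin2ReadAccess and the chosen permission set are placeholders to adjust.

```ldif
# Constructed example; the DNs, the subentry name and the permission set are
# assumptions, not values from the thread. Adjust them to your own DIT.
# ACI evaluation must be enabled in the server configuration
# (ads-accessControlEnabled: TRUE under ou=config in ApacheDS 2.x),
# otherwise the subentry is stored but never enforced.

# Step 1: make the parent of the protected entries an access-control
# administrative point. This is the "administrativeRole" attribute Oliver
# refers to; it goes on the container, not on the admin2 user entry.
dn: ou=people,dc=example,dc=com
changetype: modify
add: administrativeRole
administrativeRole: accessControlSpecificArea
-

# Step 2: add the subentry directly below that administrative point.
# Only the three object classes below are allowed, which is why
# userPassword, sn and mail were rejected earlier in the thread.
# An empty subtreeSpecification selects every entry beneath ou=people,
# including entries created later.
# Studio wizard fields map to ACI keywords as follows:
#   Identificator -> identificationTag, Priority -> precedence,
#   Authentication level -> authenticationLevel, User first -> userFirst,
#   User classes "name" -> name { "<DN>" },
#   Protected elements -> protectedItems, Grants and denials -> grantsAndDenials
dn: cn=admin2ReadAccess,ou=people,dc=example,dc=com
changetype: add
objectClass: top
objectClass: subentry
objectClass: accessControlSubentry
cn: admin2ReadAccess
subtreeSpecification: {}
prescriptiveACI: {
   identificationTag "admin2ReadAccess",
   precedence 0,
   authenticationLevel simple,
   itemOrUserFirst userFirst: {
     userClasses { name { "uid=admin2,ou=system" } },
     userPermissions { {
       protectedItems { entry, allUserAttributeTypesAndValues },
       grantsAndDenials { grantRead, grantBrowse, grantCompare,
                          grantReturnDN, grantFilterMatch }
     } }
   }
 }
```

After both records are applied, bind as uid=admin2,ou=system and search with base ou=people,dc=example,dc=com; the entries there should now be returned, while entries outside that subtree are unaffected because the subentry only covers what lies under its own administrative point.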