directory-users mailing list archives

From "Tayler M. Albitz" <>
Subject [ApacheDS] - Simple example for the ACI subsystem not working
Date Thu, 18 Jul 2013 05:17:33 GMT

I'm running apacheds 2.0M11 and Studio 2.0.0v20130308. 

I'm looking at the example in the documentation here: 

I have access control enabled and created the operational attribute administrativeRole with
value "accessControlSpecificArea" in the entry "o=sevenSeas". 

I have created a subentry subordinate to "o=sevenSeas" to grant all operations' permissions
to "cn=Horatio Nelson,ou=people,o=sevenSeas", who acts as directory manager.

I have created a new attribute value that should be added to the previously created Subentry's prescriptiveACI
attribute to grant search and compare permissions to all users.

cn: sevenseasAuthorizationRequirementsACISubentry 
createTimestamp: 20130718045513.434Z 
creatorsName: 0.9.2342.19200300.100.1.1=admin, 
entryCSN: 20130718050528.059000Z#000000#001#000000 
entryDN: cn=sevenseasAuthorizationRequirementsACISubentry,o=sevenseas 
entryParentId: b38b8ff5-1ea8-4a05-a4b5-a3c6aa1d5063 
entryUUID:: NTk2ZGEwMjUtYmIzMy00NDgzLWE1YmEtYmY0YmJhM2Y3NGMx 
modifiersName: 0.9.2342.19200300.100.1.1=admin, 
modifyTimestamp: 20130718050528.059Z 
objectClass: subentry 
objectClass: top 
prescriptiveACI: { identificationTag "allUsersSearchAndCompareACI", precedence 10, authenticationLevel simple, itemOrUserFirst userFirst: { userClasses { allUsers }, userPermissions { { protectedItems { entry, allUserAttributeTypesAndValues }, grantsAndDenials { grantFilterMatch, grantRead, grantCompare, grantReturnDN, grantBrowse, grantDiscloseOnError } } } } }
prescriptiveACI: { identificationTag "directoryManagerFullAccessACI", precedence 11, authenticationLevel simple, itemOrUserFirst userFirst: { userClasses { name { "cn=Horatio Nelson,ou=people,o=sevenseas" } }, userPermissions { { protectedItems { entry, allUserAttributeTypesAndValues }, grantsAndDenials { grantFilterMatch, grantInvoke, grantRemove, grantBrowse, grantDiscloseOnError, grantModify, grantRename, grantExport, grantRead, grantImport, grantCompare, grantReturnDN, grantAdd } } } } }
subtreeSpecification: { } 

I can get connected as user "Horatio Nelson" and set my base to ou=people,o=sevenseas, but
I don't see any data. I suspect I'm missing something. Just not sure what. 

Thanks in advance, 
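
An added example, not part of the original message and not ApacheDS code: a small audit helper that extracts the tag, precedence, user class and grants from the two prescriptiveACI values in the subentry above and lists which search-related permissions each one lacks. The `block` and `summarize` names are hypothetical, the parser handles only the userFirst form with one userPermissions entry, and the set of permissions a search relies on is an assumption based on the X.500 access control model.

```python
import re

# Constructed input: the two prescriptiveACI values from the message, unfolded.
ACIS = [
    '{ identificationTag "allUsersSearchAndCompareACI", precedence 10, '
    'authenticationLevel simple, itemOrUserFirst userFirst: { userClasses '
    '{ allUsers }, userPermissions { { protectedItems { entry, '
    'allUserAttributeTypesAndValues }, grantsAndDenials { grantFilterMatch, '
    'grantRead, grantCompare, grantReturnDN, grantBrowse, '
    'grantDiscloseOnError } } } } }',
    '{ identificationTag "directoryManagerFullAccessACI", precedence 11, '
    'authenticationLevel simple, itemOrUserFirst userFirst: { userClasses '
    '{ name { "cn=Horatio Nelson,ou=people,o=sevenseas" } }, userPermissions '
    '{ { protectedItems { entry, allUserAttributeTypesAndValues }, '
    'grantsAndDenials { grantFilterMatch, grantInvoke, grantRemove, '
    'grantBrowse, grantDiscloseOnError, grantModify, grantRename, '
    'grantExport, grantRead, grantImport, grantCompare, grantReturnDN, '
    'grantAdd } } } } }',
]
# Assumption: permissions a search relies on in the X.500 access control model.
SEARCH_NEEDS = {"grantBrowse", "grantReturnDN", "grantRead", "grantFilterMatch"}

def block(text, key):
    """Return the text inside the balanced braces that follow `key`."""
    start = text.index("{", text.index(key))
    depth = 0
    for i in range(start, len(text)):
        depth += {"{": 1, "}": -1}.get(text[i], 0)
        if depth == 0:
            return text[start + 1:i].strip()
    raise ValueError("unbalanced braces after " + key)

def summarize(aci):
    """Summarize one userFirst ACIItem with a single userPermissions entry."""
    grants = set(re.findall(r"\b(?:grant|deny)\w+", block(aci, "grantsAndDenials")))
    return {
        "tag": re.search(r'identificationTag\s+"([^"]+)"', aci).group(1),
        "precedence": int(re.search(r"precedence\s+(\d+)", aci).group(1)),
        "level": re.search(r"authenticationLevel\s+(\w+)", aci).group(1),
        "users": block(aci, "userClasses"),
        "items": [s.strip() for s in block(aci, "protectedItems").split(",")],
        "grants": grants,
        "missing_for_search": SEARCH_NEEDS - grants,
    }

if __name__ == "__main__":
    for aci in ACIS:
        s = summarize(aci)
        print(s["tag"], s["precedence"], s["users"], sorted(s["missing_for_search"]))
```

The summary covers only what the ACIItems say as written; it does not evaluate the administrativeRole, the subtreeSpecification or the server's access control setting.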
