directory-users mailing list archives

From Kiran Ayyagari <kayyag...@apache.org>
Subject Re: Apache DS ACLs
Date Tue, 03 Sep 2013 14:13:03 GMT
Which version are you using?


On Tue, Sep 3, 2013 at 7:20 PM, Christian Felsing <pug@felsing.net> wrote:

> Hello,
>
> Now I got DS partially running with ACLs, but the following ACL does not do
> what I expected:
>
> {
>     identificationTag "mtaAclElement",
>     precedence 0,
>     authenticationLevel simple,
>     itemOrUserFirst userFirst:
>     {
>         userClasses
>         {
>             name { "cn=mta,dc=ip6,dc=li" }
>         }
>         ,
>         userPermissions
>         {
>             {
>                 protectedItems
>                 {
>                     entry,
>                     attributeType
>                     {
>                         tsnetDomainName,
>                         tsnetMailHost,
>                         uid
>                     }
>                 }
>                 ,
>                 grantsAndDenials
>                 {
>                     grantBrowse,
>                     grantRead,
>                     grantReturnDN,
>                     grantCompare
>                 }
>             }
>         }
>     }
> }
>
> This ACL should allow DN cn=mta,dc=ip6,dc=li access to attributes
> uid
> tsnetDomainName
> tsnetMailHost
> and to list all DN entries. A test (temporarily allowing it to list all
> attributes) proved that this ACL matches.
>
> but
> ldapsearch -H ldap://192.168.116.29:10389 -x -D "cn=mta,dc=ip6,dc=li" -w
> VerySecretPassword -b "dc=ip6,dc=li"
>
> lists DN entries only:
>
> # pug@felsing.net, freemail, ip6.li
> dn: uid=pug@felsing.net,ou=freemail,dc=ip6,dc=li
> ...
>
> Attributes listed on attributeType are not shown.
>
> Is attributeType the right discriminator?
>
> best regards
> Christian
>



-- 
Kiran Ayyagari
http://keydap.com
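
Added example, not part of the original thread and not ApacheDS project material: in the X.501 access control model that this ACI syntax follows, `attributeType` protects only the attribute type information, while the values are a separate protected item. The variant below reuses the DN and attribute names from the quoted message and also names the values through `allAttributeValues`; that this is the cause in the poster's setup is an assumption, since the thread shown here contains no answer.

```text
{
    identificationTag "mtaAclElement",
    precedence 0,
    authenticationLevel simple,
    itemOrUserFirst userFirst:
    {
        userClasses
        {
            name { "cn=mta,dc=ip6,dc=li" }
        }
        ,
        userPermissions
        {
            {
                protectedItems
                {
                    entry,
                    attributeType
                    {
                        tsnetDomainName,
                        tsnetMailHost,
                        uid
                    },
                    allAttributeValues
                    {
                        tsnetDomainName,
                        tsnetMailHost,
                        uid
                    }
                }
                ,
                grantsAndDenials
                {
                    grantBrowse,
                    grantRead,
                    grantReturnDN,
                    grantCompare
                }
            }
        }
    }
}
```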
