directory-users mailing list archives

From Mike Przybylski <mi...@gimmethebrain.net>
Subject [ApacheDS] proper usage of protectedItems { maxValueCount ?
Date Sun, 05 Jan 2014 22:59:20 GMT
Hello,

Lately, I’ve been teaching myself how to use Apache Directory Server’s access control
subsystem.

Before getting too cute, I figured I’d try out the recipes here:

http://directory.apache.org/apacheds/advanced-ug/4.2.7-using-acis-trail.html

Both work as advertised, but as I’ve been reading more, some have suggested refining…

http://directory.apache.org/apacheds/advanced-ug/4.2.7.2-allow-self-password-modify.html

…to use maxValueCount to prevent (someone claiming to be) the user from inserting multiple
userPassword values.  However, as soon as I put maxValueCount in any protectedItems clause
of my prescriptiveACI, all of my unprivileged user’s attributes become invisible to him.

If I weren’t such a n00b, I’d think this was a bug.

Here is the prescriptiveACI that I think should work:

{
    identificationTag "userSelfModifyPassword",
    precedence 0,
    authenticationLevel none,
    itemOrUserFirst userFirst: 
    {
        userClasses { thisEntry },
        userPermissions 
        {
            {
                protectedItems 
                {
                    maxValueCount 
                    {
                        { type userPassword, maxCount 1 }
                    }
                    ,
                    allAttributeValues { userPassword } 
                }
                ,
                grantsAndDenials { grantAdd, grantRemove } 
            }
            ,
            {
                protectedItems { entry },
                grantsAndDenials 
                {
                    grantRead,
                    grantBrowse,
                    grantModify 
                }
            }
        }
    }
}

Server environment:
Oracle JDK 1.7u45
ApacheDS 2.0.0-M15
Debian 7.3, AMD64

Client environment:
Apache Directory Studio
Oracle JDK 1.7u45
OS X 10.9.1

Any pointers on what I’m doing wrong and/or how to do it better would be greatly appreciated.

Best regards,
Mike Przybylski
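
Added example, not part of the original message and not ApacheDS code: a Python sketch that flattens an ACIItem of the userFirst form shown above into one row per userPermission (protected items, maxValueCount limits, grants), so each grant can be reviewed against exactly what it covers. The helper names are hypothetical, and the parser handles only the brace-and-comma syntax used in the message, not the full ACIItem grammar.

```python
import re

# Tokens: braces, commas, quoted strings, bare words; ':' and whitespace are skipped.
TOKEN = re.compile(r'[{},]|"[^"]*"|[^\s{},:]+')

def parse_group(tokens, i):
    """Parse '{ a b, c { ... } }' at tokens[i]; return (items, next index)."""
    if tokens[i:i + 1] != ["{"]:
        raise ValueError("expected '{'")
    items, current, i = [], [], i + 1
    while i < len(tokens) and tokens[i] != "}":
        if tokens[i] == ",":
            items.append(current)
            current, i = [], i + 1
        elif tokens[i] == "{":
            group, i = parse_group(tokens, i)
            current.append(group)
        else:
            current.append(tokens[i])
            i += 1
    if i >= len(tokens):
        raise ValueError("unbalanced braces")
    return items + ([current] if current else []), i + 1

def field(items, name):
    """Return the parts that follow `name` in the item starting with it."""
    for item in items:
        if item and item[0] == name:
            return item[1:]
    raise KeyError(name)

def summarize(aci_text):
    """One row per userPermission: protected items, value limits, grants."""
    top, _ = parse_group(TOKEN.findall(aci_text), 0)
    body = field(top, "itemOrUserFirst")[1]  # assumes userFirst; itemFirst is not handled
    rows = []
    for (perm,) in field(body, "userPermissions")[0]:
        protected = field(perm, "protectedItems")[0]
        limits = {dict(s)["type"]: int(dict(s)["maxCount"]) for item in protected
                  if item[0] == "maxValueCount" for (s,) in item[1]}
        rows.append({"items": [item[0] for item in protected], "max_counts": limits,
                     "grants": [g[0] for g in field(perm, "grantsAndDenials")[0]]})
    return rows

# The ACI from the message above, compacted onto fewer lines.
ACI = '''{ identificationTag "userSelfModifyPassword", precedence 0, authenticationLevel none,
  itemOrUserFirst userFirst: { userClasses { thisEntry }, userPermissions {
  { protectedItems { maxValueCount { { type userPassword, maxCount 1 } },
      allAttributeValues { userPassword } }, grantsAndDenials { grantAdd, grantRemove } },
  { protectedItems { entry }, grantsAndDenials { grantRead, grantBrowse, grantModify } } } } }'''
```

Calling `summarize(ACI)` returns two rows, which makes it easy to compare the ACI with and without the maxValueCount item when testing against the server.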