directory-users mailing list archives

From Kiran Ayyagari <kayyag...@apache.org>
Subject Re: [ApacheDS] proper usage of protectedItems { maxValueCount ?
Date Mon, 06 Jan 2014 05:26:58 GMT
On Mon, Jan 6, 2014 at 4:29 AM, Mike Przybylski <mikep@gimmethebrain.net> wrote:

> Hello,
>
> Lately, I’ve been teaching myself how to use Apache Directory Server’s
> access control subsystem.
>
> Before getting too cute, I figured I’d try out the recipes here:
>
>
> http://directory.apache.org/apacheds/advanced-ug/4.2.7-using-acis-trail.html
>
> Both work as advertised, but as I’ve been reading more, some have
> suggested refining…
>
>
> http://directory.apache.org/apacheds/advanced-ug/4.2.7.2-allow-self-password-modify.html
>
> …to use maxValueCount to prevent (someone claiming to be) the user from
> inserting multiple userPassword values.  However, as soon as I put
> maxValueCount in any protectedItems clause of my prescriptiveACI, all of my
> unprivileged user’s attributes become invisible to him.
>
> If I weren’t such a n00b, I’d think this was a bug.
>
yes, I think so, am able to reproduce this, can you file a bug here
https://issues.apache.org/jira/browse/DIRSERVER

thank you

> Here is the prescriptiveACI that I think should work:
>
> {
>     identificationTag "userSelfModifyPassword",
>     precedence 0,
>     authenticationLevel none,
>     itemOrUserFirst userFirst:
>     {
>         userClasses { thisEntry },
>         userPermissions
>         {
>             {
>                 protectedItems
>                 {
>                     maxValueCount
>                     {
>                         { type userPassword, maxCount 1 }
>                     }
>                     ,
>                     allAttributeValues { userPassword }
>                 }
>                 ,
>                 grantsAndDenials { grantAdd, grantRemove }
>             }
>             ,
>             {
>                 protectedItems { entry },
>                 grantsAndDenials
>                 {
>                     grantRead,
>                     grantBrowse,
>                     grantModify
>                 }
>             }
>         }
>     }
> }
>
> Server environment:
> Oracle JDK 1.7u45
> ApacheDS 2.0.0-M15
> Debian 7.3, AMD64
>
> Client environment:
> Apache Directory Studio
> Oracle JDK 1.7u45
> OS X 10.9.1
>
> Any pointers on what I’m doing wrong and/or how to do it better would be
> greatly appreciated.
>
> Best regards,
> Mike Przybylski

-- 
Kiran Ayyagari
http://keydap.com
