From Emmanuel Lécharny <elecha...@gmail.com>
Subject Re: Access Control
Date Wed, 19 Nov 2014 16:05:03 GMT
Le 19/11/14 12:56, Christoph Witzany a écrit :
> Hi guys!

Hi Christoph,

I'm going to have a look at this ACI later tonite. I'm in The Apache
conference closing keynote atm...


>
> I need to create an Apache Directory Server installation with multiple
> partitions.
>
> For each partition there should be one or more admin users that can
> read/browse/edit only this partition.
> Additionally, the partitions will contain organisational units, where again a
> set of users can manage the respective subtree.
>
> If I understood the docs right this should be doable with Prescriptive ACIs.
>
> My first try at an ACI was something like that (in a subentry of
> dc=kig1,dc=example,dc=com ):
>
> {
>     identificationTag "kigAdmin",
>     precedence 0,
>     authenticationLevel simple,
>     itemOrUserFirst itemFirst:
>     {
>         protectedItems
>         {
>             entry,
>             allUserAttributeTypes,
>             allUserAttributeTypesAndValues
>         }
>         ,
>         itemPermissions
>         {
>             {
>                 precedence 0,
>                 userClasses
>                 {
>                     name { "uid=admin,ou=kig1ki1,dc=kig1,dc=example,dc=com" }
>                 }
>                 ,
>                 grantsAndDenials
>                 {
>                     grantRename,
>                     grantExport,
>                     grantRemove,
>                     grantInvoke,
>                     grantDiscloseOnError,
>                     grantRead,
>                     grantAdd,
>                     grantBrowse,
>                     grantImport,
>                     grantCompare,
>                     grantReturnDN,
>                     grantModify,
>                     grantFilterMatch
>                 }
>             }
>         }
>     }
> }
>
> User uid=admin,ou=kig1ki1,dc=kig1,dc=example,dc=com can bind to the LDAP
> server but cannot even browse the subtree, regardless of the
> subtreeSpecification value of the accessControlSubentry.
>
> Where do I go wrong?
>
> Thx for your help!
> Christoph
>


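As an added example (not part of this thread, and not Christoph's actual setup), here is the same partition-scoped admin ACI as a complete LDIF, together with the administrative point and subtree specification that the ApacheDS ACI subsystem requires before a prescriptive ACI in a subentry is evaluated. The subentry name is assumed, access control is assumed to already be enabled in the server configuration, and the thread does not say whether these pieces were present.

```ldif
# Added example, not from the original post. Assumes the partition suffix
# dc=kig1,dc=example,dc=com and the admin DN from the thread, and that
# access control has been enabled in ou=config (ads-accessControlEnabled: true).

# 1. The partition root must be an access-control administrative point;
#    a subentry under an entry without this attribute is simply ignored.
dn: dc=kig1,dc=example,dc=com
changetype: modify
add: administrativeRole
administrativeRole: accessControlSpecificArea

# 2. The subentry (a direct child of the administrative point) carries the
#    prescriptive ACI. An empty subtreeSpecification ({}) covers the whole
#    administrative area, i.e. the entire partition.
#    (Subentry name "cn=kigAdminSubentry" is a constructed placeholder.)
dn: cn=kigAdminSubentry,dc=kig1,dc=example,dc=com
changetype: add
objectClass: top
objectClass: subentry
objectClass: accessControlSubentry
cn: kigAdminSubentry
subtreeSpecification: {}
prescriptiveACI: { identificationTag "kigAdmin", precedence 0,
  authenticationLevel simple, itemOrUserFirst itemFirst: {
  protectedItems { entry, allUserAttributeTypes, allUserAttributeTypesAndValues },
  itemPermissions { { precedence 0,
  userClasses { name { "uid=admin,ou=kig1ki1,dc=kig1,dc=example,dc=com" } },
  grantsAndDenials { grantRead, grantBrowse, grantReturnDN, grantCompare,
  grantFilterMatch, grantDiscloseOnError, grantAdd, grantRemove, grantModify,
  grantRename, grantImport, grantExport, grantInvoke } } } } }
```

After loading this, a bind as the partition admin followed by a base-scope search of dc=kig1,dc=example,dc=com is the quickest check; an entry that is still invisible usually means the administrative point or the global access-control switch is missing rather than the ACI itself being wrong.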