directory-users mailing list archives

From Christoph Witzany <christ...@web.crofting.com>
Subject Access Control
Date Wed, 19 Nov 2014 11:56:49 GMT
Hi guys!

I need to create an Apache Directory Server installation with multiple
partitions.

For each partition there should be one or more admin users that can
read/browse/edit only this partition.
Additionally, the partitions will contain organisational units, where again a
set of users can manage the respective subtree.

If I understood the docs right this should be doable with Prescriptive ACIs.

My first try at an ACI was something like that (in a subentry of
dc=kig1,dc=example,dc=com ):

{
    identificationTag "kigAdmin",
    precedence 0,
    authenticationLevel simple,
    itemOrUserFirst itemFirst:
    {
        protectedItems
        {
            entry,
            allUserAttributeTypes,
            allUserAttributeTypesAndValues
        }
        ,
        itemPermissions
        {
            {
                precedence 0,
                userClasses
                {
                    name { "uid=admin,ou=kig1ki1,dc=kig1,dc=example,dc=com" }
                }
                ,
                grantsAndDenials
                {
                    grantRename,
                    grantExport,
                    grantRemove,
                    grantInvoke,
                    grantDiscloseOnError,
                    grantRead,
                    grantAdd,
                    grantBrowse,
                    grantImport,
                    grantCompare,
                    grantReturnDN,
                    grantModify,
                    grantFilterMatch
                }
            }
        }
    }
}

User uid=admin,ou=kig1ki1,dc=kig1,dc=example,dc=com can bind to the LDAP
server but cannot even browse the subtree, regardless of the
subtreeSpecification value of the accessControlSubentry.

Where do I go wrong?

Thx for your help!
Christoph
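For reference, an added LDIF example (not part of the original message) showing the entries that surround a prescriptive ACI in ApacheDS: the partition root marked as an access-control administrative point, and the subentry carrying the ACI directly beneath it. The subentry name cn=kigAdminSubentry is assumed; the partition DN, admin DN and ACI body follow the message above.

```ldif
# Added example, not from the original message. Assumed: the subentry is
# named cn=kigAdminSubentry; the DNs and the ACI body are taken from the post.

# 1. Mark the partition root as an access-control specific administrative
#    point, so that subentries below it can carry prescriptiveACI values.
dn: dc=kig1,dc=example,dc=com
changetype: modify
add: administrativeRole
administrativeRole: accessControlSpecificArea

# 2. Add the subentry directly under that administrative point.
#    subtreeSpecification {} scopes the ACI to the whole partition; a narrower
#    scope for one organisational unit would be e.g. { base "ou=kig1ki1" }.
#    Continuation lines start with two spaces so LDIF keeps one as a separator.
dn: cn=kigAdminSubentry,dc=kig1,dc=example,dc=com
changetype: add
objectClass: top
objectClass: subentry
objectClass: accessControlSubentry
cn: kigAdminSubentry
subtreeSpecification: {}
prescriptiveACI: { identificationTag "kigAdmin", precedence 0,
  authenticationLevel simple, itemOrUserFirst itemFirst: {
  protectedItems { entry, allUserAttributeTypes,
  allUserAttributeTypesAndValues },
  itemPermissions { { userClasses { name {
  "uid=admin,ou=kig1ki1,dc=kig1,dc=example,dc=com" } },
  grantsAndDenials { grantBrowse, grantReturnDN, grantRead, grantCompare,
  grantFilterMatch, grantAdd, grantModify, grantRemove, grantRename,
  grantDiscloseOnError } } } } }
```

The grant list is limited to what browsing, reading and editing the subtree needs; grants such as grantImport, grantExport and grantInvoke from the original ACI are left out as a least-privilege choice.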
