directory-users mailing list archives

From Lamar Hansford <lamarhansf...@yahoo.com.INVALID>
Subject Re: ACI Help
Date Fri, 06 Jan 2017 05:38:32 GMT
Ok,

I understand mostly what is going on now.  protectedItems is an unfortunate name as this field
actually indicates the viewable items. All items seem to be protected by default.

It appears that the policy is restrictive and you must explicitly indicate each attribute
which is to be exposed (unless you indicate all).  This can be done by adding attributeType and
allAttributeValues.

example:
protectedItems 
{ 
    entry, 
    attributeType { uid, publicKey }, 
    allAttributeValues { uid, publicKey } 
}


Also, two points of interest in ApacheDS Studio:

Point 1:
*  To view ACI subEntries you must select an entry, right-click, fetch->sub-entries.
Point 2:
*  There is a bug in the User Permission Editor where you cannot edit an ACI Attribute which
contains an existing ProtectedItems->All Attribute values.  The source for this element
becomes corrupted and must be re-entered.

Thanks for the help!
-Lamar



----- Original Message -----
From: Emmanuel Lécharny <elecharny@gmail.com>
To: users@directory.apache.org
Sent: Thursday, January 5, 2017 7:01 PM
Subject: Re: ACI Help

Hi !


comments inline...


Le 05/01/2017 à 00:10, Lamar Hansford a écrit :
> Hello,
> I am having troubles with ACI.  In all cases the default admin account works.
This is intended.

>
> I have created the following structure:
>
> * dc=domain,dc=dc (default using ApacheDS Studio)
> -- * ou=users
> ---- * uid=platform-admin (inetOrgPerson)
> ---- * uid=testUser (inetOrgPerson)
>
> -- * ou=groups 
>
> ---- * ...etc
>
> With ACL turned on....
> Whenever I login using:
> * uid=platform-admin,ou=users,dc=domain,dc=com
>
> I cannot view the list of partitions.  If I add base DN: 
> * dc=domain,dc=com 
>
>
> I see nothing.  Not even the default partition.  Only Root DSE(6)
> NOTE:  I can see/modify non-system partitions with ACL disabled.

yes, this is also expected (kind of... Considering the complexity of the
ACI system, it's kind of magic ;-)

You need to grant some access to your elements if you want to be able to
access them.

>
> I have added [ administrativeRole=accessControlSpecificArea ] to the base partition (dc=domain,dc=dc)
> I have added the following subEntry:
> * objectClass=accessControlSubentry
> * objectClass=accessControlSubentry 
> * top
> prescriptiveACI=
>   { 
>     identificationTag "ACI", 
>     precedence 0, 
>     authenticationLevel simple, 
>     itemOrUserFirst userFirst: 
>     { 
>       userClasses { allUsers }, 
>       userPermissions 
>     { 
>       { 
>         protectedItems { }, 

you probably want to set Entry and allUserAttributeTypesAndValues in the
protectedItems set :

    protectedItems { entry, allUserAttributeTypesAndValues }
>         grantsAndDenials 
>       { 
>         grantReturnDN, 
>         grantRead, 
>         grantDiscloseOnError, 
>         grantRemove, 
>         grantAdd, 
>         grantInvoke, 
>         grantCompare, 
>         grantImport, 
>         grantRename, 
>         grantExport, 
>         grantModify, 
>         grantBrowse, 
>         grantFilterMatch 
>       }
>     }
>   }  
> }

Can you give it a try ?

>
> NOTE:
> When I restart the server the accessControlSubentries seem to get added as an attribute
> to the DN:dc=domain,dc=dc. 

Actually, you should have a subentry under dc=domain,dc=dc  :

    dn: cn=mySubentry,dc=domain,dc=dc
    objectClass: top
    objectClass: subentry
    objectClass: accessControlSubentry
    subtreeSpecification: <blah>
    prescriptiveACI: <blah>

is that what you have ?

-- 
Emmanuel Lecharny

Symas.com
directory.apache.org
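To tie the two messages together, here is an added LDIF example (not from either message) that puts the administrative role on the base and creates the subentry Emmanuel sketches, using the explicit attributeType / allAttributeValues lists from Lamar's example. The DN dc=domain,dc=com, the subentry name cn=readUidAndPublicKey and the existence of a publicKey attribute type are assumptions.

```ldif
# Added example, not from either message. Assumed names: dc=domain,dc=com,
# cn=readUidAndPublicKey, and that publicKey is a defined attribute type.

# 1. Make the base DN an access control specific area (administrative point).
dn: dc=domain,dc=com
changetype: modify
add: administrativeRole
administrativeRole: accessControlSpecificArea

# 2. Add the subentry directly under the administrative point, with the
#    three object classes from Emmanuel's sketch.
dn: cn=readUidAndPublicKey,dc=domain,dc=com
changetype: add
objectClass: top
objectClass: subentry
objectClass: accessControlSubentry
cn: readUidAndPublicKey
# An empty subtreeSpecification covers the whole subtree below the AP.
subtreeSpecification: { }
# protectedItems lists what becomes visible: the entry itself plus the
# uid and publicKey attribute types and their values. Every other attribute
# (userPassword included) stays hidden because it is not listed.
# Only read-type permissions are granted, so allUsers can search and read
# but not add, modify, rename or remove entries.
prescriptiveACI: { identificationTag "readUidAndPublicKey", precedence 10,
  authenticationLevel simple,
  itemOrUserFirst userFirst: {
    userClasses { allUsers },
    userPermissions { {
      protectedItems { entry,
        attributeType { uid, publicKey },
        allAttributeValues { uid, publicKey } },
      grantsAndDenials { grantReturnDN, grantRead, grantBrowse,
        grantCompare, grantFilterMatch, grantDiscloseOnError }
    } }
  } }
```

The ACI in the original message also granted grantAdd, grantModify, grantRemove, grantRename, grantImport and grantExport to allUsers, which would let any bound user change or delete entries in the subtree; the version above keeps only the permissions needed to find and read uid and publicKey.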
