directory-users mailing list archives

From Lamar Hansford <lamarhansf...@yahoo.com.INVALID>
Subject ACI Help
Date Wed, 04 Jan 2017 23:10:10 GMT
Hello,
I am having troubles with ACI.  In all cases the default admin account works.

I have created the following structure:

* dc=domain,dc=dc (default using ApacheDS Studio)
-- * ou=users
---- * uid=platform-admin (inetOrgPerson)
---- * uid=testUser (inetOrgPerson)

-- * ou=groups 

---- * ...etc

With ACL turned on....
Whenever I login using:
* uid=platform-admin,ou=users,dc=domain,dc=com

I cannot view the list of partitions.  If I add base DN: 
* dc=domain,dc=com 


I see nothing.  Not even the default partition.  Only Root DSE(6)
NOTE:  I can see/modify non-system partitions with ACL disabled.

I have added [ administrativeRole=accessControlSpecificArea ] to the base partition (dc=domain,dc=dc)
I have added the following subEntry:
* objectClass=accessControlSubentry
* objectClass=accessControlSubentry 
* top
prescriptiveACI=
{
  identificationTag "ACI",
  precedence 0,
  authenticationLevel simple,
  itemOrUserFirst userFirst:
  {
    userClasses { allUsers },
    userPermissions
    {
      {
        protectedItems { },
        grantsAndDenials
        {
          grantReturnDN,
          grantRead,
          grantDiscloseOnError,
          grantRemove,
          grantAdd,
          grantInvoke,
          grantCompare,
          grantImport,
          grantRename,
          grantExport,
          grantModify,
          grantBrowse,
          grantFilterMatch
        }
      }
    }
  }
}

NOTE:
When I restart the server the accessControlSubentries seem to get added as an attribute to
the DN:dc=domain,dc=dc.  I can no longer delete them.  As a result I now have multiple accumulated
entries.  However, I created a new partition and see the same issue.

Summary of the Issue:
With ACL enabled I cannot get a regular user to see any partitions or DN, with or without administrativeRole
enabled.

Any ideas?
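Editor's note: the following LDIF is an added example and is not the poster's configuration or anything from the ApacheDS project. It assumes the base DN dc=domain,dc=com, that dc=domain,dc=com already carries administrativeRole: accessControlSpecificArea (as the poster describes), and that the subentry is added while bound as the directory administrator. It differs from the posted ACI in two ways that matter here: the subentry also carries objectClass subentry with a subtreeSpecification, and protectedItems names what the grants apply to (entry plus allUserAttributeTypesAndValues) rather than being left empty. It also splits the permissions so that all authenticated users get read-only access and only the named platform-admin entry gets write access, which is the least-privilege shape a practitioner would normally want instead of granting every operation to allUsers.

```ldif
# Added example (not the poster's configuration). Assumes the base DN
# dc=domain,dc=com and an ApacheDS instance with access control enabled.
#
# Subentry 1: read-only visibility for every authenticated user.
# objectClass subentry is needed alongside accessControlSubentry so that the
# subtreeSpecification attribute is allowed; an empty subtreeSpecification
# covers the whole administrative area rooted at dc=domain,dc=com.
dn: cn=readOnlyUsersACI,dc=domain,dc=com
objectClass: top
objectClass: subentry
objectClass: accessControlSubentry
cn: readOnlyUsersACI
subtreeSpecification: {}
prescriptiveACI: { identificationTag "readOnlyUsers", precedence 10, authenticationLevel simple, itemOrUserFirst userFirst: { userClasses { allUsers }, userPermissions { { protectedItems { entry, allUserAttributeTypesAndValues }, grantsAndDenials { grantRead, grantReturnDN, grantBrowse, grantCompare, grantFilterMatch, grantDiscloseOnError } } } } }

# Subentry 2: write access restricted to one named user (hypothetical
# platform-admin DN taken from the posted structure). Higher precedence so
# it wins where the two subentries overlap.
dn: cn=platformAdminACI,dc=domain,dc=com
objectClass: top
objectClass: subentry
objectClass: accessControlSubentry
cn: platformAdminACI
subtreeSpecification: {}
prescriptiveACI: { identificationTag "platformAdmin", precedence 20, authenticationLevel simple, itemOrUserFirst userFirst: { userClasses { name { "uid=platform-admin,ou=users,dc=domain,dc=com" } }, userPermissions { { protectedItems { entry, allUserAttributeTypesAndValues }, grantsAndDenials { grantRead, grantReturnDN, grantBrowse, grantCompare, grantFilterMatch, grantDiscloseOnError, grantAdd, grantModify, grantRemove, grantRename, grantImport, grantExport } } } } }
```

Load the file with an LDAP client bound as the administrator (for example `ldapmodify -a -f aci.ldif` against the ApacheDS port). The point to check afterwards is that binding as uid=testUser returns the partition entries under dc=domain,dc=com but rejects an add or modify, while uid=platform-admin can do both; if the regular user still sees only the Root DSE, confirm that the subentries actually sit under the entry that carries the administrativeRole and that protectedItems is not empty, since an ACI whose protectedItems set is empty grants those operations on nothing.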
