From Brian Burch <br...@pingtoo.com>
Subject ApacheDS 2.0.0 Enabling the ACI subsystem without Studio
Date Fri, 03 Feb 2017 03:36:26 GMT
I have a set of ldifs for my 1.5.4 directory which define prescriptive 
ACIs to allow and restrict access to certain attributes, such as 
password information. (They were originally cribbed from examples in the 
1.5 documentation.)

I have just successfully run these ldifs against my new 2.0.0-M23, but 
was surprised when my QA script had multiple failures. My ACIs did not 
appear to be working!

When I went back to my 1.5.4 installation notes, I discovered the ACI 
subsystem needs to be enabled. Unfortunately, 2.0 does not have a 
server.xml file, so I can't simply include the aciAuthorizationInterceptor.

I checked the wiki:

http://directory.apache.org/apacheds/advanced-ug/4.2.3-enabling-access-control.html

... just a TODO.

... and:

http://directory.apache.org/apacheds/basic-ug/3.2-basic-authorization.html

... just says "The authorization (ACI) subsystem is disabled by default. 
You have to enable it using the Apache Directory Studio configuration 
editor".

When I examined config.ldif_migrated, I found this entry:

# default, config
dn: ads-directoryServiceId=default,ou=config
ads-directoryserviceid: default
ads-dssyncperiodmillis: 15000
ads-dsallowanonymousaccess: TRUE
ads-dsreplicaid: 1
ads-dsaccesscontrolenabled: FALSE
ads-dspasswordhidden: FALSE
ads-dsdenormalizeopattrsenabled: FALSE
ads-enabled: TRUE
objectclass: top
objectclass: ads-base
objectclass: ads-directoryService

I ran an ldapmodify:

dn: ads-directoryServiceId=default,ou=config
changetype: modify
replace: ads-dsaccesscontrolenabled
ads-dsaccesscontrolenabled: TRUE

... and after restarting the server I was pleased to see my QA scripts ran 
successfully.

Incidentally, I also have a lower precedence ACI which allows allUsers 
grantRead, grantReturnDN and grantBrowse. This ACI appears to be 
stronger than the default config:

ads-dsallowanonymousaccess: TRUE

This is the result I want to achieve - my anonymous users are now 
permitted to read some attributes of some entries.

Have I overlooked anything important? If not, then the TODO page needs 
to be linked back to 3.2 (or vice versa), and one or both pages should 
document the ldapmodify technique.

Regards,

Brian
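The procedure above (inspect the ads-directoryService entry, flip ads-dsaccesscontrolenabled, restart) is easy to script, and the two flags it touches are the ones worth auditing on any ApacheDS 2.0 instance: whether prescriptive ACIs are enforced at all, and whether anonymous binds are allowed. The script below is an added example, not code from the post or from the ApacheDS project. It parses a config LDIF export for those two attributes, reports the combination, and emits the same ldapmodify input shown in the message. The `apply_to_server` function assumes the OpenLDAP command-line tools, the ApacheDS defaults of `ldap://localhost:10389` and admin DN `uid=admin,ou=system`, and a password file named by `ADS_ADMIN_PW_FILE`; all of those are assumptions, and the sample entry is the one quoted in the post, embedded here as constructed input.

```shell
#!/bin/sh
# Added example: audit the ApacheDS 2.0 ads-directoryService config entry for
# ACI enforcement and anonymous access, and generate the ldapmodify that
# enables the ACI subsystem. Not part of the original post.

# Constructed sample: the entry quoted in the post, as found in config.ldif.
SAMPLE_CONFIG='dn: ads-directoryServiceId=default,ou=config
ads-directoryserviceid: default
ads-dssyncperiodmillis: 15000
ads-dsallowanonymousaccess: TRUE
ads-dsreplicaid: 1
ads-dsaccesscontrolenabled: FALSE
ads-dspasswordhidden: FALSE
ads-dsdenormalizeopattrsenabled: FALSE
ads-enabled: TRUE
objectclass: top
objectclass: ads-base
objectclass: ads-directoryService'

# config_attr ATTR: print the value of ATTR from the single LDIF entry on stdin.
# LDAP attribute names are case-insensitive, so the comparison is lowercased.
# Single-line values only (the ads-ds* flags never need LDIF continuation lines).
config_attr() {
    awk -v attr="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        index($0, ":") > 0 {
            name = tolower(substr($0, 1, index($0, ":") - 1))
            if (name == attr) {
                val = substr($0, index($0, ":") + 1)
                sub(/^ +/, "", val)
                print val
                exit
            }
        }'
}

# audit_config: read the entry on stdin and report the two security flags.
# Always exits 0; the findings are the output lines.
audit_config() {
    cfg=$(cat)
    acl=$(printf '%s\n' "$cfg" | config_attr ads-dsaccesscontrolenabled)
    anon=$(printf '%s\n' "$cfg" | config_attr ads-dsallowanonymousaccess)
    if [ "$acl" = "TRUE" ]; then
        echo "ACI subsystem: enabled"
    else
        echo "ACI subsystem: DISABLED (ads-dsaccesscontrolenabled=${acl:-absent})"
    fi
    if [ "$anon" = "TRUE" ]; then
        echo "anonymous access: allowed"
    else
        echo "anonymous access: denied"
    fi
    # With the subsystem off, the prescriptive ACIs (e.g. those shielding
    # password attributes) are simply not evaluated.
    if [ "$anon" = "TRUE" ] && [ "$acl" != "TRUE" ]; then
        echo "WARNING: anonymous binds allowed while the ACI subsystem is disabled; prescriptive ACIs are not enforced"
    fi
}

# enable_aci_ldif [DN]: the ldapmodify input from the post, DN defaulting to
# the default directory service entry.
enable_aci_ldif() {
    ds_dn=${1:-ads-directoryServiceId=default,ou=config}
    printf 'dn: %s\nchangetype: modify\nreplace: ads-dsaccesscontrolenabled\nads-dsaccesscontrolenabled: TRUE\n' "$ds_dn"
}

# apply_to_server: read the live value over LDAP and enable the flag if needed.
# Assumed defaults: ApacheDS port 10389, admin DN uid=admin,ou=system, password
# in the file named by ADS_ADMIN_PW_FILE (kept off the command line). The
# change only takes effect after a server restart, as the post notes.
apply_to_server() {
    url=${ADS_URL:-ldap://localhost:10389}
    admin=${ADS_ADMIN_DN:-uid=admin,ou=system}
    ds_dn=ads-directoryServiceId=default,ou=config
    current=$(ldapsearch -LLL -H "$url" -D "$admin" -y "$ADS_ADMIN_PW_FILE" \
        -b "$ds_dn" -s base ads-dsaccesscontrolenabled |
        config_attr ads-dsaccesscontrolenabled)
    if [ "$current" = "TRUE" ]; then
        echo "ACI subsystem already enabled; nothing to do"
        return 0
    fi
    enable_aci_ldif "$ds_dn" | ldapmodify -H "$url" -D "$admin" -y "$ADS_ADMIN_PW_FILE"
    echo "ads-dsaccesscontrolenabled set to TRUE; restart ApacheDS for it to take effect"
}

if [ "${1:-}" = "--apply" ]; then
    apply_to_server
else
    # Offline run: audit the constructed sample and show the modify LDIF.
    printf '%s\n' "$SAMPLE_CONFIG" | audit_config
    echo "--- ldapmodify input to enable the ACI subsystem ---"
    enable_aci_ldif
fi
```

Run it without arguments to audit an exported `config.ldif` (replace `SAMPLE_CONFIG` with `cat config.ldif`), or with `--apply` against a live server once the assumed connection settings match yours. Auditing the exported file rather than only the live server is useful after a migration, since `config.ldif_migrated` is exactly the artifact that carried the FALSE default across in the case described above.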
