directory-users mailing list archives

From Қαεζ ₪ <drae...@gmail.com>
Subject Re: Fwd: Re: ApacheDS ACL over custom schema
Date Wed, 07 Feb 2018 14:01:12 GMT
No problem, I wasn't sure if my message was sent or not.

Regards.

On 7 Feb 2018 2:50 pm, "Emmanuel Lécharny" <elecharny@gmail.com> wrote:

> Sorry for the delay, I have to have a working server to test your ACIs,
> and I'm currently refactoring it, so it will take a bit of time...
>
>
>
> On 07/02/2018 at 13:50, Қαεζ ₪ wrote:
> > Sure, here they are:
> >
> > Only self password modify:
> > dn: cn=allowSelfModifications,dc=mydomain,dc=fr
> > objectClass: top
> > objectClass: subentry
> > objectClass: accessControlSubentry
> > cn: allowSelfModifications
> > subtreeSpecification: { }
> > prescriptiveACI: {
> >  identificationTag "allowSelfModifications", precedence 20,
> >  authenticationLevel none,
> >  itemOrUserFirst userFirst: { userClasses { thisEntry },
> >  userPermissions {
> >   { protectedItems {entry}, grantsAndDenials { grantModify, grantBrowse, grantRead } },
> >   { protectedItems {allAttributeValues {userPassword}}, grantsAndDenials { grantAdd, grantRemove } } } } }
> >
> > Everyone can read & browse:
> > dn: cn=allowGlobalRead,dc=mydomain,dc=fr
> > objectClass: subentry
> > objectClass: accessControlSubentry
> > objectClass: top
> > cn: allowGlobalRead
> > subtreeSpecification: { }
> > prescriptiveACI: {
> >  identificationTag "allowGlobalRead", precedence 10,
> >  authenticationLevel none,
> >  itemOrUserFirst userFirst: { userClasses { allUsers },
> >  userPermissions { {
> >   protectedItems {entry, allUserAttributeTypesAndValues},
> >   grantsAndDenials { grantRead, grantReturnDN, grantFilterMatch, grantBrowse }
> >  } } } }
> >
> > LDAPadmin=TRUE can do everything: (NOT WORKING)
> > dn: cn=allowGlobalAdministration,dc=mydomain,dc=fr
> > objectClass: top
> > objectClass: subentry
> > objectClass: accessControlSubentry
> > cn: allowGlobalAdministration
> > subtreeSpecification: { specificationFilter (LDAPadmin=TRUE) }
> > prescriptiveACI: {
> >  identificationTag "allowGlobalAdministration", precedence 30,
> >  authenticationLevel none,
> >  itemOrUserFirst userFirst: { userClasses { allUsers },
> >  userPermissions { {
> >   protectedItems { entry, allUserAttributeTypes, allUserAttributeTypesAndValues },
> >   grantsAndDenials { grantImport, grantDiscloseOnError, grantInvoke, grantAdd,
> >    grantCompare, grantExport, grantBrowse, grantRead, grantFilterMatch, grantRemove,
> >    grantReturnDN, grantRename, grantModify } } } } }
> >
> > Also, it's a detail, but if I do an ldapmodify with all these entries
> > together there is an error. I have to do one request per ACL.
> >
> > On Mon, Jan 29, 2018 at 8:56 PM, Emmanuel Lécharny <elecharny@gmail.com>
> > wrote:
> >
> >>
> >>
> >> On 29/01/2018 at 16:47, Қαεζ ₪ wrote:
> >>> Hello,
> >>>
> >>> I'm currently deploying an ApacheDS server, version M24, and I'm trying
> >>> to set up 3 ACLs:
> >>> - Everyone can update their own password: Done;
> >>> - Everyone can read & browse the LDAP: Done;
> >>> - Only users whose LDAPadmin attribute is TRUE can do anything to
> >>> anyone, like creating a cn, with subentries and so on: Fail.
> >>>
> >>> Either I get an error 80 (Internal implementation specific error), or
> >>> the request is sent but has no effect: the specificationFilter
> >>> (LDAPadmin=TRUE) applied to All Users with all rights given to Entry,
> >>> AllUserAttributeTypesAndValues does not work.
> >>>
> >>> Has anyone experienced this?
> >>
> >> Can you send us your ACL definitions?
> >>
> >> --
> >> Emmanuel Lecharny
> >>
> >> Symas.com
> >> directory.apache.org
> >>
> >>
> >
>
> --
> Emmanuel Lecharny
>
> Symas.com
> directory.apache.org
>
>
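The following LDIF is an added example written for this archive page; it is not code from the thread, from the poster, or from the ApacheDS project. It shows the standard way to express "a designated set of administrators can do everything" in ApacheDS ACIs: a userGroup user class pointing at a groupOfUniqueNames. The reason for the different shape is that, in X.501-style access control as ApacheDS implements it, the subtreeSpecification of an access control subentry (its specificationFilter included) selects which entries the ACI protects; which users are authorised is decided only by userClasses. A subentry whose filter matches entries with LDAPadmin=TRUE and whose userClasses is allUsers therefore describes rights over those entries, for every user, rather than rights for those users. The example assumes that dc=mydomain,dc=fr already carries administrativeRole: accessControlSpecificArea (required for any access control subentry beneath it), and the group DN and member DN are placeholders.

```ldif
# Added example, not from the thread: grant full rights to members of an
# administrators group via the userGroup user class.
# Assumptions: dc=mydomain,dc=fr already carries
# administrativeRole: accessControlSpecificArea, and the group DN and
# member DN below are placeholders chosen for this example.

# The group. ApacheDS evaluates userGroup against groupOfUniqueNames
# membership, so uniqueMember lists the administrators' entry DNs.
dn: cn=LDAPadmins,ou=groups,dc=mydomain,dc=fr
objectClass: top
objectClass: groupOfUniqueNames
cn: LDAPadmins
uniqueMember: uid=placeholder-admin,ou=users,dc=mydomain,dc=fr

# The subentry. An empty subtreeSpecification covers every entry under the
# administrative point; WHO is authorised comes solely from userClasses.
# authenticationLevel simple requires an authenticated bind, so an
# anonymous session never matches this ACI (authenticationLevel none
# would let it match).
dn: cn=allowGroupAdministration,dc=mydomain,dc=fr
objectClass: top
objectClass: subentry
objectClass: accessControlSubentry
cn: allowGroupAdministration
subtreeSpecification: { }
prescriptiveACI: {
  identificationTag "allowGroupAdministration",
  precedence 30,
  authenticationLevel simple,
  itemOrUserFirst userFirst: {
    userClasses { userGroup { "cn=LDAPadmins,ou=groups,dc=mydomain,dc=fr" } },
    userPermissions {
      {
        protectedItems { entry, allUserAttributeTypesAndValues },
        grantsAndDenials { grantAdd, grantRemove, grantRename, grantModify,
          grantImport, grantExport, grantInvoke, grantDiscloseOnError,
          grantCompare, grantBrowse, grantRead, grantFilterMatch, grantReturnDN }
      }
    }
  }
 }
```

Every continuation line of the prescriptiveACI value starts with a space, as LDIF requires, so the file loads as written with ldapmodify -a. A quick check after loading: bind as a DN listed in uniqueMember and add a test entry under dc=mydomain,dc=fr, then repeat the same add bound as a user who is not a member; the second attempt should fail with result code 50 (insufficientAccessRights), which confirms that membership, not an attribute on the caller's own entry, is what the ACI keys on.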
