directory-users mailing list archives

From Emmanuel Lécharny <elecha...@gmail.com>
Subject Re: Fwd: Re: ApacheDS ACL over custom schema
Date Wed, 07 Feb 2018 13:50:02 GMT
Sorry for the delay, I have to have a working server to test your ACIs,
and I'm currently refactoring it, so it will take a bit of time...

On 07/02/2018 at 13:50, Қαεζ ₪ wrote:
> Sure, here they are:
> 
> Only self password modify:
> dn: cn=allowSelfModifications,dc=mydomain,dc=fr
> objectClass: top
> objectClass: subentry
> objectClass: accessControlSubentry
> cn: allowSelfModifications
> subtreeSpecification: { }
> prescriptiveACI: {
>    identificationTag "allowSelfModifications",
>    precedence 20,
>    authenticationLevel none,
>    itemOrUserFirst userFirst: {
>      userClasses { thisEntry },
>      userPermissions {
>        { protectedItems { entry },
>          grantsAndDenials { grantModify, grantBrowse, grantRead } },
>        { protectedItems { allAttributeValues { userPassword } },
>          grantsAndDenials { grantAdd, grantRemove } } } } }
> 
> Everyone can read & browse:
> dn: cn=allowGlobalRead,dc=mydomain,dc=fr
> objectClass: subentry
> objectClass: accessControlSubentry
> objectClass: top
> cn: allowGlobalRead
> subtreeSpecification: { }
> prescriptiveACI: {
>    identificationTag "allowGlobalRead",
>    precedence 10,
>    authenticationLevel none,
>    itemOrUserFirst userFirst: {
>      userClasses { allUsers },
>      userPermissions {
>        { protectedItems { entry, allUserAttributeTypesAndValues },
>          grantsAndDenials { grantRead, grantReturnDN, grantFilterMatch, grantBrowse } } } } }
> 
> LDAPadmin=TRUE can do everything: (NOT WORKING)
> dn: cn=allowGlobalAdministration,dc=mydomain,dc=fr
> objectClass: top
> objectClass: subentry
> objectClass: accessControlSubentry
> cn: allowGlobalAdministration
> subtreeSpecification: { specificationFilter (LDAPadmin=TRUE) }
> prescriptiveACI: {
>    identificationTag "allowGlobalAdministration",
>    precedence 30,
>    authenticationLevel none,
>    itemOrUserFirst userFirst: {
>      userClasses { allUsers },
>      userPermissions {
>        { protectedItems { entry, allUserAttributeTypes, allUserAttributeTypesAndValues },
>          grantsAndDenials { grantImport, grantDiscloseOnError, grantInvoke, grantAdd,
>            grantCompare, grantExport, grantBrowse, grantRead, grantFilterMatch, grantRemove,
>            grantReturnDN, grantRename, grantModify } } } } }
> 
> Also, it's a detail, but if I do an ldapmodify with all these entries together
> there is an error. I have to do the request one ACL at a time.
> 
> On Mon, Jan 29, 2018 at 8:56 PM, Emmanuel Lécharny <elecharny@gmail.com>
> wrote:
> 
>>
>>
>> On 29/01/2018 at 16:47, Қαεζ ₪ wrote:
>>> Hello,
>>>
>>> I'm currently deploying an ApacheDS server, version M24, and I'm trying
>>> to set up 3 ACLs:
>>> - Everyone can update their own password: done;
>>> - Everyone can read & browse the LDAP: done;
>>> - Only users whose LDAPadmin attribute is TRUE can do anything to
>>> anyone, like creating a cn, with subentries and so on: fail.
>>>
>>> Either I get an error 80 (Internal implementation specific error), or
>>> the request is sent but has no effect: the specificationFilter
>>> (LDAPadmin=TRUE) applied to All Users with all rights given to Entry,
>>> AllUserAttributeTypesAndValues does not work.
>>>
>>> Has anyone experienced this?
>>
>> Can you send us your ACL definitions?
>>
>> --
>> Emmanuel Lecharny
>>
>> Symas.com
>> directory.apache.org
-- 
Emmanuel Lecharny

Symas.com
directory.apache.org
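Editor's note on the third ACI, added here and not part of the thread. In X.501 access control, the subentry's subtreeSpecification (including any specificationFilter) selects the entries the subentry governs; the requester is selected by userClasses. Read that way, `{ specificationFilter (LDAPadmin=TRUE) }` together with `userClasses { allUsers }` means "every user, anonymous included given authenticationLevel none, gets every right on entries that carry LDAPadmin=TRUE", not "users carrying LDAPadmin=TRUE get every right on every entry". userClasses has no form that tests an arbitrary attribute of the bound user's entry; it matches allUsers, thisEntry, a name, a userGroup, or a subtree. The usual way to express "these people are administrators" is therefore a groupOfNames referenced by userGroup. The LDIF below is an added example of that form, with the administrative-point and group records it relies on. It is not code from the thread or from the ApacheDS project: cn=ldapAdmins, ou=groups and uid=alice are placeholders, and it assumes dc=mydomain,dc=fr already exists, that access control is enabled on the server (ads-dsAccessControlEnabled: TRUE on the directory service entry under ou=config), and that it is applied while bound as the server administrator.

```ldif
# Added example, not from the thread. Placeholders: cn=ldapAdmins, ou=groups,
# uid=alice. Assumes dc=mydomain,dc=fr exists and access control is enabled.

# 1. Make dc=mydomain,dc=fr an access-control administrative point; without
#    this role the accessControlSubentry entries beneath it are not evaluated.
dn: dc=mydomain,dc=fr
changetype: modify
add: administrativeRole
administrativeRole: accessControlSpecificArea
-

# 2. A group that lists the administrators by DN. Group membership is what
#    userGroup matches; an attribute on the user entry such as LDAPadmin=TRUE
#    cannot be selected by userClasses.
dn: ou=groups,dc=mydomain,dc=fr
changetype: add
objectClass: top
objectClass: organizationalUnit
ou: groups

dn: cn=ldapAdmins,ou=groups,dc=mydomain,dc=fr
changetype: add
objectClass: top
objectClass: groupOfNames
cn: ldapAdmins
member: uid=alice,ou=users,dc=mydomain,dc=fr

# 3. The administration ACI. subtreeSpecification { } governs every entry in
#    the area (the entries the admins should control); the requester is
#    selected by userGroup, and authenticationLevel simple refuses anonymous
#    binds, which "none" would have accepted. Every continuation line of the
#    prescriptiveACI value starts with a space, as LDIF requires.
dn: cn=allowGlobalAdministration,dc=mydomain,dc=fr
changetype: add
objectClass: top
objectClass: subentry
objectClass: accessControlSubentry
cn: allowGlobalAdministration
subtreeSpecification: { }
prescriptiveACI: {
   identificationTag "allowGlobalAdministration",
   precedence 30,
   authenticationLevel simple,
   itemOrUserFirst userFirst: {
     userClasses { userGroup { "cn=ldapAdmins,ou=groups,dc=mydomain,dc=fr" } },
     userPermissions {
       { protectedItems { entry, allUserAttributeTypes, allUserAttributeTypesAndValues },
         grantsAndDenials { grantAdd, grantRemove, grantModify, grantRename,
           grantImport, grantExport, grantBrowse, grantRead, grantCompare,
           grantFilterMatch, grantReturnDN, grantInvoke, grantDiscloseOnError } } } } }
```

Apply it as the server administrator in one run, for example `ldapmodify -H ldap://localhost:10389 -D uid=admin,ou=system -W -f acl.ldif` against a default ApacheDS install; the records are separated by blank lines and each ACI value is a single LDIF attribute with space-led continuation lines, which is the shape ldapmodify expects when several records are loaded from one file. To check the result, bind as the group member and attempt an add under dc=mydomain,dc=fr, then repeat anonymously and confirm the anonymous attempt is refused.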