Return-Path: X-Original-To: apmail-directory-commits-archive@www.apache.org Delivered-To: apmail-directory-commits-archive@www.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id 1AF7CD838 for ; Wed, 15 May 2013 16:11:03 +0000 (UTC) Received: (qmail 75785 invoked by uid 500); 15 May 2013 16:11:03 -0000 Delivered-To: apmail-directory-commits-archive@directory.apache.org Received: (qmail 75756 invoked by uid 500); 15 May 2013 16:11:03 -0000 Mailing-List: contact commits-help@directory.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@directory.apache.org Delivered-To: mailing list commits@directory.apache.org Received: (qmail 75747 invoked by uid 99); 15 May 2013 16:11:03 -0000 Received: from nike.apache.org (HELO nike.apache.org) (192.87.106.230) by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 15 May 2013 16:11:02 +0000 X-ASF-Spam-Status: No, hits=-2000.0 required=5.0 tests=ALL_TRUSTED X-Spam-Check-By: apache.org Received: from [140.211.11.4] (HELO eris.apache.org) (140.211.11.4) by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 15 May 2013 16:10:54 +0000 Received: from eris.apache.org (localhost [127.0.0.1]) by eris.apache.org (Postfix) with ESMTP id BB65823888E7 for ; Wed, 15 May 2013 16:10:31 +0000 (UTC) Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Subject: svn commit: r862084 - in /websites/staging/directory/trunk/content: ./ apacheds/advanced-ug/ Date: Wed, 15 May 2013 16:10:31 -0000 To: commits@directory.apache.org 
From: buildbot@apache.org X-Mailer: svnmailer-1.0.8-patched Message-Id: <20130515161031.BB65823888E7@eris.apache.org> X-Virus-Checked: Checked by ClamAV on apache.org Author: buildbot Date: Wed May 15 16:10:30 2013 New Revision: 862084 Log: Staging update by buildbot for directory Added: websites/staging/directory/trunk/content/apacheds/advanced-ug/4.2.6-the-acdf-engine.html websites/staging/directory/trunk/content/apacheds/advanced-ug/4.2.6.1-how-it-works.html websites/staging/directory/trunk/content/apacheds/advanced-ug/4.2.6.2-selections.html websites/staging/directory/trunk/content/apacheds/advanced-ug/4.2.6.3-constraints.html websites/staging/directory/trunk/content/apacheds/advanced-ug/4.2.6.4-priority.html websites/staging/directory/trunk/content/apacheds/advanced-ug/4.2.7-using-acis-trail.html websites/staging/directory/trunk/content/apacheds/advanced-ug/4.2.7.1-enable-authenticated-users-to-browse-and-read-entries.html Removed: websites/staging/directory/trunk/content/apacheds/advanced-ug/4.5.6-the-acdf-engine.html websites/staging/directory/trunk/content/apacheds/advanced-ug/4.5.6.1-how-it-works.html websites/staging/directory/trunk/content/apacheds/advanced-ug/4.5.6.2-selections.html websites/staging/directory/trunk/content/apacheds/advanced-ug/4.5.6.3-constraints.html websites/staging/directory/trunk/content/apacheds/advanced-ug/4.5.6.4-priority.html websites/staging/directory/trunk/content/apacheds/advanced-ug/4.5.7-using-acis-trail.html websites/staging/directory/trunk/content/apacheds/advanced-ug/4.5.7.1-enable-authenticated-users-to-browse-and-read-entries.html Modified: websites/staging/directory/trunk/content/ (props changed) websites/staging/directory/trunk/content/apacheds/advanced-ug/4.2.2-definitions.html Propchange: websites/staging/directory/trunk/content/ ------------------------------------------------------------------------------ --- cms:source-revision (original) +++ cms:source-revision Wed May 15 16:10:30 2013 
@@ -1 +1 @@ -1482925 +1482929 Modified: websites/staging/directory/trunk/content/apacheds/advanced-ug/4.2.2-definitions.html ============================================================================== --- websites/staging/directory/trunk/content/apacheds/advanced-ug/4.2.2-definitions.html (original) +++ websites/staging/directory/trunk/content/apacheds/advanced-ug/4.2.2-definitions.html Wed May 15 16:10:30 2013 @@ -137,7 +137,7 @@ -

4.2.2 Definitions

+

4.2.2 Definitions

ACI :

Access Control Information. The set of all the information which might Added: websites/staging/directory/trunk/content/apacheds/advanced-ug/4.2.6-the-acdf-engine.html ============================================================================== --- websites/staging/directory/trunk/content/apacheds/advanced-ug/4.2.6-the-acdf-engine.html (added) +++ websites/staging/directory/trunk/content/apacheds/advanced-ug/4.2.6-the-acdf-engine.html Wed May 15 16:10:30 2013 @@ -0,0 +1,178 @@ + + + + + 4.2.6 The ACDF engine — Apache Directory + + + + + + + + + + + + +

+ +
+
+ + + +
+
+ + + + + +

4.2.6 The ACDF engine

+

Chapter content

+ + + + + + +
+
+
+ +
+ + \ No newline at end of file Added: websites/staging/directory/trunk/content/apacheds/advanced-ug/4.2.6.1-how-it-works.html ============================================================================== --- websites/staging/directory/trunk/content/apacheds/advanced-ug/4.2.6.1-how-it-works.html (added) +++ websites/staging/directory/trunk/content/apacheds/advanced-ug/4.2.6.1-how-it-works.html Wed May 15 16:10:30 2013 @@ -0,0 +1,172 @@ + + + + + 4.2.6.1 How it works — Apache Directory + + + + + + + + + + + + +
+ +
+
+ + + +
+
+ + + + + +

4.2.6.1 How it works

+

TODO...

+ + + + + +
+
+
+ +
+ + \ No newline at end of file Added: websites/staging/directory/trunk/content/apacheds/advanced-ug/4.2.6.2-selections.html ============================================================================== --- websites/staging/directory/trunk/content/apacheds/advanced-ug/4.2.6.2-selections.html (added) +++ websites/staging/directory/trunk/content/apacheds/advanced-ug/4.2.6.2-selections.html Wed May 15 16:10:30 2013 @@ -0,0 +1,172 @@ + + + + + 4.2.6.2 Selections — Apache Directory + + + + + + + + + + + + +
+ +
+
+ + + +
+
+ + + + + +

4.2.6.2 Selections

+

TODO...

+ + + + + +
+
+
+ +
+ + \ No newline at end of file Added: websites/staging/directory/trunk/content/apacheds/advanced-ug/4.2.6.3-constraints.html ============================================================================== --- websites/staging/directory/trunk/content/apacheds/advanced-ug/4.2.6.3-constraints.html (added) +++ websites/staging/directory/trunk/content/apacheds/advanced-ug/4.2.6.3-constraints.html Wed May 15 16:10:30 2013 @@ -0,0 +1,172 @@ + + + + + 4.2.6.3 Constraints — Apache Directory + + + + + + + + + + + + +
+ +
+
+ + + +
+
+ + + + + +

4.2.6.3 Constraints

+

TODO...

+ + + + + +
+
+
+ +
+ + \ No newline at end of file Added: websites/staging/directory/trunk/content/apacheds/advanced-ug/4.2.6.4-priority.html ============================================================================== --- websites/staging/directory/trunk/content/apacheds/advanced-ug/4.2.6.4-priority.html (added) +++ websites/staging/directory/trunk/content/apacheds/advanced-ug/4.2.6.4-priority.html Wed May 15 16:10:30 2013 @@ -0,0 +1,172 @@ + + + + + 4.2.6.4 Priority — Apache Directory + + + + + + + + + + + + +
+ +
+
+ + + +
+
+ + + + + +

4.2.6.4 Priority

+

TODO...

+ + + + + +
+
+
+ +
+ + \ No newline at end of file Added: websites/staging/directory/trunk/content/apacheds/advanced-ug/4.2.7-using-acis-trail.html ============================================================================== --- websites/staging/directory/trunk/content/apacheds/advanced-ug/4.2.7-using-acis-trail.html (added) +++ websites/staging/directory/trunk/content/apacheds/advanced-ug/4.2.7-using-acis-trail.html Wed May 15 16:10:30 2013 @@ -0,0 +1,175 @@ + + + + + 4.2.7 Using ACIs trail — Apache Directory + + + + + + + + + + + + +
+ +
+
+ + + +
+
+ + + + + +

4.2.7 Using ACIs trail

+

Chapter content

+ + + + + + +
+
+
+ +
+ + \ No newline at end of file Added: websites/staging/directory/trunk/content/apacheds/advanced-ug/4.2.7.1-enable-authenticated-users-to-browse-and-read-entries.html ============================================================================== --- websites/staging/directory/trunk/content/apacheds/advanced-ug/4.2.7.1-enable-authenticated-users-to-browse-and-read-entries.html (added) +++ websites/staging/directory/trunk/content/apacheds/advanced-ug/4.2.7.1-enable-authenticated-users-to-browse-and-read-entries.html Wed May 15 16:10:30 2013 @@ -0,0 +1,291 @@ + + + + + 4.2.7.1 Enable Authenticated Users to Browse and Read Entries — Apache Directory + + + + + + + + + + + + +
+ +
+
+ + + +
+
+ + + + + +

4.2.7.1 Enable Authenticated Users to Browse and Read Entries

+

In this trail, we will show how we will allow all authenticated users to browse and read all the entries.

+

By default, if the access control subsystem is enabled, no one but the administrator can browse the DIT. This is obviously not convenient ...

+

Partition and Access Control Area Setup

+

For this example we presume you have setup a partition at the namingContext dc=example,dc=com and have turned on access controls. Now you want to grant browse and read access to entries and their attributes.

+

Before you can add a subentry with the prescriptiveACI you'll need to create an administrative area. For now we'll make the root of the partition the Administrative Point (AP). Every entry including this entry and those underneath will be part of the autonomous administrative area for managing access controls. To do this we must add the administrativeRole operational attribute to the AP entry.

+

AdministrationPoint setup

+

In our case, the dc=example,dc=com context entry has to contain the administrativeRole attribute, with the accessControlSpecificArea value.

+

Let's first connect to the server using the admin user, and select the dc=example,dc=com entry :

+

!Screen shot 2010-07-04 at 8.45.09 PM.png|border=1!

+

We will now add the directoryOperation attribute administrativeRole to this entry :

+

!Screen shot 2010-07-04 at 10.17.54 PM.png|border=1!

+

and we select the accessControlSpecificArea value :

+

!Screen shot 2010-07-04 at 10.18.49 PM.png|border=1!

+

Here is the resulting entry :

+

!Screen shot 2010-07-04 at 10.19.44 PM.png|border=1!

+

Subentry addition

+

Now, we have to create a subentry in which we will add the prescriptiveACI granting access to all the users.

+

Let's define the ACI first.

+

ACIItem Description

+

Here's the ACIItem we will add :

+
{ 
+  identificationTag "enableSearchForAllUsers",
+  precedence 14,
+  authenticationLevel simple,
+  itemOrUserFirst userFirst: 
+  { 
+    userClasses { allUsers }, 
+    userPermissions 
+    { 
+      {
+          protectedItems {entry, allUserAttributeTypesAndValues}, 
+          grantsAndDenials { grantRead, grantReturnDN, grantBrowse } 
+      }
+    } 
+  } 
+}
+
+ + +

There are several parameters to this simple ACIItem. Here's a breif +exaplanation of each field and it's meaning or significance.

+ + + + + + + + +
Fields Description
identificationTag Identifies the ACIItem within an entry.
precedence Determine which ACI to apply with conflicting ACIItems.
authenticationLevel User's level of trust with values of none, simple, +strong
itemOrUserFirst Determines order of item permissions or user +permissions.
userClasses The set of users the permissions apply to.
userPermissions Permissions on protected items
+ +

In our case, we want to grant all the users :

+
userClasses { allUsers }
+
+ + +

to be granted a read access :

+
  grantsAndDenials { grantRead, grantReturnDN, grantBrowse }
+
+ + +

for the Entry and all the values :

+
  protectedItems {entry, allUserAttributeTypesAndValues},
+
+ + +

The granted permissions are used to allow the user to browse the tree +(grantBrowse), read the entries (grantRead) and return the DN for +aliases (grantReturnDN).

+

+

PrescriptiveACI addition

+

Now that we have defined the ACIItem, we have to add it into a subentry +associated with the administration point. This is just an entry under the +administration Point, here, we will call it cn=enableSearchForAllUsers, +dc=example,dc=com.

+

The entry is described below in a LDIF format :

+
dn: cn=enableSearchForAllUsers,dc=example,dc=com
+objectClass: top
+objectClass: subentry
+objectClass: accessControlSubentry
+subtreeSpecification: {}
+prescriptiveACI: 
+{ 
+  identificationTag "enableSearchForAllUsers",
+  precedence 14,
+  authenticationLevel simple,
+  itemOrUserFirst userFirst: 
+  { 
+    userClasses { allUsers }, 
+    userPermissions 
+    { 
+      {
+          protectedItems {entry, allUserAttributeTypesAndValues}
+          grantsAndDenials { grantRead, grantReturnDN, grantBrowse }
+    }
+  }
+}
+
+ + +

}

+

It's also easy to create such an entry with Apache Directory Studio. +First, right click on the context entry, and select 'new Entry' :

+

!Screen shot 2010-07-04 at 11.57.50 PM.png|border=1!

+

Then create a new entry from scratch, and select the 'subentry' and +'accessControlSubentry' ObjectClasses :

+

!Screen shot 2010-07-04 at 11.59.28 PM.png|border=1!

+

Create the RDN for this new entry :

+

!Screen shot 2010-07-05 at 12.01.43 AM.png|border=1!

+

Pass the subtree editor, we don't need to define anything here, and go to +the Attributes definition :

+

!Screen shot 2010-07-05 at 12.03.21 AM.png|border=1!

+

The next step is to add the rescriptiveACI value, using the dedicated +editor :

+

!Screen shot 2010-07-05 at 12.12.16 AM.png|border=1!

+

When the selection has been done, we have to add the permissions :

+

!Screen shot 2010-07-05 at 12.13.47 AM.png|border=1!

+

Once done, all the entries under dc=example,dc=com are ruled by this ACI

+ + + + + +
+
+
+ +
+ + \ No newline at end of file
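Review bot: the 4.2.6.1 How it works page added here has `TODO...` as its entire body, and the same one-line placeholder is the whole body of the 4.2.6.2 Selections, 4.2.6.3 Constraints and 4.2.6.4 Priority pages added in this commit. If these are meant to reach staging before they are written, consider marking them as drafts or keeping them out of the 4.2.6 ACDF engine chapter navigation, so readers of that chapter are not sent to four empty pages.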
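Review bot: the LDIF for cn=enableSearchForAllUsers,dc=example,dc=com in the PrescriptiveACI addition section will not load as written, and it no longer matches the ACIItem shown earlier on the same page. The line `protectedItems {entry, allUserAttributeTypesAndValues}` has lost the comma that separates it from `grantsAndDenials { grantRead, grantReturnDN, grantBrowse }`, the closing brace of the inner permission block is missing, so the final `}` of the value ends up after the preformatted block as a stray `}` paragraph, and the `{` and `}` lines of the value start in column one, whereas LDIF only joins a wrapped value when every continuation line begins with a single space. Suggest pasting the ACIItem from the ACIItem Description section verbatim, with one leading space on each wrapped line. Smaller points in the same hunk: "breif exaplanation of each field and it's meaning" should read "brief explanation of each field and its meaning", "rescriptiveACI" should be "prescriptiveACI", "Determine which ACI to apply" should be "Determines", and "Pass the subtree editor" presumably means "Skip the subtree editor". Finally, since the page title promises access for authenticated users only while the text says the ACI grants access to "all the users", it is worth stating that `authenticationLevel simple` is what keeps anonymous binds out of `allUsers`, and that the empty `subtreeSpecification: {}` is why, as the last sentence says, every entry under dc=example,dc=com is covered.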