hehe, now that was easy. Guess I just need some coffee to get focused again after all the docs "just seem to be there"(r) :)
looks like i somehow started reading the whole thing backwards

On 4/4/07, Ersin Er <[EMAIL PROTECTED]> wrote:
Hi Martin,

You may want to follow the instruction on the following page:
http://directory.apache.org/apacheds/1.0/32-basic-authorization.html

If it does not help, let us know for further help.

On 4/4/07, Martin Marcher <[EMAIL PROTECTED]> wrote:
> Hello,
>
> I just jumped into apacheds and doing basic stuff for directory
> integration (apacheds-1.0.1).
>
> Now what I can't find is docs that I can use to set up ACIs, does
> anybody have links for this?
>
> I found the authorization[1] and the subsequent pages. But even the
> "Enable Search for all users"[2] is somewhat unclear to me.
>
> We're trying to switch as much of our services as possible to java
> since our company develops mainly in that area, however I'm not a Java
> programmer.
>
> Back to the topic, following the example in [2] I think the following
> should be true:
>
> ACIs are handled over ldif entries, which in turn are applied to a
> subtree or a single element, meaning if I need an ACI for a subtree or
> entry in apacheds i have to add an:
>
> objectClass: accessControlSubentry
>
> to the entry I want to grant/deny access.
>
> Translating the java code on [2] to ldif the following should result:
>
> I kept the newlines in prescriptive aci for reading purpose:
> (if this is correct maybe someone could post it to [3])
> --snip--
> dn: cn=enableSearchForAllUsers,dc=example,dc=com
> ObjectClass: accessControlSubentry
> subtreeSpecification: {}
> prescriptiveACI:
>  {
>    identificationTag "enableSearchForAllUsers",
>    precedence 14,
>    authenticationLevel simple,
>    itemOrUserFirst userFirst:
>    {
>      userClasses { allUsers },
>      userPermissions
>      {
>        {
>          protectedItems { entry, allUserAttributeTypesAndValues },
>          grantsAndDenials { grantRead, grantReturnDN, grantBrowse }
>        }
>      }
>    }
>  }
> --snap--
>
> Now with this Information say I have an inetOrgPerson at the following location:
>
> --snip--
> dn: uid=john.doe,ou=accounts,ou=people,dc=example,dc=com
> ObjectClass: inetOrgPerson
> ObjectClass: organizationalPerson
> ObjectClass: person
> ObjectClass: posixAccount
> ObjectClass: shadowAccount
> ObjectClass: top
> cn: John Doe
> cn: Jonathan Doe
> gidnumber: 1000
> homedirectory: /home/john.doe
> sn: Doe
> uid: john.doe
> uidnumber: 1000
> displayname: John Doe
> givenname: John
> givenname: Johnathan
> --snap--
>
> Now I want only "dn: uid=john.doe,ou=accounts,ou=people,dc=example,dc=com"
> to be able to access it (self read/modify - everything in essence)
>
> --snip--
> dn: uid=john.doe,ou=accounts,ou=people,dc=example,dc=com
> changetype: modify
> add: ObjectClass
> ObjectClass: accessControlSubentry
> -
> add: subtreeSpecification
> subtreeSpecification: {}
> -
> add: prescriptiveACI
> prescriptiveACI:
>  {
>    identificationTag "enableJohnDoeSelfAccess",
>    precedence 50,
>    authenticationLevel simple,
>    itemOrUserFirst userFirst:
>    {
>      userClasses { thisEntry },
>      userPermissions
>      {
>        {
>          protectedItems { entry, allUserAttributeTypesAndValues },
>          grantsAndDenials { grantModify, grantRead, grantReturnDN, grantBrowse }
>        }
>      }
>    }
>  }
> --snap--
>
> Did I get that right, or is it completely wrong?
>
> Summary:
>
> 1 to modify ACIs create an ldif and modify the subtree or entry itself
> 2 ACIs are defined in the ObjectClass: accessControlSubentry and the
> attribute prescriptiveACI with the syntax mentioned somewhere in [1]
> I think (at least there's an EBNF notation linked somewhere in that
> area)
>
> [1] http://directory.apache.org/apacheds/1.0/authorization.html
> [2] http://directory.apache.org/apacheds/1.0/enablesearchforallusers.html
> [3] http://cwiki.apache.org/confluence/pages/createpage.action?spaceKey=DIRxSRVx10&title=enableSearchForAllUsers.ldif&linkCreation=true&fromPageId=26217
>
> --
> Martin Marcher
> [EMAIL PROTECTED]
> http://www.mycorners.com
> https://www.xing.com/profile/Martin_Marcher
> http://www.linkedin.com/in/martinmarcher
> http://www.studivz.net/profile.php?ids=9f83ea8c5996b8ec
> http://www.amazon.de/gp/registry/wishlist/3KDAGCL2NKOIM/ref=reg_hu-wl_goto-registry/302-4432803-5146435?ie=UTF8&sort=date-added

--
Ersin

--
Martin Marcher
[EMAIL PROTECTED]
http://www.mycorners.com
https://www.xing.com/profile/Martin_Marcher
http://www.linkedin.com/in/martinmarcher
http://www.studivz.net/profile.php?ids=9f83ea8c5996b8ec
http://www.amazon.de/gp/registry/wishlist/3KDAGCL2NKOIM/ref=reg_hu-wl_goto-registry/302-4432803-5146435?ie=UTF8&sort=date-added
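
A small review helper for prescriptiveACI values like the two in the thread, added here as an example and not code from the thread or from ApacheDS: it pulls the security-relevant fields out of a userFirst ACIItem with regular expressions, rejects tokens that are not in the X.501 grantsAndDenials vocabulary (a slip such as "grant ReturnDN" with a space inside the keyword), and flags an ACI that hands write-capable grants to allUsers. The keyword sets are the X.501 ones as I know them; only the keyword user classes are handled (name/userGroup/subtree are reduced to their keyword), and the sample ACIs are constructed from the thread's examples.

```python
import re

# Keyword sets from the X.501 ACIItem syntax used by ApacheDS prescriptiveACI values.
GRANTS = {p + op for p in ("grant", "deny")
          for op in ("Add", "DiscloseOnError", "Read", "Remove", "Browse", "Export", "Import",
                     "Modify", "Rename", "ReturnDN", "Compare", "FilterMatch", "Invoke")}
READ_ONLY = {"grantRead", "grantBrowse", "grantReturnDN", "grantCompare",
             "grantFilterMatch", "grantDiscloseOnError"}
USER_CLASSES = {"allUsers", "thisEntry", "name", "userGroup", "subtree"}

def _field(pattern, text):
    m = re.search(pattern, text)
    return m.group(1) if m else None

def _items(body):
    return [x.strip() for x in (body or "").split(",") if x.strip()]

def lint_aci(aci):
    """Summarise one userFirst ACIItem and return (summary, findings)."""
    text = " ".join(aci.split())  # collapse the newlines kept for readability
    findings = []
    prec = _field(r"precedence\s+(\d+)", text)
    prec = int(prec) if prec is not None else None
    if prec is None or not 0 <= prec <= 255:
        findings.append("precedence missing or outside 0..255")
    auth = _field(r"authenticationLevel\s+(none|simple|strong)\b", text)
    if auth is None:
        findings.append("authenticationLevel missing or not one of none/simple/strong")
    # Keyword classes only; name/userGroup/subtree carry nested braces, keep just the keyword.
    classes = [c.split()[0] for c in _items(_field(r"userClasses\s*\{([^}]*)\}", text))]
    findings += [f"unknown userClasses keyword {c!r}" for c in classes if c not in USER_CLASSES]
    grants = _items(_field(r"grantsAndDenials\s*\{([^}]*)\}", text))
    findings += [f"not a grantsAndDenials token: {g!r}" for g in grants if g not in GRANTS]
    if "allUsers" in classes and any(g.startswith("grant") and g not in READ_ONLY for g in grants):
        findings.append("allUsers receives a write-capable grant; scope it to thisEntry or a userGroup")
    summary = {"tag": _field(r'identificationTag\s+"([^"]*)"', text), "precedence": prec,
               "authenticationLevel": auth, "userClasses": classes, "grantsAndDenials": grants}
    return summary, findings

# Constructed inputs: the thread's allUsers search ACI, and a self-access ACI carrying a
# "grant ReturnDN" slip (space inside the keyword) that the check should catch.
ACI_SEARCH = '''{ identificationTag "enableSearchForAllUsers", precedence 14,
  authenticationLevel simple, itemOrUserFirst userFirst: { userClasses { allUsers },
  userPermissions { { protectedItems { entry, allUserAttributeTypesAndValues },
  grantsAndDenials { grantRead, grantReturnDN, grantBrowse } } } } }'''
ACI_SELF = ACI_SEARCH.replace("enableSearchForAllUsers", "enableJohnDoeSelfAccess").replace(
    "precedence 14", "precedence 50").replace("allUsers", "thisEntry").replace(
    "grantRead, grantReturnDN", "grantModify, grantRead, grant ReturnDN")
```

Run lint_aci over each value before loading the LDIF; an empty findings list means the tokens are valid and nothing broad was granted, not that the subentry is placed under the right administrative point.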
