I also have this warning in 1.5.7, but I'm using the demo ACI provided in the getting started example:

cn="sevenSeasAuthorizationRequirementsACISubentry"
subtreeSpecification="{}"
prescriptiveACI="{
                   identificationTag "directoryManagerFullAccessACI",
                   precedence 11,
                   authenticationLevel simple,
                   itemOrUserFirst userFirst:
                   {
                     userClasses
                     {
                       name { "cn=Horatio Nelson,ou=people,o=sevenSeas" }
                     },
                     userPermissions
                     {
                       {
                         protectedItems
                         {
                           entry, allUserAttributeTypesAndValues
                         },
                         grantsAndDenials
                         {
                           grantAdd, grantDiscloseOnError, grantRead,
                           grantRemove, grantBrowse, grantExport, grantImport,
                           grantModify, grantRename, grantReturnDN,
                           grantCompare, grantFilterMatch, grantInvoke
                         }
                       }
                     }
                   }
                 }"

In my case the ACI doesn't load, so I'm unable to use ACI in ApacheDS.

So I'm now using OpenDS in production, but I'm really waiting for a fix or a solution (I prefer ApacheDS but I need strong access control).

The second prescriptiveACI seems to be ok, except that the 'grantDiscloseOnError' element starts on a new line without a space at first position.

PS. What do you think about JSON for ACI syntax in a next version of ApacheDS?

Stefano.



On 25/06/2010 22:03, Emmanuel Lecharny wrote:
 On 6/17/10 10:57 AM, Sudheer Kumar wrote:
dn: cn=RDSAuthorizationACISubentry,dc=xxx,dc=xx
changetype: add
objectclass: top
objectclass: subentry
objectclass: accessControlSubentry
cn: RDSAuthorizationACISubentry
subtreeSpecification: {}
prescriptiveACI: {
     identificationTag "directoryManagerFullAccessACI",
     precedence 11,
     authenticationLevel simple,
     itemOrUserFirst userFirst:
     {
       userClasses
       {
         name { "uid=adminuser,ou=people,dc=xxx,dc=com" }
       },
       userPermissions
       {
         {
           protectedItems
           {
             entry, allUserAttributeTypesAndValues
           },
           grantsAndDenials
           {
             grantAdd, grantDiscloseOnError, grantRead,
             grantRemove, grantBrowse, grantExport, grantImport,
             grantModify, grantRename, grantReturnDN,
             grantCompare, grantFilterMatch, grantInvoke
           }
         }
       }
     }
   }
prescriptiveACI: {
     identificationTag "allUsersACI",
     precedence 10,
     authenticationLevel none,
     itemOrUserFirst userFirst:
     {
       userClasses
       {
         allUsers
       },
       userPermissions
       {
         {
           protectedItems { entry, allUserAttributeTypesAndValues },
           grantsAndDenials { grantRead, grantBrowse, grantReturnDN,
                              grantCompare, grantFilterMatch,
grantDiscloseOnError }
         },
         {
           protectedItems { attributeType { userPassword } },
           grantsAndDenials { denyRead, denyCompare, denyFilterMatch }
         }
       }
     }
   }
The second prescriptiveACI seems to be ok, except that the 'grantDiscloseOnError' element starts on a new line without a space at first position.

I don't know if it's a mail artifact or not, can you check that ?
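
The folding problem raised above, as an added example that is not part of the original thread: in LDIF (RFC 2849) a continuation line must begin with one space, so an unindented `grantDiscloseOnError }` is read as a new, malformed line and the `prescriptiveACI` value is cut short. This Python check unfolds an LDIF and reports such lines; the function name and the sample entry (a shortened form of the ACI above) are constructed for illustration.

```python
import re

# "attr:" / "attr::" / "attr:<" start of an LDIF attribute line (RFC 2849)
ATTR_LINE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.;-]*:")

def unfold_ldif(text):
    """Unfold LDIF text; return (logical_lines, problems).

    logical_lines: [(first_physical_line_no, unfolded_line), ...]
    problems: [(physical_line_no, raw_line), ...] for lines that are not a
    continuation, comment, separator or "attr: value" line.
    """
    logical, problems = [], []
    state = None  # "attr": may be continued; "skip": swallow continuations
    for no, raw in enumerate(text.splitlines(), start=1):
        if raw.startswith(" "):
            if state == "attr":
                start, value = logical[-1]
                # Folding rule: drop exactly one leading space, then append.
                logical[-1] = (start, value + raw[1:])
            elif state is None:
                problems.append((no, raw))  # nothing to continue
        elif raw.startswith("#"):
            state = "skip"  # comment (its continuations are ignored)
        elif raw in ("", "-"):
            state = None  # record or modification separator
        elif ATTR_LINE.match(raw):
            logical.append((no, raw))
            state = "attr"
        else:
            problems.append((no, raw))  # e.g. a folded value missing its space
            state = "skip"  # report the break once, not every following line
    return logical, problems

# Constructed sample: shortened ACI with one continuation line left unindented.
SAMPLE = (
    "dn: cn=exampleACISubentry,dc=example,dc=com\n"
    "objectclass: accessControlSubentry\n"
    "prescriptiveACI: {\n"
    '     identificationTag "allUsersACI",\n'
    "     grantsAndDenials { grantRead, grantBrowse,\n"
    "grantDiscloseOnError }\n"
    "   }\n"
)

if __name__ == "__main__":
    lines, bad = unfold_ldif(SAMPLE)
    for no, raw in bad:
        print(f"line {no}: not a continuation or attribute line: {raw!r}")
    print("ACI value up to the break:", lines[-1][1])
```

Running the check on an LDIF file before importing it shows whether a broken fold comes from the file itself or only from how the mail client wrapped it.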

