On 5/20/11 6:24 PM, Ron Woods wrote:
Hi,
I have been going through the examples on this page in the manual
http://directory.apache.org/apacheds/1.5/32-basic-authorization.html
(I am using ApacheDS 1.5.7 with Apache Directory Studio Version:
1.5.3.v20100330)
I am trying to apply the prescriptiveACIs to my own company directory partition,
"o=vaytek".
Per the instructions, I enabled the "accessControlEnabled" flag in server.xml.
I have added to the top node "o=vaytek" the attribute "administrativeRole" with value
"accessControlSpecificArea" to make it the administrative point.
I have added a subentry with prescriptiveACIs
1) to deny allUsers access to the userPassword,
2) to allow allUsers to search and compare other attributes, and
3) to assign a specific user as the directory manager with full access,
as follows:
dn: cn=vaytekAuthorizationRequirementsACISubentry,o=vaytek
objectClass: subentry
objectClass: accessControlSubentry
objectClass: top
cn: vaytekAuthorizationRequirementsACISubentry
# empty subtreeSpecification: the subentry applies to the whole o=vaytek subtree
subtreeSpecification: { }
# LDIF continuation lines must start with a space; the indentation below is
# whitespace inside the ACI value and is ignored by the ACI grammar
prescriptiveACI: {
   identificationTag "allUsersACI",
   precedence 10,
   authenticationLevel simple,
   itemOrUserFirst userFirst: {
     userClasses { allUsers },
     userPermissions {
       {
         protectedItems { attributeType { userPassword } },
         grantsAndDenials { denyCompare, denyFilterMatch, denyRead }
       },
       {
         protectedItems { allUserAttributeTypesAndValues, entry },
         grantsAndDenials { grantRead, grantReturnDN, grantCompare,
                            grantDiscloseOnError, grantBrowse, grantFilterMatch }
       }
     }
   }
 }
prescriptiveACI: {
   identificationTag "directoryManagerFullAccessACI",
   precedence 11,
   authenticationLevel simple,
   itemOrUserFirst userFirst: {
     userClasses { name { "uid=rwoods,ou=Users,o=vaytek" } },
     userPermissions {
       {
         protectedItems { allUserAttributeTypesAndValues, entry },
         grantsAndDenials { grantReturnDN, grantDiscloseOnError, grantExport,
                            grantRemove, grantFilterMatch, grantBrowse,
                            grantModify, grantImport, grantRead, grantRename,
                            grantCompare, grantInvoke, grantAdd }
       }
     }
   }
 }
However, when I connect in Apache Directory Studio as user rwoods, then all I
can see is RootDSE and nothing below it.

Just wondering: did you stop and start the server after having
injected the ACI?
There is a bug in 1.5.7, which has been fixed in trunk, that makes the ACIs
not be reloaded when the server is restarted, making the ACI
subsystem totally useless.
I'm not saying that there is a workaround, or any solution to fix this
issue in 1.5.7, sadly, but I want to inform you about this problem.
We hope to get a new ADS release quite fast, but I'm more or less
talking in terms of weeks, not days.
Truly sorry for that :/
--
Regards,
Cordialement,
Emmanuel Lécharny
www.iktek.com
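Added illustration (not part of the thread and not ApacheDS code): a small model of the X.501 access control decision function, the procedure ApacheDS applies when several ACI items cover one request (keep the items with the highest precedence, then the most specific user class, then the most specific protected item, and deny if any survivor denies). The two prescriptiveACI items from the post are transcribed by hand into tuples so that you can see why an ordinary simple-bound user can read cn but not userPassword, why uid=rwoods can read userPassword thanks to precedence 11, and why an anonymous bind (authentication level "none") matches neither item and so gets nothing. The ordinary user uid=jdoe is a hypothetical name chosen for the example. The model does not parse the ACI grammar and, of course, does not reproduce the 1.5.7 reload bug Emmanuel describes.

```python
"""Simplified X.501 ACDF applied to the two ACI items from the post.
Added example, not ApacheDS code: the items are transcribed by hand."""
from dataclasses import dataclass
from typing import List

# Minimum requester authentication level an ACI item requires; a request made
# at a lower level (e.g. an anonymous bind, level "none") is not covered by it.
AUTH_LEVEL = {"none": 0, "simple": 1, "strong": 2}
# Specificity orderings used to break ties between items of equal precedence.
USER_CLASS_RANK = {"allUsers": 0, "subtree": 1, "userGroup": 2, "name": 3}
ITEM_RANK = {"entry": 0, "allUserAttributeTypesAndValues": 1, "attributeType": 2}


@dataclass(frozen=True)
class AciTuple:
    tag: str
    precedence: int
    auth_level: str      # authenticationLevel of the ACI item
    user_class: str      # allUsers | name (the classes used in the post)
    user_dn: str         # only meaningful for user_class == "name"
    item: str            # entry | allUserAttributeTypesAndValues | attributeType
    attr: str            # only meaningful for item == "attributeType"
    permission: str      # Read, Compare, Browse, Add, ...
    grant: bool


@dataclass(frozen=True)
class Request:
    requester_dn: str    # "" for an anonymous bind
    auth_level: str      # none | simple | strong
    target: str          # "entry" or an attribute type name
    permission: str


def expand(tag, precedence, auth_level, user_class, user_dn, items, perms, grant) -> List[AciTuple]:
    """Flatten one userPermissions block into one tuple per (item, permission)."""
    return [AciTuple(tag, precedence, auth_level, user_class, user_dn, item, attr, p, grant)
            for (item, attr) in items for p in perms]


# The subentry from the post, transcribed block by block.
VAYTEK_ACI = (
    expand("allUsersACI", 10, "simple", "allUsers", "",
           [("attributeType", "userPassword")],
           ["Compare", "FilterMatch", "Read"], grant=False)
    + expand("allUsersACI", 10, "simple", "allUsers", "",
             [("allUserAttributeTypesAndValues", ""), ("entry", "")],
             ["Read", "ReturnDN", "Compare", "DiscloseOnError", "Browse", "FilterMatch"], grant=True)
    + expand("directoryManagerFullAccessACI", 11, "simple", "name", "uid=rwoods,ou=Users,o=vaytek",
             [("allUserAttributeTypesAndValues", ""), ("entry", "")],
             ["ReturnDN", "DiscloseOnError", "Export", "Remove", "FilterMatch", "Browse", "Modify",
              "Import", "Read", "Rename", "Compare", "Invoke", "Add"], grant=True)
)


def applies(t: AciTuple, req: Request) -> bool:
    """Does this tuple cover the requester, the target and the permission?"""
    if AUTH_LEVEL[req.auth_level] < AUTH_LEVEL[t.auth_level]:
        return False
    if t.permission != req.permission:
        return False
    if t.user_class == "name" and t.user_dn.lower() != req.requester_dn.lower():
        return False
    if t.item == "entry":
        return req.target == "entry"
    if t.item == "attributeType":
        return req.target.lower() == t.attr.lower()
    return req.target != "entry"   # allUserAttributeTypesAndValues: any user attribute


def decide(aci: List[AciTuple], req: Request) -> bool:
    """Return True if access is granted (X.501 ACDF, simplified)."""
    tuples = [t for t in aci if applies(t, req)]
    if not tuples:
        return False                # nothing covers the request: default deny
    for key in (lambda t: t.precedence,
                lambda t: USER_CLASS_RANK[t.user_class],
                lambda t: ITEM_RANK[t.item]):
        best = max(key(t) for t in tuples)
        tuples = [t for t in tuples if key(t) == best]
    return all(t.grant for t in tuples)  # any surviving denial wins


if __name__ == "__main__":
    rwoods = "uid=rwoods,ou=Users,o=vaytek"
    jdoe = "uid=jdoe,ou=Users,o=vaytek"   # hypothetical ordinary user
    for req in [Request("", "none", "cn", "Read"),
                Request(jdoe, "simple", "cn", "Read"),
                Request(jdoe, "simple", "userPassword", "Read"),
                Request(rwoods, "simple", "userPassword", "Read"),
                Request(jdoe, "simple", "entry", "Add"),
                Request(rwoods, "simple", "entry", "Add")]:
        who = req.requester_dn or "<anonymous>"
        print(f"{who} {req.permission} {req.target}: {'grant' if decide(VAYTEK_ACI, req) else 'deny'}")
```

The order of the tie-breaking steps is what makes the userPassword denial stick for ordinary users: both allUsers tuples have precedence 10 and the same user class, so the attributeType item (more specific than allUserAttributeTypesAndValues) is the one that survives. Raising the manager item to precedence 11 short-circuits that comparison for uid=rwoods before specificity is ever considered.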