Hello,

Lately, I’ve been teaching myself how to use Apache Directory Server’s access control subsystem.

Before getting too cute, I figured I’d try out the recipes here:

http://directory.apache.org/apacheds/advanced-ug/4.2.7-using-acis-trail.html

Both work as advertised, but as I’ve been reading more, some have suggested refining…

http://directory.apache.org/apacheds/advanced-ug/4.2.7.2-allow-self-password-modify.html

…to use maxValueCount to prevent (someone claiming to be) the user from inserting multiple userPassword values.

However, as soon as I put maxValueCount in any protectedItems clause of my prescriptiveACI, all of my unprivileged user’s attributes become invisible to him. If I weren’t such a n00b, I’d think this was a bug.

Here is the prescriptiveACI that I think should work:

    {
      identificationTag "userSelfModifyPassword",
      precedence 0,
      authenticationLevel none,
      itemOrUserFirst userFirst: {
        userClasses { thisEntry },
        userPermissions {
          {
            protectedItems {
              maxValueCount { { type userPassword, maxCount 1 } },
              allAttributeValues { userPassword }
            },
            grantsAndDenials { grantAdd, grantRemove }
          },
          {
            protectedItems { entry },
            grantsAndDenials { grantRead, grantBrowse, grantModify }
          }
        }
      }
    }

Server environment:
    Oracle JDK 1.7u45
    ApacheDS 2.0.0-M15
    Debian 7.3, AMD64

Client environment:
    Apache Directory Studio
    Oracle JDK 1.7u45
    OS X 10.9.1

Any pointers on what I’m doing wrong and/or how to do it better would be greatly appreciated.

Best regards,
Mike Przybylski
