Le 19/11/14 12:56, Christoph Witzany a écrit :
> Hi guys!
Hi Christoph,
I'm going to have a look at this ACI later tonight. I'm in The Apache
conference closing keynote atm...
>
> I need to create an Apache Directory Server installation with multiple
> partitions.
>
> For each partition there should be one or more admin users that can
> read/browse/edit only this partition.
> Additionally, the partitions will contain organisational units, where again a
> set of users can manage the respective subtree.
>
> If I understood the docs right this should be doable with Prescriptive ACIs.
>
> My first try at an ACI was something like that (in a subentry of
> dc=kig1,dc=example,dc=com ):
>
> {
>   identificationTag "kigAdmin",
>   precedence 0,
>   authenticationLevel simple,
>   itemOrUserFirst itemFirst:
>   {
>     protectedItems
>     {
>       entry,
>       allUserAttributeTypes,
>       allUserAttributeTypesAndValues
>     },
>     itemPermissions
>     {
>       {
>         precedence 0,
>         userClasses
>         {
>           name { "uid=admin,ou=kig1ki1,dc=kig1,dc=example,dc=com" }
>         },
>         grantsAndDenials
>         {
>           grantRename,
>           grantExport,
>           grantRemove,
>           grantInvoke,
>           grantDiscloseOnError,
>           grantRead,
>           grantAdd,
>           grantBrowse,
>           grantImport,
>           grantCompare,
>           grantReturnDN,
>           grantModify,
>           grantFilterMatch
>         }
>       }
>     }
>   }
> }
>
> User uid=admin,ou=kig1ki1,dc=kig1,dc=example,dc=com can bind to the LDAP
> server but cannot even browse the subtree, regardless of the
> subtreeSpecification value of the accessControlSubentry.
>
> Where do I go wrong?
>
> Thx for your help!
> Christoph
>
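An added example, not from this thread and not the answer that was eventually given: the same ACI deployed as LDIF together with the two prerequisites ApacheDS needs before any prescriptiveACI is evaluated at all, plus a second subentry for the OU-level admins mentioned in the question. It assumes ApacheDS 2.x with the ou=config partition, that the LDIF is applied as uid=admin,ou=system, and a restart after the first change; the subentry names and the group DN are made up.

```ldif
# Constructed LDIF, not from the thread. Assumes ApacheDS 2.x with the
# ou=config partition, applied as uid=admin,ou=system (which bypasses ACIs).
# 1. Enable the ACI subsystem. It is off by default, and while it is off every
#    prescriptiveACI is ignored whatever its subtreeSpecification says (restart after).
dn: ads-directoryServiceId=default,ou=config
changetype: modify
replace: ads-accesscontrolenabled
ads-accesscontrolenabled: TRUE

# 2. Make the partition root an access-control administrative point; a
#    subentry is only evaluated for the area of the AP it hangs under.
dn: dc=kig1,dc=example,dc=com
changetype: modify
add: administrativeRole
administrativeRole: accessControlSpecificArea

# 3. Partition-wide admin: the ACI from the thread, same grants and user,
#    in an accessControlSubentry covering the whole partition ({ } = all of it).
dn: cn=kigAdmin,dc=kig1,dc=example,dc=com
changetype: add
objectClass: top
objectClass: subentry
objectClass: accessControlSubentry
cn: kigAdmin
subtreeSpecification: { }
prescriptiveACI: { identificationTag "kigAdmin", precedence 0,
  authenticationLevel simple, itemOrUserFirst itemFirst: {
  protectedItems { entry, allUserAttributeTypesAndValues },
  itemPermissions { { precedence 0,
  userClasses { name { "uid=admin,ou=kig1ki1,dc=kig1,dc=example,dc=com" } },
  grantsAndDenials { grantAdd, grantBrowse, grantCompare, grantDiscloseOnError, grantExport,
  grantFilterMatch, grantImport, grantInvoke, grantModify, grantRead, grantRemove, grantRename, grantReturnDN } } } } }

# 4. OU-scoped admins: subtreeSpecification rooted at the OU (base is relative to the
#    AP). Group DN is a placeholder; a userGroup must be a groupOfUniqueNames.
dn: cn=kig1ki1Admins,dc=kig1,dc=example,dc=com
changetype: add
objectClass: top
objectClass: subentry
objectClass: accessControlSubentry
cn: kig1ki1Admins
subtreeSpecification: { base "ou=kig1ki1" }
prescriptiveACI: { identificationTag "kig1ki1Admins", precedence 0,
  authenticationLevel simple, itemOrUserFirst userFirst: {
  userClasses { userGroup { "cn=kig1ki1Admins,ou=groups,dc=kig1,dc=example,dc=com" } },
  userPermissions { { protectedItems { entry, allUserAttributeTypesAndValues },
  grantsAndDenials { grantAdd, grantBrowse, grantCompare, grantDiscloseOnError, grantExport,
  grantFilterMatch, grantImport, grantInvoke, grantModify, grantRead, grantRemove, grantRename, grantReturnDN } } } } }
```

The lines starting with a single space are LDIF continuation lines, so each prescriptiveACI value is one string once parsed. Once ACIs are enabled, any bind DN that no subentry grants anything to sees nothing, so check with a simple bind as the partition admin and as an unrelated user that the first can browse dc=kig1 and the second cannot.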