I'm using ApacheDS in order to manage user profiles for my web application. For
that, I have created the following partition for my application:
version: 1

dn: ou=users,o=MYSYSTEM
objectclass: organizationalUnit
objectclass: top
ou: users
description: contains all user entries supposed to use the MYSYSTEM system

dn: uid=afirst,ou=users,o=MYSYSTEM
objectClass: inetOrgPerson
objectClass: person
objectClass: organizationalPerson
objectClass: top
cn: The first user in MYSYSTEM
sn: Adam
description: First User in MYSYSTEM
mail: [email protected]
registeredAddress: address of adam
title: Scientist
uid: afirst
userPassword::

dn: uid=esecond,ou=users,o=MYSYSTEM
objectClass: inetOrgPerson
objectClass: person
objectClass: organizationalPerson
objectClass: top
cn: The first user in MYSYSTEM
sn: Eve
description: Second User in MYSYSTEM
mail: [email protected]
registeredAddress: address of eve
title: Scientist
uid: esecond
userPassword::

dn: o=MYSYSTEM
objectclass: extensibleObject
objectclass: top
objectclass: domain
dc: MYSYSTEM
description: MYSYSTEM system managment
o: MYSYSTEM
The idea was to enable a given user to access only its own profile. So I
activated the ApacheDS ACI and I followed the ApacheDS guide
http://joacim.breiler.com/apacheds/ch03s05.html by adding the administrative
role (accessControlSpecificArea) for the o=MYSYSTEM entry and I added the
following subentry (accessControlSubentry):
...
subtreespecification: {}
prescriptiveACI: { identificationTag "authTag",
  precedence 0,
  authenticationLevel simple,
  itemOrUserFirst userFirst: {
    userClasses { thisEntry },
    userPermissions {
      {
        protectedItems { entry, allUserAttributeTypesAndValues },
        grantsAndDenials {
          grantBrowse,
          grantFilterMatch,
          grantRead,
          grantReturnDN,
          grantCompare
        }
      }
    }
  }
}
Now, my problem is: if I make a connection with the afirst user's DN (through
ApacheDS Studio), the connection is OK but I don't retrieve anything from the
user profile. I am uncertain of the correctness of the above ACI rules; is it too
restrictive?
Any idea? Thanks in advance.
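When an ACI like the one above is applied and a self-bind returns an empty result, two things are worth checking separately: that the subentry record itself is complete (subentry objectClasses, subtreeSpecification, balanced prescriptiveACI braces, and the browse/read/returnDN grants that a search needs before it returns any entry), and what each user can actually observe once bound. The script below is an added example for doing both; it is not code from the post above or from the ApacheDS project. The subentry name `cn=usersACI`, its objectClasses, the host, port and passwords are assumptions, and the live check needs the third-party `ldap3` package, which is imported only inside that function so the rest runs offline.

```python
"""Checks for an ApacheDS "each user reads only its own entry" ACI.

Added example, not code from the original post or from ApacheDS.
Subentry name, objectClasses, host, port and passwords are assumptions.
"""
import base64

# The prescriptive ACI from the post, wrapped in a complete subentry record
# (assumed name/objectClasses). Continuation lines start with one space,
# which is RFC 2849 line folding.
SUBENTRY_LDIF = """\
dn: cn=usersACI,o=MYSYSTEM
objectClass: subentry
objectClass: accessControlSubentry
objectClass: top
cn: usersACI
subtreeSpecification: {}
prescriptiveACI: { identificationTag "authTag",
  precedence 0, authenticationLevel simple,
  itemOrUserFirst userFirst: {
    userClasses { thisEntry },
    userPermissions { {
      protectedItems { entry, allUserAttributeTypesAndValues },
      grantsAndDenials { grantBrowse, grantFilterMatch, grantRead,
                         grantReturnDN, grantCompare } } } } }
"""

USERS = "ou=users,o=MYSYSTEM"
OWN_DN = {uid: f"uid={uid},{USERS}" for uid in ("afirst", "esecond")}
REQUIRED_GRANTS = ("grantBrowse", "grantRead", "grantReturnDN")


def parse_ldif(text):
    """Parse LDIF into a list of {attribute: [values]} dicts (names lowercased).

    Unfolds continuation lines, decodes base64 ('attr:: ...') values and
    skips 'version:' and comment lines.
    """
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]          # unfold continuation line
        else:
            logical.append(raw)
    records, current = [], None
    for line in logical + [""]:             # trailing "" flushes the last record
        if not line or line.startswith("#"):
            if current:
                records.append(current)
            current = None
            continue
        if line.lower().startswith("version:"):
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"not an LDIF attribute line: {line!r}")
        if value.startswith(":"):           # base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode()
        else:
            value = value.strip()
        current = {} if current is None else current
        current.setdefault(attr.strip().lower(), []).append(value)
    return records


def lint_aci_subentry(record):
    """List problems that would leave the ACI inert or searches empty-handed.

    Without grantBrowse and grantReturnDN a base search can match an entry
    yet return nothing, which looks like a successful bind with no data.
    """
    problems = []
    classes = {v.lower() for v in record.get("objectclass", [])}
    for needed in ("subentry", "accesscontrolsubentry"):
        if needed not in classes:
            problems.append(f"missing objectClass {needed}")
    if "subtreespecification" not in record:
        problems.append("missing subtreeSpecification")
    aci = " ".join(record.get("prescriptiveaci", []))
    if not aci:
        problems.append("missing prescriptiveACI")
    elif aci.count("{") != aci.count("}"):
        problems.append("unbalanced braces in prescriptiveACI")
    for grant in REQUIRED_GRANTS:
        if aci and grant not in aci:
            problems.append(f"prescriptiveACI lacks {grant}")
    return problems


def observed_access(host, port, credentials, entries):
    """Bind as each user and base-search every entry; count attributes returned.

    Returns {uid: {target_dn: attribute_count}}. Needs ldap3 and a reachable
    server; credentials is {uid: (bind_dn, password)} (assumed values).
    """
    from ldap3 import ALL_ATTRIBUTES, BASE, Connection, Server
    server = Server(host, port=port)
    seen = {}
    for uid, (dn, password) in credentials.items():
        with Connection(server, user=dn, password=password, auto_bind=True) as conn:
            seen[uid] = {}
            for target in entries:
                conn.search(target, "(objectClass=*)", search_scope=BASE,
                            attributes=ALL_ATTRIBUTES)
                seen[uid][target] = (len(conn.entries[0].entry_attributes)
                                     if conn.entries else 0)
    return seen


def self_only_violations(observed, own_dn):
    """Compare observations with the ACI's intent: own entry readable, nothing else."""
    problems = []
    for uid, reads in observed.items():
        for target, nattrs in reads.items():
            if target == own_dn[uid] and nattrs == 0:
                problems.append((uid, target, "own entry not readable"))
            elif target != own_dn[uid] and nattrs > 0:
                problems.append((uid, target, "foreign entry readable"))
    return problems


if __name__ == "__main__":
    record = parse_ldif(SUBENTRY_LDIF)[0]
    print("subentry lint:", lint_aci_subentry(record) or "ok")
    creds = {u: (dn, "CHANGE-ME") for u, dn in OWN_DN.items()}   # placeholder passwords
    seen = observed_access("localhost", 10389, creds, list(OWN_DN.values()))
    print("violations:", self_only_violations(seen, OWN_DN) or "none")
```

Run the lint first; if it reports nothing, the empty result is not a malformed subentry, and the observed matrix tells you whether the bound user fails to see its own entry (ACI too restrictive or not enabled for the area) or, worse, sees other users' entries (ACI too permissive).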