I'm using ApacheDS in order to manage user profiles for my web application. For that, I have created the following partition for my application:

    version: 1

    dn: ou=users,o=MYSYSTEM
    objectclass: organizationalUnit
    objectclass: top
    ou: users
    description: contains all user entries supposed to use the MYSYSTEM system

    dn: uid=afirst,ou=users,o=MYSYSTEM
    objectClass: inetOrgPerson
    objectClass: person
    objectClass: organizationalPerson
    objectClass: top
    cn: The first user in MYSYSTEM
    sn: Adam
    description: First User in MYSYSTEM
    mail: [email protected]
    registeredAddress: address of adam
    title: Scientist
    uid: afirst
    userPassword::

    dn: uid=esecond,ou=users,o=MYSYSTEM
    objectClass: inetOrgPerson
    objectClass: person
    objectClass: organizationalPerson
    objectClass: top
    cn: The first user in MYSYSTEM
    sn: Eve
    description: Second User in MYSYSTEM
    mail: [email protected]
    registeredAddress: address of eve
    title: Scientist
    uid: esecond
    userPassword::

    dn: o=MYSYSTEM
    objectclass: extensibleObject
    objectclass: top
    objectclass: domain
    dc: MYSYSTEM
    description: MYSYSTEM system managment
    o: MYSYSTEM

The idea was to allow a given user to access only its own profile. So I activated the ApacheDS ACI and I followed the ApacheDS guide http://joacim.breiler.com/apacheds/ch03s05.html by adding the administrative role (accessControlSpecificArea) to the o=MYSYSTEM entry, and I added the following subentry (accessControlSubentry):

    ...
    subtreespecification: {}
    prescriptiveACI: {
      identificationTag "authTag",
      precedence 0,
      authenticationLevel simple,
      itemOrUserFirst userFirst: {
        userClasses { thisEntry },
        userPermissions {
          {
            protectedItems { entry, allUserAttributeTypesAndValues },
            grantsAndDenials { grantBrowse, grantFilterMatch, grantRead, grantReturnDN, grantCompare }
          }
        }
      }
    }

Now, my problem is that if I make a connection with the afirst user's DN (through Apache Directory Studio), the connection is OK, but I don't retrieve anything from the user profile. I am uncertain of the correctness of the above ACI rules; is it too restrictive? Any idea? Thanks in advance.
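The ACI above grants rights only on the bound user's own entry (`thisEntry`), so it says nothing about the container entries o=MYSYSTEM and ou=users that a subtree search or a tree browser has to pass through on the way to uid=afirst. The following LDIF is an added example, not part of the question or of the ApacheDS documentation, that shows how a second access control subentry can grant just Browse and ReturnDN on those two container entries (and nothing on their attributes) to any simply-authenticated user, while attribute access stays limited to the user's own entry by the "authTag" subentry already in place. The subentry name cn=navigationACI, the tag "navigationTag" and the precedence value are assumptions chosen for the example; whether missing container permissions is actually what makes the Studio view empty cannot be confirmed from the post, so treat this as one thing to check rather than a known fix.

```ldif
# Added example: a second accessControlSubentry under the same administrative
# point (o=MYSYSTEM). Names and precedence are assumptions, not values from the post.
dn: cn=navigationACI,o=MYSYSTEM
objectClass: top
objectClass: subentry
objectClass: accessControlSubentry
cn: navigationACI
# "{ maximum 1 }" limits the subentry to entries at most one level below the
# administrative point, i.e. o=MYSYSTEM itself and ou=users, not the user entries.
subtreeSpecification: { maximum 1 }
# LDIF folds long values: each continuation line starts with one space that is
# removed on import, so a second space is kept to separate the ACIItem tokens.
prescriptiveACI: {
  identificationTag "navigationTag",
  precedence 1,
  authenticationLevel simple,
  itemOrUserFirst userFirst: {
    userClasses { allUsers },
    userPermissions {
      {
        protectedItems { entry },
        grantsAndDenials { grantBrowse, grantReturnDN }
      }
    }
  }
 }
```

Because `authenticationLevel simple` is required, anonymous binds do not match this item, and since only `entry` is protected, authenticated users can list the DNs of the two containers but still get no attribute values from any entry other than their own. A quick way to separate the two possible causes is to bind as uid=afirst and run a base-scope search directly on uid=afirst,ou=users,o=MYSYSTEM: if that returns the attributes while a subtree search from o=MYSYSTEM returns nothing, the "authTag" ACI is working and only navigation rights on the containers are missing.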
