I have a set of LDIFs for my 1.5.4 directory which define prescriptive ACIs to allow and restrict access to certain attributes, such as password information. (They were originally cribbed from examples in the 1.5 documentation.)

I have just successfully run these LDIFs against my new 2.0.0-M23, but was surprised when my QA script had multiple failures. My ACIs did not appear to be working!

When I went back to my 1.5.4 installation notes, I discovered the ACI subsystem needs to be enabled. Unfortunately, 2.0 does not have a server.xml file, so I can't simply include the aciAuthorizationInterceptor.

I checked the wiki:

http://directory.apache.org/apacheds/advanced-ug/4.2.3-enabling-access-control.html

... just a TODO.

... and:

http://directory.apache.org/apacheds/basic-ug/3.2-basic-authorization.html

... just says "The authorization (ACI) subsystem is disabled by default. You have to enable it using the Apache Directory Studio configuration editor".

When I examined config.ldif_migrated, I found this entry:

# default, config
dn: ads-directoryServiceId=default,ou=config
ads-directoryserviceid: default
ads-dssyncperiodmillis: 15000
ads-dsallowanonymousaccess: TRUE
ads-dsreplicaid: 1
ads-dsaccesscontrolenabled: FALSE
ads-dspasswordhidden: FALSE
ads-dsdenormalizeopattrsenabled: FALSE
ads-enabled: TRUE
objectclass: top
objectclass: ads-base
objectclass: ads-directoryService

I ran an ldapmodify:

dn: ads-directoryServiceId=default,ou=config
changetype: modify
replace: ads-dsaccesscontrolenabled
ads-dsaccesscontrolenabled: TRUE

... and after restarting the server I was pleased to see my QA scripts ran successfully.

Incidentally, I also have a lower precedence ACI which allows allUsers grantRead, grantReturnDN and grantBrowse. This ACI appears to be stronger than the default config:

ads-dsallowanonymousaccess: TRUE

This is the result I want to achieve - my anonymous users are now permitted to read some attributes of some entries.

Have I overlooked anything important? If not, then the TODO page needs to be linked back to 3.2 (or vice versa), and one or both pages should document the ldapmodify technique.

Regards,

Brian
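The procedure above (inspect the directory-service entry in the config partition, then ldapmodify the ads-dsaccesscontrolenabled flag) can be checked offline before touching the live server. The following script is an added example, not code from the post or from the ApacheDS project: it parses a constructed copy of the ads-directoryServiceId=default,ou=config entry, reports whether ACIs will be enforced, emits the ldapmodify change record, and applies that record to the parsed copy so the result can be re-audited. The ldapmodify command line it prints assumes the ApacheDS defaults of port 10389 and the admin DN uid=admin,ou=system; adjust both for your installation.

```python
"""Offline audit of an ApacheDS 2.0 config export (config.ldif / config.ldif_migrated)
for the flag that turns the ACI subsystem on.  Added example, standard library only."""

DEFAULT_DS_DN = "ads-directoryServiceId=default,ou=config"

# Constructed sample: the directory-service entry as exported by ApacheDS 2.0,
# with the ACI subsystem disabled (the shipped default).
SAMPLE_CONFIG_LDIF = """\
# default, config
dn: ads-directoryServiceId=default,ou=config
ads-directoryserviceid: default
ads-dssyncperiodmillis: 15000
ads-dsallowanonymousaccess: TRUE
ads-dsreplicaid: 1
ads-dsaccesscontrolenabled: FALSE
ads-dspasswordhidden: FALSE
ads-dsdenormalizeopattrsenabled: FALSE
ads-enabled: TRUE
objectclass: top
objectclass: ads-base
objectclass: ads-directoryService
"""


def _logical_lines(text):
    """Unfold LDIF continuation lines (leading space) and drop comments."""
    out = []
    for raw in text.splitlines():
        if raw.startswith(" ") and out:
            out[-1] += raw[1:]
        elif not raw.startswith("#"):
            out.append(raw)
    return out


def parse_ldif(text):
    """Parse LDIF content records into [(dn, {attr_lower: [values]}), ...]."""
    entries, current = [], None
    for line in _logical_lines(text) + [""]:      # trailing "" flushes the last entry
        if line == "":
            if current is not None:
                entries.append(current)
            current = None
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            current = (value, {})
        elif current is not None:
            current[1].setdefault(attr, []).append(value)
    return entries


def find_entry(entries, dn):
    """Attributes of the entry with this DN (DN match is case-insensitive)."""
    for entry_dn, attrs in entries:
        if entry_dn.lower() == dn.lower():
            return attrs
    raise KeyError(dn)


def flag(attrs, name):
    """Boolean ads-* flag; an absent flag is treated as FALSE."""
    return attrs.get(name.lower(), ["FALSE"])[0].upper() == "TRUE"


def access_control_enabled(entries, dn=DEFAULT_DS_DN):
    return flag(find_entry(entries, dn), "ads-dsaccesscontrolenabled")


def audit(entries, dn=DEFAULT_DS_DN):
    """Findings a reviewer would want before relying on prescriptive ACIs."""
    attrs, findings = find_entry(entries, dn), []
    if not flag(attrs, "ads-dsaccesscontrolenabled"):
        findings.append("ads-dsaccesscontrolenabled is FALSE: prescriptive ACIs are not enforced")
    if flag(attrs, "ads-dsallowanonymousaccess"):
        findings.append("ads-dsallowanonymousaccess is TRUE: anonymous binds are accepted; "
                        "what they may read is decided by your ACIs only once ACIs are enabled")
    return findings


def enable_access_control_ldif(dn=DEFAULT_DS_DN):
    """The change record to feed to ldapmodify; restart the server afterwards."""
    return (f"dn: {dn}\nchangetype: modify\n"
            "replace: ads-dsaccesscontrolenabled\nads-dsaccesscontrolenabled: TRUE\n")


def apply_modify(entries, change_ldif):
    """Apply one 'changetype: modify' record (replace/add/delete ops separated by '-')
    to the parsed entries in place, so the change can be audited before going live."""
    lines = [l for l in _logical_lines(change_ldif) if l]
    attrs = find_entry(entries, lines[0].partition(":")[2].strip())
    if lines[1].replace(" ", "").lower() != "changetype:modify":
        raise ValueError("not a modify record")
    ops = []                                          # [(op, attr, [values])]
    for line in lines[2:]:
        if line == "-":
            continue
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key in ("replace", "add", "delete"):
            ops.append((key, value.lower(), []))
        else:
            ops[-1][2].append(value)
    for op, attr, values in ops:
        if op == "add":
            attrs.setdefault(attr, []).extend(values)
        elif op == "replace" and values:
            attrs[attr] = values
        elif op == "delete" and values:
            attrs[attr] = [v for v in attrs.get(attr, []) if v not in values]
        else:                                          # replace/delete with no values
            attrs.pop(attr, None)
    return attrs


if __name__ == "__main__":
    entries = parse_ldif(SAMPLE_CONFIG_LDIF)
    for finding in audit(entries):
        print("WARNING:", finding)
    if not access_control_enabled(entries):
        # Assumed ApacheDS defaults: port 10389, admin DN uid=admin,ou=system.
        print("ldapmodify -H ldap://localhost:10389 -x -D uid=admin,ou=system -W -f enable-aci.ldif")
        print(enable_access_control_ldif())
        apply_modify(entries, enable_access_control_ldif())
        print("after change, ACI enabled:", access_control_enabled(entries))
```

Run it against a real export with `parse_ldif(open("config.ldif_migrated").read())`; a clean audit after `apply_modify` tells you the change record is the only one needed, and the remaining anonymous-access finding is the reminder that, once ACIs are enforced, whatever anonymous users can read is exactly what your lowest-precedence allUsers grant permits.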
