Dear ApacheDS Community,
I am having trouble getting Access Control working with a fresh install of
ApacheDS.
Given that the online documentation is a little thin around how to configure
ACIs, I am trying to follow the example provided (in section 3.2 - Basic
Authorization).
I am getting the same error, regardless of whether I use the example as-is in
the documentation (The Seven Sea example), or my own, so I figured that I would
first reach out to see if anyone has gotten the example to work?
The resulting error is:
LDAP result code 21 - invalidAttributeSyntax] INVALID_ATTRIBUTE_SYNTAX: failed
for MessageType : ADD_REQUEST
which is not very descriptive, so I am not sure which attribute's syntax it is
complaining about. I am including the full error below. The syntax looks
reasonable, the right number of curly braces, etc.
Nonetheless, the example in the online documentation is straightforward
enough; once I can get that working, I am confident I should be able to get
something similar working in my configuration, but until I do, I am a bit
lost.
[Note: The only functional change I need to make to the example for my
configuration is that I want to be able to use a group instead of just a name,
but first things first in terms of getting the example to work as-is.]
After clicking '[ ] Enable Access Control' in the server configuration, and
restarting the server, I am attempting to load the example (LDIF for this
configuration) as-is via Studio (File => Import => LDIF into LDAP) from section
'3.2 - Basic Authorization'. And of course I successfully loaded the sample
"Seven Seas" LDIF first.
If anyone has gotten this to work, I would appreciate any feedback.
Thanks,
Dave Filip.
====
LDIF I am importing:
# File authz_sevenSeas.ldif
#
# Create an operational attribute "administrativeRole"
# with value "accessControlSpecificArea" in the entry "o=sevenSeas".
#
dn: o=sevenSeas
changetype: modify
add: administrativeRole
administrativeRole: accessControlSpecificArea
-

# Create a subentry subordinate to "o=sevenSeas" to grant all operations'
# permissions to "cn=Horatio Nelson,ou=people,o=sevenSeas", to grant search
# and compare permissions to all users and to deny search and compare
# permissions for userPassword attribute to all users.
#
dn: cn=sevenSeasAuthorizationRequirementsACISubentry,o=sevenSeas
changetype: add
objectclass: top
objectclass: subentry
objectclass: accessControlSubentry
cn: sevenSeasAuthorizationRequirementsACISubentry
subtreeSpecification: {}
prescriptiveACI: {
   identificationTag "directoryManagerFullAccessACI",
   precedence 11,
   authenticationLevel simple,
   itemOrUserFirst userFirst:
   {
     userClasses
     {
       name { "cn=Horatio Nelson,ou=people,o=sevenSeas" }
     },
     userPermissions
     {
       {
         protectedItems
         {
           entry, allUserAttributeTypesAndValues
         },
         grantsAndDenials
         {
           grantAdd, grantDiscloseOnError, grantRead,
           grantRemove, grantBrowse, grantExport, grantImport,
           grantModify, grantRename, grantReturnDN,
           grantCompare, grantFilterMatch, grantInvoke
         }
       }
     }
   }
 }
prescriptiveACI: {
   identificationTag "allUsersACI",
   precedence 10,
   authenticationLevel none,
   itemOrUserFirst userFirst:
   {
     userClasses
     {
       allUsers
     },
     userPermissions
     {
       {
         protectedItems { entry, allUserAttributeTypesAndValues },
         grantsAndDenials { grantRead, grantBrowse, grantReturnDN,
                            grantCompare, grantFilterMatch, grantDiscloseOnError }
       },
       {
         protectedItems { attributeType { userPassword } },
         grantsAndDenials { denyRead, denyCompare, denyFilterMatch }
       }
     }
   }
 }
====
Import Pop-Up Error:
Error while importing LDIF
- [LDAP result code 21 - invalidAttributeSyntax] INVALID_ATTRIBUTE_SYNTAX:
failed for MessageType : ADD_REQUEST
org.apache.directory.studio.connection.core.io.StudioLdapException: [LDAP
result code 21 - invalidAttributeSyntax] INVALID_ATTRIBUTE_SYNTAX: failed for
MessageType : ADD_REQUEST
Message ID : 125
Add Request :
Entry
dn: cn=sevenSeasAuthorizationRequirementsACISubentry,o=sevenSeas
objectclass: top
objectclass: subentry
objectclass: accessControlSubentry
prescriptiveACI: { identificationTag "directoryManagerFullAccessACI",
precedence 11, authenticationLevel simple, itemOrUserFirst userFirst: {
userClasses { name { "cn=Horatio
Nelson,ou=people,o=sevenSeas" } }, userPermissions {
{ protectedItems { entry,
allUserAttributeTypesAndValues }, grantsAndDenials
{ grantAdd, grantDiscloseOnError, grantRead,
grantRemove, grantBrowse, grantExport, grantImport,
grantModify, grantRename, grantReturnDN, grantCompare,
grantFilterMatch, grantInvoke } } } }
prescriptiveACI: { identificationTag "allUsersACI", precedence 10,
authenticationLevel none, itemOrUserFirst userFirst: { userClasses
{ allUsers }, userPermissions { {
protectedItems { entry, allUserAttributeTypesAndValues },
grantsAndDenials { grantRead, grantBrowse, grantReturnDN,
grantCompare, grantFilterMatch, grantDiscloseOnError } },
{ protectedItems { attributeType { userPassword } },
grantsAndDenials { denyRead, denyCompare, denyFilterMatch } }
} } }
subtreeSpecification: {}
cn: sevenSeasAuthorizationRequirementsACISubentry
}: UNKNOWN
: ERR_13246_INVALID_VALUE_PER_SYNTAX Invalid upValue per syntax
at org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper.toStudioLdapException(DirectoryApiConnectionWrapper.java:1356)
at org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper.access$4(DirectoryApiConnectionWrapper.java:1348)
at org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper$6.run(DirectoryApiConnectionWrapper.java:910)
at org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper.runAndMonitor(DirectoryApiConnectionWrapper.java:1265)
at org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper.checkConnectionAndRunAndMonitor(DirectoryApiConnectionWrapper.java:1210)
at org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper.createEntry(DirectoryApiConnectionWrapper.java:922)
at org.apache.directory.studio.ldapbrowser.core.jobs.ImportLdifRunnable.importLdifRecord(ImportLdifRunnable.java:445)
at org.apache.directory.studio.ldapbrowser.core.jobs.ImportLdifRunnable.importLdif(ImportLdifRunnable.java:272)
at org.apache.directory.studio.ldapbrowser.core.jobs.ImportLdifRunnable.run(ImportLdifRunnable.java:218)
at org.apache.directory.studio.connection.core.jobs.StudioConnectionJob.run(StudioConnectionJob.java:109)
at org.eclipse.core.internal.jobs.Worker.run(Worker.java:63)
Caused by: org.apache.directory.api.ldap.model.exception.LdapInvalidAttributeValueException:
INVALID_ATTRIBUTE_SYNTAX: failed for MessageType : ADD_REQUEST
Message ID : 125
Add Request :
Entry
dn: cn=sevenSeasAuthorizationRequirementsACISubentry,o=sevenSeas
objectclass: top
objectclass: subentry
objectclass: accessControlSubentry
prescriptiveACI: { identificationTag "directoryManagerFullAccessACI",
precedence 11, authenticationLevel simple, itemOrUserFirst userFirst: {
userClasses { name { "cn=Horatio
Nelson,ou=people,o=sevenSeas" } }, userPermissions {
{ protectedItems { entry,
allUserAttributeTypesAndValues }, grantsAndDenials
{ grantAdd, grantDiscloseOnError, grantRead,
grantRemove, grantBrowse, grantExport, grantImport,
grantModify, grantRename, grantReturnDN, grantCompare,
grantFilterMatch, grantInvoke } } } }
prescriptiveACI: { identificationTag "allUsersACI", precedence 10,
authenticationLevel none, itemOrUserFirst userFirst: { userClasses
{ allUsers }, userPermissions { {
protectedItems { entry, allUserAttributeTypesAndValues },
grantsAndDenials { grantRead, grantBrowse, grantReturnDN,
grantCompare, grantFilterMatch, grantDiscloseOnError } },
{ protectedItems { attributeType { userPassword } },
grantsAndDenials { denyRead, denyCompare, denyFilterMatch } }
} } }
subtreeSpecification: {}
cn: sevenSeasAuthorizationRequirementsACISubentry
}: UNKNOWN
: ERR_13246_INVALID_VALUE_PER_SYNTAX Invalid upValue per syntax
at org.apache.directory.api.ldap.model.message.ResultCodeEnum.processResponse(ResultCodeEnum.java:2101)
at org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper.checkResponse(DirectoryApiConnectionWrapper.java:1343)
at org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper.access$12(DirectoryApiConnectionWrapper.java:1339)
at org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper$6.run(DirectoryApiConnectionWrapper.java:906)
... 8 more
[LDAP result code 21 - invalidAttributeSyntax] INVALID_ATTRIBUTE_SYNTAX:
failed for MessageType : ADD_REQUEST
Message ID : 125
Add Request :
Entry
dn: cn=sevenSeasAuthorizationRequirementsACISubentry,o=sevenSeas
objectclass: top
objectclass: subentry
objectclass: accessControlSubentry
prescriptiveACI: { identificationTag "directoryManagerFullAccessACI",
precedence 11, authenticationLevel simple, itemOrUserFirst userFirst: {
userClasses { name { "cn=Horatio
Nelson,ou=people,o=sevenSeas" } }, userPermissions {
{ protectedItems { entry,
allUserAttributeTypesAndValues }, grantsAndDenials
{ grantAdd, grantDiscloseOnError, grantRead,
grantRemove, grantBrowse, grantExport, grantImport,
grantModify, grantRename, grantReturnDN, grantCompare,
grantFilterMatch, grantInvoke } } } }
prescriptiveACI: { identificationTag "allUsersACI", precedence 10,
authenticationLevel none, itemOrUserFirst userFirst: { userClasses
{ allUsers }, userPermissions { {
protectedItems { entry, allUserAttributeTypesAndValues },
grantsAndDenials { grantRead, grantBrowse, grantReturnDN,
grantCompare, grantFilterMatch, grantDiscloseOnError } },
{ protectedItems { attributeType { userPassword } },
grantsAndDenials { denyRead, denyCompare, denyFilterMatch } }
} } }
subtreeSpecification: {}
cn: sevenSeasAuthorizationRequirementsACISubentry
}: UNKNOWN
: ERR_13246_INVALID_VALUE_PER_SYNTAX Invalid upValue per syntax
====
And from the Modification Logs:
#!RESULT OK
#!CONNECTION ldap://mars.colornet.com:10389
#!DATE 2021-04-07T18:30:04.878
dn: o=sevenSeas
changetype: modify
add: administrativeRole
administrativeRole: accessControlSpecificArea
-
#!RESULT ERROR
#!CONNECTION ldap://mars.colornet.com:10389
#!DATE 2021-04-07T18:30:04.905
#!ERROR [LDAP result code 21 - invalidAttributeSyntax]
INVALID_ATTRIBUTE_SYNTAX: failed for MessageType : ADD_REQUEST Message ID : 125
Add Request : Entry dn:
cn=sevenSeasAuthorizationRequirementsACISubentry,o=sevenSeas objectclass:
top objectclass: subentry objectclass: accessControlSubentry
prescriptiveACI: { identificationTag "directoryManagerFullAccessACI",
precedence 11, authenticationLevel simple, itemOrUserFirst userFirst: {
userClasses { name { "cn=Horatio
Nelson,ou=people,o=sevenSeas" } }, userPermissions {
{ protectedItems { entry,
allUserAttributeTypesAndValues }, grantsAndDenials
{ grantAdd, grantDiscloseOnError, grantRead,
grantRemove, grantBrowse, grantExport, grantImport,
grantModify, grantRename, grantReturnDN, grantCompare,
grantFilterMatch, grantInvoke } } } }
prescriptiveACI: { identificationTag "allUsersACI", precedence 10,
authenticationLevel none, itemOrUserFirst userFirst: { userClasses
{ allUsers }, userPermissions { {
protectedItems { entry, allUserAttributeTypesAndValues },
grantsAndDenials { grantRead, grantBrowse, grantReturnDN,
grantCompare, grantFilterMatch, grantDiscloseOnError } },
{ protectedItems { attributeType { userPassword } },
grantsAndDenials { denyRead, denyCompare, denyFilterMatch } }
} } } subtreeSpecification: {} cn:
sevenSeasAuthorizationRequirementsACISubentry }: UNKNOWN :
ERR_13246_INVALID_VALUE_PER_SYNTAX Invalid upValue per syntax
dn: cn=sevenSeasAuthorizationRequirementsACISubentry,o=sevenSeas
changetype: add
prescriptiveACI:: eyAgIGlkZW50aWZpY2F0aW9uVGFnICJkaXJlY3RvcnlNYW5hZ2VyRnVsbEFj
Y2Vzc0FDSSIsICAgcHJlY2VkZW5jZSAxMSwgICBhdXRoZW50aWNhdGlvbkxldmVsIHNpbXBsZSwgI
CBpdGVtT3JVc2VyRmlyc3QgdXNlckZpcnN0OiAgIHsgICAgICAgdXNlckNsYXNzZXMgICAgICAgey
AgICAgICAgICAgbmFtZSB7ICJjbj1Ib3JhdGlvIE5lbHNvbixvdT1wZW9wbGUsbz1zZXZlblNlYXM
iIH0gICAgICAgfSwgICAgICAgdXNlclBlcm1pc3Npb25zICAgICAgIHsgICAgICAgICAgICB7ICAg
ICAgICAgICAgICAgcHJvdGVjdGVkSXRlbXMgICAgICAgICAgICAgICB7ICAgICAgICAgICAgICAgI
CAgIGVudHJ5LCBhbGxVc2VyQXR0cmlidXRlVHlwZXNBbmRWYWx1ZXMgICAgICAgICAgICAgICB9LC
AgICAgICAgICAgICAgIGdyYW50c0FuZERlbmlhbHMgICAgICAgICAgICAgICB7ICAgICAgICAgICA
gICAgICAgIGdyYW50QWRkLCBncmFudERpc2Nsb3NlT25FcnJvciwgZ3JhbnRSZWFkLCAgICAgICAg
ICAgICAgICAgICBncmFudFJlbW92ZSwgZ3JhbnRCcm93c2UsIGdyYW50RXhwb3J0LCBncmFudEltc
G9ydCwgICAgICAgICAgICAgICAgICAgZ3JhbnRNb2RpZnksIGdyYW50UmVuYW1lLCBncmFudFJldH
VybkROLCAgICAgICAgICAgICAgICAgICBncmFudENvbXBhcmUsIGdyYW50RmlsdGVyTWF0Y2gsIGd
yYW50SW52b2tlICAgICAgICAgICAgICAgfSAgICAgICAgICAgIH0gICAgICAgfSAgIH0g
prescriptiveACI: { identificationTag "allUsersACI", precedence 10, authe
nticationLevel none, itemOrUserFirst userFirst: { userClasses
{ allUsers }, userPermissions { {
protectedItems { entry, allUserAttributeTypesAndValues },
grantsAndDenials { grantRead, grantBrowse, grantReturnDN,
grantCompare, grantFilterMatch, grantDiscloseOnError } }
, { protectedItems { attributeType { userPassword } }
, grantsAndDenials { denyRead, denyCompare, denyFilterMatch }
} } } }
subtreeSpecification: {}
cn: sevenSeasAuthorizationRequirementsACISubentry
objectclass: top
objectclass: subentry
objectclass: accessControlSubentry
}: UNKNOWN