I just tried this with the same data and am able to connect as "Horatio Nelson" and browse/modify all data.

On Thu, Jul 18, 2013 at 10:47 AM, Tayler M. Albitz <albi...@rcn.com> wrote:

> Hi,
>
> I'm running apacheds 2.0M11 and Studio 2.0.0v20130308.
>
> I'm looking at the example in the documentation here:
>
> http://directory.apache.org/apacheds/basic-ug/3.2-basic-authorization.html
>
> I have access control enabled and created the operational attribute
> administrativeRole with value "accessControlSpecificArea" in the entry
> "o=sevenSeas".
>
> I have created a subentry subordinate to "o=sevenSeas" to grant
> all operations' permissions to "cn=Horatio Nelson,ou=people,o=sevenSeas",
> who acts as directory manager
>
> I have created a new attribute value should added to the previously
> created Subentry's prescriptiveACI attribute to grant search and compare
> permissions to all users.
>
> cn: sevenseasAuthorizationRequirementsACISubentry
> createTimestamp: 20130718045513.434Z
> creatorsName: 0.9.2342.19200300.100.1.1=admin,2.5.4.11=system
> entryCSN: 20130718050528.059000Z#000000#001#000000
> entryDN: cn=sevenseasAuthorizationRequirementsACISubentry,o=sevenseas
> entryParentId: b38b8ff5-1ea8-4a05-a4b5-a3c6aa1d5063
> entryUUID:: NTk2ZGEwMjUtYmIzMy00NDgzLWE1YmEtYmY0YmJhM2Y3NGMx
> modifiersName: 0.9.2342.19200300.100.1.1=admin,2.5.4.11=system
> modifyTimestamp: 20130718050528.059Z
> objectClass: subentry
> objectClass: top
> prescriptiveACI: { identificationTag "allUsersSearchAndCompareACI", preceden
>  ce 10, authenticationLevel simple, itemOrUserFirst userFirst: { userClasses
>  { allUsers }, userPermissions { { protectedItems { entry, allUserAttribute
>  TypesAndValues }, grantsAndDenials { grantFilterMatch, grantRead, grantComp
>  are, grantReturnDN, grantBrowse, grantDiscloseOnError } } } } }
> prescriptiveACI: { identificationTag "directoryManagerFullAccessACI", preced
>  ence 11, authenticationLevel simple, itemOrUserFirst userFirst: { userClass
>  es { name { "cn=Horatio Nelson,ou=people,o=sevenseas" } }, userPermissions
>  { { protectedItems { entry, allUserAttributeTypesAndValues }, grantsAndDeni
>  als { grantFilterMatch, grantInvoke, grantRemove, grantBrowse, grantDisclos
>  eOnError, grantModify, grantRename, grantExport, grantRead, grantImport, gr
>  antCompare, grantReturnDN, grantAdd } } } } }
> subtreeSpecification: { }
>
> I can get connected as user "Horatio Nelson" and set my base to
> ou=people,o=sevenseas, but I don't see any data. I suspect I'm missing
> something. Just not sure what.
>
> Thanks in advance,
> -Tayler

--
Kiran Ayyagari
http://keydap.com
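
An added example, not part of either message in this thread and not ApacheDS code: a Python script that unfolds the subentry's LDIF and summarizes, per prescriptiveACI item, which user class receives which grants, so the ACI can be reviewed without reading the folded text. The sample LDIF is constructed from the quoted entry; the function names and the grouping of six permissions as "write" are assumptions of this example.

```python
import re

# Constructed sample: the prescriptiveACI values from the quoted subentry,
# folded the LDIF way (a continuation line starts with one extra space).
SAMPLE_LDIF = """\
dn: cn=sevenseasAuthorizationRequirementsACISubentry,o=sevenseas
prescriptiveACI: { identificationTag "allUsersSearchAndCompareACI", preceden
 ce 10, authenticationLevel simple, itemOrUserFirst userFirst: { userClasses
  { allUsers }, userPermissions { { protectedItems { entry, allUserAttribute
 TypesAndValues }, grantsAndDenials { grantFilterMatch, grantRead, grantComp
 are, grantReturnDN, grantBrowse, grantDiscloseOnError } } } } }
prescriptiveACI: { identificationTag "directoryManagerFullAccessACI", preced
 ence 11, authenticationLevel simple, itemOrUserFirst userFirst: { userClass
 es { name { "cn=Horatio Nelson,ou=people,o=sevenseas" } }, userPermissions
  { { protectedItems { entry, allUserAttributeTypesAndValues }, grantsAndDeni
 als { grantFilterMatch, grantInvoke, grantRemove, grantBrowse, grantDisclos
 eOnError, grantModify, grantRename, grantExport, grantRead, grantImport, gr
 antCompare, grantReturnDN, grantAdd } } } } }
subtreeSpecification: { }
"""

# Assumption of this example: permissions treated as data-modifying.
WRITE_PERMS = {"Add", "Remove", "Modify", "Rename", "Import", "Export"}

def unfold(ldif):
    """Join LDIF continuation lines: drop each newline plus the one fold space."""
    return re.sub(r"\r?\n ", "", ldif)

def aci_items(ldif):
    """Return one summary dict per prescriptiveACI value found in the LDIF."""
    items = []
    for value in re.findall(r"^prescriptiveACI: (.*)$", unfold(ldif), re.M):
        users = re.search(r"userClasses\s*\{(.*?)\}\s*,\s*userPermissions", value)
        perms = re.findall(r"\b(grant|deny)([A-Z]\w*)", value)
        items.append({
            "tag": re.search(r'identificationTag\s+"([^"]*)"', value).group(1),
            "precedence": int(re.search(r"precedence\s+(\d+)", value).group(1)),
            "users": users.group(1).strip(),
            "grants": {name for kind, name in perms if kind == "grant"},
            "denies": {name for kind, name in perms if kind == "deny"},
        })
    return items

def write_grants(item):
    """Grants in this item that allow changing directory data."""
    return item["grants"] & WRITE_PERMS

if __name__ == "__main__":
    for item in aci_items(SAMPLE_LDIF):
        print(item["precedence"], item["tag"], "->", item["users"])
        print("   write grants:", sorted(write_grants(item)) or "none")
```
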