I'm running a 1.5.8 snapshot freshly built from trunk-with-dependencies. I've
set up access controls and am trying to define the 'enable search for all
users' ACI entry as explained in the online docs.
I've set up config.ldif to define a test partition 'neptune.com'. After
starting the server I ldapadd this LDIF:
version: 1

# Neptune root context entry
dn: dc=neptune,dc=com
objectClass: top
objectClass: domain
objectClass: extensibleObject
o: neptune.com
dc: neptune
description: The context entry for suffix neptune.com
administrativeRole: accessControlSpecificArea

# Enable search by all users
dn: cn=enableSearchForAllUsers,dc=neptune,dc=com
objectClass: subentry
objectClass: accessControlSubentry
cn: enableSearchForAllUsers
subtreeSpecification: {}
prescriptiveACI: {
   identificationTag "enableSearchForAllUsers",
   precedence 14,
   authenticationLevel simple,
   itemOrUserFirst userFirst:
   {
     userClasses { allUsers },
     userPermissions
     {
       {
         protectedItems {entry, allUserAttributeTypesAndValues},
         grantsAndDenials { grantRead, grantReturnDN, grantBrowse }
       }
     }
   }
 }
...
At this point I can search as a test user. If I restart the server I see this:
[16:39:28] DEBUG [org.apache.directory.server.core.authz.AciAuthorizationInterceptor] - Initializing the AciAuthorizationInterceptor
[16:39:28] WARN [org.apache.directory.server.core.authz.TupleCache] - Found accessControlSubentry 'cn=enableSearchForAllUsers,dc=neptune,dc=com' without any prescriptiveACI
[16:39:28] DEBUG [org.apache.directory.server.core.authz.GroupCache] - group cache contents on startup:
...
(I turned up logging for the Aci package).
This looks a bit like DIRSERVER-1524. Have I created the Aci entry correctly
for trunk code?
A couple of other related queries:
1. With access controls enabled, I can't connect anonymously to the RootDSE -
do I need another Aci entry for this?
2. Attempting a search as a test user, I would expect searches to fail with an
error, instead I just get no results. Is this intentional?
Richard
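A pre-load check for the condition the WARN line above reports, as an added example that is not part of the original post or of ApacheDS itself: it parses the LDIF (RFC 2849 folding, where a continuation line begins with one space), then verifies for each accessControlSubentry that a prescriptiveACI and a subtreeSpecification are present, that the ACI braces balance, and that the parent entry (the administrative point) carries an access-control administrativeRole. The function names, the constructed sample LDIF and its deliberately broken variant are mine. The checker reads only the LDIF text and cannot show what the server actually stored, so it narrows the question rather than settling it.

```python
"""Pre-load check for ApacheDS access-control LDIF (added example, not code from
the post or from ApacheDS). Parses RFC 2849 LDIF, where a folded value continues
on lines that begin with one space, and flags what would later surface as a
startup warning such as "accessControlSubentry ... without any prescriptiveACI"."""
from collections import defaultdict

# Constructed LDIF mirroring the posted entries, with proper line folding.
GOOD_LDIF = """\
version: 1
dn: dc=neptune,dc=com
objectClass: top
objectClass: domain
objectClass: extensibleObject
dc: neptune
administrativeRole: accessControlSpecificArea

dn: cn=enableSearchForAllUsers,dc=neptune,dc=com
objectClass: subentry
objectClass: accessControlSubentry
cn: enableSearchForAllUsers
subtreeSpecification: {}
prescriptiveACI: {
   identificationTag "enableSearchForAllUsers",
   precedence 14,
   authenticationLevel simple,
   itemOrUserFirst userFirst: {
     userClasses { allUsers },
     userPermissions { {
       protectedItems { entry, allUserAttributeTypesAndValues },
       grantsAndDenials { grantRead, grantReturnDN, grantBrowse } } } } }
"""

# Constructed broken variant: no prescriptiveACI, and no administrativeRole on the parent.
BAD_LDIF = """\
dn: dc=neptune,dc=com
objectClass: domain
dc: neptune

dn: cn=enableSearchForAllUsers,dc=neptune,dc=com
objectClass: subentry
objectClass: accessControlSubentry
cn: enableSearchForAllUsers
subtreeSpecification: {}
"""

def parse_ldif(text):
    """Return [(dn, {attr_lowercase: [values]})]; handles folded lines, '#' comments,
    'version:' and blank-line separators, but not base64 ('::') or URL (':<') values."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:  # continuation of the previous line
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    entries, current = [], None
    for line in unfolded:
        if not line.strip():  # a blank line terminates the current entry
            if current is not None:
                entries.append(current)
                current = None
            continue
        if line.startswith("#") or line.lower().startswith("version:"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed LDIF line: %r" % line)
        name, value = name.lower(), value.strip()
        if name == "dn":
            current = (value, defaultdict(list))
        elif current is None:
            raise ValueError("attribute before any dn: %r" % line)
        else:
            current[1][name].append(value)
    if current is not None:
        entries.append(current)
    return entries

def check_aci_ldif(text):
    """Return a list of problems; an empty list means the ACI LDIF looks sane."""
    entries = parse_ldif(text)
    by_dn = {dn.lower(): attrs for dn, attrs in entries}
    problems = []
    for dn, attrs in entries:
        classes = {c.lower() for c in attrs.get("objectclass", [])}
        if "accesscontrolsubentry" not in classes:
            continue
        if not attrs.get("subtreespecification"):
            problems.append("%s: missing subtreeSpecification" % dn)
        acis = attrs.get("prescriptiveaci", [])
        if not acis:
            problems.append("%s: accessControlSubentry without any prescriptiveACI" % dn)
        for aci in acis:
            if aci.count("{") != aci.count("}"):
                problems.append("%s: unbalanced braces in prescriptiveACI" % dn)
        # A subentry sits directly under its administrative point, which must
        # carry an access-control role (specific or inner area).
        parent = dn.split(",", 1)[1].lower() if "," in dn else ""
        roles = {r.lower() for r in by_dn.get(parent, {}).get("administrativerole", [])}
        if not roles & {"accesscontrolspecificarea", "accesscontrolinnerarea"}:
            problems.append("%s: parent '%s' lacks an accessControl*Area administrativeRole" % (dn, parent))
    return problems
```

Run `check_aci_ldif(open("test.ldif").read())` against the file you feed to ldapadd: an empty list means the subentry is at least structurally complete, and the "without any prescriptiveACI" message reproduces the TupleCache warning on the broken variant before the server ever sees it.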