Here is a more compact formatted ACI:
{
identificationTag "allowUserToChangeHisOrHerPassword_ACI",
precedence 10, authenticationLevel simple,
itemOrUserFirst userFirst:
{
userClasses { thisEntry },
userPermissions
{
{
protectedItems { entry },
grantsAndDenials { grantModify }
},
{
protectedItems { allAttributeValues { userPassword } },
grantsAndDenials { grantRemove, grantAdd }
}
}
}
}
BTW, for this ACI to work, the userPassword attribute should have an
existing value before the user tries to add a value, because otherwise
it will mean the creation of the attribute, and the user will need a
grantAdd on the attributeType userPassword (which is still possible
with our ACI system).
On 5/1/07, Ersin Er <[EMAIL PROTECTED]> wrote:
Hi,
On 5/1/07, Martin Marcher <[EMAIL PROTECTED]> wrote:
> Hello,
>
> I'm playing around with the ACIs right now and followed the example in
> the apache 1.0.1 docs (hope they still apply; I'm on apacheds 1.5.0 now
> since I need the dynamic schema after figuring out the ACI stuff)
>
> I'd like the following:
>
> cn=Manager,dc=example,dc=com can access everything in dc=example,dc=com (DONE)
>
> all posixAccount or inetOrgPerson objects in
> ou=people,dc=example,dc=com should be allowed to change the password
> of the "self" entry (sorry, lacking better terms, don't know if that's
> appropriate) but no one else (except for Manager of course)
First of all you can use such a subtreeSpecification:
{ specificationFilter or:{ item:posixAccount, item:inetOrgPerson } }
And you may have such a prescriptiveACI:
{
identificationTag "allowUserToChangeHisOrHerPassword_ACI",
precedence 10, authenticationLevel simple,
itemOrUserFirst userFirst: {
userClasses {
thisEntry
},
userPermissions {
{
protectedItems {
entry
},
grantsAndDenials {
grantModify
}
},
{
protectedItems {
allAttributeValues { userPassword }
},
grantsAndDenials {
grantRemove, grantAdd
}
}
}
}
}
If you want to allow the user to be able to read his/her password value
you need to add grantRead in the second userPermission.
> This is where I'm not sure how to tell apacheds that this self entry
> can access/change the password but no one else.
>
> And a few other restrictions like not changing the address or similar
> stuff which I was able to figure out.
>
>
> The second thing is that LDAPStudio won't show a posixAccount or
> posixGroup objectClass, was it dropped in 1.5 or am I doing something
> wrong? I'll be happy to provide details but I'm not too proficient
> with ldap right now.
>
> thanks
> --
> Martin Marcher
> [EMAIL PROTECTED]
> http://www.mycorners.com
> https://www.xing.com/profile/Martin_Marcher
> http://www.linkedin.com/in/martinmarcher
> http://www.studivz.net/profile.php?ids=9f83ea8c5996b8ec
>
> http://www.amazon.de/gp/registry/wishlist/3KDAGCL2NKOIM/ref=reg_hu-wl_goto-registry/302-4432803-5146435?ie=UTF8&sort=date-added
>
HTH,
--
Ersin
--
Ersin
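The following is an added, constructed model of the userFirst ACI discussed in this thread. It is not ApacheDS code and does not parse the ACI syntax; it only models the pieces the thread uses (the thisEntry user class, the entry / allAttributeValues / attributeType protected items, the subtreeSpecification filter on posixAccount and inetOrgPerson) for a "replace userPassword" modify, so that the effect of the ACI, including the caveat that a missing userPassword value turns the modify into an attribute creation needing grantAdd on the attributeType, can be checked offline. The directory entries, DNs, attribute values and the function names are made up for the example.

```python
# Added, constructed model of the userFirst ACI from this thread.
# Not ApacheDS code: it models only thisEntry, the entry / allAttributeValues /
# attributeType protected items, the subtreeSpecification filter and a
# "replace userPassword" modify.  Entry DNs and values are made up.

# Constructed directory: DN -> attributes (attribute names lower-cased).
DIRECTORY = {
    "uid=alice,ou=people,dc=example,dc=com": {
        "objectclass": ["inetOrgPerson"],
        "userpassword": ["{SSHA}placeholder-hash"],   # already has a value
    },
    "uid=bob,ou=people,dc=example,dc=com": {
        "objectclass": ["posixAccount"],             # no userPassword yet
    },
    "cn=printer1,ou=people,dc=example,dc=com": {
        "objectclass": ["device"],                   # not selected by the filter
        "userpassword": ["secret"],
    },
}

# subtreeSpecification { specificationFilter or:{ item:posixAccount, item:inetOrgPerson } }:
# the subentry governs only entries under ou=people carrying one of these classes.
SUBTREE_BASE = ",ou=people,dc=example,dc=com"
SUBTREE_CLASSES = {"posixaccount", "inetorgperson"}

# The prescriptiveACI from the thread, reduced to the parts this model evaluates.
ACI = {
    "userClasses": {"thisEntry"},
    "userPermissions": [
        {"protectedItems": ("entry", None),
         "grants": {"grantModify"}},
        {"protectedItems": ("allAttributeValues", "userpassword"),
         "grants": {"grantRemove", "grantAdd"}},
    ],
}


def aci_applies(requester_dn, target_dn):
    """The ACI governs target_dn only if the subtree filter selects it, and the
    userClass thisEntry matches only when the requester *is* that entry."""
    target = target_dn.lower()
    entry = DIRECTORY.get(target)
    if entry is None or not target.endswith(SUBTREE_BASE):
        return False
    classes = {c.lower() for c in entry.get("objectclass", [])}
    if not classes & SUBTREE_CLASSES:
        return False
    return "thisEntry" in ACI["userClasses"] and requester_dn.lower() == target


def grants_for(item_kind, attr=None):
    """Union of the grants the ACI gives for one protectedItem kind (and attribute)."""
    grants = set()
    for perm in ACI["userPermissions"]:
        kind, perm_attr = perm["protectedItems"]
        if kind == item_kind and (perm_attr is None or perm_attr == attr):
            grants |= perm["grants"]
    return grants


def check_replace_password(requester_dn, target_dn):
    """Decide a 'replace: userPassword' modify, which removes the existing
    values and adds the new one.  Returns (allowed, reason)."""
    if not aci_applies(requester_dn, target_dn):
        return False, "no ACI applies (not thisEntry, or entry outside the subtree)"
    if "grantModify" not in grants_for("entry"):
        return False, "grantModify on the entry is missing"
    existing = DIRECTORY[target_dn.lower()].get("userpassword", [])
    value_grants = grants_for("allAttributeValues", "userpassword")
    if existing and "grantRemove" not in value_grants:
        return False, "grantRemove on userPassword values is missing"
    if "grantAdd" not in value_grants:
        return False, "grantAdd on userPassword values is missing"
    # The caveat from the thread: with no existing value the modify creates the
    # attribute, which additionally needs grantAdd on attributeType userPassword.
    if not existing and "grantAdd" not in grants_for("attributeType", "userpassword"):
        return False, "attribute absent: grantAdd on attributeType userPassword is needed"
    return True, "allowed"


def check_read_password(requester_dn, target_dn):
    """Reading one's own password value needs grantRead on the values, which
    the ACI as written does not give."""
    if not aci_applies(requester_dn, target_dn):
        return False, "no ACI applies"
    if "grantRead" not in grants_for("allAttributeValues", "userpassword"):
        return False, "grantRead on userPassword values is missing"
    return True, "allowed"


if __name__ == "__main__":
    alice = "uid=alice,ou=people,dc=example,dc=com"
    bob = "uid=bob,ou=people,dc=example,dc=com"
    printer = "cn=printer1,ou=people,dc=example,dc=com"
    for who, target in [(alice, alice), (alice, bob), (bob, bob), (printer, printer)]:
        print(who, "->", target, check_replace_password(who, target))
    print("alice reads own password:", check_read_password(alice, alice))
```

Running it shows alice allowed on her own entry, alice denied on bob's entry, bob denied on his own entry because the attribute does not exist yet, the device entry ignored by the subtree filter, and a read of the value denied until grantRead is added to the second userPermission.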