OK, so now I think I know what I'm doing, except...
I'm trying to set up ACI so that a user can see other users exist, can see
everything about themselves, and modify their password. It all appears to work
except the modify password stuff. Are the multiple ACI entries conflicting
with each other?
Here are my ACI entries:
# This ACI allows a User to see the DN of all users.
dn: cn=UserBrowsePermissions,ou=users,dc=mqsoftware,dc=com
objectClass: top
objectClass: subentry
objectClass: accessControlSubentry
cn: UserBrowsePermissions
subtreeSpecification: { }
prescriptiveACI: {
  identificationTag "UserBrowsePermissions",
  precedence 14,
  authenticationLevel simple,
  itemOrUserFirst userFirst:
  {
    userClasses
    {
      allUsers
    },
    userPermissions
    {
      {
        protectedItems { entry, allUserAttributeTypesAndValues },
        grantsAndDenials { grantBrowse, grantReturnDN }
      }
    }
  }
}
# This ACI allows a User to read everything about themselves
# and change their password.
dn: cn=UserWritePermissions,ou=users,dc=mqsoftware,dc=com
objectClass: top
objectClass: subentry
objectClass: accessControlSubentry
cn: UserWritePermissions
subtreeSpecification: { }
prescriptiveACI: {
  identificationTag "UserWritePermissions",
  precedence 14,
  authenticationLevel simple,
  itemOrUserFirst userFirst:
  {
    userClasses
    {
      thisEntry
    },
    userPermissions
    {
      {
        protectedItems { entry, allUserAttributeTypesAndValues },
        grantsAndDenials { grantRead, grantBrowse, grantReturnDN, grantCompare,
                           grantFilterMatch, grantInvoke }
      },
      {
        protectedItems { entry, attributeType { userPassword } },
        grantsAndDenials { grantRead, grantBrowse, grantReturnDN, grantModify }
      }
    }
  }
}
Wayne Johnson
Senior Software Engineer
MQSoftware, Inc.
1660 S Highway 100
Minneapolis, MN 55416
(952) 345-8628
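The following is an added example, not part of the original post. In the X.501 access control model that ApacheDS implements, grantModify on the entry only permits the modify operation itself; the values of the attribute being replaced are governed separately, and replacing userPassword needs grantAdd and grantRemove on that attribute's values. The UserWritePermissions subentry above never grants Add or Remove, which is consistent with the reported symptom. The subentry below keeps the original DN, tag and precedence and only adds the missing value-level permissions; the dc=mqsoftware,dc=com suffix is taken from the post.

```ldif
# Subentry granting a bound user read access to its own entry plus the
# ability to replace its own userPassword. Self-access is expressed with
# the thisEntry user class, so no other user's entry is affected.
dn: cn=UserWritePermissions,ou=users,dc=mqsoftware,dc=com
objectClass: top
objectClass: subentry
objectClass: accessControlSubentry
cn: UserWritePermissions
subtreeSpecification: { }
prescriptiveACI: {
  identificationTag "UserWritePermissions",
  precedence 14,
  authenticationLevel simple,
  itemOrUserFirst userFirst:
  {
    userClasses { thisEntry },
    userPermissions
    {
      # Read-only view of the user's own entry and all user attributes.
      {
        protectedItems { entry, allUserAttributeTypesAndValues },
        grantsAndDenials { grantRead, grantBrowse, grantReturnDN, grantCompare,
                           grantFilterMatch, grantInvoke }
      },
      # Modify is an entry-level permission: it allows the modify operation
      # to target this entry at all.
      {
        protectedItems { entry },
        grantsAndDenials { grantModify }
      },
      # A password replace removes the old value and adds the new one, so
      # both Add and Remove are needed on the values of userPassword only.
      # No other attribute becomes writable.
      {
        protectedItems { allAttributeValues { userPassword } },
        grantsAndDenials { grantAdd, grantRemove }
      }
    }
  }
}
```

The two subentries sharing precedence 14 is not a problem by itself: both of them only grant, and at equal precedence a permission is refused only when a denial for the same item is also in force. To confirm the change, bind as an ordinary user (not an administrator) and issue a modify with changetype modify / replace: userPassword against the user's own DN; the same modify aimed at a different user's DN should still be refused, which checks that thisEntry rather than allUsers is the effective user class.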