Long time since I appeared anywhere near this project - hi all. Started playing with AAAs and such, read all the docs. Now I have a question/problem.
Using the standard ApacheDS 1.5.1 install, I modified the server.xml to enable access controls. I also added the administrativeRole: accessControlSpecificArea attribute to the base DN for dc=example,dc=com in server.xml. (Verified the OA was there with Studio.)

Added a new uid=wyatt via LDIF, verified he couldn't see anything. Added a bunch of entries under dc=example,dc=com. Added the following ACI LDIF:
dn: cn=authorizationsACISubentry,dc=example,dc=com
changetype: add
objectclass: top
objectclass: subentry
objectclass: accessControlSubentry
cn: authorizationsACISubentry
subtreeSpecification: { specificExclusions { chopBefore: "ou=wyattnobrowse" } }
# a value that spans several lines must be folded: every continuation line
# starts with a single space (RFC 2849), otherwise the parser treats the
# fragments as separate, malformed attribute lines
prescriptiveACI: {
  identificationTag "allUsersACI",
  precedence 10,
  authenticationLevel none,
  itemOrUserFirst userFirst:
  {
    userClasses
    {
      allUsers
    },
    userPermissions
    {
      {
        protectedItems { entry, allUserAttributeTypesAndValues },
        grantsAndDenials { grantRead, grantReturnDN, grantBrowse }
      },
      {
        protectedItems { attributeType { userPassword } },
        grantsAndDenials { denyRead, denyCompare, denyFilterMatch }
      }
    }
  }
 }
The result: the wyatt user still cannot see anything. Whatup? If this should be on the dev list, please let me know.

Thx.
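Added example, not part of the original message or of ApacheDS itself: a small Python helper that folds a multi-line prescriptiveACI value into an RFC 2849 LDIF record (continuation lines start with one space), unfolds it back, and flags value fragments that lost their leading space. The function names and the pretty-printed ACI text are my own constructions, copied from the ACI in the post above; the point is to confirm the subentry the server loads carries the whole ACI as one attribute value before debugging the access rules themselves.

```python
import re

# Constructed sample input: the prescriptiveACI value from the post, written in
# free-form (pretty-printed) ACI notation with newlines and indentation.
ACI_PRETTY = """{
  identificationTag "allUsersACI",
  precedence 10,
  authenticationLevel none,
  itemOrUserFirst userFirst:
  {
    userClasses { allUsers },
    userPermissions
    {
      { protectedItems { entry, allUserAttributeTypesAndValues },
        grantsAndDenials { grantRead, grantReturnDN, grantBrowse } },
      { protectedItems { attributeType { userPassword } },
        grantsAndDenials { denyRead, denyCompare, denyFilterMatch } }
    }
  }
}"""

SUBTREE_SPEC = '{ specificExclusions { chopBefore: "ou=wyattnobrowse" } }'

# An LDIF attribute line begins with an attribute description followed by ':'.
ATTR_LINE = re.compile(r"^[A-Za-z][A-Za-z0-9.;-]*:")


def fold_ldif_attribute(name, value, width=76):
    """Emit 'name: value' as one logical LDIF line folded per RFC 2849.
    Whitespace runs inside the value collapse to a single space (ACI syntax
    is whitespace-tolerant); every continuation line begins with exactly
    one space, which the unfolding reader strips again."""
    logical = f"{name}: " + " ".join(value.split())
    lines = [logical[:width]]
    rest = logical[width:]
    while rest:
        lines.append(" " + rest[: width - 1])  # one column used by the space
        rest = rest[width - 1:]
    return "\n".join(lines)


def unfold_ldif(text):
    """Reverse LDIF folding: a line that starts with a space continues the
    previous logical line, with that single leading space removed."""
    logical = []
    for line in text.rstrip("\n").split("\n"):
        if line.startswith(" ") and logical:
            logical[-1] += line[1:]
        else:
            logical.append(line)
    return logical


def find_unfolded_lines(text):
    """Return (line_number, text) for lines that are neither attribute lines,
    continuation lines, comments, blank lines nor the '-' change separator.
    Such lines are value fragments that lost their leading space, which is
    exactly what a pasted multi-line ACI looks like before folding."""
    bad = []
    for number, line in enumerate(text.split("\n"), start=1):
        if line == "" or line == "-" or line.startswith(("#", " ")):
            continue
        if not ATTR_LINE.match(line):
            bad.append((number, line))
    return bad


def build_subentry_ldif(dn, cn, subtree_spec, aci):
    """Assemble the accessControlSubentry add record with long values folded,
    so the server sees one attribute per logical line."""
    lines = [
        f"dn: {dn}",
        "changetype: add",
        "objectclass: top",
        "objectclass: subentry",
        "objectclass: accessControlSubentry",
        f"cn: {cn}",
        fold_ldif_attribute("subtreeSpecification", subtree_spec),
        fold_ldif_attribute("prescriptiveACI", aci),
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    record = build_subentry_ldif("cn=authorizationsACISubentry,dc=example,dc=com",
                                 "authorizationsACISubentry", SUBTREE_SPEC, ACI_PRETTY)
    print(record)
    print("stray lines:", find_unfolded_lines(record))
```

Run `find_unfolded_lines` over the LDIF file before feeding it to the server: an empty list means every fragment of the ACI is attached to the prescriptiveACI attribute; a non-empty list points at the lines the LDIF reader will reject or silently misparse.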