Hey guys, turns out I wasn't subscribed to the users list... sorry for the
delay getting back with you.
The ldif I am importing is pretty simple, the intent is a tree like this,
with two regions, one enabled to browse, the other not.
dc=wyatt,dc=com (accessControlSpecificArea)
|
/ \
ou=wyattbrowse ou=wyattnobrowse
/ \ / \
ou=child1 ou=child2 ou=child1 ou=child2
Here is the ldif (the ACI I applied is below from original post):
dn: uid=wyatt,ou=users,ou=system
displayName: Wyatt Directory User
uid: wyatt
userPassword: wyatt
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
sn: wyatt
cn: wyatt
dn: ou=wyattnobrowse,dc=example,dc=com
ou: wyattnobrowse
objectclass: top
objectclass: organizationalunit
description: Wyatt cannot browse here
dn: ou=child1,ou=wyattnobrowse,dc=example,dc=com
ou: childone,
objectclass: top
objectclass: organizationalunit
description: Wyatt cannot browse here
dn: ou=child2,dc=example,dc=com
ou: child2
objectclass: top
objectclass: organizationalunit
description: Wyatt cannot browse here
dn: ou=wyattbrowse,dc=example,dc=com
ou: wyattsystem
objectclass: top
objectclass: organizationalunit
description: Wyatt can browse here
dn: ou=child1,ou= wyattbrowse,dc=example,dc=com
ou: childone,
objectclass: top
objectclass: organizationalunit
description: Wyatt cannot browse here
dn: ou=child2,ou=wyattbrowse,dc=example,dc=com
ou: child2
objectclass: top
objectclass: organizationalunit
description: Wyatt cannot browse here
On 9/12/07, Ersin Er <[EMAIL PROTECTED]> wrote:
>
> On 9/12/07, Robb Penoyer <[EMAIL PROTECTED]> wrote:
> >
> > Long time since I appeared anywhere near this project - hi all.
> >
> >
> >
> > Started playing with AAA's and such, read all the docs. Now I have a
> > question/problem.
> >
> >
> >
> > Using the standard ApacheDs 1.5.1 install, I modified the server.xml to
> > enable access
> >
> > controls. I also added the administrativeRole: accessControlSpecificArea
> >
> > attribute to the base dn for dc=example,dc=com in server.xml.
> >
> > (Verified the OA was there with studio).
> >
> >
> >
> > Added a new uid=wyatt via ldif, verified he couldn't see anything.
> >
> >
> >
> > Added a bunch of entries under dc=example,dc=com
> >
> >
> >
> > Added the following ACI ldif:
> >
> > dn: cn=authorizationsACISubentry,dc=example,dc=com
> >
> > changetype: add
> >
> > objectclass: top
> >
> > objectclass: subentry
> >
> > objectclass: accessControlSubentry
> >
> > cn: authorizationsACISubentry
> >
> > subtreeSpecification: { specificExclusions { chopBefore:
> > "ou=wyattnobrowse"
> > } }
> >
> > prescriptiveACI: {
> >
> > identificationTag "allUsersACI",
> >
> > precedence 10,
> >
> > authenticationLevel none,
> >
> > itemOrUserFirst userFirst:
> >
> > {
> >
> > userClasses
> >
> > {
> >
> > allUsers
> >
> > },
> >
> > userPermissions
> >
> > {
> >
> > {
> >
> > protectedItems { entry, allUserAttributeTypesAndValues },
> >
> > grantsAndDenials { grantRead, grantReturnDN, grantBrowse }
> >
> > },
> >
> > {
> >
> > protectedItems { attributeType { userPassword } },
> >
> > grantsAndDenials { denyRead, denyCompare, denyFilterMatch }
> >
> > }
> >
> > }
> >
> > }
> >
> > }
> >
> >
> >
> > The result, the wyatt user still cannot see anything. whatup? If this
> > should
> >
> > be on dev list, please let me know.
>
>
> It's fine to have this on users list.
>
> Can you please provide complete the complete ldif export? It's hard to say
> what's wrong with the information you gave. I especially would like to
> know
> where are the entries you're trying to access with respect to
> "ou=wyattnobrowse".
>
>
> Thx.
> >
>
> --
> Ersin Er
> http://www.ersin-er.name
>
