Hi again,
I do not see any problem with your configuration. I tried almost the same
configuration and it works fine here. Here is mine:
dn: dc=example,dc=com
changetype: modify
add: administrativeRole
administrativeRole: accessControlSpecificArea

dn: cn=authzSubentry,dc=example,dc=com
objectClass: subentry
objectClass: accessControlSubentry
objectClass: top
cn: authzSubentry
prescriptiveACI: {
   identificationTag "testACI",
   precedence 10,
   authenticationLevel none,
   itemOrUserFirst userFirst:
   {
     userClasses { allUsers },
     userPermissions
     {
       {
         precedence 10,
         protectedItems { allUserAttributeTypesAndValues, entry },
         grantsAndDenials
         {
           grantRead,
           grantReturnDN,
           grantBrowse
         }
       }
       ,
       {
         precedence 10,
         protectedItems
         {
           attributeType { userPassword }
         }
         ,
         grantsAndDenials
         {
           denyCompare,
           denyFilterMatch,
           denyRead
         }
       }
     }
   }
 }

dn: ou=notBrowsable,dc=example,dc=com
objectClass: organizationalUnit
objectClass: top
ou: notBrowsable

dn: ou=browsable,dc=example,dc=com
objectClass: organizationalUnit
objectClass: top
ou: browsable

dn: ou=child1,ou=browsable,dc=example,dc=com
objectClass: organizationalUnit
objectClass: top
ou: child1

dn: ou=child2,ou=browsable,dc=example,dc=com
objectClass: organizationalUnit
objectClass: top
ou: child2

dn: ou=child3,ou=notBrowsable,dc=example,dc=com
objectClass: organizationalUnit
objectClass: top
ou: child3

dn: ou=child4,ou=notBrowsable,dc=example,dc=com
objectClass: organizationalUnit
objectClass: top
ou: child4
And I also attached a screenshot from Apache Directory Studio showing the
case.
HTH,
On 9/13/07, Robb Penoyer <[EMAIL PROTECTED]> wrote:
>
> Hey guys, turns out I wasn't subscribed to the users list... sorry for the
> delay getting back with you.
>
> The ldif I am importing is pretty simple, the intent is a tree like this,
> with two regions, one enabled to browse, the other not.
>
>          dc=wyatt,dc=com (accessControlSpecificArea)
>                         |
>                      /     \
>          ou=wyattbrowse     ou=wyattnobrowse
>            /       \           /        \
>     ou=child1   ou=child2  ou=child1   ou=child2
>
>
> Here is the ldif (the ACI I applied is below from original post):
>
> dn: uid=wyatt,ou=users,ou=system
> displayName: Wyatt Directory User
> uid: wyatt
> userPassword: wyatt
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: inetOrgPerson
> sn: wyatt
> cn: wyatt
>
> dn: ou=wyattnobrowse,dc=example,dc=com
> ou: wyattnobrowse
> objectclass: top
> objectclass: organizationalunit
> description: Wyatt cannot browse here
>
> dn: ou=child1,ou=wyattnobrowse,dc=example,dc=com
> ou: childone,
> objectclass: top
> objectclass: organizationalunit
> description: Wyatt cannot browse here
>
> dn: ou=child2,dc=example,dc=com
> ou: child2
> objectclass: top
> objectclass: organizationalunit
> description: Wyatt cannot browse here
>
> dn: ou=wyattbrowse,dc=example,dc=com
> ou: wyattsystem
> objectclass: top
> objectclass: organizationalunit
> description: Wyatt can browse here
>
> dn: ou=child1,ou= wyattbrowse,dc=example,dc=com
> ou: childone,
> objectclass: top
> objectclass: organizationalunit
> description: Wyatt cannot browse here
>
> dn: ou=child2,ou=wyattbrowse,dc=example,dc=com
> ou: child2
> objectclass: top
> objectclass: organizationalunit
> description: Wyatt cannot browse here
>
> On 9/12/07, Ersin Er <[EMAIL PROTECTED]> wrote:
> >
> > On 9/12/07, Robb Penoyer <[EMAIL PROTECTED]> wrote:
> > >
> > > Long time since I appeared anywhere near this project - hi all.
> > >
> > > Started playing with AAA's and such, read all the docs. Now I have a
> > > question/problem.
> > >
> > > Using the standard ApacheDs 1.5.1 install, I modified the server.xml to
> > > enable access controls. I also added the administrativeRole:
> > > accessControlSpecificArea attribute to the base dn for dc=example,dc=com
> > > in server.xml. (Verified the OA was there with studio).
> > >
> > > Added a new uid=wyatt via ldif, verified he couldn't see anything.
> > >
> > > Added a bunch of entries under dc=example,dc=com
> > >
> > > Added the following ACI ldif:
> > >
> > > dn: cn=authorizationsACISubentry,dc=example,dc=com
> > > changetype: add
> > > objectclass: top
> > > objectclass: subentry
> > > objectclass: accessControlSubentry
> > > cn: authorizationsACISubentry
> > > subtreeSpecification: { specificExclusions { chopBefore: "ou=wyattnobrowse" } }
> > > prescriptiveACI: {
> > >   identificationTag "allUsersACI",
> > >   precedence 10,
> > >   authenticationLevel none,
> > >   itemOrUserFirst userFirst:
> > >   {
> > >     userClasses
> > >     {
> > >       allUsers
> > >     },
> > >     userPermissions
> > >     {
> > >       {
> > >         protectedItems { entry, allUserAttributeTypesAndValues },
> > >         grantsAndDenials { grantRead, grantReturnDN, grantBrowse }
> > >       },
> > >       {
> > >         protectedItems { attributeType { userPassword } },
> > >         grantsAndDenials { denyRead, denyCompare, denyFilterMatch }
> > >       }
> > >     }
> > >   }
> > > }
> > >
> > > The result, the wyatt user still cannot see anything. whatup? If this
> > > should be on dev list, please let me know.
> >
> > It's fine to have this on users list.
> >
> > Can you please provide the complete ldif export? It's hard to say
> > what's wrong with the information you gave. I especially would like to
> > know where are the entries you're trying to access with respect to
> > "ou=wyattnobrowse".
> >
> > Thx.
> >
> > --
> > Ersin Er
> > http://www.ersin-er.name
> >
>
--
Ersin Er
http://www.ersin-er.name
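To make the decision rules behind the prescriptiveACI in this thread concrete, here is an added example (my own code, not part of the thread and not ApacheDS's ACDF) modelling the X.501 Basic Access Control steps the ACI relies on: applicable items only, highest precedence wins, the most specific protected item wins among those, and access is granted only if every remaining item grants it. It also applies the chopBefore exclusion from the original post's subtreeSpecification; the DNs are the thread's, while the function names, the tuple layout and the omission of user-class specificity and authenticationLevel are my simplifying assumptions.

```python
# Simplified X.501 ACDF model applied to this thread's prescriptiveACI.
# Assumptions (my code, not ApacheDS): all items use userClasses { allUsers },
# so user-class specificity is skipped; authenticationLevel is not checked.

# Protected-item specificity, most specific first (ACDF tie-break order).
SPECIFICITY = {"attributeType": 0, "allUserAttributeTypesAndValues": 1, "entry": 2}

# Thread's ACI as (precedence, protectedItem, attribute|None, permission, grant?)
ACI_TUPLES = [
    (10, "entry", None, "Browse", True),
    (10, "entry", None, "ReturnDN", True),
    (10, "entry", None, "Read", True),
    (10, "allUserAttributeTypesAndValues", None, "Read", True),
    (10, "attributeType", "userpassword", "Read", False),
    (10, "attributeType", "userpassword", "Compare", False),
    (10, "attributeType", "userpassword", "FilterMatch", False),
]

def _rdns(dn):
    return [r.strip().lower() for r in dn.split(",")]

def in_scope(entry_dn, base_dn, chop_before=()):
    """Is entry_dn in the subentry's area? No exclusions means the whole subtree
    under base_dn; chopBefore removes the named local entry and its subordinates."""
    rdns, base = _rdns(entry_dn), _rdns(base_dn)
    if len(rdns) < len(base) or rdns[-len(base):] != base:
        return False
    local = rdns[:len(rdns) - len(base)]          # RDNs relative to the base
    for chop in chop_before:
        c = _rdns(chop)
        if len(local) >= len(c) and local[-len(c):] == c:
            return False
    return True

def decide(entry_dn, attribute, permission, base_dn="dc=example,dc=com", chop_before=()):
    """True if the permission is granted; attribute=None means the entry itself."""
    if not in_scope(entry_dn, base_dn, chop_before):
        return False                               # no applicable ACI: deny
    attr = attribute.lower() if attribute else None
    tuples = [t for t in ACI_TUPLES if t[3] == permission and (
        (attr is None and t[1] == "entry") or
        (attr is not None and t[1] != "entry" and t[2] in (None, attr)))]
    if not tuples:
        return False
    top = max(t[0] for t in tuples)                # keep highest precedence only
    tuples = [t for t in tuples if t[0] == top]
    best = min(SPECIFICITY[t[1]] for t in tuples)  # then the most specific item
    tuples = [t for t in tuples if SPECIFICITY[t[1]] == best]
    return all(t[4] for t in tuples)               # grant only if all remaining grant
```

With the reply's configuration (no subtreeSpecification) every entry under dc=example,dc=com is browsable and readable while userPassword stays hidden; passing chop_before=("ou=notBrowsable",) reproduces the exclusion the original post was aiming for.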