It seems I forgot to paste the subtreeSpecification attribute for my config.
Here it is:
{ specificExclusions { chopBefore: "ou=notBrowsable" } }
On 9/13/07, Ersin Er <[EMAIL PROTECTED]> wrote:
>
> Hi again,
>
> I do not see any problem with your configuration. I tried almost the same
> configuration and it works fine here. Here is mine:
>
> dn: dc=example,dc=com
> changetype: modify
> add: administrativeRole
> administrativeRole: accessControlSpecificArea
>
> dn: cn=authzSubentry,dc=example,dc=com
> objectClass: subentry
> objectClass: accessControlSubentry
> objectClass: top
> cn: authzSubentry
> prescriptiveACI: {
> identificationTag "testACI",
> precedence 10,
> authenticationLevel none,
> itemOrUserFirst userFirst:
> {
> userClasses { allUsers },
> userPermissions
> {
> {
> precedence 10,
> protectedItems { allUserAttributeTypesAndValues, entry },
> grantsAndDenials
> {
> grantRead,
> grantReturnDN,
> grantBrowse
> }
> }
> ,
> {
> precedence 10,
> protectedItems
> {
> attributeType { userPassword }
> }
> ,
> grantsAndDenials
> {
> denyCompare,
> denyFilterMatch,
> denyRead
> }
> }
> }
> }
> }
>
> dn: ou=notBrowsable,dc=example,dc=com
> objectClass: organizationalUnit
> objectClass: top
> ou: notBrowsable
>
> dn: ou=browsable,dc=example,dc=com
> objectClass: organizationalUnit
> objectClass: top
> ou: browsable
>
> dn: ou=child1,ou=browsable,dc=example,dc=com
> objectClass: organizationalUnit
> objectClass: top
> ou: child1
>
> dn: ou=child2,ou=browsable,dc=example,dc=com
> objectClass: organizationalUnit
> objectClass: top
> ou: child2
>
> dn: ou=child3,ou=notBrowsable,dc=example,dc=com
> objectClass: organizationalUnit
> objectClass: top
> ou: child3
>
> dn: ou=child4,ou=notBrowsable,dc=example,dc=com
> objectClass: organizationalUnit
> objectClass: top
> ou: child4
>
>
> And I also attached a screenshot from Apache Directory Studio showing
> the case.
>
> HTH,
>
>
> On 9/13/07, Robb Penoyer <[EMAIL PROTECTED]> wrote:
> >
> >
> > Hey guys, turns out I wasn't subscribed to the users list... sorry for
> > the delay getting back with you.
> >
> > The ldif I am importing is pretty simple; the intent is a tree like
> > this, with two regions, one enabled to browse, the other not.
> >
> > dc=wyatt,dc=com (accessControlSpecificArea)
> > |
> > / \
> > ou=wyattbrowse ou=wyattnobrowse
> > / \ / \
> > ou=child1 ou=child2 ou=child1 ou=child2
> >
> >
> > Here is the ldif (the ACI I applied is below from original post):
> >
> > dn: uid=wyatt,ou=users,ou=system
> > displayName: Wyatt Directory User
> > uid: wyatt
> > userPassword: wyatt
> > objectClass: top
> > objectClass: person
> > objectClass: organizationalPerson
> > objectClass: inetOrgPerson
> > sn: wyatt
> > cn: wyatt
> >
> > dn: ou=wyattnobrowse,dc=example,dc=com
> > ou: wyattnobrowse
> > objectclass: top
> > objectclass: organizationalunit
> > description: Wyatt cannot browse here
> >
> > dn: ou=child1,ou=wyattnobrowse,dc=example,dc=com
> > ou: childone,
> > objectclass: top
> > objectclass: organizationalunit
> > description: Wyatt cannot browse here
> >
> > dn: ou=child2,dc=example,dc=com
> > ou: child2
> > objectclass: top
> > objectclass: organizationalunit
> > description: Wyatt cannot browse here
> >
> > dn: ou=wyattbrowse,dc=example,dc=com
> > ou: wyattsystem
> > objectclass: top
> > objectclass: organizationalunit
> > description: Wyatt can browse here
> >
> > dn: ou=child1,ou= wyattbrowse,dc=example,dc=com
> > ou: childone,
> > objectclass: top
> > objectclass: organizationalunit
> > description: Wyatt cannot browse here
> >
> > dn: ou=child2,ou=wyattbrowse,dc=example,dc=com
> > ou: child2
> > objectclass: top
> > objectclass: organizationalunit
> > description: Wyatt cannot browse here
> >
> >
> > On 9/12/07, Ersin Er <[EMAIL PROTECTED]> wrote:
> > >
> > > On 9/12/07, Robb Penoyer <[EMAIL PROTECTED]> wrote:
> > > >
> > > > Long time since I appeared anywhere near this project - hi all.
> > > >
> > > > Started playing with AAA's and such, read all the docs. Now I have a
> > > > question/problem.
> > > >
> > > > Using the standard ApacheDs 1.5.1 install, I modified the server.xml to
> > > > enable access controls. I also added the administrativeRole:
> > > > accessControlSpecificArea attribute to the base dn for dc=example,dc=com
> > > > in server.xml. (Verified the OA was there with studio).
> > > >
> > > > Added a new uid=wyatt via ldif, verified he couldn't see anything.
> > > >
> > > > Added a bunch of entries under dc=example,dc=com
> > > >
> > > > Added the following ACI ldif:
> > > >
> > > > dn: cn=authorizationsACISubentry,dc=example,dc=com
> > > > changetype: add
> > > > objectclass: top
> > > > objectclass: subentry
> > > > objectclass: accessControlSubentry
> > > > cn: authorizationsACISubentry
> > > > subtreeSpecification: { specificExclusions { chopBefore: "ou=wyattnobrowse" } }
> > > > prescriptiveACI: {
> > > > identificationTag "allUsersACI",
> > > > precedence 10,
> > > > authenticationLevel none,
> > > > itemOrUserFirst userFirst:
> > > > {
> > > > userClasses
> > > > {
> > > > allUsers
> > > > },
> > > > userPermissions
> > > > {
> > > > {
> > > > protectedItems { entry, allUserAttributeTypesAndValues },
> > > > grantsAndDenials { grantRead, grantReturnDN, grantBrowse }
> > > > },
> > > > {
> > > > protectedItems { attributeType { userPassword } },
> > > > grantsAndDenials { denyRead, denyCompare, denyFilterMatch }
> > > > }
> > > > }
> > > > }
> > > > }
> > > >
> > > > The result, the wyatt user still cannot see anything. whatup? If this
> > > > should be on dev list, please let me know.
> > >
> > >
> > > It's fine to have this on users list.
> > >
> > > Can you please provide the complete ldif export? It's hard to say
> > > what's wrong with the information you gave. I especially would like to
> > > know where the entries you're trying to access are with respect to
> > > "ou=wyattnobrowse".
> > >
> > >
> > > Thx.
> > > >
> > >
> > > --
> > > Ersin Er
> > > http://www.ersin-er.name
> > >
> >
> >
>
>
> --
> Ersin Er
> http://www.ersin-er.name
>
>
--
Ersin Er
http://www.ersin-er.name
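The thread turns on which entries a subentry's subtreeSpecification actually covers: with `{ specificExclusions { chopBefore: "ou=notBrowsable" } }` the prescriptiveACI governs the administrative area except the chopped entry and everything under it, so `grantBrowse` never reaches that branch. The following is an added example written for this page, not code from the thread or from ApacheDS: a small Python evaluator of the X.501 subtree-specification rules (base, chopBefore, chopAfter, minimum, maximum) that reports scope for the DNs of the tree quoted above. It assumes DNs without escaped commas, compares RDNs as case-folded strings, and does not implement `specificationFilter`; the names `SubtreeSpec`, `local_name` and `scope_report` are this example's own.

```python
"""Evaluate an X.501 subtreeSpecification against entry DNs.

Added example for the ApacheDS ACI thread; not ApacheDS code. Assumes plain
DNs (no escaped commas) and ignores specificationFilter.
"""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional


def parse_dn(dn: str) -> List[str]:
    """Split a DN into normalised 'attr=value' RDNs, leaf first."""
    rdns = []
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        rdns.append(f"{attr.strip().lower()}={value.strip().lower()}")
    return rdns


def local_name(entry_dn: str, root_dn: str) -> Optional[List[str]]:
    """RDNs of entry below root, ordered root-to-leaf; None if entry is not under root."""
    entry, root = parse_dn(entry_dn), parse_dn(root_dn)
    if len(entry) < len(root) or entry[len(entry) - len(root):] != root:
        return None
    return list(reversed(entry[: len(entry) - len(root)]))


@dataclass
class SubtreeSpec:
    """The parts of a subtreeSpecification this example handles.

    base is a LocalName relative to the administrative point ("" = the AP itself);
    chop_before / chop_after hold LocalNames relative to base.
    """
    base: str = ""
    chop_before: List[str] = field(default_factory=list)
    chop_after: List[str] = field(default_factory=list)
    minimum: int = 0
    maximum: Optional[int] = None

    def covers(self, admin_point: str, entry_dn: str) -> bool:
        root = f"{self.base},{admin_point}" if self.base else admin_point
        rel = local_name(entry_dn, root)
        if rel is None:                      # outside the base subtree
            return False
        depth = len(rel)
        if depth < self.minimum or (self.maximum is not None and depth > self.maximum):
            return False
        for chop in self.chop_before:        # chopBefore: the chop point and all below it
            c = list(reversed(parse_dn(chop)))
            if rel[: len(c)] == c:
                return False
        for chop in self.chop_after:         # chopAfter: only what lies strictly below it
            c = list(reversed(parse_dn(chop)))
            if len(rel) > len(c) and rel[: len(c)] == c:
                return False
        return True


def scope_report(spec: SubtreeSpec, admin_point: str, dns: Iterable[str]) -> Dict[str, bool]:
    """Map each DN to whether the subentry's prescriptiveACI applies to it."""
    return {dn: spec.covers(admin_point, dn) for dn in dns}


# Constructed input: the administrative point and the entries from the LDIF quoted above.
ADMIN_POINT = "dc=example,dc=com"
ENTRIES = [
    "dc=example,dc=com",
    "ou=notBrowsable,dc=example,dc=com",
    "ou=browsable,dc=example,dc=com",
    "ou=child1,ou=browsable,dc=example,dc=com",
    "ou=child2,ou=browsable,dc=example,dc=com",
    "ou=child3,ou=notBrowsable,dc=example,dc=com",
    "ou=child4,ou=notBrowsable,dc=example,dc=com",
]
CHOP_BEFORE = SubtreeSpec(chop_before=["ou=notBrowsable"])   # the spec used in the thread
CHOP_AFTER = SubtreeSpec(chop_after=["ou=notBrowsable"])     # for contrast

if __name__ == "__main__":
    for label, spec in (("chopBefore", CHOP_BEFORE), ("chopAfter", CHOP_AFTER)):
        print(f"--- {label} ou=notBrowsable ---")
        for dn, in_scope in scope_report(spec, ADMIN_POINT, ENTRIES).items():
            print(f"{'ACI applies ' if in_scope else 'not covered'}  {dn}")
```

Running it shows the difference between the two exclusion forms: `chopBefore` leaves `ou=notBrowsable` itself and its children without any grant from this subentry (so a user with no other ACI cannot browse there), while `chopAfter` keeps the chopped entry visible and excludes only its descendants. Anything placed outside the chopped branch, wherever it sits under the administrative point, stays in scope, which is worth checking against the DNs in an LDIF before concluding the ACI itself is wrong.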