On 9/14/07, Robb Penoyer <[EMAIL PROTECTED]> wrote:
>
> Well that worked famously. I did modify the ldif to contain the
> administrative role setup and a new non-system user.
>
> I do not see a difference in either of your ACI's...?

Maybe small whitespace changes. BTW, here is the screenshot of the working
case for me:

http://people.apache.org/~ersiner/data/ACI.Test.jpg

Is it also the case for you now? Is it OK?

> -----Original Message-----
> From: Ersin Er [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, September 13, 2007 10:37 PM
> To: [email protected]
> Subject: Re: RE - Simplist of ACI's - question
>
> Here is a working LDIF File for me:
>
> http://people.apache.org/~ersiner/data/ACI.Test.ldif
>
> Please give it a try.
>
> HTH,
>
> On 9/14/07, Robb Penoyer <[EMAIL PROTECTED]> wrote:
> >
> > OK,
> >
> > I have to be an idiot... but here it is, this is your ldif. Fresh new
> > install of 1.5.1, XP SP2, Java 1.5.0_12, only config change was to turn
> > ACI's on. Fails to import.... if you have any pointer, that would be
> > great, but you're busy, I'll keep playing with it and update the thread.
> >
> > R-
> >
> > dn: cn=authzSubentry,dc=example,dc=com
> > objectClass: subentry
> > objectClass: accessControlSubentry
> > objectClass: top
> > cn: authzSubentry
> > subtreeSpecification:
> > { specificExclusions { chopBefore: "ou=notBrowsable" }}
> > prescriptiveACI:
> > {
> >   identificationTag "testACI",
> >   precedence 10,
> >   authenticationLevel none,
> >   itemOrUserFirst userFirst:
> >   {
> >     userClasses { allUsers },
> >     userPermissions
> >     {
> >       {
> >         protectedItems { allUserAttributeTypesAndValues, entry },
> >         grantsAndDenials { grantRead, grantReturnDN, grantBrowse }
> >       }
> >       ,
> >       {
> >         protectedItems { attributeType { userPassword } }
> >         ,
> >         grantsAndDenials { denyCompare, denyFilterMatch, denyRead }
> >       }
> >     }
> >   }
> > }
> >
> > -----Original Message-----
> > From: Ersin Er [mailto:[EMAIL PROTECTED]]
> > Sent: Thursday, September 13, 2007 3:01 AM
> > To: [email protected]
> > Subject: Re: RE - Simplist of ACI's - question
> >
> > It seems I forgot to paste the subtreeSpecification attribute for my
> > config. Here it is:
> >
> > { specificExclusions { chopBefore: "ou=notBrowsable" } }
> >
> > On 9/13/07, Ersin Er <[EMAIL PROTECTED]> wrote:
> > >
> > > Hi again,
> > >
> > > I do not see any problem with your configuration. I tried almost the
> > > same configuration and it works fine here. Here is mine:
> > >
> > > dn: dc=example,dc=com
> > > changetype: modify
> > > add: administrativeRole
> > > administrativeRole: accessControlSpecificArea
> > >
> > > dn: cn=authzSubentry,dc=example,dc=com
> > > objectClass: subentry
> > > objectClass: accessControlSubentry
> > > objectClass: top
> > > cn: authzSubentry
> > > prescriptiveACI: {
> > >   identificationTag "testACI",
> > >   precedence 10,
> > >   authenticationLevel none,
> > >   itemOrUserFirst userFirst:
> > >   {
> > >     userClasses { allUsers },
> > >     userPermissions
> > >     {
> > >       {
> > >         precedence 10,
> > >         protectedItems { allUserAttributeTypesAndValues, entry },
> > >         grantsAndDenials
> > >         {
> > >           grantRead,
> > >           grantReturnDN,
> > >           grantBrowse
> > >         }
> > >       }
> > >       ,
> > >       {
> > >         precedence 10,
> > >         protectedItems
> > >         {
> > >           attributeType { userPassword }
> > >         }
> > >         ,
> > >         grantsAndDenials
> > >         {
> > >           denyCompare,
> > >           denyFilterMatch,
> > >           denyRead
> > >         }
> > >       }
> > >     }
> > >   }
> > > }
> > >
> > > dn: ou=notBrowsable,dc=example,dc=com
> > > objectClass: organizationalUnit
> > > objectClass: top
> > > ou: notBrowsable
> > >
> > > dn: ou=browsable,dc=example,dc=com
> > > objectClass: organizationalUnit
> > > objectClass: top
> > > ou: browsable
> > >
> > > dn: ou=child1,ou=browsable,dc=example,dc=com
> > > objectClass: organizationalUnit
> > > objectClass: top
> > > ou: child1
> > >
> > > dn: ou=child2,ou=browsable,dc=example,dc=com
> > > objectClass: organizationalUnit
> > > objectClass: top
> > > ou: child2
> > >
> > > dn: ou=child3,ou=notBrowsable,dc=example,dc=com
> > > objectClass: organizationalUnit
> > > objectClass: top
> > > ou: child3
> > >
> > > dn: ou=child4,ou=notBrowsable,dc=example,dc=com
> > > objectClass: organizationalUnit
> > > objectClass: top
> > > ou: child4
> > >
> > > And I also attached a screenshot from Apache Directory Studio for
> > > showing the case.
> > >
> > > HTH,
> > >
> > > On 9/13/07, Robb Penoyer <[EMAIL PROTECTED]> wrote:
> > > >
> > > > Hey guys, turns out I wasn't subscribed to the users list... sorry
> > > > for the delay getting back with you.
> > > >
> > > > The ldif I am importing is pretty simple, the intent is a tree like
> > > > this, with two regions, one enabled to browse, the other not.
> > > >
> > > >            dc=wyatt,dc=com (accessControlSpecificArea)
> > > >                          |
> > > >                         / \
> > > >           ou=wyattbrowse   ou=wyattnobrowse
> > > >              /    \            /    \
> > > >      ou=child1  ou=child2  ou=child1  ou=child2
> > > >
> > > > Here is the ldif (the ACI I applied is below from original post):
> > > >
> > > > dn: uid=wyatt,ou=users,ou=system
> > > > displayName: Wyatt Directory User
> > > > uid: wyatt
> > > > userPassword: wyatt
> > > > objectClass: top
> > > > objectClass: person
> > > > objectClass: organizationalPerson
> > > > objectClass: inetOrgPerson
> > > > sn: wyatt
> > > > cn: wyatt
> > > >
> > > > dn: ou=wyattnobrowse,dc=example,dc=com
> > > > ou: wyattnobrowse
> > > > objectclass: top
> > > > objectclass: organizationalunit
> > > > description: Wyatt cannot browse here
> > > >
> > > > dn: ou=child1,ou=wyattnobrowse,dc=example,dc=com
> > > > ou: childone,
> > > > objectclass: top
> > > > objectclass: organizationalunit
> > > > description: Wyatt cannot browse here
> > > >
> > > > dn: ou=child2,dc=example,dc=com
> > > > ou: child2
> > > > objectclass: top
> > > > objectclass: organizationalunit
> > > > description: Wyatt cannot browse here
> > > >
> > > > dn: ou=wyattbrowse,dc=example,dc=com
> > > > ou: wyattsystem
> > > > objectclass: top
> > > > objectclass: organizationalunit
> > > > description: Wyatt can browse here
> > > >
> > > > dn: ou=child1,ou=wyattbrowse,dc=example,dc=com
> > > > ou: childone,
> > > > objectclass: top
> > > > objectclass: organizationalunit
> > > > description: Wyatt cannot browse here
> > > >
> > > > dn: ou=child2,ou=wyattbrowse,dc=example,dc=com
> > > > ou: child2
> > > > objectclass: top
> > > > objectclass: organizationalunit
> > > > description: Wyatt cannot browse here
> > > >
> > > > On 9/12/07, Ersin Er <[EMAIL PROTECTED]> wrote:
> > > > >
> > > > > On 9/12/07, Robb Penoyer <[EMAIL PROTECTED]> wrote:
> > > > > >
> > > > > > Long time since I appeared anywhere near this project - hi all.
> > > > > >
> > > > > > Started playing with AAA's and such, read all the docs. Now I
> > > > > > have a question/problem.
> > > > > >
> > > > > > Using the standard ApacheDs 1.5.1 install, I modified the
> > > > > > server.xml to enable access controls. I also added the
> > > > > > administrativeRole: accessControlSpecificArea attribute to the
> > > > > > base dn for dc=example,dc=com in server.xml.
> > > > > > (Verified the OA was there with studio).
> > > > > >
> > > > > > Added a new uid=wyatt via ldif, verified he couldn't see anything.
> > > > > >
> > > > > > Added a bunch of entries under dc=example,dc=com
> > > > > >
> > > > > > Added the following ACI ldif:
> > > > > >
> > > > > > dn: cn=authorizationsACISubentry,dc=example,dc=com
> > > > > > changetype: add
> > > > > > objectclass: top
> > > > > > objectclass: subentry
> > > > > > objectclass: accessControlSubentry
> > > > > > cn: authorizationsACISubentry
> > > > > > subtreeSpecification: { specificExclusions { chopBefore:
> > > > > >  "ou=wyattnobrowse" } }
> > > > > > prescriptiveACI: {
> > > > > >   identificationTag "allUsersACI",
> > > > > >   precedence 10,
> > > > > >   authenticationLevel none,
> > > > > >   itemOrUserFirst userFirst:
> > > > > >   {
> > > > > >     userClasses
> > > > > >     {
> > > > > >       allUsers
> > > > > >     },
> > > > > >     userPermissions
> > > > > >     {
> > > > > >       {
> > > > > >         protectedItems { entry, allUserAttributeTypesAndValues },
> > > > > >         grantsAndDenials { grantRead, grantReturnDN, grantBrowse }
> > > > > >       },
> > > > > >       {
> > > > > >         protectedItems { attributeType { userPassword } },
> > > > > >         grantsAndDenials { denyRead, denyCompare, denyFilterMatch }
> > > > > >       }
> > > > > >     }
> > > > > >   }
> > > > > > }
> > > > > >
> > > > > > The result, the wyatt user still cannot see anything. whatup? If
> > > > > > this should be on dev list, please let me know.
> > > > >
> > > > > It's fine to have this on users list.
> > > > >
> > > > > Can you please provide the complete ldif export? It's hard to say
> > > > > what's wrong with the information you gave. I especially would like
> > > > > to know where are the entries you're trying to access with respect
> > > > > to "ou=wyattnobrowse".
> > > > >
> > > > > Thx.
> > > > >
> > > > > --
> > > > > Ersin Er
> > > > > http://www.ersin-er.name
> > >
> > > --
> > > Ersin Er
> > > http://www.ersin-er.name
> >
> > --
> > Ersin Er
> > http://www.ersin-er.name
>
> --
> Ersin Er
> http://www.ersin-er.name

--
Ersin Er
http://www.ersin-er.name
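As an added example that is not part of the thread (and not ApacheDS code), here is a small Python check of which entries a subentry's subtreeSpecification covers, using the X.501 semantics of base, chopBefore, chopAfter, minimum and maximum. The DNs match the thread; the helper names are my own, DNs are assumed to have no escaped commas, and specificationFilter refinements are not modelled.

```python
from typing import Optional


def dn_rdns(dn: str) -> list:
    """Split a DN into lower-cased RDNs, leaf first (assumes no escaped commas)."""
    return [rdn.strip().lower() for rdn in dn.split(",") if rdn.strip()]


def is_subordinate(entry: list, ancestor: list) -> bool:
    """True if entry (leaf-first RDN list) is ancestor itself or lies beneath it."""
    n = len(ancestor)
    return len(entry) >= n and entry[len(entry) - n:] == ancestor


def in_subtree(entry_dn: str, admin_point: str, base: str = "",
               chop_before=(), chop_after=(), minimum: int = 0,
               maximum: Optional[int] = None) -> bool:
    """X.501 subtreeSpecification membership test.

    base, chop_before and chop_after are local names relative to the
    administrative point (empty base = the admin point itself), exactly as
    written in: { base "...", specificExclusions { chopBefore: "..." } }.
    """
    entry = dn_rdns(entry_dn)
    root = dn_rdns(base) + dn_rdns(admin_point)
    if not is_subordinate(entry, root):
        return False
    depth = len(entry) - len(root)  # 0 = the base entry itself
    if depth < minimum or (maximum is not None and depth > maximum):
        return False
    for local in chop_before:  # excludes that entry and everything below it
        if is_subordinate(entry, dn_rdns(local) + root):
            return False
    for local in chop_after:  # keeps that entry, excludes its subordinates
        cut = dn_rdns(local) + root
        if is_subordinate(entry, cut) and entry != cut:
            return False
    return True


def covered_by_thread_aci(entry_dn: str) -> bool:
    """Subtree of the thread's subentry: admin point dc=example,dc=com with
    specificExclusions { chopBefore: "ou=wyattnobrowse" }. Entries outside it
    receive no grant from that prescriptiveACI, so with access control
    enabled they are denied to uid=wyatt, which is the intended split."""
    return in_subtree(entry_dn, "dc=example,dc=com",
                      chop_before=["ou=wyattnobrowse"])
```

Running the check over each dn in the LDIF before importing it shows where the exclusion actually cuts, which is easier than guessing from a failed browse in Studio.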
