Well that worked famously. I did modify the ldif to contain the administrative role setup and a new non-system user.
I do not see a difference in either of your ACI's...? -----Original Message----- From: Ersin Er [mailto:[EMAIL PROTECTED] Sent: Thursday, September 13, 2007 10:37 PM To: [email protected] Subject: Re: RE - Simplist of ACI's - question Here is a working LDIF File for me: http://people.apache.org/~ersiner/data/ACI.Test.ldif Please give it a try. HTH, On 9/14/07, Robb Penoyer <[EMAIL PROTECTED]> wrote: > > OK, > > I have to be an idiot... but here it is, this is your ldif. Fresh new > install of 1.5.1, XP SP2, Java 1.5.0_12, only config change was to turn > ACI's on. Fails to import.... if you have any pointer, that would be > great,but you're busy, I'll keep playing with it and update the thread. > > R- > > dn: cn=authzSubentry,dc=example,dc=com > objectClass: subentry > objectClass: accessControlSubentry > objectClass: top > cn: authzSubentry > subtreeSpecification: > { specificExclusions { chopBefore: "ou=notBrowsable" }} > prescriptiveACI: > { > identificationTag "testACI", > precedence 10, > authenticationLevel none, > itemOrUserFirst userFirst: > { > userClasses { allUsers }, > userPermissions > { > { > protectedItems { > allUserAttributeTypesAndValues, entry }, > grantsAndDenials { grantRead, > grantReturnDN, > grantBrowse } > } > , > { > protectedItems { attributeType { > userPassword } } > , > grantsAndDenials {denyCompare, > denyFilterMatch, denyRead } > } > } > } > } > > -----Original Message----- > From: Ersin Er [mailto:[EMAIL PROTECTED] > Sent: Thursday, September 13, 2007 3:01 AM > To: [email protected] > Subject: Re: RE - Simplist of ACI's - question > > It seems I forgot to paste the subtreeSpecification attribute for my > config. > Here it's: > > { specificExclusions { chopBefore: "ou=notBrowsable" } } > > On 9/13/07, Ersin Er <[EMAIL PROTECTED]> wrote: > > > > Hi again, > > > > I do not see any problem with your configuration. I tried almost the > same > > configuration and it works fine here. Here is mine: > > > > dn: dc=example,dc=com > > changetype: modify > > add: administrativeRole > > administrativeRole: accessControlSpecificArea > > > > dn: cn=authzSubentry,dc=example,dc=com > > objectClass: subentry > > objectClass: accessControlSubentry > > objectClass: top > > cn: authzSubentry > > prescriptiveACI: { > > identificationTag "testACI", > > precedence 10, > > authenticationLevel none, > > itemOrUserFirst userFirst: > > { > > userClasses { allUsers }, > > userPermissions > > { > > { > > precedence 10, > > protectedItems { allUserAttributeTypesAndValues, entry > }, > > grantsAndDenials > > { > > grantRead, > > grantReturnDN, > > grantBrowse > > } > > } > > , > > { > > precedence 10, > > protectedItems > > { > > attributeType { userPassword } > > } > > , > > grantsAndDenials > > { > > denyCompare, > > denyFilterMatch, > > denyRead > > } > > } > > } > > } > > } > > > > dn: ou=notBrowsable,dc=example,dc=com > > objectClass: organizationalUnit > > objectClass: top > > ou: notBrowsable > > > > dn: ou=browsable,dc=example,dc=com > > objectClass: organizationalUnit > > objectClass: top > > ou: browsable > > > > dn: ou=child1,ou=browsable,dc=example,dc=com > > objectClass: organizationalUnit > > objectClass: top > > ou: child1 > > > > dn: ou=child2,ou=browsable,dc=example,dc=com > > objectClass: organizationalUnit > > objectClass: top > > ou: child2 > > > > dn: ou=child3,ou=notBrowsable,dc=example,dc=com > > objectClass: organizationalUnit > > objectClass: top > > ou: child3 > > > > dn: ou=child4,ou=notBrowsable,dc=example,dc=com > > objectClass: organizationalUnit > > objectClass: top > > ou: child4 > > > > > > And I also attached a screenshot from Apache Directory Studio for > showing > > the case. > > > > HTH, > > > > > > On 9/13/07, Robb Penoyer <[EMAIL PROTECTED]> wrote: > > > > > > > > > Hey guys, turns out I wasn't subscribed to the users list... sorry for > > > the > > > delay getting back with you. > > > > > > The ldif I am importing is pretty simple, the intent is a tree like > > > this, > > > with two regions, one enabled to browse, the other not. > > > > > > dc=wyatt,dc=com (accessControlSpecificArea) > > > | > > > / \ > > > ou=wyattbrowse ou=wyattnobrowse > > > / \ / \ > > > ou=child1 ou=child2 ou=child1 ou=child2 > > > > > > > > > Here is the ldif (the ACI I applied is below from original post): > > > > > > dn: uid=wyatt,ou=users,ou=system > > > displayName: Wyatt Directory User > > > uid: wyatt > > > userPassword: wyatt > > > objectClass: top > > > objectClass: person > > > objectClass: organizationalPerson > > > objectClass: inetOrgPerson > > > sn: wyatt > > > cn: wyatt > > > > > > dn: ou=wyattnobrowse,dc=example,dc=com > > > ou: wyattnobrowse > > > objectclass: top > > > objectclass: organizationalunit > > > description: Wyatt cannot browse here > > > > > > dn: ou=child1,ou=wyattnobrowse,dc=example,dc=com > > > ou: childone, > > > objectclass: top > > > objectclass: organizationalunit > > > description: Wyatt cannot browse here > > > > > > dn: ou=child2,dc=example,dc=com > > > ou: child2 > > > objectclass: top > > > objectclass: organizationalunit > > > description: Wyatt cannot browse here > > > > > > dn: ou=wyattbrowse,dc=example,dc=com > > > ou: wyattsystem > > > objectclass: top > > > objectclass: organizationalunit > > > description: Wyatt can browse here > > > > > > dn: ou=child1,ou= wyattbrowse,dc=example,dc=com > > > ou: childone, > > > objectclass: top > > > objectclass: organizationalunit > > > description: Wyatt cannot browse here > > > > > > dn: ou=child2,ou=wyattbrowse,dc=example,dc=com > > > ou: child2 > > > objectclass: top > > > objectclass: organizationalunit > > > description: Wyatt cannot browse here > > > > > > > > > On 9/12/07, Ersin Er <[EMAIL PROTECTED]> wrote: > > > > > > > > On 9/12/07, Robb Penoyer <[EMAIL PROTECTED]> wrote: > > > > > > > > > > Long time since I appeared anywhere near this project - hi all. > > > > > > > > > > > > > > > > > > > > Started playing with AAA's and such, read all the docs. Now I have > a > > > > > question/problem. > > > > > > > > > > > > > > > > > > > > Using the standard ApacheDs 1.5.1 install, I modified the > server.xmlto > > > > > enable access > > > > > > > > > > controls. I also added the administrativeRole: > > > accessControlSpecificArea > > > > > > > > > > attribute to the base dn for dc=example,dc=com in server.xml. > > > > > > > > > > (Verified the OA was there with studio). > > > > > > > > > > > > > > > > > > > > Added a new uid=wyatt via ldif, verified he couldn't see anything. > > > > > > > > > > > > > > > > > > > > Added a bunch of entries under dc=example,dc=com > > > > > > > > > > > > > > > > > > > > Added the following ACI ldif: > > > > > > > > > > dn: cn=authorizationsACISubentry,dc=example,dc=com > > > > > > > > > > changetype: add > > > > > > > > > > objectclass: top > > > > > > > > > > objectclass: subentry > > > > > > > > > > objectclass: accessControlSubentry > > > > > > > > > > cn: authorizationsACISubentry > > > > > > > > > > subtreeSpecification: { specificExclusions { chopBefore: > > > > > "ou=wyattnobrowse" > > > > > } } > > > > > > > > > > prescriptiveACI: { > > > > > > > > > > identificationTag "allUsersACI", > > > > > > > > > > precedence 10, > > > > > > > > > > authenticationLevel none, > > > > > > > > > > itemOrUserFirst userFirst: > > > > > > > > > > { > > > > > > > > > > userClasses > > > > > > > > > > { > > > > > > > > > > allUsers > > > > > > > > > > }, > > > > > > > > > > userPermissions > > > > > > > > > > { > > > > > > > > > > { > > > > > > > > > > protectedItems { entry, allUserAttributeTypesAndValues }, > > > > > > > > > > grantsAndDenials { grantRead, grantReturnDN, grantBrowse > } > > > > > > > > > > }, > > > > > > > > > > { > > > > > > > > > > protectedItems { attributeType { userPassword } }, > > > > > > > > > > grantsAndDenials { denyRead, denyCompare, > denyFilterMatch > > > } > > > > > > > > > > } > > > > > > > > > > } > > > > > > > > > > } > > > > > > > > > > } > > > > > > > > > > > > > > > > > > > > The result, the wyatt user still cannot see anything. whatup? If > > > this > > > > > should > > > > > > > > > > be on dev list, please let me know. > > > > > > > > > > > > It's fine to have this on users list. > > > > > > > > Can you please provide complete the complete ldif export? It's hard > to > > > say > > > > what's wrong with the information you gave. I especially would like > to > > > > know > > > > where are the entries you're trying to access with respect to > > > > "ou=wyattnobrowse". > > > > > > > > > > > > Thx. > > > > > > > > > > > > > -- > > > > Ersin Er > > > > http://www.ersin-er.name > > > > > > > > > > > > > > > > -- > > Ersin Er > > http://www.ersin-er.name > > > > > > > -- > Ersin Er > http://www.ersin-er.name > > -- Ersin Er http://www.ersin-er.name
