Hello,
I am trying to set up the ACI authorization system. Unfortunately, I haven't been able to.

I am using version 1.0.2 on a Windows XP machine.

The partition is defined as follows:

<bean id="testparPartitionConfiguration" class="org.apache.directory.server.core.partition.impl.btree.MutableBTreePartitionConfiguration">
  <property name="name" value="testpar" />
  <property name="cacheSize" value="10"/>
  <property name="suffix" value="o=testpar" />
  <property name="optimizerEnabled" value="true" />
  <property name="synchOnWrite" value="true" />
  <property name="indexedAttributes">
    <set>
      <bean class="org.apache.directory.server.core.partition.impl.btree.MutableIndexConfiguration">
        <property name="attributeId" value="cn" />
        <property name="cacheSize" value="10" />
      </bean>
      <bean class="org.apache.directory.server.core.partition.impl.btree.MutableIndexConfiguration">
        <property name="attributeId" value="uid" />
        <property name="cacheSize" value="10" />
      </bean>
      <bean class="org.apache.directory.server.core.partition.impl.btree.MutableIndexConfiguration">
        <property name="attributeId" value="objectClass" />
        <property name="cacheSize" value="10" />
      </bean>
    </set>
  </property>
  <property name="contextEntry">
    <value>
      objectClass: top
      objectClass: organization
      objectClass: extensibleObject
      o: testpar
    </value>
  </property>
</bean>


The partition dump is:

# ========================================================================
# ApacheDS Tools Version: 1.0.2
# Partition Directory: c:\program files\apacheds-1.0.2\var\partitions\testpar
# ========================================================================


#---------------------
# Entry: 1
#---------------------

dn: o=testpar
o: testpar
administrativerole: accessControlSpecificArea
objectclass: top
objectclass: organization
objectclass: extensibleObject
accessControlSubentries: 2.5.4.3=testparauthorizationrequirementsacisubentry,2.5
.4.10=testpar
modifyTimestamp: 20080615160255Z
modifiersName: 0.9.2342.19200300.100.1.1=admin,2.5.4.11=system


#---------------------
# Entry: 2
#---------------------

dn: ou=people,o=testpar
createTimestamp: 20080615160255Z
ou: people
objectclass: organizationalunit
objectclass: top
accessControlSubentries: 2.5.4.3=testparauthorizationrequirementsacisubentry,2.5
.4.10=testpar
description: Contains entries which describe persons (employees)
creatorsName: 0.9.2342.19200300.100.1.1=admin,2.5.4.11=system


#---------------------
# Entry: 3
#---------------------

dn: uid=testme,ou=people,o=testpar
uid: testme
userpassword:: e1NIQX1Pcjd4b1V6T3pTRFd6b2tzdmdRcTV0ZEpSc2c9
sn: testme
createTimestamp: 20080615160255Z
ou: people
cn: testme testme
givenname: testme
o: testpar
objectclass: person
objectclass: inetorgperson
objectclass: organizationalperson
objectclass: top
accessControlSubentries: 2.5.4.3=testparauthorizationrequirementsacisubentry,2.5
.4.10=testpar
creatorsName: 0.9.2342.19200300.100.1.1=admin,2.5.4.11=system


#---------------------
# Entry: 4
#---------------------

dn: cn=testparauthorizationrequirementsacisubentry,o=testpar
createTimestamp: 20080615160255Z
cn: testparauthorizationrequirementsacisubentry
prescriptiveaci:: base64encoded entry here
prescriptiveaci:: base64encoded entry here
accessControlSubentries: 2.5.4.3=testparauthorizationrequirementsacisubentry,2.5
.4.10=testpar
objectclass: subentry
objectclass: accesscontrolsubentry
objectclass: top
subtreespecification: {}
creatorsName: 0.9.2342.19200300.100.1.1=admin,2.5.4.11=system

The decoded first prescriptiveaci entry is:

{
  identificationTag "directoryManagerFullAccessACI",
  precedence 11,
  authenticationLevel simple,
  itemOrUserFirst userFirst:
  {
    userClasses { name { "uid=testme,ou=people,o=testpar" } },
    userPermissions
    {
      {
        protectedItems { entry },
        grantsAndDenials { grantAdd, grantDiscloseOnError, grantRead, grantRemove, grantBrowse, grantExport, grantImport, grantModify, grantRename, grantReturnDN }
      },
      {
        protectedItems { allUserAttributeTypesAndValues },
        grantsAndDenials { grantAdd, grantDiscloseOnError, grantRead, grantRemove, grantCompare, grantFilterMatch, grantInvoke }
      }
    }
  }
}

The decoded second prescriptiveaci entry is:

{
  identificationTag "allUsersACI",
  precedence 10,
  authenticationLevel none,
  itemOrUserFirst userFirst:
  {
    userClasses { allUsers },
    userPermissions
    {
      {
        protectedItems { entry },
        grantsAndDenials { grantDiscloseOnError, grantRead, grantBrowse, grantReturnDN }
      },
      {
        protectedItems { allUserAttributeTypesAndValues },
        grantsAndDenials { grantDiscloseOnError, grantRead, grantCompare, grantFilterMatch }
      },
      {
        protectedItems { attributeType { userPassword } },
        grantsAndDenials { denyRead, denyCompare, denyFilterMatch }
      },
      {
        protectedItems { attributeValue { superUser } },
        grantsAndDenials { denyRead, denyCompare, denyFilterMatch }
      }
    }
  }
}

Anonymous access is disabled and the ACI system is enabled in server.xml.
Both prescriptiveaci entries seem to be ignored. Any ideas?

Andreas

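As an added illustration (not part of the post above and not ApacheDS's own code), the following Python script models the X.501 basic access control decision procedure and loads it with the two prescriptiveACI items decoded in the post. It computes what outcome those items should produce for a few representative requests, which gives a baseline to compare against what the server actually returns when you test as uid=testme and as an anonymous or other bound user. Everything in it is an assumption of the model: the class and function names (`Permission`, `AciItem`, `decide`, `expected_outcomes`), the specificity ranking of user classes and protected items, the treatment of authenticationLevel as a minimum the requester must meet for an item's grants to count (denials are applied regardless), and the `attributeValue { superUser }` item, which is modelled literally as written in the post.

```python
# Added illustration, not ApacheDS code: a simplified model of the X.501 basic
# access control decision procedure applied to the two ACI items from the post.
# Assumptions: authenticationLevel is a minimum the requester must meet for an
# item's grants to count (denials always apply); specificity order is
# allUsers < name for user classes and entry / allUserAttributeTypesAndValues
# < attributeType < attributeValue for protected items; default is deny.
from dataclasses import dataclass

AUTH_RANK = {"none": 0, "simple": 1, "strong": 2}
USER_CLASS_SPECIFICITY = {"allUsers": 0, "name": 2}
ITEM_SPECIFICITY = {"entry": 0, "allUserAttributeTypesAndValues": 0,
                    "attributeType": 1, "attributeValue": 2}


@dataclass(frozen=True)
class Permission:
    kind: str                       # key of ITEM_SPECIFICITY
    target: str = ""                # attribute type or value named by the item
    grants: frozenset = frozenset()
    denials: frozenset = frozenset()

    def covers(self, item):
        """item is ('entry',), ('attribute', type) or ('attributeValue', type, value)."""
        if self.kind == "entry":
            return item[0] == "entry"
        if item[0] == "entry":
            return False
        if self.kind == "allUserAttributeTypesAndValues":
            return True
        if self.kind == "attributeType":
            return item[1].lower() == self.target.lower()
        return item[0] == "attributeValue" and item[2] == self.target


@dataclass(frozen=True)
class AciItem:
    tag: str
    precedence: int
    auth_level: str
    user_class: str                 # "allUsers" or "name"
    user_names: frozenset           # DNs for the "name" user class
    permissions: tuple

    def applies_to(self, user_dn):
        if self.user_class == "allUsers":
            return True
        return user_dn is not None and user_dn.lower() in {n.lower() for n in self.user_names}


def decide(acis, user_dn, auth_level, operation, item):
    """Return 'grant' or 'deny' for one (requester, operation, protected item)."""
    tuples = []  # (precedence, user specificity, item specificity, is_grant)
    for aci in acis:
        if not aci.applies_to(user_dn):
            continue
        for perm in aci.permissions:
            if not perm.covers(item):
                continue
            rank = (aci.precedence, USER_CLASS_SPECIFICITY[aci.user_class], ITEM_SPECIFICITY[perm.kind])
            if operation in perm.grants and AUTH_RANK[auth_level] >= AUTH_RANK[aci.auth_level]:
                tuples.append(rank + (True,))
            if operation in perm.denials:
                tuples.append(rank + (False,))
    if not tuples:
        return "deny"               # nothing applicable: deny by default
    for idx in range(3):            # highest precedence, then most specific user class, then item
        best = max(t[idx] for t in tuples)
        tuples = [t for t in tuples if t[idx] == best]
    return "deny" if any(not t[3] for t in tuples) else "grant"


# The two prescriptiveACI items exactly as decoded in the post.
DIRECTORY_MANAGER_ACI = AciItem(
    "directoryManagerFullAccessACI", 11, "simple", "name",
    frozenset({"uid=testme,ou=people,o=testpar"}),
    (Permission("entry", grants=frozenset({"Add", "DiscloseOnError", "Read", "Remove", "Browse",
                                           "Export", "Import", "Modify", "Rename", "ReturnDN"})),
     Permission("allUserAttributeTypesAndValues",
                grants=frozenset({"Add", "DiscloseOnError", "Read", "Remove", "Compare", "FilterMatch", "Invoke"}))))

ALL_USERS_ACI = AciItem(
    "allUsersACI", 10, "none", "allUsers", frozenset(),
    (Permission("entry", grants=frozenset({"DiscloseOnError", "Read", "Browse", "ReturnDN"})),
     Permission("allUserAttributeTypesAndValues",
                grants=frozenset({"DiscloseOnError", "Read", "Compare", "FilterMatch"})),
     Permission("attributeType", "userPassword", denials=frozenset({"Read", "Compare", "FilterMatch"})),
     Permission("attributeValue", "superUser", denials=frozenset({"Read", "Compare", "FilterMatch"}))))

POST_ACIS = (DIRECTORY_MANAGER_ACI, ALL_USERS_ACI)


def expected_outcomes():
    """Outcomes the two items should produce for representative requests."""
    testme = "uid=testme,ou=people,o=testpar"
    other = "uid=other,ou=people,o=testpar"      # constructed DN, not in the post
    return {
        "testme reads userPassword": decide(POST_ACIS, testme, "simple", "Read", ("attribute", "userPassword")),
        "testme adds entry": decide(POST_ACIS, testme, "simple", "Add", ("entry",)),
        "anonymous reads cn": decide(POST_ACIS, None, "none", "Read", ("attribute", "cn")),
        "anonymous reads userPassword": decide(POST_ACIS, None, "none", "Read", ("attribute", "userPassword")),
        "anonymous adds entry": decide(POST_ACIS, None, "none", "Add", ("entry",)),
        "other user reads userPassword": decide(POST_ACIS, other, "simple", "Read", ("attribute", "userPassword")),
    }


if __name__ == "__main__":
    for request, outcome in expected_outcomes().items():
        print(f"{request}: {outcome}")
```

The interesting cases are the ones where the two items compete: uid=testme reading userPassword is granted because precedence 11 outranks the precedence 10 denial, while anonymous and any other simple-bound user reading userPassword are denied because, at equal precedence, the attributeType item is more specific than allUserAttributeTypesAndValues. If a live server hands out userPassword to an anonymous bind, the ACI items are not being applied at all rather than being mis-ordered.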