Hi there,
I've spent a few hours trying to get a working ACL on the partition
example.com. I've read and tried the sample on the ApacheDS wiki with the
sevenSeas sample, and finally did it all myself with ApacheDS Studio.
When restarting ApacheDS I always get an error message like
[05:49:06] WARN [org.apache.directory.server.core.authz.TupleCache] -
Found accessControlSubentry
'cn=domainfullAuthorizationRequirementsACISubentry,dc=example,dc=com'
without any prescriptiveACI
I get it with ApacheDS 1.5.7, and I've compiled 1.5.8-snapshot just to
verify. After restarting ApacheDS, users in dc=example,dc=com are left
without proper permissions there. So, can anyone tell me what's
going wrong and what will do the trick?
Sorry, I'm a little bit in a panic. For a new job my customer has asked me for
a good solution for LDAP and Kerberos for Samba and NFSv4. I thought
ApacheDS would do it perfectly.
Here is my export as XML. It's included as an attachment too.
<?xml version="1.0" encoding="UTF-8"?>
<!-- DSML batchResponse holding one search result: the access control subentry
     cn=domainfullAuthorizationRequirementsACISubentry,dc=example,dc=com, i.e. the
     entry named in the TupleCache warning quoted above. -->
<!-- NOTE(review): both namespace URIs use the host www.w3c.org. The W3C XML Schema
     namespaces are http://www.w3.org/2001/XMLSchema and
     http://www.w3.org/2001/XMLSchema-instance, so a namespace-aware consumer may not
     recognise xsi:type below as the standard attribute. Kept exactly as exported. -->
<batchResponse xmlns:xsd="http://www.w3c.org/2001/XMLSchema"
xmlns:xsi="http://www.w3c.org/2001/XMLSchema-instance">
<searchResponse>
<searchResultEntry
dn="cn=domainfullAuthorizationRequirementsACISubentry,dc=example,dc=com">
<attr name="createtimestamp">
<value>20110417034445Z</value>
</attr>
<attr name="cn">
<value>domainfullAuthorizationRequirementsACISubentry</value>
</attr>
<!-- entryuuid is base64 of the UUID in its text form
     (cb669418-2868-4520-b3cd-0871fa5a1ca6). -->
<attr name="entryuuid">
<value
xsi:type="xsd:base64Binary">Y2I2Njk0MTgtMjg2OC00NTIwLWIzY2QtMDg3MWZhNWExY2E2</value>
</attr>
<!-- Two prescriptiveACI values are stored on the subentry, both with precedence 0 and
     authenticationLevel simple:
     1. "domainManagerFullAccessACI": the user uid=domainadmin,dc=example,dc=com gets the
        listed grants on entries and on all user attribute types and values.
     2. empty identificationTag: allUsers get compare, returnDN, discloseOnError,
        filterMatch, read and browse on entries and all user attributes, while read,
        compare and filterMatch on userPassword are denied.
     NOTE(review): the export shows the values are present, yet the server logs
     "without any prescriptiveACI" for this DN after a restart; the export alone does
     not show why. Things to check: give the second item a unique, non-empty
     identificationTag; confirm that dc=example,dc=com carries administrativeRole
     accessControlSpecificArea (not visible here); and after each restart verify what
     access is effectively in force, both the grants and the userPassword denials,
     because the warning suggests these items are not being loaded.
     NOTE(review): the line breaks inside the values below come from the mail wrapping;
     the single-line form further down the page is the safer copy to re-import. -->
<attr name="prescriptiveaci">
<value>{ identificationTag "domainManagerFullAccessACI",
precedence 0, authenticationLevel simple, itemOrUserFirst userFirst: {
userClasses { name { "uid=domainadmin,dc=example,dc=com" } },
userPermissions { { protectedItems { allUserAttributeTypesAndValues, entry
}, grantsAndDenials { grantDiscloseOnError, grantReturnDN,
grantFilterMatch, grantAdd, grantBrowse, grantImport, grantModify,
grantRename, grantRemove, grantCompare, grantExport, grantRead,
grantInvoke } } } } }</value>
<value>{ identificationTag "", precedence 0,
authenticationLevel simple, itemOrUserFirst userFirst: { userClasses {
allUsers }, userPermissions { { protectedItems {
allUserAttributeTypesAndValues, entry }, grantsAndDenials { grantCompare,
grantReturnDN, grantDiscloseOnError, grantFilterMatch, grantRead,
grantBrowse } }, { protectedItems { attributeType { userPassword } },
grantsAndDenials { denyRead, denyCompare, denyFilterMatch } } } } }</value>
</attr>
<!-- 0.9.2342.19200300.100.1.1 is the OID of uid and 2.5.4.11 of ou, so the modifier
     (and the creator further down) is uid=admin,ou=system. -->
<attr name="modifiersname">
<value>0.9.2342.19200300.100.1.1=admin,2.5.4.11=system</value>
</attr>
<attr name="modifytimestamp">
<value>20110417034826Z</value>
</attr>
<!-- NOTE(review): the entryCSN time (05:48:26) is two hours ahead of modifytimestamp
     (03:48:26) although both carry Z; possibly local time written as UTC. Confirm
     before correlating this entry with server log times. -->
<attr name="entrycsn">
<value>20110417054826.064000Z#000000#000#000000</value>
</attr>
<attr name="objectclass">
<value>subentry</value>
<value>accessControlSubentry</value>
<value>top</value>
</attr>
<!-- Empty subtreeSpecification: under X.501 this selects the whole administrative
     area the subentry belongs to. Which area that is depends on the administrative
     point, which this export does not show. -->
<attr name="subtreespecification">
<value>{ }</value>
</attr>
<!-- The value is this subentry's own DN with attribute types written as OIDs
     (2.5.4.3 = cn, 0.9.2342.19200300.100.1.25 = dc). -->
<attr name="accesscontrolsubentries">
<value>2.5.4.3=domainfullauthorizationrequirementsacisubentry,0.9.2342.19200300.100.1.25=example,0.9.2342.19200300.100.1.25=com</value>
</attr>
<attr name="creatorsname">
<value>0.9.2342.19200300.100.1.1=admin,2.5.4.11=system</value>
</attr>
</searchResultEntry>
<!-- resultCode 0: the search itself completed successfully. -->
<searchResultDone>
<resultCode code="0" descr="success"/>
</searchResultDone>
</searchResponse>
</batchResponse>
kind regards
Darko Hojnik
<?xml version="1.0" encoding="UTF-8"?>
<!-- Second copy of the DSML export (the message says it is also attached); here each
     prescriptiveACI value sits on a single line. It holds one search result: the
     access control subentry named in the TupleCache warning quoted in the message. -->
<!-- NOTE(review): both namespace URIs use the host www.w3c.org. The W3C XML Schema
     namespaces are http://www.w3.org/2001/XMLSchema and
     http://www.w3.org/2001/XMLSchema-instance, so a namespace-aware consumer may not
     recognise xsi:type below as the standard attribute. Kept exactly as exported. -->
<batchResponse xmlns:xsd="http://www.w3c.org/2001/XMLSchema" xmlns:xsi="http://www.w3c.org/2001/XMLSchema-instance">
<searchResponse>
<searchResultEntry dn="cn=domainfullAuthorizationRequirementsACISubentry,dc=example,dc=com">
<attr name="createtimestamp">
<value>20110417034445Z</value>
</attr>
<attr name="cn">
<value>domainfullAuthorizationRequirementsACISubentry</value>
</attr>
<!-- entryuuid is base64 of the UUID in its text form
     (cb669418-2868-4520-b3cd-0871fa5a1ca6). -->
<attr name="entryuuid">
<value xsi:type="xsd:base64Binary">Y2I2Njk0MTgtMjg2OC00NTIwLWIzY2QtMDg3MWZhNWExY2E2</value>
</attr>
<!-- Two prescriptiveACI values, both with precedence 0 and authenticationLevel simple:
     1. "domainManagerFullAccessACI": the user uid=domainadmin,dc=example,dc=com gets the
        listed grants on entries and on all user attribute types and values.
     2. empty identificationTag: allUsers get compare, returnDN, discloseOnError,
        filterMatch, read and browse on entries and all user attributes, while read,
        compare and filterMatch on userPassword are denied.
     NOTE(review): the values are present in the export, yet the server logs
     "without any prescriptiveACI" for this DN after a restart; the export alone does
     not show why. Things to check: give the second item a unique, non-empty
     identificationTag; confirm that dc=example,dc=com carries administrativeRole
     accessControlSpecificArea (not visible here); and after each restart verify what
     access is effectively in force, both the grants and the userPassword denials,
     because the warning suggests these items are not being loaded. -->
<attr name="prescriptiveaci">
<value>{ identificationTag "domainManagerFullAccessACI", precedence 0, authenticationLevel simple, itemOrUserFirst userFirst: { userClasses { name { "uid=domainadmin,dc=example,dc=com" } }, userPermissions { { protectedItems { allUserAttributeTypesAndValues, entry }, grantsAndDenials { grantDiscloseOnError, grantReturnDN, grantFilterMatch, grantAdd, grantBrowse, grantImport, grantModify, grantRename, grantRemove, grantCompare, grantExport, grantRead, grantInvoke } } } } }</value>
<value>{ identificationTag "", precedence 0, authenticationLevel simple, itemOrUserFirst userFirst: { userClasses { allUsers }, userPermissions { { protectedItems { allUserAttributeTypesAndValues, entry }, grantsAndDenials { grantCompare, grantReturnDN, grantDiscloseOnError, grantFilterMatch, grantRead, grantBrowse } }, { protectedItems { attributeType { userPassword } }, grantsAndDenials { denyRead, denyCompare, denyFilterMatch } } } } }</value>
</attr>
<!-- 0.9.2342.19200300.100.1.1 is the OID of uid and 2.5.4.11 of ou, so the modifier
     (and the creator further down) is uid=admin,ou=system. -->
<attr name="modifiersname">
<value>0.9.2342.19200300.100.1.1=admin,2.5.4.11=system</value>
</attr>
<attr name="modifytimestamp">
<value>20110417034826Z</value>
</attr>
<!-- NOTE(review): the entryCSN time (05:48:26) is two hours ahead of modifytimestamp
     (03:48:26) although both carry Z; possibly local time written as UTC. Confirm
     before correlating this entry with server log times. -->
<attr name="entrycsn">
<value>20110417054826.064000Z#000000#000#000000</value>
</attr>
<attr name="objectclass">
<value>subentry</value>
<value>accessControlSubentry</value>
<value>top</value>
</attr>
<!-- Empty subtreeSpecification: under X.501 this selects the whole administrative
     area the subentry belongs to. Which area that is depends on the administrative
     point, which this export does not show. -->
<attr name="subtreespecification">
<value>{ }</value>
</attr>
<!-- The value is this subentry's own DN with attribute types written as OIDs
     (2.5.4.3 = cn, 0.9.2342.19200300.100.1.25 = dc). -->
<attr name="accesscontrolsubentries">
<value>2.5.4.3=domainfullauthorizationrequirementsacisubentry,0.9.2342.19200300.100.1.25=example,0.9.2342.19200300.100.1.25=com</value>
</attr>
<attr name="creatorsname">
<value>0.9.2342.19200300.100.1.1=admin,2.5.4.11=system</value>
</attr>
</searchResultEntry>
<!-- resultCode 0: the search itself completed successfully. -->
<searchResultDone>
<resultCode code="0" descr="success"/>
</searchResultDone>
</searchResponse>
</batchResponse>