Hello Emmanuel,

I don't know why, but ApacheDS Studio doesn't export the full tree of example.com, so I've pasted it all into this mail in the hope that it will help you. I got the same with a Subentry. On the mailing list I've read that it could be an old bug that is still not fixed after several months. If it's that bug, ApacheDS will never be usable in every environment. I still prefer ApacheDS, but I'm working on an alternative with 389 Directory Server. Tomorrow I have to present a working solution to my customer for a showcase.


dn: dc=example,dc=com
objectClass: domain
objectClass: top
dc: example
accessControlSubentries: 2.5.4.3=domainaclauthorizationrequirementsacisubent
 ry,0.9.2342.19200300.100.1.25=example,0.9.2342.19200300.100.1.25=com
administrativeRole: accessControlSpecificArea
createTimestamp: 20110417193045Z
creatorsName: 0.9.2342.19200300.100.1.1=admin,2.5.4.11=system
entryCSN: 20110417213045.184000Z#000000#000#000000
entryUUID:: YjQzZmU0ZTEtYTIyOS00ZTc1LWI4NmUtNGMyMmE4MWVmMDJl
modifiersName: 0.9.2342.19200300.100.1.1=admin,2.5.4.11=system
modifyTimestamp: 20110417203043Z

dn: ou=people,dc=example,dc=com
objectClass: organizationalUnit
objectClass: top
ou: people
accessControlSubentries: 2.5.4.3=domainaclauthorizationrequirementsacisubent
 ry,0.9.2342.19200300.100.1.25=example,0.9.2342.19200300.100.1.25=com
createTimestamp: 20110417193324Z
creatorsName: 0.9.2342.19200300.100.1.1=admin,2.5.4.11=system
entryCSN: 20110417213324.006000Z#000000#000#000000
entryUUID:: Y2RlMDIzMzktZTkxNi00MDc2LWE2Y2EtMzhiY2M1YjNlYWRl

dn: uid=domainadmin,ou=people,dc=example,dc=com
objectClass: organizationalPerson
objectClass: person
objectClass: krb5Principal
objectClass: inetOrgPerson
objectClass: krb5KDCEntry
objectClass: top
cn: Domain Administrator
krb5KeyVersionNumber: 1
krb5PrincipalName: [email protected]
sn: Domain Administrator
krb5Key:: MBmgAwIBEaESBBBse6p1boUg9NNd/97pPWgQ
krb5Key:: MBGgAwIBA6EKBAh/+DFiyCCFEw==
krb5Key:: MCGgAwIBEKEaBBiuzuXmSc6nDVRFZ8FMT4lP09Crsy9zXgE=
krb5Key:: MCmgAwIBEqEiBCDIcp4KczHRss9lQcBdX7OlRpoh70jcRfzUU8Lnm+lOmg==
krb5Key:: MBmgAwIBF6ESBBAYelAhhW5cfPy8Z3Xty4OH
uid: domainadmin
userPassword:: e01ENX1PRmoySWpDc1BKRmZNQXhtUXhMR1B3PT0=
accessControlSubentries: 2.5.4.3=domainaclauthorizationrequirementsacisubent
 ry,0.9.2342.19200300.100.1.25=example,0.9.2342.19200300.100.1.25=com
createTimestamp: 20110417193544Z
creatorsName: 0.9.2342.19200300.100.1.1=admin,2.5.4.11=system
entryCSN: 20110417213544.185000Z#000000#000#000000
entryUUID:: NTM2Yzg5M2EtZmM3YS00YjAxLWJjYTgtMjE1NWFhMjc5NzA3
modifiersName: 0.9.2342.19200300.100.1.1=admin,2.5.4.11=system
modifyTimestamp: 20110417201959Z

dn: dc=example,dc=com
changetype: modify
add: administrativeRole
administrativeRole: accessControlSpecificArea


dn: cn=DomainACLAuthorizationRequirementsACISubentry,dc=example,dc=com
changetype: add
objectclass: top
objectclass: subentry
objectclass: accessControlSubentry
cn: DomainACLAuthorizationRequirementsACISubentry
subtreeSpecification: {}
prescriptiveACI: {
    identificationTag "directoryManagerFullAccessACI",
    precedence 11,
    authenticationLevel simple,
    itemOrUserFirst userFirst:
    {
      userClasses
      {
        name { "uid=domainadmin,ou=people,dc=example,dc=com" }
      },
      userPermissions
      {
        {
          protectedItems
          {
            entry, allUserAttributeTypesAndValues
          },
          grantsAndDenials
          {
            grantAdd, grantDiscloseOnError, grantRead,
            grantRemove, grantBrowse, grantExport, grantImport,
            grantModify, grantRename, grantReturnDN,
            grantCompare, grantFilterMatch, grantInvoke
          }
        }
      }
    }
  }
prescriptiveACI: {
    identificationTag "allUsersACI",
    precedence 10,
    authenticationLevel none,
    itemOrUserFirst userFirst:
    {
      userClasses
      {
        allUsers
      },
      userPermissions
      {
        {
          protectedItems { entry, allUserAttributeTypesAndValues },
          grantsAndDenials { grantRead, grantBrowse, grantReturnDN,
            grantCompare, grantFilterMatch, grantDiscloseOnError }
        },
        {
          protectedItems { attributeType { userPassword } },
          grantsAndDenials { denyRead, denyCompare, denyFilterMatch }
        }
      }
    }
  }




On 17.04.2011 at 11:06, Emmanuel Lecharny <[email protected]> wrote:

On 4/17/11 6:16 AM, Darko Hojnik wrote:
Hi there,

I've spent a few hours trying to get a working ACL on the partition example.com. I've read and tried the sample on the ApacheDS wiki with the sevenSeas sample, and in the end did it all myself with ApacheDS Studio.
When restarting ApacheDS I always get an error message like

[05:49:06] WARN [org.apache.directory.server.core.authz.TupleCache] - Found accessControlSubentry 'cn=domainfullAuthorizationRequirementsACISubentry,dc=example,dc=com' without any prescriptiveACI

Have you added a subentry? If so, can you provide it?

Can you also provide the AdministrativePoint entry?
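
An added example, not part of the original mails and not ApacheDS code: a small Python check over LDIF text for the condition named in the TupleCache warning above (an accessControlSubentry with no prescriptiveACI), plus two ways a pasted ACI value gets damaged, unbalanced braces and a wrapped line that lost its leading continuation space. The function names and the sample entries are constructed for illustration.

```python
import re
ATTR = re.compile(r"^([A-Za-z0-9.;-]+)::?\s?(.*)$")   # "attr: value" or "attr:: b64"

def entries(ldif):
    """Unfold RFC 2849 continuation lines, then split entries on blank lines."""
    out, cur = [], []
    for raw in ldif.splitlines():
        if raw.startswith(" ") and cur:
            cur[-1] += raw[1:]             # continuation: drop the one leading space
        elif raw.strip():
            cur.append(raw)
        elif cur:
            out.append(cur); cur = []
    return out + ([cur] if cur else [])

def brace_depth(value):
    """Net '{' minus '}' outside double-quoted strings; 0 means balanced."""
    bare = re.sub(r'"[^"]*"', "", value)   # ignore braces inside quoted tags
    return bare.count("{") - bare.count("}")

def lint(ldif):
    """Return (dn, problem) pairs for accessControlSubentry entries."""
    found = []
    for entry in entries(ldif):
        attrs, stray = {}, 0
        for line in entry:
            m = ATTR.match(line)
            if m:
                attrs.setdefault(m.group(1).lower(), []).append(m.group(2))
            else:
                stray += 1                 # not "attr: value": a re-wrapped value?
        if "accesscontrolsubentry" not in {c.lower() for c in attrs.get("objectclass", [])}:
            continue
        dn, acis = attrs.get("dn", ["?"])[0], attrs.get("prescriptiveaci", [])
        if not acis:
            found.append((dn, "no-prescriptiveACI"))
        found += [(dn, "unbalanced-braces") for a in acis if brace_depth(a)]
        found += [(dn, "stray-line")] * stray
    return found

SAMPLE = """\
dn: cn=emptySubentry,dc=example,dc=com
objectclass: accessControlSubentry

dn: cn=wrappedSubentry,dc=example,dc=com
objectclass: accessControlSubentry
prescriptiveACI: { grantsAndDenials { grantRead,
grantBrowse } }
"""  # constructed sample, not taken from the mail above
```

Calling lint(SAMPLE) reports the first entry as having no prescriptiveACI and the second as having both a stray line and an unbalanced ACI value.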

