Hi, Emmanuel,

Yes, I did stop and start the server after inserting the prescriptiveACI 
attributes, but it still didn't work.

Sorry to hear that there is no current workaround; however, we can probably 
wait for the next release: our application is still in design, at present.

While waiting for a reply to my question, I discovered that Apache Directory 
Studio can create servers.  I did that and noticed the version is 1.5.6. 
Thinking that maybe it would work in the prior version, I imported our 
directory into that server.  I added the prescriptiveACI, but it didn't work in 
that context, either.  Should it be working in version 1.5.6?

Ron Woods

-----Original Message-----
From: Emmanuel Lecharny [mailto:[email protected]] 
Sent: Friday, May 20, 2011 7:37 PM
To: [email protected]
Subject: Re: [ApacheDS] prescriptiveACI not working


On 5/20/11 6:24 PM, Ron Woods wrote:
> Hi,
>
> I have been going through the examples on this page in the manual 
> http://directory.apache.org/apacheds/1.5/32-basic-authorization.html
> (I am using ApacheDS 1.5.7 with Apache Directory Studio Version: 
> 1.5.3.v20100330)
>
> I am trying to apply the prescriptiveACI's to my own company directory 
> partition, "o=vaytek".
> Per the instructions, I enabled the "accessControlEnabled" flag in server.xml.
> I have added to the top node "o=vaytek" the attribute "administrativeRole" 
> with value "accessControlSpecificArea" to make it the administrative point.
> I have added a subentry with prescriptiveACI's
>
> 1)      to deny allUsers access to the userPassword,
>
> 2)      to allow allUsers to search and compare other attributes, and
>
> 3)      to assign a specific user as the directory manager with full access,
> as follows:
>
> dn: cn=vaytekAuthorizationRequirementsACISubentry,o=vaytek
> objectClass: subentry
> objectClass: accessControlSubentry
> objectClass: top
> cn: vaytekAuthorizationRequirementsACISubentry
> subtreeSpecification: { }
> prescriptiveACI: {
>      identificationTag "allUsersACI",
>      precedence 10,
>      authenticationLevel simple,
>      itemOrUserFirst userFirst:
>      {
>          userClasses { allUsers },
>          userPermissions
>          {
>              {
>                  protectedItems
>                  {
>                      attributeType { userPassword }
>                  }
>                  ,
>                  grantsAndDenials
>                  {
>                      denyCompare,
>                      denyFilterMatch,
>                      denyRead
>                  }
>              }
>              ,
>              {
>                  protectedItems { allUserAttributeTypesAndValues, entry },
>                  grantsAndDenials
>                  {
>                      grantRead,
>                      grantReturnDN,
>                      grantCompare,
>                      grantDiscloseOnError,
>                      grantBrowse,
>                      grantFilterMatch
>                  }
>              }
>          }
>      }
> }
> prescriptiveACI: {
>      identificationTag "directoryManagerFullAccessACI",
>      precedence 11,
>      authenticationLevel simple,
>      itemOrUserFirst userFirst:
>      {
>          userClasses
>          {
>              name { "uid=rwoods,ou=Users,o=vaytek" }
>          }
>          ,
>          userPermissions
>          {
>              {
>                  protectedItems { allUserAttributeTypesAndValues, entry },
>                  grantsAndDenials
>                  {
>                      grantReturnDN,
>                      grantDiscloseOnError,
>                      grantExport,
>                      grantRemove,
>                      grantFilterMatch,
>                      grantBrowse,
>                      grantModify,
>                      grantImport,
>                      grantRead,
>                      grantRename,
>                      grantCompare,
>                      grantInvoke,
>                      grantAdd
>                  }
>              }
>          }
>      }
> }
>
> However, when I connect in Apache Directory Studio as user rwoods, then all I 
> can see is RootDSE and nothing below it.

Just wondering: did you stop and start the server after having injected 
the ACI?

There is a bug in 1.5.7 which has been fixed in trunk that makes the ACI not 
be reloaded when the server is restarted, making the ACI subsystem totally 
useless.

I'm not saying that there is a workaround, or any solution to fix this issue in 
1.5.7, sadly, but to inform you about this problem.

We hope to get a new ADS release quite fast, but I'm more or less talking in 
terms of weeks, not days.

Truly sorry for that :/

--
Regards,
Cordialement,
Emmanuel Lécharny
www.iktek.com
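
As an added illustration (not part of the thread and not ApacheDS code), a small Python model of how the two prescriptiveACI items quoted above should resolve once the server actually loads them. The items are hand-encoded from the LDIF; the model applies only precedence and deny-over-grant, and deliberately skips X.501's user-class/item specificity tie-breaks and the authenticationLevel check.

```python
# Simplified X.501 basic-access-control decision for the two ACI items
# quoted in the thread. Assumption: ties are broken by precedence, then
# deny-over-grant; specificity rules and authenticationLevel are omitted.

ALL_USERS = "allUsers"
ALL_ATTRS = "allUserAttributeTypesAndValues"

ACIS = [
    {"tag": "allUsersACI", "precedence": 10, "userClasses": {ALL_USERS},
     "userPermissions": [
         {"items": {"userPassword"},
          "perms": {"denyCompare", "denyFilterMatch", "denyRead"}},
         {"items": {ALL_ATTRS, "entry"},
          "perms": {"grantRead", "grantReturnDN", "grantCompare",
                    "grantDiscloseOnError", "grantBrowse", "grantFilterMatch"}},
     ]},
    {"tag": "directoryManagerFullAccessACI", "precedence": 11,
     "userClasses": {"uid=rwoods,ou=Users,o=vaytek"},
     "userPermissions": [
         {"items": {ALL_ATTRS, "entry"},
          "perms": {"grantReturnDN", "grantDiscloseOnError", "grantExport",
                    "grantRemove", "grantFilterMatch", "grantBrowse",
                    "grantModify", "grantImport", "grantRead", "grantRename",
                    "grantCompare", "grantInvoke", "grantAdd"}},
     ]},
]


def _item_matches(items, target):
    # target is an attribute type name, or "entry" for the entry itself
    if target == "entry":
        return "entry" in items
    return target in items or ALL_ATTRS in items


def decide(user_dn, target, operation):
    """True if 'operation' (e.g. 'Read', 'Add') on target is granted to user_dn."""
    applicable = []  # (precedence, granted?) for every applicable permission
    for aci in ACIS:
        if ALL_USERS not in aci["userClasses"] and user_dn not in aci["userClasses"]:
            continue
        for perm in aci["userPermissions"]:
            if not _item_matches(perm["items"], target):
                continue
            if "grant" + operation in perm["perms"]:
                applicable.append((aci["precedence"], True))
            if "deny" + operation in perm["perms"]:
                applicable.append((aci["precedence"], False))
    if not applicable:
        return False  # no applicable item: denied by default
    top = max(p for p, _ in applicable)  # only the highest precedence counts
    return all(granted for p, granted in applicable if p == top)
```

With these rules rwoods reads userPassword because precedence 11 outranks the precedence-10 deny, while any other simple-bound user can read ordinary attributes but not userPassword.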
