Hi Kevin,
you'll have to do the following steps now:
1) Go to the entry for which you want to enable access control. Add the
attribute "administrativeRole" with the value "accessControlSpecificArea".
AD-Studio will mention that this attribute does not belong to the schema
you use. You can ignore this.
2) Add a new entry below the entry where you have added the
"administrativeRole" attribute. Use the object classes
"accessControlSubentry", "subentry" and "top". As RDN attribute name, use
"cn" and choose a name of your preference.
2a) You will be asked to specify the subentry. Leave it empty.
2b) You will be asked to specify the ACI element:
* Identificator: <your choice>
* Priority: 0
* Authentication level: simple=non-SASL / strong=SASL (I would choose
simple first)
* User or element first: User
* User classes: Choose "name" and specify your admin2
* User permissions:
* Protected elements: "entry", "all user attribute types and
values"
* Grants and denials: Here, you can grant everything
Once you have set this up, you can play around with your ACI a little bit
more and maybe grant users to see their own entries and so on. There
should be some learning trails about access control in the user guides
which might also help you.
--
Kind regards
Oliver
Am 03.11.2011, 19:13 Uhr, schrieb Kevin Hamilton <[email protected]>:
Hello Oliver and Company,
I had successfully enabled the accessControl. My issue now is that I
am using another superuser I created (I called it admin2) to modify my
users. Now, I am no longer to modify my users because he does not have
access.
I read about Prescriptive ACIs, but the lack of examples left me kind
of stumped. How can I grant all access to admin2 only, or something
with the dn=uid=admin,ou=system?
Thanks,
Kevin
On Wed, Nov 2, 2011 at 2:04 PM, Oliver Schmidt
<[email protected]> wrote:
On Wed, 02 Nov 2011 13:59:25 +0100, Kevin Hamilton <[email protected]>
wrote:
Hello everyone,
My name is Kevin and I am writing to ask a question about access to
ApacheDS 2.0.0-M2. Currently I have a bunch of users set up and the
apacheds is used to authenticate the users on my website. My question
is about accessing the apacheds. On my Apache Directory Studio, I can
login as admin and see everything. The problem is that I can also log
in as any other user in the database and I can see other user's
information. Not sure if I am being clear.
If someone has their own username and password and also the port and
address of my server, they can login (using Apache Directory Studio or
any other client) and see all of the records. Obviously the passwords
are hashed, but it is still a liability for the users to be able to
see e-mails/etc of other users.
Is there any way to limit the information that certain users can see
(ie, they could login, but not see any records)?
Please let me know soon.
Thanks,
Kevin
Hi Kevin,
I'm moving this topic to the users list...
There's a chapter about this topic in the doco. Please see the User
Guides
on the topic "authorization".
Depending on what you intend to allow/disallow your users to see in your
directory, you might also need to write some ACIs. If you want, I can
assist
you setting this up.
Please note that ehe documentation still mentions the server.xml file.
This
file is however obsolete in version 2.0. Instead, config is done
directly in
the server. You can alter the configuration using ehe Directory Studio.
Just
look under the ou=config node.
Kind regards
Oliver
--
Erstellt mit Operas revolutionärem E-Mail-Modul: http://www.opera.com/mail/
