Hey Oliver,
Thanks so much for your response. I followed your instructions and
still had trouble.
I checked the source of the prescriptive ACI in my new entry. The
source is below.
{
  identificationTag "admin2Tag",
  precedence 0,
  authenticationLevel simple,
  itemOrUserFirst userFirst:
  {
    userClasses
    {
      name { "uid=admin2,ou=system" }
    }
    ,
    userPermissions
    {
      {
        protectedItems { allUserAttributeTypesAndValues, entry },
        grantsAndDenials
        {
          grantBrowse,
          grantCompare,
          grantRename,
          grantExport,
          grantRead,
          grantModify,
          grantDiscloseOnError,
          grantFilterMatch,
          grantImport,
          grantAdd,
          grantInvoke,
          grantRemove,
          grantReturnDN
        }
      }
    }
  }
}
When I try to add this, I get a constraint violation that says ERR_277
Attribute userPassword not declared in objectClasses of entry
cn=admin2Test,uid=admin2,ou=system
So the main admin2 user is of objectclasses inetOrgPerson,
organizationalPerson, person, and top. He has attributes cn, sn, mail,
uid, userPassword. The DN is uid=admin2,ou=system.
I use the PasswordHashingInterceptor and I use SSHA512. I am not
sure how to go about fixing it.
Any help would be greatly appreciated.
Thanks so much in advance,
Kevin
On Fri, Nov 4, 2011 at 7:37 AM, Oliver Schmidt
<[email protected]> wrote:
> Hi Kevin,
>
> you'll have to do the following steps now:
>
> 1) Go to the entry for which you want to enable access control. Add the
> attribute "administrativeRole" with the value "accessControlSpecificArea".
> AD-Studio will mention that this attribute does not belong to the schema
> you use. You can ignore this.
> 2) Add a new entry below the entry where you have added the
> "administrativeRole" attribute. Use the object classes
> "accessControlSubentry", "subentry" and "top". As RDN attribute name, use
> "cn" and choose a name of your preference.
> 2a) You will be asked to specify the subentry. Leave it empty.
> 2b) You will be asked to specify the ACI element:
> * Identificator: <your choice>
> * Priority: 0
> * Authentication level: simple=non-SASL / strong=SASL (I would choose
> simple first)
> * User or element first: User
> * User classes: Choose "name" and specify your admin2
> * User permissions:
> * Protected elements: "entry", "all user attribute types and values"
> * Grants and denials: Here, you can grant everything
>
> Once you have set this up, you can play around with your ACI a little bit
> more and maybe grant users to see their own entries and so on. There
> should be some learning trails about access control in the user guides
> which might also help you.
>
> --
> Kind regards
>
> Oliver
>
> On 03.11.2011, 19:13, Kevin Hamilton <[email protected]> wrote:
>
>> Hello Oliver and Company,
>>
>> I had successfully enabled the accessControl. My issue now is that I
>> am using another superuser I created (I called it admin2) to modify my
>> users. Now, I am no longer able to modify my users because he does not have
>> access.
>>
>> I read about Prescriptive ACIs, but the lack of examples left me kind
>> of stumped. How can I grant all access to admin2 only, or something
>> with the dn=uid=admin,ou=system?
>>
>> Thanks,
>> Kevin
>>
>> On Wed, Nov 2, 2011 at 2:04 PM, Oliver Schmidt
>> <[email protected]> wrote:
>>>
>>> On Wed, 02 Nov 2011 13:59:25 +0100, Kevin Hamilton <[email protected]>
>>> wrote:
>>>
>>>> Hello everyone,
>>>>
>>>> My name is Kevin and I am writing to ask a question about access to
>>>> ApacheDS 2.0.0-M2. Currently I have a bunch of users set up and the
>>>> apacheds is used to authenticate the users on my website. My question
>>>> is about accessing the apacheds. On my Apache Directory Studio, I can
>>>> login as admin and see everything. The problem is that I can also log
>>>> in as any other user in the database and I can see other user's
>>>> information. Not sure if I am being clear.
>>>>
>>>> If someone has their own username and password and also the port and
>>>> address of my server, they can login (using Apache Directory Studio or
>>>> any other client) and see all of the records. Obviously the passwords
>>>> are hashed, but it is still a liability for the users to be able to
>>>> see e-mails/etc of other users.
>>>>
>>>> Is there any way to limit the information that certain users can see
>>>> (ie, they could login, but not see any records)?
>>>>
>>>> Please let me know soon.
>>>>
>>>> Thanks,
>>>> Kevin
>>>
>>>
>>> Hi Kevin,
>>>
>>> I'm moving this topic to the users list...
>>>
>>> There's a chapter about this topic in the doco. Please see the User
>>> Guides on the topic "authorization".
>>>
>>> Depending on what you intend to allow/disallow your users to see in your
>>> directory, you might also need to write some ACIs. If you want, I can
>>> assist you setting this up.
>>>
>>> Please note that the documentation still mentions the server.xml file.
>>> This file is however obsolete in version 2.0. Instead, config is done
>>> directly in the server. You can alter the configuration using the
>>> Directory Studio. Just look under the ou=config node.
>>>
>>> Kind regards
>>> Oliver
>>>
>>
>>
>>
>
>
> --
> Created with Opera's revolutionary e-mail module: http://www.opera.com/mail/
>
--
Thanks,
Kevin
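The setup Oliver describes in steps 1 and 2 (area marker on the parent entry, then an access-control subentry holding the ACI), written as LDIF for an LDAP client; this is an added example, not text from the thread or from the ApacheDS project. It assumes ou=system is the entry to mark as the area (the admin2 user in the thread lives directly under it) and uses cn=admin2Aci as a placeholder subentry name; the subentry carries only the attributes its three object classes allow (cn, subtreeSpecification, prescriptiveACI), nothing from the user entry.

```ldif
# Step 1: mark the area entry (assumption: ou=system) as an
# access control specific area.
dn: ou=system
changetype: modify
add: administrativeRole
administrativeRole: accessControlSpecificArea

# Step 2: the subentry directly below the area entry. "{ }" as the
# subtree specification means the ACI applies to the whole area.
# Every continuation line of the ACI value starts with a space,
# which is how LDIF folds a long attribute value.
# cn=admin2Aci is a placeholder name chosen for this example.
dn: cn=admin2Aci,ou=system
changetype: add
objectClass: top
objectClass: subentry
objectClass: accessControlSubentry
cn: admin2Aci
subtreeSpecification: { }
prescriptiveACI: {
   identificationTag "admin2Tag",
   precedence 0,
   authenticationLevel simple,
   itemOrUserFirst userFirst: {
     userClasses { name { "uid=admin2,ou=system" } },
     userPermissions {
       {
         protectedItems { entry, allUserAttributeTypesAndValues },
         grantsAndDenials {
           grantAdd, grantDiscloseOnError, grantRead, grantRemove,
           grantBrowse, grantExport, grantImport, grantModify,
           grantRename, grantReturnDN, grantCompare, grantFilterMatch,
           grantInvoke
         }
       }
     }
   }
 }
```

Because the grant applies to everything under the area and authenticationLevel is simple, a plain bind as uid=admin2,ou=system is enough to receive it, so that account's password deserves the same protection as the built-in admin's.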