Hi Kevin,
sorry for the confusion. administrativeRole has to be added to the entry
under which the protected items are. E.g. ou=people,ou=example.com
The subentry has also to be stored there. You should re-apply the
userPassword in order to do at least simple authentication.
A little background:
A subentry is a kind of selector for all elements under its parent
element. E.g. You can create a subentry under, let's say ou=people,...
which selects all people with the attribute value memberOf=mygroup. Then
you can add attributes to the subentry and those attributes automatically
apply to all elements selected by the subentry. This way, you can
automatically add attributes which are common to a specific group of
elements. Even to elements which do not yet exist in your DIT.
--
Kind regards / freundliche Grüße
Oliver Schmidt
Sent via HP Veer
On 04.11.2011, 17:33, Kevin Hamilton <[email protected]> wrote:
Ok, so if I remove the userPassword, sn, and mail attributes from the
entry (the new accessControlSubentry) then it lets me create it. The
record exists as a subentry of the uid=admin2 object. When I bind to
ApacheDS as admin2, I still cannot see anything but the tree root.
Any more advice on this and why it would say my userPassword, sn, and
mail attributes were invalid for the accessControlSubentry, subentry,
and top objectclasses?
Thanks,
Kevin
On Fri, Nov 4, 2011 at 9:48 AM, Kevin Hamilton <[email protected]>
wrote:
I am using ADS 2.0.0-M2.
Thanks,
Kevin
On Fri, Nov 4, 2011 at 9:39 AM, Emmanuel Lécharny
<[email protected]> wrote:
On 11/4/11 2:29 PM, Kevin Hamilton wrote:
The cn=admin2Test,uid=admin2,ou=system was never created because the
error occurred while I was trying to create it.
I was following Oliver's instructions by doing the following:
2) Add a new entry below the entry where you have added the
"administrativeRole" attribute. Use the object classes
"accessControlSubentry", "subentry" and "top". As RDN attribute name,
use "cn" and choose a name of your preference.
2a) You will be asked to specify the subentry. Leave it empty.
2b) You will be asked to specify the ACI element:
* Identificator: <your choice>
* Priority: 0
* Authentication level: simple=non-SASL / strong=SASL (I would choose
simple first)
* User or element first: User
* User classes: Choose "name" and specify your admin2
* User permissions:
  * Protected elements: "entry", "all user attribute types and values"
  * Grants and denials: Here, you can grant everything
When he says add a new entry below the entry where I added
administrativeRole, he means I should right click on the
uid=admin,ou=system and add an entry to that, right? That is what I
have been doing. Is this incorrect?
No, this is the way it should be done.
The error message is a bit surprising...
What version of ADS are you using ?
--
Regards,
Cordialement,
Emmanuel Lécharny
www.iktek.com
--
Thanks,
Kevin
--
Created with Opera's revolutionary e-mail module: http://www.opera.com/mail/
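The layout Oliver describes at the top of the thread, written out as LDIF. This is an added example, not something posted in the thread or shipped with ApacheDS; the base "ou=people,ou=example.com" and the identification tag "admin2FullAccess" are assumed names, and "uid=admin2,ou=system" is taken from Kevin's messages as the DN of the user being granted access.

```ldif
# Added example (not from the thread). Assumed names: ou=people,ou=example.com
# as the parent of the protected entries, uid=admin2,ou=system as the user
# that should be granted access.

# 1) Make the parent of the protected entries an access-control
#    administrative point. Subentries stored directly under ou=people then
#    apply to everything below it.
dn: ou=people,ou=example.com
changetype: modify
add: administrativeRole
administrativeRole: accessControlSpecificArea

# 2) Store the subentry under that same administrative point, not under the
#    user it grants rights to. An empty subtreeSpecification "{}" selects the
#    whole subtree below ou=people. Only cn, subtreeSpecification and
#    prescriptiveACI belong here; sn, mail and userPassword are not permitted
#    by these object classes, which is why the earlier add was rejected.
dn: cn=admin2FullAccess,ou=people,ou=example.com
changetype: add
objectClass: top
objectClass: subentry
objectClass: accessControlSubentry
cn: admin2FullAccess
subtreeSpecification: {}
prescriptiveACI: { identificationTag "admin2FullAccess", precedence 0, authenticationLevel simple, itemOrUserFirst userFirst: { userClasses { name { "uid=admin2,ou=system" } }, userPermissions { { protectedItems { entry, allUserAttributeTypesAndValues }, grantsAndDenials { grantAdd, grantBrowse, grantCompare, grantDiscloseOnError, grantExport, grantImport, grantInvoke, grantModify, grantRead, grantRemove, grantRename, grantReturnDN, grantFilterMatch } } } } }
```

Apply it as the directory administrator, e.g. `ldapmodify -H ldap://localhost:10389 -D uid=admin,ou=system -W -f aci.ldif`. Two things to check before binding as admin2: the userPassword stays on the user entry uid=admin2,ou=system itself (the subentry never carries it), and access control has to be enabled in the ApacheDS configuration (the ads-accessControlEnabled attribute in the config partition of ApacheDS 2.0), otherwise the ACI is stored but never evaluated. The grantsAndDenials list above mirrors the "grant everything" step from the thread; for a real administrator account, trim it to the operations that account actually needs.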