I got it working! Thank you all so much for your help. You guys are life savers!
-Kevin

On Fri, Nov 4, 2011 at 1:41 PM, Oliver Schmidt <[email protected]> wrote:
> Hi Kevin,
>
> sorry for the confusion. administrativeRole has to be added to the entry
> under which the protected items are. E.g. ou=people,ou=example.com
>
> The subentry has also to be stored there. You should re-apply the
> userPassword in order to do at least simple authentication.
>
> A little background:
> A subentry is a kind of selector for all elements under its parent element.
> E.g. You can create a subentry under, let's say ou=people,... which selects
> all people with the attribute value memberOf=mygroup. Then you can add
> attributes to the subentry and those attributes automatically apply to all
> elements selected by the subentry. This way, you can automatically add
> attributes which are common to a specific group of elements. Even to
> elements which do not yet exist in your DIT.
>
> --
> Kind regards
> Oliver Schmidt
>
> Sent via HP Veer
>
> On 04.11.2011, 17:33, Kevin Hamilton <[email protected]> wrote:
>
>> Ok, so if I remove the userPassword, sn, and mail attributes from the
>> entry (the new accessControlSubentry) then it lets me create it. The
>> record exists as a subentry of the uid=admin2 object. When I bind to
>> ApacheDS as admin2, I still cannot see anything but the tree root.
>>
>> Any more advice on this and why it would say my userPassword, sn, and
>> mail attributes were invalid for the accessControlSubentry, subentry,
>> and top objectclasses?
>>
>> Thanks,
>> Kevin
>>
>> On Fri, Nov 4, 2011 at 9:48 AM, Kevin Hamilton <[email protected]> wrote:
>>>
>>> I am using ADS 2.0.0-M2.
>>>
>>> Thanks,
>>> Kevin
>>>
>>> On Fri, Nov 4, 2011 at 9:39 AM, Emmanuel Lécharny <[email protected]>
>>> wrote:
>>>>
>>>> On 11/4/11 2:29 PM, Kevin Hamilton wrote:
>>>>>
>>>>> The cn=admin2Test,uid=admin2,ou=system was never created because the
>>>>> error occurred while I was trying to create it.
>>>>>
>>>>> I was following Oliver's instructions by doing the following:
>>>>> 2) Add a new entry below the entry where you have added the
>>>>> "administrativeRole" attribute. Use the object classes
>>>>> "accessControlSubentry", "subentry" and "top". As RDN attribute name,
>>>>> use "cn" and choose a name of your preference.
>>>>> 2a) You will be asked to specify the subentry. Leave it empty.
>>>>> 2b) You will be asked to specify the ACI element:
>>>>>   * Identificator: <your choice>
>>>>>   * Priority: 0
>>>>>   * Authentication level: simple=non-SASL / strong=SASL (I would
>>>>>     choose simple first)
>>>>>   * User or element first: User
>>>>>   * User classes: Choose "name" and specify your admin2
>>>>>   * User permissions:
>>>>>     * Protected elements: "entry", "all user attribute types and
>>>>>       values"
>>>>>     * Grants and denials: Here, you can grant everything
>>>>>
>>>>>
>>>>> When he says add a new entry below the entry where I added
>>>>> administrativeRole, he means I should right click on the
>>>>> uid=admin,ou=system and add an entry to that, right? That is what I
>>>>> have been doing. Is this incorrect?
>>>>
>>>> No, this is the way it should be done.
>>>>
>>>> The error message is a bit surprising...
>>>>
>>>> What version of ADS are you using?
>>>>
>>>>
>>>> --
>>>> Regards,
>>>> Cordialement,
>>>> Emmanuel Lécharny
>>>> www.iktek.com
>>>>
>>>>
>>>
>>>
>>>
>>> --
>>> Thanks,
>>> Kevin
>>>
>>
>>
>>
>
>
> --
> Created with Opera's revolutionary e-mail module: http://www.opera.com/mail/
>

--
Thanks,
Kevin
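The following LDIF is an added example that is not part of the thread above; it spells out Oliver's two steps (administrativeRole on the parent of the protected entries, then the access control subentry stored directly under it) and the ACI settings Kevin quoted (priority 0, simple authentication, user first, user class "name", protected items entry plus all user attribute types and values, all grants). It assumes the DN Oliver used as his example (ou=people,ou=example.com), the admin2 user from the thread (uid=admin2,ou=system), and a subentry RDN chosen here (cn=admin2Aci); the grant names are the standard ApacheDS ACI grant tokens.

```ldif
# Step 1: make the parent of the protected entries an access-control
# administrative point. The DN is the one Oliver used in his example.
dn: ou=people,ou=example.com
changetype: modify
add: administrativeRole
administrativeRole: accessControlSpecificArea

# Step 2: store the access control subentry directly under that
# administrative point. cn=admin2Aci is a name chosen for this example.
# The subentry carries only the subentry attributes: no userPassword,
# sn or mail here, those belong on the user entry, not on the subentry.
dn: cn=admin2Aci,ou=people,ou=example.com
changetype: add
objectClass: top
objectClass: subentry
objectClass: accessControlSubentry
cn: admin2Aci
# An empty subtree specification selects every entry below ou=people,
# including entries that are added later (Oliver's "elements which do
# not yet exist in your DIT").
subtreeSpecification: { }
# The ACI item, folded over several lines with LDIF continuation
# (leading space). identificationTag is free text; precedence 0 matches
# "Priority: 0"; authenticationLevel simple is the non-SASL bind.
prescriptiveACI: {
   identificationTag "admin2FullAccess",
   precedence 0,
   authenticationLevel simple,
   itemOrUserFirst userFirst: {
     userClasses { name { "uid=admin2,ou=system" } },
     userPermissions { {
       protectedItems { entry, allUserAttributeTypesAndValues },
       grantsAndDenials { grantAdd, grantBrowse, grantCompare,
         grantDiscloseOnError, grantExport, grantFilterMatch, grantImport,
         grantInvoke, grantModify, grantRead, grantRemove, grantRename,
         grantReturnDN }
     } }
   }
 }
```

Apply it as the directory administrator (for a default ApacheDS install: ldapmodify -H ldap://localhost:10389 -D uid=admin,ou=system -W -f admin2-aci.ldif), then bind as uid=admin2,ou=system and search ou=people,ou=example.com: if the subentry is in effect, the entries below ou=people come back instead of only the tree root, which was the symptom Kevin described. Two things this example assumes and does not set up: the admin2 entry must still have a userPassword so the simple bind succeeds at all, and ACI enforcement has to be switched on in the server configuration (it is off in a fresh ApacheDS), otherwise the subentry is stored but never evaluated. The grant list is the "grant everything" choice from the thread; for a narrower administrator you would drop grants (for example grantExport, grantImport and grantInvoke) or restrict protectedItems to specific attribute types.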
