On Mon, Jan 6, 2014 at 4:29 AM, Mike Przybylski <mi...@gimmethebrain.net> wrote:
> Hello,
>
> Lately, I’ve been teaching myself how to use Apache Directory Server’s
> access control subsystem.
>
> Before getting too cute, I figured I’d try out the recipes here:
>
> http://directory.apache.org/apacheds/advanced-ug/4.2.7-using-acis-trail.html
>
> Both work as advertised, but as I’ve been reading more, some have
> suggested refining…
>
> http://directory.apache.org/apacheds/advanced-ug/4.2.7.2-allow-self-password-modify.html
>
> …to use maxValueCount to prevent (someone claiming to be) the user from
> inserting multiple userPassword values. However, as soon as I put
> maxValueCount in any protectedItems clause of my prescriptiveACI, all of my
> unprivileged user’s attributes become invisible to him.
>
> If I weren’t such a n00b, I’d think this was a bug.
>

Yes, I think so; I am able to reproduce this. Can you file a bug here:
https://issues.apache.org/jira/browse/DIRSERVER

Thank you.

> Here is the prescriptiveACI that I think should work:
>
> {
>   identificationTag "userSelfModifyPassword",
>   precedence 0,
>   authenticationLevel none,
>   itemOrUserFirst userFirst:
>   {
>     userClasses { thisEntry },
>     userPermissions
>     {
>       {
>         protectedItems
>         {
>           maxValueCount
>           {
>             { type userPassword, maxCount 1 }
>           }
>           ,
>           allAttributeValues { userPassword }
>         }
>         ,
>         grantsAndDenials { grantAdd, grantRemove }
>       }
>       ,
>       {
>         protectedItems { entry },
>         grantsAndDenials
>         {
>           grantRead,
>           grantBrowse,
>           grantModify
>         }
>       }
>     }
>   }
> }
>
> Server environment:
> Oracle JDK 1.7u45
> ApacheDS 2.0.0-M15
> Debian 7.3, AMD64
>
> Client environment:
> Apache Directory Studio
> Oracle JDK 1.7u45
> OS X 10.9.1
>
> Any pointers on what I’m doing wrong and/or how to do it better would be
> greatly appreciated.
>
> Best regards,
> Mike Przybylski

--
Kiran Ayyagari
http://keydap.com