Hi!
comments inline...
On 05/01/2017 at 00:10, Lamar Hansford wrote:
> Hello,
> I am having troubles with ACI. In all cases the default admin account works.
This is intended.
>
> I have created the following structure:
>
> * dc=domain,dc=dc (default using ApacheDS Studio)
> -- * ou=users
> ---- * uid=platform-admin (inetOrgPerson)
> ---- * uid=testUser (inetOrgPerson)
>
> -- * ou=groups
>
> ---- * ...etc
>
> With ACL turned on....
> Whenever I login using:
> * uid=platform-admin,ou=users,dc=domain,dc=com
>
> I cannot view the list of partitions. If I add base DN:
> * dc=domain,dc=com
>
>
> I see nothing. Not even the default partition. Only Root DSE(6)
> NOTE: I can see/modify non-system partitions with ACL disabled.
Yes, this is also expected (kind of... considering the complexity of the
ACI system, it's kind of magic ;-)
You need to grant some access to your elements if you want to be able to
access them.
>
> I have added [ administrativeRole=accessControlSpecificArea ] to the base
> partition (dc=domain,dc=dc)
> I have added the following subEntry:
> * objectClass=accessControlSubentry
> * objectClass=accessControlSubentry
> * top
> prescriptiveACI=
> {
> identificationTag "ACI",
> precedence 0,
> authenticationLevel simple,
> itemOrUserFirst userFirst:
> {
> userClasses { allUsers },
> userPermissions
> {
> {
> protectedItems { },
You probably want to set entry and allUserAttributeTypesAndValues in the
protectedItems set:
protectedItems { entry, allUserAttributeTypesAndValues }
> grantsAndDenials
> {
> grantReturnDN,
> grantRead,
> grantDiscloseOnError,
> grantRemove,
> grantAdd,
> grantInvoke,
> grantCompare,
> grantImport,
> grantRename,
> grantExport,
> grantModify,
> grantBrowse,
> grantFilterMatch
> }
> }
> }
> }
Can you give it a try?
>
> NOTE:
> When I restart the server the accessControlSubentries seem to get added as an
> attribute to the DN:dc=domain,dc=dc.
Actually, you should have a subentry under dc=domain,dc=dc:
dn: cn=mySubentry,dc=domain,dc=dc
objectClass: top
objectClass: subentry
objectClass: accessControlSubentry
subtreeSpecification: <blah>
prescriptiveACI: <blah>
Is that what you have?
--
Emmanuel Lecharny
Symas.com
directory.apache.org
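The following LDIF is an added example putting the two replies above together; it is not part of the original thread and not code from the ApacheDS project. It assumes the naming context is dc=domain,dc=dc (as in the quoted messages), that the subentry is named cn=mySubentry as in Emmanuel's sketch, and that the platform-admin DN is uid=platform-admin,ou=users,dc=domain,dc=dc. It also goes one step beyond the quoted ACI: instead of userClasses { allUsers } it names the single admin DN, because an allUsers rule that grants every permission on entry and all attributes is equivalent to having no access control at all for anyone who can bind simply.

```ldif
# 1. Mark the naming context as an access control specific administrative point.
#    (constructed example; DN taken from the thread)
dn: dc=domain,dc=dc
changetype: modify
add: administrativeRole
administrativeRole: accessControlSpecificArea

# 2. Create the subentry directly under the administrative point.
#    An empty subtreeSpecification { } covers the whole subtree below dc=domain,dc=dc.
#    The prescriptiveACI grants full access to the platform-admin account only
#    (the allUsers version from the thread would grant this to every bound user).
dn: cn=mySubentry,dc=domain,dc=dc
changetype: add
objectClass: top
objectClass: subentry
objectClass: accessControlSubentry
cn: mySubentry
subtreeSpecification: { }
prescriptiveACI: { identificationTag "platformAdminFullAccess", precedence 10, authenticationLevel simple, itemOrUserFirst userFirst: { userClasses { name { "uid=platform-admin,ou=users,dc=domain,dc=dc" } }, userPermissions { { protectedItems { entry, allUserAttributeTypesAndValues }, grantsAndDenials { grantAdd, grantBrowse, grantCompare, grantDiscloseOnError, grantExport, grantFilterMatch, grantImport, grantInvoke, grantModify, grantRead, grantRemove, grantRename, grantReturnDN } } } } }
```

Two checks worth doing after loading this: bind as uid=platform-admin,ou=users,dc=domain,dc=dc and search dc=domain,dc=dc with base scope (the entry itself should now be returned, which is what the empty protectedItems set in the thread prevented); then bind as uid=testUser and confirm that the same search returns nothing, which shows the rule is scoped to the named DN rather than to allUsers. Note that subentries are not returned by an ordinary search, so not seeing cn=mySubentry in a subtree listing does not mean it was not created.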