Ok,

I understand mostly what is going on now.  protectedItems is an unfortunate 
name as this field actually indicates the viewable items. All items seem to be 
protected by default.

It appears that the policy is restrictive and you must explicitly indicate each 
attribute which is to be exposed (unless you indicate all).  This can be done 
by adding attributeType and allAttributeValues.  

example:
protectedItems 
{ 
    entry, 
    attributeType { uid, publicKey }, 
    allAttributeValues { uid, publicKey } 
}


Also, two points of interest in ApacheDS Studio:

Point 1:
*  To view ACI subentries you must select an entry, right-click, 
   fetch->sub-entries.
Point 2:
*  There is a bug in the User Permission Editor where you cannot edit an ACI 
   attribute which contains an existing ProtectedItems->All Attribute Values.  The 
   source for this element becomes corrupted and must be re-entered.

Thanks for the help!
-Lamar
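The two pieces discussed in this thread put together as one LDIF file, added here as an example and not taken from either message: the administrativeRole on the base entry, and a subentry whose prescriptiveACI uses the restrictive attributeType/allAttributeValues form for uid and publicKey. It assumes the base DN is dc=domain,dc=com (the thread writes both dc=dc and dc=com), a subentry name of cn=readUidAndKey, and a read-only set of grants; precedence and identificationTag are chosen here.

```ldif
# 1. Mark the base entry as an access-control specific administrative point.
#    Without this, ApacheDS does not evaluate subentries below it.
dn: dc=domain,dc=com
changetype: modify
add: administrativeRole
administrativeRole: accessControlSpecificArea

# 2. The subentry that carries the prescriptive ACI (cn=readUidAndKey is an
#    assumed name). subtreeSpecification { } covers the whole administrative
#    area; something like { base "ou=users" } would narrow it to one subtree.
#    Access is deny-by-default: only what is listed in protectedItems becomes
#    visible. The empty "protectedItems { }" from the thread exposes nothing,
#    so a bound user sees only the Root DSE. Listing entry plus
#    attributeType/allAttributeValues for uid and publicKey exposes exactly
#    those two attributes; allUserAttributeTypesAndValues would expose all
#    user attributes. Value continuation lines start with one space (LDIF).
dn: cn=readUidAndKey,dc=domain,dc=com
changetype: add
objectClass: top
objectClass: subentry
objectClass: accessControlSubentry
cn: readUidAndKey
subtreeSpecification: { }
prescriptiveACI: {
   identificationTag "readUidAndKey",
   precedence 10,
   authenticationLevel simple,
   itemOrUserFirst userFirst:
   {
     userClasses { allUsers },
     userPermissions
     {
       {
         protectedItems
         {
           entry,
           attributeType { uid, publicKey },
           allAttributeValues { uid, publicKey }
         },
         grantsAndDenials { grantRead, grantReturnDN, grantBrowse, grantDiscloseOnError }
       }
     }
   }
 }
```

Apply with ldapmodify as the admin account (the ACI does not restrict it, as noted above), then bind as uid=platform-admin to confirm that only uid and publicKey come back and that the subentry itself stays hidden unless fetched explicitly in Studio.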



----- Original Message -----
From: Emmanuel Lécharny <[email protected]>
To: [email protected]
Sent: Thursday, January 5, 2017 7:01 PM
Subject: Re: ACI Help

Hi !


comments inline...


Le 05/01/2017 à 00:10, Lamar Hansford a écrit :
> Hello,
> I am having troubles with ACI.  In all cases the default admin account works.
This is intended.

>
> I have created the following structure:
>
> * dc=domain,dc=dc (default using ApacheDS Studio)
> -- * ou=users
> ---- * uid=platform-admin (inetOrgPerson)
> ---- * uid=testUser (inetOrgPerson)
>
> -- * ou=groups 
>
> ---- * ...etc
>
> With ACL turned on....
> Whenever I login using:
> * uid=platform-admin,ou=users,dc=domain,dc=com
>
> I cannot view the list of partitions.  If I add base DN: 
> * dc=domain,dc=com 
>
>
> I see nothing.  Not even the default partition.  Only Root DSE(6)
> NOTE:  I can see/modify non-system partitions with ACL disabled.

yes, this is also expected (kind of... Considering the complexity of the
ACI system, it's kind of magic ;-)

You need to grant some access to your elements if you want to be able to
access them.

>
> I have added [ administrativeRole=accessControlSpecificArea ] to the base 
> partition (dc=domain,dc=dc)
> I have added the following subEntry:
> * objectClass=accessControlSubentry
> * objectClass=accessControlSubentry 
> * top
> prescriptiveACI=
>   { 
>     identificationTag "ACI", 
>     precedence 0, 
>     authenticationLevel simple, 
>     itemOrUserFirst userFirst: 
>     { 
>       userClasses { allUsers }, 
>       userPermissions 
>     { 
>       { 
>         protectedItems { }, 

you probably want to set Entry and allUserAttributeTypesAndValues in the
protectedItems set :

    protectedItems { entry, allUserAttributeTypesAndValues }
>         grantsAndDenials 
>       { 
>         grantReturnDN, 
>         grantRead, 
>         grantDiscloseOnError, 
>         grantRemove, 
>         grantAdd, 
>         grantInvoke, 
>         grantCompare, 
>         grantImport, 
>         grantRename, 
>         grantExport, 
>         grantModify, 
>         grantBrowse, 
>         grantFilterMatch 
>       }
>     }
>   }  
> }

Can you give it a try ?

>
> NOTE:
> When I restart the server the accessControlSubentries seem to get added as an 
> attribute to the DN:dc=domain,dc=dc. 

Actually, you should have a subentry under dc=domain,dc=dc  :

    dn: cn=mySubentry,dc=domain,dc=dc
    objectClass: top
    objectClass: subentry
    objectClass: accessControlSubentry
    subtreeSpecification: <blah>
    prescriptiveACI: <blah>

is that what you have ?

-- 
Emmanuel Lecharny

Symas.com
directory.apache.org
