---------- Forwarded message ----------
From: "Қαεζ ₪" <drae...@gmail.com>
Date: 30 Jan 2018 9:25 am
Subject: Re: ApacheDS ACL over custom schema
To: "Emmanuel Lécharny" <elecha...@gmail.com>
Cc:

Sure, here they are :

Only self password modify :
dn: cn=allowSelfModifications,dc=mydomain,dc=fr
objectClass: top
objectClass: subentry
objectClass: accessControlSubentry
cn: allowSelfModifications
subtreeSpecification: { }
prescriptiveACI: {
 identificationTag "allowSelfModifications", precedence 20,
authenticationLevel none,
 itemOrUserFirst userFirst: { userClasses { thisEntry  }, userPermissions {
 { protectedItems {entry}, grantsAndDenials { grantModify, grantBrowse,
grantRead } },
 { protectedItems {allAttributeValues {userPassword}}, grantsAndDenials {
grantAdd,
 grantRemove } } } } }

Everyone can read & browse :
dn: cn=allowGlobalRead,dc=mydomain,dc=fr
objectClass: subentry
objectClass: accessControlSubentry
objectClass: top
cn: allowGlobalRead
subtreeSpecification: { }
prescriptiveACI: {
 identificationTag "allowGlobalRead", precedence 10, authenticationLevel
none,
 itemOrUserFirst userFirst: { userClasses { allUsers }, userPermissions { {
 protectedItems {entry, allUserAttributeTypesAndValues}, grantsAndDenials {
 grantRead, grantReturnDN, grantFilterMatch, grantBrowse
 } } } } }

LDAPadmin=TRUE can do everything : (NOT WORKING)
dn: cn=allowGlobalAdministration,dc=mydomain,dc=fr
objectClass: top
objectClass: subentry
objectClass: accessControlSubentry
cn: allowGlobalAdministration
subtreeSpecification: { specificationFilter (LDAPadmin=TRUE) }
prescriptiveACI: {
 identificationTag "allowGlobalAdministration", precedence 30,
authenticationLevel none,
 itemOrUserFirst userFirst: { userClasses { allUsers }, userPermissions { {
 protectedItems { entry, allUserAttributeTypes,
allUserAttributeTypesAndValues },
 grantsAndDenials { grantImport, grantDiscloseOnError, grantInvoke,
grantAdd,
 grantCompare, grantExport, grantBrowse, grantRead, grantFilterMatch,
grantRemove,
 grantReturnDN, grantRename, grantModify } } } } }

Also, it's a detail but if I do a ldapmodify with all these entry together
there is an error. I have to do one the request one acl per one acl.

On Mon, Jan 29, 2018 at 8:56 PM, Emmanuel Lécharny <elecha...@gmail.com>
wrote:

>
>
> Le 29/01/2018 à 16:47,  Қαεζ ₪ a écrit :
> > Hello,
> >
> > I'm currently deploying an ApacheDS server, version M24, and I'm trying
> to
> > set up 3 ACL :
> > - Everyone can update it's own password : Done ;
> > - Everyone can read & browse the LDAP : Done ;
> > - Only users who got LDAPadmin attributes to TRUE can do anything to
> > anyone, like creating a cn, with subentries and so on : Fail.
> >
> > Either I got an error 80 (Internal implementation specific error), either
> > the request is sent but has no effect : the specificationFilter
> > (LDAPadmin=TRUE) applied to All Users with all rights given to Entry,
> > AllUserAttributeTypesAndValues does not work.
> >
> > Anyone have experienced this ?
>
> Can you send us your ACL definitions ?
>
> --
> Emmanuel Lecharny
>
> Symas.com
> directory.apache.org
>
>

Reply via email to