Sorry for the delay, I have to have a working server to test your ACIs, and I'm currently refactoring it, so it will take a bit of time...
On 07/02/2018 at 13:50, Қαεζ ₪ wrote:
> Sure, here they are:
>
> Only self password modify:
> dn: cn=allowSelfModifications,dc=mydomain,dc=fr
> objectClass: top
> objectClass: subentry
> objectClass: accessControlSubentry
> cn: allowSelfModifications
> subtreeSpecification: { }
> prescriptiveACI: {
>  identificationTag "allowSelfModifications", precedence 20,
>  authenticationLevel none,
>  itemOrUserFirst userFirst: { userClasses { thisEntry }, userPermissions {
>  { protectedItems {entry}, grantsAndDenials { grantModify, grantBrowse, grantRead } },
>  { protectedItems {allAttributeValues {userPassword}}, grantsAndDenials { grantAdd, grantRemove } } } } }
>
> Everyone can read & browse:
> dn: cn=allowGlobalRead,dc=mydomain,dc=fr
> objectClass: subentry
> objectClass: accessControlSubentry
> objectClass: top
> cn: allowGlobalRead
> subtreeSpecification: { }
> prescriptiveACI: {
>  identificationTag "allowGlobalRead", precedence 10, authenticationLevel none,
>  itemOrUserFirst userFirst: { userClasses { allUsers }, userPermissions { {
>  protectedItems {entry, allUserAttributeTypesAndValues}, grantsAndDenials {
>  grantRead, grantReturnDN, grantFilterMatch, grantBrowse } } } } }
>
> LDAPadmin=TRUE can do everything: (NOT WORKING)
> dn: cn=allowGlobalAdministration,dc=mydomain,dc=fr
> objectClass: top
> objectClass: subentry
> objectClass: accessControlSubentry
> cn: allowGlobalAdministration
> subtreeSpecification: { specificationFilter (LDAPadmin=TRUE) }
> prescriptiveACI: {
>  identificationTag "allowGlobalAdministration", precedence 30,
>  authenticationLevel none,
>  itemOrUserFirst userFirst: { userClasses { allUsers }, userPermissions { {
>  protectedItems { entry, allUserAttributeTypes, allUserAttributeTypesAndValues },
>  grantsAndDenials { grantImport, grantDiscloseOnError, grantInvoke, grantAdd,
>  grantCompare, grantExport, grantBrowse, grantRead, grantFilterMatch, grantRemove,
>  grantReturnDN, grantRename, grantModify } } } } }
>
> Also, it's a detail, but if I do an ldapmodify with all these entries together there is an error. I have to do one request per ACL.
>
> On Mon, Jan 29, 2018 at 8:56 PM, Emmanuel Lécharny <elecha...@gmail.com> wrote:
>>
>> On 29/01/2018 at 16:47, Қαεζ ₪ wrote:
>>> Hello,
>>>
>>> I'm currently deploying an ApacheDS server, version M24, and I'm trying to set up 3 ACLs:
>>> - Everyone can update their own password: Done;
>>> - Everyone can read & browse the LDAP: Done;
>>> - Only users who have the LDAPadmin attribute set to TRUE can do anything to anyone, like creating a cn, with subentries and so on: Fail.
>>>
>>> Either I get an error 80 (Internal implementation specific error), or the request is sent but has no effect: the specificationFilter (LDAPadmin=TRUE) applied to All Users with all rights given to Entry, AllUserAttributeTypesAndValues does not work.
>>>
>>> Has anyone experienced this?
>>
>> Can you send us your ACL definitions?
>>
>> --
>> Emmanuel Lecharny
>>
>> Symas.com
>> directory.apache.org
>>
>

--
Emmanuel Lecharny
Symas.com
directory.apache.org
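As an added example (editor's, not code from the thread or the ApacheDS project): in an ACI subentry the subtreeSpecification, including any specificationFilter, selects which entries are protected, not which requestor is granted, so the third ACI above as written offers allUsers (anonymous included, with authenticationLevel none) full rights over the entries that carry LDAPadmin=TRUE; the usual way to grant by requestor in ApacheDS is a userGroup userClass. It assumes dc=mydomain,dc=fr is already an access control administrative point (the two working ACIs need that too) and uses a constructed group cn=admins,ou=groups,dc=mydomain,dc=fr with a constructed member uid=alice.

```ldif
# Added example, not from the thread. Assumptions: dc=mydomain,dc=fr carries
# administrativeRole: accessControlSpecificArea, ou=groups exists, and the
# group and member below are constructed for illustration.

# The group that names the administrators. ApacheDS resolves userGroup
# membership from a groupOfNames / groupOfUniqueNames entry.
dn: cn=admins,ou=groups,dc=mydomain,dc=fr
objectClass: top
objectClass: groupOfUniqueNames
cn: admins
uniqueMember: uid=alice,ou=people,dc=mydomain,dc=fr

# The ACI subentry. An empty subtreeSpecification protects every entry
# under the administrative point; the requestor is chosen by userClasses
# (userGroup), not by a filter on the protected entries.
# authenticationLevel simple refuses anonymous requestors outright.
dn: cn=allowGlobalAdministration,dc=mydomain,dc=fr
objectClass: top
objectClass: subentry
objectClass: accessControlSubentry
cn: allowGlobalAdministration
subtreeSpecification: { }
prescriptiveACI: {
  identificationTag "allowGlobalAdministration", precedence 30,
  authenticationLevel simple,
  itemOrUserFirst userFirst: {
    userClasses { userGroup { "cn=admins,ou=groups,dc=mydomain,dc=fr" } },
    userPermissions { {
      protectedItems { entry, allUserAttributeTypes, allUserAttributeTypesAndValues },
      grantsAndDenials { grantImport, grantDiscloseOnError, grantInvoke, grantAdd,
        grantCompare, grantExport, grantBrowse, grantRead, grantFilterMatch,
        grantRemove, grantReturnDN, grantRename, grantModify } } } } }
```

Both records load with ldapadd as the directory administrator; a quick check is to bind as uid=alice and as a non-member and confirm only the former can modify another user's entry.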