Posted to users@directory.apache.org by Ron Woods <rw...@vaytek.com> on 2011/05/20 18:24:37 UTC

[ApacheDS] prescriptiveACI not working

Hi,

I have been going through the examples on this page in the manual http://directory.apache.org/apacheds/1.5/32-basic-authorization.html
(I am using ApacheDS 1.5.7 with Apache Directory Studio Version: 1.5.3.v20100330)

I am trying to apply the prescriptiveACI's to my own company directory partition, "o=vaytek".
Per the instructions, I enabled the "accessControlEnabled" flag in server.xml.
I have added to the top node "o=vaytek" the attribute "administrativeRole" with value "accessControlSpecificArea" to make it the administrative point.
I have added a subentry with prescriptiveACI's

1) to deny allUsers access to the userPassword,
2) to allow allUsers to search and compare other attributes, and
3) to assign a specific user as the directory manager with full access,
as follows:

dn: cn=vaytekAuthorizationRequirementsACISubentry,o=vaytek
objectClass: subentry
objectClass: accessControlSubentry
objectClass: top
cn: vaytekAuthorizationRequirementsACISubentry
subtreeSpecification: { }
prescriptiveACI: {
    identificationTag "allUsersACI",
    precedence 10,
    authenticationLevel simple,
    itemOrUserFirst userFirst:
    {
        userClasses { allUsers },
        userPermissions
        {
            {
                protectedItems
                {
                    attributeType { userPassword }
                }
                ,
                grantsAndDenials
                {
                    denyCompare,
                    denyFilterMatch,
                    denyRead
                }
            }
            ,
            {
                protectedItems { allUserAttributeTypesAndValues, entry },
                grantsAndDenials
                {
                    grantRead,
                    grantReturnDN,
                    grantCompare,
                    grantDiscloseOnError,
                    grantBrowse,
                    grantFilterMatch
                }
            }
        }
    }
}
prescriptiveACI: {
    identificationTag "directoryManagerFullAccessACI",
    precedence 11,
    authenticationLevel simple,
    itemOrUserFirst userFirst:
    {
        userClasses
        {
            name { "uid=rwoods,ou=Users,o=vaytek" }
        }
        ,
        userPermissions
        {
            {
                protectedItems { allUserAttributeTypesAndValues, entry },
                grantsAndDenials
                {
                    grantReturnDN,
                    grantDiscloseOnError,
                    grantExport,
                    grantRemove,
                    grantFilterMatch,
                    grantBrowse,
                    grantModify,
                    grantImport,
                    grantRead,
                    grantRename,
                    grantCompare,
                    grantInvoke,
                    grantAdd
                }
            }
        }
    }
}

However, when I connect in Apache Directory Studio as user rwoods, then all I can see is RootDSE and nothing below it.
Ditto if I connect as any other user.  The user entries are in "ou=users,o=vaytek", in a similar manner to the doc example "ou=people,o=sevenSeas".
I checked the mailing list archives and found this thread
http://mail-archives.apache.org/mod_mbox/directory-users/201105.mbox/%3cBANLkTimQO8SKB4Na--TSYbHR5mf1qQvaEw@mail.gmail.com%3e
but I've already set the administrativeRole attribute.
Any help to get this working would be greatly appreciated.

Ron Woods
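As an added illustration (not code from the post or from ApacheDS), the following Python models how the X.501 access control decision function resolves the two prescriptiveACI values above once they are actually loaded: why the userPassword deny beats the allUsers grant (more specific protected item at equal precedence), and why uid=rwoods wins everything (precedence 11 over 10). It assumes simple-bind authentication for every requestor and uses a made-up second user, uid=alice, for the checks.

```python
# Simplified model of the X.501 access control decision function (ACDF) ApacheDS
# applies to prescriptiveACI tuples. The tuples are transcribed from the two ACIs
# in the post. Evaluation order (X.501 18.8): keep applicable tuples, then highest
# precedence, most specific user class, most specific protected item; a deny that
# survives beats a grant. Added illustration, not ApacheDS code.
USER_SPECIFICITY = {"allUsers": 0, "name": 1}  # name is the most specific user class
ITEM_SPECIFICITY = {"entry": 0, "allUserAttributeTypesAndValues": 1, "attributeType": 2}
MANAGER_DN = "uid=rwoods,ou=Users,o=vaytek"
FULL = ("ReturnDN", "DiscloseOnError", "Export", "Remove", "FilterMatch", "Browse",
        "Modify", "Import", "Read", "Rename", "Compare", "Invoke", "Add")
SEARCH = ("Read", "ReturnDN", "Compare", "DiscloseOnError", "Browse", "FilterMatch")

def aci_tuple(tag, prec, user_class, item, grants=(), denials=(), user_dn=None, attr=None):
    return dict(tag=tag, precedence=prec, user_class=user_class, user_dn=user_dn, item=item,
                attr=attr, grants=frozenset(grants), denials=frozenset(denials))

ACI_TUPLES = [  # one tuple per (userClass, protectedItem) pair of the subentry's ACIs
    aci_tuple("allUsersACI", 10, "allUsers", "attributeType", attr="userPassword",
              denials=("Compare", "FilterMatch", "Read")),
    aci_tuple("allUsersACI", 10, "allUsers", "allUserAttributeTypesAndValues", grants=SEARCH),
    aci_tuple("allUsersACI", 10, "allUsers", "entry", grants=SEARCH),
    aci_tuple("directoryManagerFullAccessACI", 11, "name", "allUserAttributeTypesAndValues",
              grants=FULL, user_dn=MANAGER_DN),
    aci_tuple("directoryManagerFullAccessACI", 11, "name", "entry", grants=FULL,
              user_dn=MANAGER_DN),
]

def _item_matches(t, target):
    """target is 'entry' for entry permissions, otherwise an attribute type name."""
    if t["item"] == "entry":
        return target == "entry"
    if t["item"] == "attributeType":
        return target.lower() == t["attr"].lower()  # attribute names are case-insensitive
    return target != "entry"  # allUserAttributeTypesAndValues covers every attribute

def decide(user_dn, target, permission, tuples=ACI_TUPLES):
    """Return 'grant' or 'deny' for one (requestor DN, protected item, permission)."""
    live = [t for t in tuples
            if (t["user_class"] == "allUsers" or t["user_dn"] == user_dn)
            and _item_matches(t, target)
            and (permission in t["grants"] or permission in t["denials"])]
    if not live:
        return "deny"  # nothing applies: default deny
    for key in (lambda t: t["precedence"], lambda t: USER_SPECIFICITY[t["user_class"]],
                lambda t: ITEM_SPECIFICITY[t["item"]]):
        best = max(key(t) for t in live)
        live = [t for t in live if key(t) == best]  # keep only this step's winners
    return "deny" if any(permission in t["denials"] for t in live) else "grant"
```

If a bound user still sees nothing below the RootDSE while this model says Browse and ReturnDN are granted on the entry, the rules are not being evaluated at all, which is the 1.5.7 reload problem discussed later in the thread rather than a mistake in the ACI itself.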

Re: [ApacheDS] prescriptiveACI not working

Posted by Emmanuel Lécharny <el...@apache.org>.
On 5/23/11 6:24 PM, Ron Woods wrote:
> Hi, Emmanuel,
>
> Yes, I did stop and start the server after inserting the prescriptiveACI attributes, but it still didn't work.
What I meant is that if you stopped the server, as the cache isn't 
correctly updated in 1.5.7, the ACI has been lost in the process...
> Sorry to hear that there is no current workaround; however, we can probably wait for the next release:  Our application is still in design, at present.
Not a problem: we are currently discussing releasing a new 
version very soon, as we have quite a few problematic issues that have 
been fixed since we released 1.5.7, and this could happen in the next 
couple of weeks.
> While waiting for a reply to my question, I discovered that Apache Directory Studio can create servers.
Yes. We did that in order to give a tool to people who want to play with 
a server without having to go through the pain of installing it beside. 
It's really very handy.

>   I did that and noticed the version is 1.5.6. Thinking that maybe it would work in the prior version, I imported our directory into that server.  I added the prescriptiveACI, but it didn't work in that context, either.  Should it be working in version 1.5.6?
No. Same problem.

We are also trying to cut a 1.5.4 release, with a more updated version 
of the server. Damn, all those releases depend on each other :/

Keep tuned, many new things will certainly occur in June.

-- 
Regards,
Cordialement,
Emmanuel Lécharny
www.iktek.com


RE: [ApacheDS] prescriptiveACI not working

Posted by Ron Woods <rw...@vaytek.com>.
Hi, Emmanuel,

Yes, I did stop and start the server after inserting the prescriptiveACI attributes, but it still didn't work.

Sorry to hear that there is no current workaround; however, we can probably wait for the next release:  Our application is still in design, at present.

While waiting for a reply to my question, I discovered that Apache Directory Studio can create servers.  I did that and noticed the version is 1.5.6. Thinking that maybe it would work in the prior version, I imported our directory into that server.  I added the prescriptiveACI, but it didn't work in that context, either.  Should it be working in version 1.5.6?

Ron Woods

-----Original Message-----
From: Emmanuel Lecharny [mailto:elecharny@gmail.com] 
Sent: Friday, May 20, 2011 7:37 PM
To: users@directory.apache.org
Subject: Re: [ApacheDS] prescriptiveACI not working


On 5/20/11 6:24 PM, Ron Woods wrote:
> However, when I connect in Apache Directory Studio as user rwoods, then all I can see is RootDSE and nothing below it.

Just wondering: did you stop and start the server after having injected the ACI?

There is a bug in 1.5.7, which has been fixed in trunk, that makes the ACI not be reloaded when the server is restarted, making the ACI subsystem totally useless.

I'm not saying that there is a workaround, or any solution to fix this issue in 1.5.7, sadly, but to inform you about this problem.

We hope to get a new ADS release quite fast, but I'm more or less talking in terms of weeks, not days.

Truly sorry for that :/

--
Regards,
Cordialement,
Emmanuel Lécharny
www.iktek.com


Re: [ApacheDS] prescriptiveACI not working

Posted by Emmanuel Lecharny <el...@gmail.com>.
On 5/20/11 6:24 PM, Ron Woods wrote:
> However, when I connect in Apache Directory Studio as user rwoods, then all I can see is RootDSE and nothing below it.

Just wondering: did you stop and start the server after having 
injected the ACI?

There is a bug in 1.5.7, which has been fixed in trunk, that makes the ACI 
not be reloaded when the server is restarted, making the ACI 
subsystem totally useless.

I'm not saying that there is a workaround, or any solution to fix this 
issue in 1.5.7, sadly, but to inform you about this problem.

We hope to get a new ADS release quite fast, but I'm more or less 
talking in terms of weeks, not days.

Truly sorry for that :/

-- 
Regards,
Cordialement,
Emmanuel Lécharny
www.iktek.com