Posted to users@directory.apache.org by Steven Altsman <st...@gmail.com> on 2011/05/11 19:33:56 UTC
[ApacheDS] ACLS - Set a user in a partition to be an admin
Hi All,
Pretty straightforward question, methinks: I have
o=US,DC=mydomain,DC=org and in there I have
uid=adminguy,ou=people(,o=US...,DC=org). I want him to admin over
o=US,DC=mydomain,DC=org. I've got ApacheDS and Eclipse with Directory
Studio extensions.
Ibis redibis nunquam per bella peribis
Re: [ApacheDS] ACLS - Set a user in a partition to be an admin
Posted by Steven Altsman <st...@gmail.com>.
Ah HA! Adding the subentry opened up a tonne of possibilities! Thank
you very much for your assistance.
Ibis redibis nunquam per bella peribis
On Thu, May 12, 2011 at 7:33 AM, Mike Adamson <mi...@gmail.com> wrote:
> Hi,
>
> You need to give the o=US,DC=mydomain,DC=org node an administrativeRole
> attribute with a value of accessControlSpecificArea and then create a sub
> entry for it like:
>
> dn: cn=adminSubentry,o=US,dc=mydomain,dc=org
> changetype: add
> objectclass: top
> objectclass: subentry
> objectclass: accessControlSubentry
> cn: adminSubentry
> subtreeSpecification: {}
> prescriptiveACI: {
>   identificationTag "administratorFullAccessACI",
>   precedence 100,
>   authenticationLevel simple,
>   itemOrUserFirst userFirst: {
>     userClasses {
>       name { "uid=adminguy,ou=people(,o=US...,DC=org)." }
>     },
>     userPermissions {
>       {
>         protectedItems {
>           entry, allUserAttributeTypesAndValues
>         },
>         grantsAndDenials {
>           grantAdd, grantDiscloseOnError, grantRead,
>           grantRemove, grantBrowse, grantExport, grantImport,
>           grantModify, grantRename, grantReturnDN,
>           grantCompare, grantFilterMatch, grantInvoke
>         }
>       }
>     }
>   }
> }
>
> I haven't had much joy applying these things with directory studio, it's
> easier to put it all in an ldif file and import it.
>
> Cheers,
>
> MikeA
>
> On 11 May 2011 18:33, Steven Altsman <st...@gmail.com> wrote:
>
>> Hi All,
>>
>> Pretty straightforward question, methinks: I have
>> o=US,DC=mydomain,DC=org and in there I have
>> uid=adminguy,ou=people(,o=US...,DC=org). I want him to admin over
>> o=US,DC=mydomain,DC=org. I've got ApacheDS and Eclipse with Directory
>> Studio extensions.
>>
>> Ibis redibis nunquam per bella peribis
>>
>
Re: [ApacheDS] ACLS - Set a user in a partition to be an admin
Posted by Mike Adamson <mi...@gmail.com>.
Hi,
You need to give the o=US,DC=mydomain,DC=org node an administrativeRole
attribute with a value of accessControlSpecificArea and then create a sub
entry for it like:
dn: cn=adminSubentry,o=US,dc=mydomain,dc=org
changetype: add
objectclass: top
objectclass: subentry
objectclass: accessControlSubentry
cn: adminSubentry
subtreeSpecification: {}
prescriptiveACI: {
  identificationTag "administratorFullAccessACI",
  precedence 100,
  authenticationLevel simple,
  itemOrUserFirst userFirst: {
    userClasses {
      name { "uid=adminguy,ou=people(,o=US...,DC=org)." }
    },
    userPermissions {
      {
        protectedItems {
          entry, allUserAttributeTypesAndValues
        },
        grantsAndDenials {
          grantAdd, grantDiscloseOnError, grantRead,
          grantRemove, grantBrowse, grantExport, grantImport,
          grantModify, grantRename, grantReturnDN,
          grantCompare, grantFilterMatch, grantInvoke
        }
      }
    }
  }
}
I haven't had much joy applying these things with directory studio, it's
easier to put it all in an ldif file and import it.
Cheers,
MikeA
On 11 May 2011 18:33, Steven Altsman <st...@gmail.com> wrote:
> Hi All,
>
> Pretty straightforward question, methinks: I have
> o=US,DC=mydomain,DC=org and in there I have
> uid=adminguy,ou=people(,o=US...,DC=org). I want him to admin over
> o=US,DC=mydomain,DC=org. I've got ApacheDS and Eclipse with Directory
> Studio extensions.
>
> Ibis redibis nunquam per bella peribis
>
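The two steps from Mike's reply combined into one importable LDIF file, as an added example that is not part of the original thread: the first record marks the node as an access control specific area, the second adds the subentry with every continuation line of the ACI indented so it is read as one folded value. It assumes the administrator's full DN is uid=adminguy,ou=people,o=US,dc=mydomain,dc=org (the thread abbreviates it) and that the node carries no administrativeRole attribute yet.

```ldif
version: 1

# Step 1: make o=US an access control administrative point.
# Assumption: the entry has no administrativeRole attribute yet.
dn: o=US,dc=mydomain,dc=org
changetype: modify
add: administrativeRole
administrativeRole: accessControlSpecificArea
-

# Step 2: the access control subentry from the reply. The empty
# subtreeSpecification applies it to the whole area below o=US.
# Assumption: the user DN is written out in full here.
dn: cn=adminSubentry,o=US,dc=mydomain,dc=org
changetype: add
objectClass: top
objectClass: subentry
objectClass: accessControlSubentry
cn: adminSubentry
subtreeSpecification: {}
prescriptiveACI: {
  identificationTag "administratorFullAccessACI",
  precedence 100,
  authenticationLevel simple,
  itemOrUserFirst userFirst: {
    userClasses {
      name { "uid=adminguy,ou=people,o=US,dc=mydomain,dc=org" }
    },
    userPermissions {
      {
        protectedItems {
          entry, allUserAttributeTypesAndValues
        },
        grantsAndDenials {
          grantAdd, grantDiscloseOnError, grantRead,
          grantRemove, grantBrowse, grantExport, grantImport,
          grantModify, grantRename, grantReturnDN,
          grantCompare, grantFilterMatch, grantInvoke
        }
      }
    }
  }
 }
```

The subentry only takes effect when access control is enabled in the ApacheDS server configuration, which is off by default.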