Posted to users@directory.apache.org by Christian Felsing <pu...@felsing.net> on 2013/09/03 15:50:41 UTC
Apache DS ACLs
Hello,
now I got DS partially running with ACLs, but the following ACL does not do
what I expected:
{
  identificationTag "mtaAclElement",
  precedence 0,
  authenticationLevel simple,
  itemOrUserFirst userFirst:
  {
    userClasses
    {
      name { "cn=mta,dc=ip6,dc=li" }
    }
    ,
    userPermissions
    {
      {
        protectedItems
        {
          entry,
          attributeType
          {
            tsnetDomainName,
            tsnetMailHost,
            uid
          }
        }
        ,
        grantsAndDenials
        {
          grantBrowse,
          grantRead,
          grantReturnDN,
          grantCompare
        }
      }
    }
  }
}
This ACL should allow DN cn=mta,dc=ip6,dc=li access to attributes
uid
tsnetDomainName
tsnetMailHost
and to list all DN entries. A test (temporarily allowing all
attributes to be listed) proved that this ACL matches.
but
ldapsearch -H ldap://192.168.116.29:10389 -x -D "cn=mta,dc=ip6,dc=li" -w VerySecretPassword -b "dc=ip6,dc=li"
lists DN entries only:
# pug@felsing.net, freemail, ip6.li
dn: uid=pug@felsing.net,ou=freemail,dc=ip6,dc=li
...
Attributes listed on attributeType are not shown.
Is attributeType the right discriminator?
best regards
Christian
Re: Apache DS ACLs
Posted by Kiran Ayyagari <ka...@apache.org>.
Christian,
please check the comment I have added in the bug report.
The above ACI is missing 'allAttributeValues { }' in the protected items.
On Tue, Sep 3, 2013 at 9:26 PM, Christian Felsing <pu...@felsing.net> wrote:
> bug report DIRSERVER-1895 created
>
> Christian
>
>
> On 03.09.13 17:10, Kiran Ayyagari wrote:
> > this looks like a bug, I am able to reproduce this locally using the same
> > version
> > can you file a bug report here[1], am debugging this issue right now.
> >
> > thank you
>
>
--
Kiran Ayyagari
http://keydap.com
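Added example (not part of the original thread, and not ApacheDS code): a small Python check for the gap named in the reply above. In X.501-style ACIs the 'attributeType' item covers only the attribute type, while the values need a value-level item such as 'allAttributeValues'. The helper names are hypothetical, and the simplified parser assumes no braces inside quoted strings.

```python
import re

# ACI from the first message of this thread, condensed onto fewer lines.
ACI_FROM_THREAD = """
{ identificationTag "mtaAclElement", precedence 0, authenticationLevel simple,
  itemOrUserFirst userFirst: { userClasses { name { "cn=mta,dc=ip6,dc=li" } },
    userPermissions { {
      protectedItems { entry, attributeType { tsnetDomainName, tsnetMailHost, uid } },
      grantsAndDenials { grantBrowse, grantRead, grantReturnDN, grantCompare } } } } }
"""
# Constructed variant: the same ACI with the value-level item from the reply added.
TYPES = "attributeType { tsnetDomainName, tsnetMailHost, uid }"
VALUES = TYPES.replace("attributeType", "allAttributeValues")
ACI_WITH_VALUES = ACI_FROM_THREAD.replace(TYPES, TYPES + ", " + VALUES)


def braced_body(text, open_idx):
    """Return the text between the '{' at open_idx and its matching '}'."""
    depth = 0
    for i in range(open_idx, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[open_idx + 1:i]
    raise ValueError("unbalanced braces in ACI")


def attr_set(items, keyword):
    """Lower-cased attribute names listed under 'keyword { ... }'."""
    names = set()
    for m in re.finditer(r"\b%s\s*\{" % keyword, items):
        body = braced_body(items, m.end() - 1)
        names |= {n.strip().lower() for n in body.split(",") if n.strip()}
    return names


def types_without_values(aci):
    """Attributes named in attributeType with no value-level protected item."""
    missing = set()
    for m in re.finditer(r"\bprotectedItems\s*\{", aci):
        items = braced_body(aci, m.end() - 1)
        if re.search(r"\ballUserAttributeTypesAndValues\b", items):
            continue  # this item covers types and values of all user attributes
        missing |= attr_set(items, "attributeType") - attr_set(items, "allAttributeValues")
    return sorted(missing)
```

Run against the ACI from the thread, types_without_values() reports all three attributes; against the variant with 'allAttributeValues' it reports none.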
Re: Apache DS ACLs
Posted by Christian Felsing <pu...@felsing.net>.
bug report DIRSERVER-1895 created
Christian
On 03.09.13 17:10, Kiran Ayyagari wrote:
> this looks like a bug, I am able to reproduce this locally using the same
> version
> can you file a bug report here[1], am debugging this issue right now.
>
> thank you
Re: Apache DS ACLs
Posted by Kiran Ayyagari <ka...@apache.org>.
this looks like a bug, I am able to reproduce this locally using the same
version
can you file a bug report here[1], am debugging this issue right now.
thank you
[1] https://issues.apache.org/jira/browse/DIRSERVER
On Tue, Sep 3, 2013 at 7:58 PM, Christian Felsing <pu...@felsing.net> wrote:
> 2.0.0-M15 and Apache Directory Studio 2.0.0.v20130628
>
> Christian
>
> On 03.09.2013 16:13, Kiran Ayyagari wrote:
> > which version are you using?
>
>
--
Kiran Ayyagari
http://keydap.com
Re: Apache DS ACLs
Posted by Christian Felsing <pu...@felsing.net>.
2.0.0-M15 and Apache Directory Studio 2.0.0.v20130628
Christian
On 03.09.2013 16:13, Kiran Ayyagari wrote:
> which version are you using?
Re: Apache DS ACLs
Posted by Kiran Ayyagari <ka...@apache.org>.
which version are you using?
On Tue, Sep 3, 2013 at 7:20 PM, Christian Felsing <pu...@felsing.net> wrote:
> Hello,
>
> now I got DS partially running with ACLs, but the following ACL does not do
> what I expected:
>
> {
>   identificationTag "mtaAclElement",
>   precedence 0,
>   authenticationLevel simple,
>   itemOrUserFirst userFirst:
>   {
>     userClasses
>     {
>       name { "cn=mta,dc=ip6,dc=li" }
>     }
>     ,
>     userPermissions
>     {
>       {
>         protectedItems
>         {
>           entry,
>           attributeType
>           {
>             tsnetDomainName,
>             tsnetMailHost,
>             uid
>           }
>         }
>         ,
>         grantsAndDenials
>         {
>           grantBrowse,
>           grantRead,
>           grantReturnDN,
>           grantCompare
>         }
>       }
>     }
>   }
> }
>
> This ACL should allow DN cn=mta,dc=ip6,dc=li access to attributes
> uid
> tsnetDomainName
> tsnetMailHost
> and to list all DN entries. A test (temporarily allowing all
> attributes to be listed) proved that this ACL matches.
>
> but
> ldapsearch -H ldap://192.168.116.29:10389 -x -D "cn=mta,dc=ip6,dc=li" -w VerySecretPassword -b "dc=ip6,dc=li"
>
> lists DN entries only:
>
> # pug@felsing.net, freemail, ip6.li
> dn: uid=pug@felsing.net,ou=freemail,dc=ip6,dc=li
> ...
>
> Attributes listed on attributeType are not shown.
>
> Is attributeType the right discriminator?
>
> best regards
> Christian
>
--
Kiran Ayyagari
http://keydap.com