You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@directory.apache.org by "Alex Karasulu (JIRA)" <ji...@apache.org> on 2006/05/09 22:07:04 UTC
[jira] Created: (DIRSERVER-617) Add ACI for Administrators group if
not already present
Add ACI for Administrators group if not already present
-------------------------------------------------------
Key: DIRSERVER-617
URL: http://issues.apache.org/jira/browse/DIRSERVER-617
Project: Directory ApacheDS
Type: Task
Components: ldap
Versions: 1.0-RC1, 1.0-RC2, pre-1.0, 1.0-RC3
Reporter: Alex Karasulu
Fix For: 1.0-RC4
Add ACI to enable Administrators group to have admin user like access to configure the server via the ou=system partition. This will only work when using the AuthorizationService for the X.500 basic authorization scheme as opposed to the DefaultAuthorizationService .
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
http://www.atlassian.com/software/jira
[jira] Closed: (DIRSERVER-617) Add ACI for Administrators group if
not already present
Posted by "Alex Karasulu (JIRA)" <ji...@apache.org>.
[ http://issues.apache.org/jira/browse/DIRSERVER-617?page=all ]
Alex Karasulu closed DIRSERVER-617.
-----------------------------------
Fix Version/s: 1.0-RC4
(was: 1.0)
Resolution: Fixed
Fixed in 1.0 branch:
http://svn.apache.org/viewvc?view=rev&revision=439118
Fixed in 1.1 branch:
http://svn.apache.org/viewvc?view=rev&revision=439119
Things were done a little differently here. I did not add an ACI but rather hardwired the Administrators group so this works with both the default authz service and the one that uses ACI. Basically all access control checks are bypassed for anyone in this very special admin group.
> Add ACI for Administrators group if not already present
> -------------------------------------------------------
>
> Key: DIRSERVER-617
> URL: http://issues.apache.org/jira/browse/DIRSERVER-617
> Project: Directory ApacheDS
> Issue Type: Task
> Components: ldap
> Affects Versions: 1.0-RC1, 1.0-RC2, pre-1.0, 1.0-RC3
> Reporter: Alex Karasulu
> Assigned To: Alex Karasulu
> Fix For: 1.1.0, 1.0-RC4
>
>
> Add ACI to enable Administrators group to have admin user like access to configure the server via the ou=system partition. This will only work when using the AuthorizationService for the X.500 basic authorization scheme as opposed to the DefaultAuthorizationService .
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] Commented: (DIRSERVER-617) Add ACI for Administrators group
if not already present
Posted by "Ersin Er (JIRA)" <ji...@apache.org>.
[ http://issues.apache.org/jira/browse/DIRSERVER-617?page=comments#action_12429683 ]
Ersin Er commented on DIRSERVER-617:
------------------------------------
I think we should have Administrators group for each partition and also for the whole system.
To have administrators for each partition we can create a container, ou=Administrators, with each partition created and we can arrange ACI accordingly that group for that partition.
To have system wide administrators there are two choices:
1. We will add some ACI to each creaed partition for ou=Administrators,ou=system group.
2. We will implement mutable RootDSE or hierarchical partitions in other words.
> Add ACI for Administrators group if not already present
> -------------------------------------------------------
>
> Key: DIRSERVER-617
> URL: http://issues.apache.org/jira/browse/DIRSERVER-617
> Project: Directory ApacheDS
> Issue Type: Task
> Components: ldap
> Affects Versions: 1.0-RC1, 1.0-RC2, pre-1.0, 1.0-RC3
> Reporter: Alex Karasulu
> Fix For: 1.1.0, 1.0-RC4
>
>
> Add ACI to enable Administrators group to have admin user like access to configure the server via the ou=system partition. This will only work when using the AuthorizationService for the X.500 basic authorization scheme as opposed to the DefaultAuthorizationService .
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] Updated: (DIRSERVER-617) Add ACI for Administrators group if
not already present
Posted by "Ersin Er (JIRA)" <ji...@apache.org>.
[ http://issues.apache.org/jira/browse/DIRSERVER-617?page=all ]
Ersin Er updated DIRSERVER-617:
-------------------------------
Fix Version/s: 1.0
(was: 1.0-RC4)
> Add ACI for Administrators group if not already present
> -------------------------------------------------------
>
> Key: DIRSERVER-617
> URL: http://issues.apache.org/jira/browse/DIRSERVER-617
> Project: Directory ApacheDS
> Issue Type: Task
> Components: ldap
> Affects Versions: 1.0-RC1, 1.0-RC2, pre-1.0, 1.0-RC3
> Reporter: Alex Karasulu
> Assigned To: Alex Karasulu
> Fix For: 1.1.0, 1.0
>
>
> Add ACI to enable Administrators group to have admin user like access to configure the server via the ou=system partition. This will only work when using the AuthorizationService for the X.500 basic authorization scheme as opposed to the DefaultAuthorizationService .
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] Assigned: (DIRSERVER-617) Add ACI for Administrators group
if not already present
Posted by "Alex Karasulu (JIRA)" <ji...@apache.org>.
[ http://issues.apache.org/jira/browse/DIRSERVER-617?page=all ]
Alex Karasulu reassigned DIRSERVER-617:
---------------------------------------
Assignee: Alex Karasulu
> Add ACI for Administrators group if not already present
> -------------------------------------------------------
>
> Key: DIRSERVER-617
> URL: http://issues.apache.org/jira/browse/DIRSERVER-617
> Project: Directory ApacheDS
> Issue Type: Task
> Components: ldap
> Affects Versions: 1.0-RC1, 1.0-RC2, pre-1.0, 1.0-RC3
> Reporter: Alex Karasulu
> Assigned To: Alex Karasulu
> Fix For: 1.1.0, 1.0-RC4
>
>
> Add ACI to enable Administrators group to have admin user like access to configure the server via the ou=system partition. This will only work when using the AuthorizationService for the X.500 basic authorization scheme as opposed to the DefaultAuthorizationService .
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] Updated: (DIRSERVER-617) Add ACI for Administrators group if
not already present
Posted by "Alex Karasulu (JIRA)" <ji...@apache.org>.
[ http://issues.apache.org/jira/browse/DIRSERVER-617?page=all ]
Alex Karasulu updated DIRSERVER-617:
------------------------------------
Fix Version: 1.1.0
Making sure this is also available on the 1.1 branch.
We might also want to hardcode into the DefaultAuthorizationService a lookup to check this group specifically to see if the user is in it. If so then they should have superuser access (full access).
> Add ACI for Administrators group if not already present
> -------------------------------------------------------
>
> Key: DIRSERVER-617
> URL: http://issues.apache.org/jira/browse/DIRSERVER-617
> Project: Directory ApacheDS
> Type: Task
> Components: ldap
> Versions: 1.0-RC1, 1.0-RC2, pre-1.0, 1.0-RC3
> Reporter: Alex Karasulu
> Fix For: 1.0-RC4, 1.1.0
>
> Add ACI to enable Administrators group to have admin user like access to configure the server via the ou=system partition. This will only work when using the AuthorizationService for the X.500 basic authorization scheme as opposed to the DefaultAuthorizationService .
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
http://www.atlassian.com/software/jira
[jira] Commented: (DIRSERVER-617) Add ACI for Administrators group
if not already present
Posted by "Ersin Er (JIRA)" <ji...@apache.org>.
[ http://issues.apache.org/jira/browse/DIRSERVER-617?page=comments#action_12426076 ]
Ersin Er commented on DIRSERVER-617:
------------------------------------
Note that a DACD can span a naming context at most. So an access control subentry subordinate to ou=system naming context cannot control access to other naming contexts.
> Add ACI for Administrators group if not already present
> -------------------------------------------------------
>
> Key: DIRSERVER-617
> URL: http://issues.apache.org/jira/browse/DIRSERVER-617
> Project: Directory ApacheDS
> Issue Type: Task
> Components: ldap
> Affects Versions: 1.0-RC1, 1.0-RC2, pre-1.0, 1.0-RC3
> Reporter: Alex Karasulu
> Fix For: 1.1.0, 1.0-RC4
>
>
> Add ACI to enable Administrators group to have admin user like access to configure the server via the ou=system partition. This will only work when using the AuthorizationService for the X.500 basic authorization scheme as opposed to the DefaultAuthorizationService .
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira