Posted to users@directory.apache.org by Lamar Hansford <la...@yahoo.com.INVALID> on 2017/01/04 23:10:10 UTC

ACI Help

Hello,
I am having troubles with ACI.  In all cases the default admin account works.

I have created the following structure:

* dc=domain,dc=dc (default using ApacheDS Studio)
-- * ou=users
---- * uid=platform-admin (inetOrgPerson)
---- * uid=testUser (inetOrgPerson)

-- * ou=groups 

---- * ...etc

With ACL turned on....
Whenever I login using:
* uid=platform-admin,ou=users,dc=domain,dc=com

I cannot view the list of partitions.  If I add base DN: 
* dc=domain,dc=com 


I see nothing.  Not even the default partition.  Only Root DSE(6)
NOTE:  I can see/modify non-system partitions with ACL disabled.

I have added [ administrativeRole=accessControlSpecificArea ] to the base partition (dc=domain,dc=dc)
I have added the following subEntry:
* objectClass=accessControlSubentry
* objectClass=accessControlSubentry 
* top
prescriptiveACI=
  { 
    identificationTag "ACI", 
    precedence 0, 
    authenticationLevel simple, 
    itemOrUserFirst userFirst: 
    { 
      userClasses { allUsers }, 
      userPermissions 
    { 
      { 
        protectedItems { }, 
        grantsAndDenials 
      { 
        grantReturnDN, 
        grantRead, 
        grantDiscloseOnError, 
        grantRemove, 
        grantAdd, 
        grantInvoke, 
        grantCompare, 
        grantImport, 
        grantRename, 
        grantExport, 
        grantModify, 
        grantBrowse, 
        grantFilterMatch 
      }
    }
  }  
}

NOTE:
When I restart the server the accessControlSubentries seem to get added as an attribute to the DN:dc=domain,dc=dc.  I can no longer delete them.  As a result I now have multiple accumulated entries.  However, I created a new partition and see the same issue.

Summary of the Issue:
With ACL enabled I cannot get a regular user to see any partitions or DN, with or without administrativeRole enabled.

Any ideas?

Re: ACI Help

Posted by Emmanuel Lécharny <el...@gmail.com>.

On 06/01/2017 at 06:38, Lamar Hansford wrote:
> Ok,
>
> I understand mostly what is going on now.  protectedItems is an unfortunate name as this field actually indicates the viewable items. All items seem to be protected by default.

Blame X.500 for the naming convention :-)

OTOH, it's all about the way data are considered: at risk of being
exposed, so they need to be protected.
>
> It appears that the policy is restrictive 

Indeed.

> and you must explicitly indicate each attribute which is to be exposed (unless you indicate all). 

yes.

> This can be done by adding attributeType and allAttributeValues.
>
> example:
> protectedItems 
> { 
>     entry, 
>     attributeType { uid, publicKey }, 
>     allAttributeValues { uid, publicKey } 
> }

Using allUserAttributeTypesAndValues { uid, publicKey } should work, too.
>
>
> Also, two points of interest in ApacheDS Studio:
>
> Point 1:
> *  To view ACI subEntries you must select an entry, right-click, fetch->sub-entries.

> Point 2:
> There is a bug in the User Permission Editor where you cannot edit an ACI Attribute which contains an existing ProtectedItems->All Attribute values.  The source for this element becomes corrupted and must be re-entered.

Can you file a JIRA for this bug?

Many thanks for your patience. This is not exactly the area where
ApacheDS is good, nor documented... That needs to be improved, and
explained!

-- 
Emmanuel Lecharny

Symas.com
directory.apache.org


Re: ACI Help

Posted by Lamar Hansford <la...@yahoo.com.INVALID>.
Ok,

I understand mostly what is going on now.  protectedItems is an unfortunate name as this field actually indicates the viewable items. All items seem to be protected by default.

It appears that the policy is restrictive and you must explicitly indicate each attribute which is to be exposed (unless you indicate all).  This can be done by adding attributeType and allAttributeValues.

example:
protectedItems 
{ 
    entry, 
    attributeType { uid, publicKey }, 
    allAttributeValues { uid, publicKey } 
}


Also, two points of interest in ApacheDS Studio:

Point 1:
*  To view ACI subEntries you must select an entry, right-click, fetch->sub-entries.
Point 2:
There is a bug in the User Permission Editor where you cannot edit an ACI Attribute which contains an existing ProtectedItems->All Attribute values.  The source for this element becomes corrupted and must be re-entered.

Thanks for the help!
-Lamar



----- Original Message -----
From: Emmanuel Lécharny <el...@gmail.com>
To: users@directory.apache.org
Sent: Thursday, January 5, 2017 7:01 PM
Subject: Re: ACI Help


Re: ACI Help

Posted by Emmanuel Lécharny <el...@gmail.com>.
Hi !


comments inline...


On 05/01/2017 at 00:10, Lamar Hansford wrote:
> Hello,
> I am having troubles with ACI.  In all cases the default admin account works.
This is intended.

>
> I have created the following structure:
>
> * dc=domain,dc=dc (default using ApacheDS Studio)
> -- * ou=users
> ---- * uid=platform-admin (inetOrgPerson)
> ---- * uid=testUser (inetOrgPerson)
>
> -- * ou=groups 
>
> ---- * ...etc
>
> With ACL turned on....
> Whenever I login using:
> * uid=platform-admin,ou=users,dc=domain,dc=com
>
> I cannot view the list of partitions.  If I add base DN: 
> * dc=domain,dc=com 
>
>
> I see nothing.  Not even the default partition.  Only Root DSE(6)
> NOTE:  I can see/modify non-system partitions with ACL disabled.

Yes, this is also expected (kind of... considering the complexity of the
ACI system, it's kind of magic ;-)

You need to grant some access to your elements if you want to be able to
access them.

>
> I have added [ administrativeRole=accessControlSpecificArea ] to the base partition (dc=domain,dc=dc)
> I have added the following subEntry:
> * objectClass=accessControlSubentry
> * objectClass=accessControlSubentry 
> * top
> prescriptiveACI=
>   { 
>     identificationTag "ACI", 
>     precedence 0, 
>     authenticationLevel simple, 
>     itemOrUserFirst userFirst: 
>     { 
>       userClasses { allUsers }, 
>       userPermissions 
>     { 
>       { 
>         protectedItems { }, 

You probably want to set Entry and allUserAttributeTypesAndValues in the
protectedItems set:

    protectedItems { entry, allUserAttributeTypesAndValues }
>         grantsAndDenials 
>       { 
>         grantReturnDN, 
>         grantRead, 
>         grantDiscloseOnError, 
>         grantRemove, 
>         grantAdd, 
>         grantInvoke, 
>         grantCompare, 
>         grantImport, 
>         grantRename, 
>         grantExport, 
>         grantModify, 
>         grantBrowse, 
>         grantFilterMatch 
>       }
>     }
>   }  
> }

Can you give it a try?

>
> NOTE:
> When I restart the server the accessControlSubentries seem to get added as an attribute to the DN:dc=domain,dc=dc. 

Actually, you should have a subentry under dc=domain,dc=dc:

    dn: cn=mySubentry,dc=domain,dc=dc
    objectClass: top
    objectClass: subentry
    objectClass: accessControlSubentry
    subtreeSpecification: <blah>
    prescriptiveACI: <blah>

Is that what you have?

-- 
Emmanuel Lecharny

Symas.com
directory.apache.org
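The following LDIF is an added example, not something posted in this thread or shipped with ApacheDS. It puts together the two pieces discussed above: the subentry shape Emmanuel describes (top, subentry, accessControlSubentry, a subtreeSpecification and a prescriptiveACI) and the protectedItems fix (entry plus allUserAttributeTypesAndValues). It goes one step beyond the thread by splitting the single "grant everything to allUsers" ACI into a read-only ACI for any simply-authenticated user and a full-rights ACI for the named platform-admin only. It assumes the partition suffix is dc=domain,dc=com (the suffix used in the bind DN above) and the subentry name cn=mySubentry.

```ldif
# Added example (constructed, not from the thread). Assumes the partition
# suffix dc=domain,dc=com and the subentry name cn=mySubentry.

# 1. Mark the partition root as an access control specific area.
dn: dc=domain,dc=com
changetype: modify
add: administrativeRole
administrativeRole: accessControlSpecificArea

# 2. Create the subentry under the root with all three object classes.
#    subtreeSpecification { } selects every entry below dc=domain,dc=com.
#    Each prescriptiveACI is one LDIF value folded over several lines;
#    LDIF drops one leading space per continuation line, so two spaces
#    are written to keep one space in the joined value.
dn: cn=mySubentry,dc=domain,dc=com
changetype: add
objectClass: top
objectClass: subentry
objectClass: accessControlSubentry
cn: mySubentry
subtreeSpecification: { }
prescriptiveACI: { identificationTag "readAll", precedence 10,
  authenticationLevel simple, itemOrUserFirst userFirst: {
  userClasses { allUsers },
  userPermissions { {
  protectedItems { entry, allUserAttributeTypesAndValues },
  grantsAndDenials { grantRead, grantReturnDN, grantBrowse,
  grantCompare, grantFilterMatch, grantDiscloseOnError } } } } }
prescriptiveACI: { identificationTag "platformAdmin", precedence 20,
  authenticationLevel simple, itemOrUserFirst userFirst: {
  userClasses { name { "uid=platform-admin,ou=users,dc=domain,dc=com" } },
  userPermissions { {
  protectedItems { entry, allUserAttributeTypesAndValues },
  grantsAndDenials { grantRead, grantReturnDN, grantBrowse,
  grantCompare, grantFilterMatch, grantDiscloseOnError, grantAdd,
  grantRemove, grantModify, grantRename, grantImport, grantExport,
  grantInvoke } } } } }
```

After importing, bind as uid=testUser to confirm the subtree is readable but not writable, and as uid=platform-admin to confirm writes succeed; the default admin account bypasses ACI and is not a useful check.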