Posted to dev@directory.apache.org by "Kiran Ayyagari (JIRA)" <ji...@apache.org> on 2013/09/14 12:16:52 UTC
[jira] [Commented] (DIRSERVER-1895) ACLs have no effect
[ https://issues.apache.org/jira/browse/DIRSERVER-1895?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13767435#comment-13767435 ]
Kiran Ayyagari commented on DIRSERVER-1895:
-------------------------------------------
This is due to a missing protected item -
allAttributeValues
{
tsnetDomainName,
tsnetMailHost,
uid
}
and make sure you have added this ACI in a subentry, e.g.:
dn: cn=mtaAclElement,dc=example,dc=com
changetype: add
objectClass: subentry
objectClass: top
objectClass: accessControlSubentry
prescriptiveACI: { identificationTag "mtaAclElement", precedence 0,
  authenticationLevel simple, itemOrUserFirst userFirst: { userClasses
  { name { "cn=mta,dc=example,dc=com" } }, userPermissions { { protectedItems
  { entry, allAttributeValues { cn, ou }, attributeType { cn, ou } },
  grantsAndDenials { grantBrowse, grantReturnDN, grantCompare, grantRead } } } } }
subtreeSpecification: { }
cn: mtaAclElement
> ACLs have no effect
> -------------------
>
> Key: DIRSERVER-1895
> URL: https://issues.apache.org/jira/browse/DIRSERVER-1895
> Project: Directory ApacheDS
> Issue Type: Bug
> Components: ldap
> Affects Versions: 2.0.0-M15
> Environment: FreeBSD 9.1-RELEASE-p6
> Reporter: Christian Felsing
> Labels: acl
>
> The following ACL does not do what I expected:
> {
> identificationTag "mtaAclElement",
> precedence 0,
> authenticationLevel simple,
> itemOrUserFirst userFirst:
> {
> userClasses
> {
> name { "cn=mta,dc=ip6,dc=li" }
> }
> ,
> userPermissions
> {
> {
> protectedItems
> {
> entry,
> attributeType
> {
> tsnetDomainName,
> tsnetMailHost,
> uid
> }
> }
> ,
> grantsAndDenials
> {
> grantBrowse,
> grantRead,
> grantReturnDN,
> grantCompare
> }
> }
> }
> }
> }
> This ACL should allow DN cn=mta,dc=ip6,dc=li access to attributes
> uid
> tsnetDomainName
> tsnetMailHost
> and to list all DN entries. A test (temporarily allowing all attributes
> to be listed) proved that this ACL matches.
> but
> ldapsearch -H ldap://192.168.116.29:10389 -x -D "cn=mta,dc=ip6,dc=li" -w
> VerySecretPassword -b "dc=ip6,dc=li"
> lists DN entries only:
> # pug@felsing.net, freemail, ip6.li
> dn: uid=pug@felsing.net,ou=freemail,dc=ip6,dc=li
> ...
> Attributes listed on attributeType are not shown.
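The mistake Kiran points at (attribute types granted under attributeType while their values are never granted under allAttributeValues) can be caught before a subentry is loaded. What follows is an added example, not ApacheDS code: a small checker that unfolds an LDIF-wrapped prescriptiveACI, extracts the protectedItems clause with balanced-brace parsing, reports the attribute types whose values are not granted (the ones that silently vanish from search results, as in the report), and emits the ACI with a matching allAttributeValues item added. The embedded ACI string is constructed from the one in the report; the clause names follow the X.501 ACI syntax shown on this page, and the checker assumes at most one allAttributeValues item per protectedItems.

```python
"""Lint an X.501-style prescriptiveACI, as used by ApacheDS, for the mistake
behind DIRSERVER-1895: attribute types listed under the protectedItems item
'attributeType' but not under 'allAttributeValues'.  Added example, not
ApacheDS code; the ACI below is constructed from the one in the report."""
import re


def unfold(text):
    """Undo LDIF line folding (RFC 2849: a continuation line starts with one
    space, which is dropped on joining), then collapse remaining whitespace."""
    lines = []
    for line in text.splitlines():
        if line.startswith(" ") and lines:
            lines[-1] += line[1:]
        else:
            lines.append(line)
    return " ".join(" ".join(lines).split())


def _clause(text, keyword):
    """Locate 'keyword { ... }' with balanced braces.
    Returns (start, end, inner) or None when the keyword is absent."""
    m = re.search(r"\b" + re.escape(keyword) + r"\s*\{", text)
    if m is None:
        return None
    depth, open_at = 0, m.end() - 1
    for i in range(open_at, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return m.start(), i + 1, text[open_at + 1:i]
    raise ValueError("unbalanced braces in %s clause" % keyword)


def _names(clause):
    """Attribute type names listed inside a clause, as a set."""
    if clause is None:
        return set()
    return {t.strip() for t in clause[2].split(",") if t.strip()}


def values_not_granted(aci):
    """Attribute types whose type is granted but whose values are not.
    A search only returns an attribute when its values are covered by
    allAttributeValues (or allUserAttributeTypesAndValues), so these are the
    attributes that silently disappear from results, as in the report."""
    pi = _clause(unfold(aci), "protectedItems")
    if pi is None:
        raise ValueError("ACI has no protectedItems clause")
    inner = pi[2]
    if "allUserAttributeTypesAndValues" in inner:
        return set()
    return _names(_clause(inner, "attributeType")) - _names(_clause(inner, "allAttributeValues"))


def with_all_attribute_values(aci):
    """Return the ACI with allAttributeValues covering every attributeType entry.
    Assumes at most one allAttributeValues item per protectedItems (it is a SET)."""
    aci = unfold(aci)
    missing = values_not_granted(aci)
    if not missing:
        return aci
    pi_start, pi_end, _ = _clause(aci, "protectedItems")
    region = aci[pi_start:pi_end]
    existing = _clause(region, "allAttributeValues")
    if existing is not None:
        # extend the item that is already there rather than adding a second one
        names = ", ".join(sorted(_names(existing) | missing))
        region = region[:existing[0]] + "allAttributeValues { %s }" % names + region[existing[1]:]
    else:
        # insert a new item right after the attributeType item
        at = _clause(region, "attributeType")
        item = ", allAttributeValues { %s }" % ", ".join(sorted(missing))
        region = region[:at[1]] + item + region[at[1]:]
    return aci[:pi_start] + region + aci[pi_end:]


# Constructed from the ACI in the report (reporter's DN and attribute names).
REPORTED_ACI = """{ identificationTag "mtaAclElement", precedence 0,
  authenticationLevel simple, itemOrUserFirst userFirst: {
  userClasses { name { "cn=mta,dc=ip6,dc=li" } },
  userPermissions { { protectedItems { entry,
  attributeType { tsnetDomainName, tsnetMailHost, uid } },
  grantsAndDenials { grantBrowse, grantRead, grantReturnDN, grantCompare } } } } }"""

if __name__ == "__main__":
    print("values not granted:", sorted(values_not_granted(REPORTED_ACI)))
    print(with_all_attribute_values(REPORTED_ACI))
```

Run against the reporter's ACI it lists all three attributes as granted-by-type only, which matches the symptom (DNs returned, attributes absent); the emitted ACI carries the allAttributeValues item Kiran asks for and can be pasted into the prescriptiveACI value of the subentry. It does not check that the ACI actually lives in an accessControlSubentry, which is the second half of the fix.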