Posted to dev@directory.apache.org by "Kiran Ayyagari (JIRA)" <ji...@apache.org> on 2013/09/14 12:16:52 UTC

[jira] [Commented] (DIRSERVER-1895) ACLs have no effect

    [ https://issues.apache.org/jira/browse/DIRSERVER-1895?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13767435#comment-13767435 ] 

Kiran Ayyagari commented on DIRSERVER-1895:
-------------------------------------------

This is due to a missing protected item -

     allAttributeValues 
     {
        tsnetDomainName,
        tsnetMailHost,
        uid
     }

and make sure you have added this ACI in a subentry, e.g.

dn: cn=mtaAclElement,dc=example,dc=com
changetype: add
objectClass: subentry
objectClass: top
objectClass: accessControlSubentry
prescriptiveACI: { identificationTag "mtaAclElement", precedence 0, authentica
 tionLevel simple, itemOrUserFirst userFirst: { userClasses { name { "cn=mta,d
 c=example,dc=com" } }, userPermissions { { protectedItems { entry, allAttribu
 teValues { cn, ou }, attributeType { cn, ou } }, grantsAndDenials { grantBrow
 se, grantReturnDN, grantCompare, grantRead } } } } }
subtreeSpecification: { }
cn: mtaAclElement


                
> ACLs have no effect
> -------------------
>
>                 Key: DIRSERVER-1895
>                 URL: https://issues.apache.org/jira/browse/DIRSERVER-1895
>             Project: Directory ApacheDS
>          Issue Type: Bug
>          Components: ldap
>    Affects Versions: 2.0.0-M15
>         Environment: FreeBSD 9.1-RELEASE-p6
>            Reporter: Christian Felsing
>              Labels: acl
>
> The following ACL does not do what I expected:
> {
>     identificationTag "mtaAclElement",
>     precedence 0,
>     authenticationLevel simple,
>     itemOrUserFirst userFirst:
>     {
>         userClasses
>         {
>             name { "cn=mta,dc=ip6,dc=li" }
>         }
>         ,
>         userPermissions
>         {
>             {
>                 protectedItems
>                 {
>                     entry,
>                     attributeType
>                     {
>                         tsnetDomainName,
>                         tsnetMailHost,
>                         uid
>                     }
>                 }
>                 ,
>                 grantsAndDenials
>                 {
>                     grantBrowse,
>                     grantRead,
>                     grantReturnDN,
>                     grantCompare
>                 }
>             }
>         }
>     }
> }
> This ACL should allow DN cn=mta,dc=ip6,dc=li access to attributes
> uid
> tsnetDomainName
> tsnetMailHost
> and to list all DN entries. A test (temporarily allowing it to list all
> attributes) proved that this ACL matches,
> but
> ldapsearch -H ldap://192.168.116.29:10389 -x -D "cn=mta,dc=ip6,dc=li" -w
> VerySecretPassword -b "dc=ip6,dc=li"
> lists DN entries only:
> # pug@felsing.net, freemail, ip6.li
> dn: uid=pug@felsing.net,ou=freemail,dc=ip6,dc=li
> ...
> Attributes listed under attributeType are not shown.

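The complete LDIF for the reporter's own tree, as an added example written for this page (it is not Kiran's text and not ApacheDS project documentation). It assumes ApacheDS 2.0.0-M15 with access control switched on (it is off by default; the switch is the ads-accessControlEnabled attribute under ou=config), that dc=ip6,dc=li is the entry that should become the access control administrative point, and that the bind used to load it is the default administrator uid=admin,ou=system. The subentry name cn=mtaAclElement and precedence 0 are carried over from the comment above; grantFilterMatch is added on the assumption that the MTA will also search with filters on these attributes, and the file name mta-aci.ldif is invented for the usage note.

```ldif
# Added example, not from the ticket. Assumptions: dc=ip6,dc=li becomes the
# access control specific administrative point; the subentry name
# cn=mtaAclElement is taken from the comment above; ApacheDS access control
# is already enabled (ads-accessControlEnabled: TRUE under ou=config).

# 1. Make the base of the subtree an administrative point for access control.
#    An accessControlSubentry has no effect unless its parent carries this role.
dn: dc=ip6,dc=li
changetype: modify
add: administrativeRole
administrativeRole: accessControlSpecificArea
-

# 2. Add the prescriptive ACI in an accessControlSubentry directly under it.
#    attributeType alone only protects the attribute types; the attribute
#    VALUES are a separate protected item (allAttributeValues), so both must be
#    granted before ldapsearch will return uid, tsnetDomainName, tsnetMailHost.
#    Continuation lines start with two spaces: LDIF strips the first one when
#    it unfolds the value, the second keeps the ACI tokens separated.
dn: cn=mtaAclElement,dc=ip6,dc=li
changetype: add
objectClass: top
objectClass: subentry
objectClass: accessControlSubentry
cn: mtaAclElement
subtreeSpecification: { }
prescriptiveACI: { identificationTag "mtaAclElement", precedence 0,
  authenticationLevel simple,
  itemOrUserFirst userFirst: {
  userClasses { name { "cn=mta,dc=ip6,dc=li" } },
  userPermissions { {
  protectedItems {
  entry,
  attributeType { uid, tsnetDomainName, tsnetMailHost },
  allAttributeValues { uid, tsnetDomainName, tsnetMailHost } },
  grantsAndDenials { grantBrowse, grantReturnDN, grantCompare, grantRead,
  grantFilterMatch } } } } }
```

Load it with `ldapmodify -H ldap://192.168.116.29:10389 -x -D uid=admin,ou=system -W -f mta-aci.ldif`, then rerun the reporter's ldapsearch as cn=mta,dc=ip6,dc=li: the entries should now come back with uid, tsnetDomainName and tsnetMailHost, and nothing else. Two checks worth making if they do not: that the modify in step 1 succeeded (without the administrative role the subentry's ACI is not applied to the subtree), and that the search binds with a simple bind, since authenticationLevel simple does not match an anonymous session.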