Posted to users@directory.apache.org by Eugene Prokopiev <en...@itx.ru> on 2012/11/22 14:09:38 UTC
How to disable anonymous access for embedded ApacheDS
Hi,
Is it possible to disable anonymous access for embedded ApacheDS? I tried
to do this:
import org.apache.directory.server.core.DefaultDirectoryService;
import org.apache.directory.server.core.DirectoryService;
import org.apache.directory.server.ldap.LdapServer;
import org.apache.directory.server.protocol.shared.transport.TcpTransport;

public class Application {
    public static void main(String[] args) throws Exception {
        // Start the core directory service with its default settings
        DirectoryService directory = new DefaultDirectoryService();
        directory.startup();
        // LDAP front end on TCP port 10389 with anonymous access switched off
        LdapServer ldap = new LdapServer();
        ldap.setDirectoryService(directory);
        ldap.setAllowAnonymousAccess(false);
        ldap.setTransports(new TcpTransport(10389));
        ldap.start();
    }
}
But result was:
$ ldapsearch -h localhost -p 10389 -x -b "ou=system"
# extended LDIF
#
# LDAPv3
# base <ou=system> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# system
dn: ou=system
objectClass: organizationalUnit
objectClass: extensibleObject
objectClass: top
ou: system
...
I used version 1.5.5, because 2.0 is not released now and 1.5.7 requires
more verbose code. Is it possible to disable anonymous access with 1.5.7 or
2.0?
--
Regards,
Eugene Prokopiev
Re: How to disable anonymous access for embedded ApacheDS
Posted by Kiran Ayyagari <ka...@apache.org>.
Looks like the lack of a precedence value in the user permissions is causing this.
Try this (note that the only addition is 'precedence 1,'):
{
  identificationTag "enableSearchForAllUsers",
  precedence 11,
  authenticationLevel simple,
  itemOrUserFirst userFirst:
  {
    userClasses { allUsers },
    userPermissions
    {
      {
        precedence 1,
        protectedItems { entry, allUserAttributeTypesAndValues },
        grantsAndDenials
        {
          grantRead,
          grantBrowse,
          grantReturnDN
        }
      }
    }
  }
}
On Fri, Nov 23, 2012 at 1:04 PM, Eugene Prokopiev <en...@itx.ru> wrote:
> I tried to allow search for all users as described in
> http://directory.apache.org/apacheds/1.5/enablesearchforallusers.html:
>
> $ ldapadd -h localhost -p 10389 -D "uid=admin,ou=system" -W -f aci.ldif
> Enter LDAP Password:
> adding new entry "cn=enableSearchForAllUsers,dc=home"
> ldap_add: Invalid syntax (21)
> additional info: INVALID_ATTRIBUTE_SYNTAX: failed for Add
> Request :
> ClientEntry
> dn: cn=enableSearchForAllUsers,dc=home
> objectClass: top
> objectClass: subentry
> objectClass: accessControlSubentry
> cn: enableSearchForAllUsers
> prescriptiveACI: { identificationTag \"enableSearchForAllUsers\",
> precedence 14, authenticationLevel simple, itemOrUserFirst userFirst: {
> userClasses { allUsers }, userPermissions { { protectedItems {entry,
> allUserAttributeTypesAndValues}, grantsAndDenials { grantRead,
> grantReturnDN, grantBrowse } } } } }
> subtreeSpecification: {}
> : Attribute value '{ identificationTag \"enableSearchForAllUsers\",
> precedence 14, authenticationLevel simple, itemOrUserFirst userFirst: {
> userClasses { allUsers }, userPermissions { { protectedItems {entry,
> allUserAttributeTypesAndValues}, grantsAndDenials { grantRead,
> grantReturnDN, grantBrowse } } } } }' for attribute 'prescriptiveACI' is
> syntactically incorrect
>
> What is wrong?
>
> --
> Regards,
> Eugene Prokopiev
>
--
Kiran Ayyagari
http://keydap.com
Re: How to disable anonymous access for embedded ApacheDS
Posted by Eugene Prokopiev <en...@itx.ru>.
2012/11/23 Kiran Ayyagari <ka...@apache.org>
> the branch to which you want to add the prescriptiveACI
> add the attribute administrativeRole with the value
> accessControlSpecificArea
>
Thanks!
How do I write an ACI that allows a user to read only their own userPassword field?
--
Regards,
Eugene Prokopiev
Re: How to disable anonymous access for embedded ApacheDS
Posted by Kiran Ayyagari <ka...@apache.org>.
To the branch to which you want to add the prescriptiveACI,
add the attribute administrativeRole with the value
accessControlSpecificArea.
On Fri, Nov 23, 2012 at 1:20 PM, Eugene Prokopiev <en...@itx.ru> wrote:
> The problem is \"enableSearchForAllUsers\" substring, backslashes are not
> needed.
>
> Now I have another problem:
>
> $ ldapadd -h localhost -p 10389 -D "uid=admin,ou=system" -W -f aci.ldif
> Enter LDAP Password:
> adding new entry "cn=enableSearchForAllUsers,dc=home"
> ldap_add: No such attribute (16)
> additional info: NO_SUCH_ATTRIBUTE: failed for Add Request :
> ClientEntry
> dn: cn=enableSearchForAllUsers,dc=home
> objectClass: top
> objectClass: subentry
> objectClass: accessControlSubentry
> cn: enableSearchForAllUsers
> prescriptiveACI: { identificationTag "enableSearchForAllUsers",
> precedence 14, authenticationLevel simple, itemOrUserFirst userFirst: {
> userClasses { allUsers }, userPermissions { { protectedItems {entry,
> allUserAttributeTypesAndValues}, grantsAndDenials { grantRead,
> grantReturnDN, grantBrowse } } } } }
> administrativeRole: accessControlSpecificArea
> subtreeSpecification: {}
> : Administration point 0.9.2342.19200300.100.1.25=home does not contain an
> administrativeRole attribute! An administrativeRole attribute in the
> administrative point is required to add a subordinate subentry.
>
> Which entry must contain administrativeRole attribute? Which objectClass
> defines this attribute?
>
> --
> Regards,
> Eugene Prokopiev
>
--
Kiran Ayyagari
http://keydap.com
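Putting Kiran's two answers together (the administrativeRole on the administrative point, and the prescriptiveACI with the inner 'precedence 1,'), here is an added example of provisioning them in the order the server requires. It is not code from the thread or from the ApacheDS project; it uses plain JNDI from the JDK and assumes the server from the original post is listening on localhost:10389, that the partition dc=home exists, and that uid=admin,ou=system still has the ApacheDS default password "secret". The last step, replacing that default password, is my addition in answer to Eugene's first follow-up question.

```java
import java.util.Hashtable;

import javax.naming.Context;
import javax.naming.NameAlreadyBoundException;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.AttributeInUseException;
import javax.naming.directory.Attributes;
import javax.naming.directory.BasicAttribute;
import javax.naming.directory.BasicAttributes;
import javax.naming.directory.DirContext;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;

/**
 * Added example (not from the thread): provisions the access-control subentry
 * discussed above. Assumptions: server on localhost:10389, partition dc=home,
 * admin account uid=admin,ou=system with the default password "secret".
 */
public class ConfigureAci {

    // Kiran's ACI as one line; the inner 'precedence 1,' is the fix he pointed out.
    static final String ENABLE_SEARCH_FOR_ALL_USERS_ACI =
        "{ identificationTag \"enableSearchForAllUsers\", precedence 11,"
      + " authenticationLevel simple, itemOrUserFirst userFirst: {"
      + " userClasses { allUsers }, userPermissions { { precedence 1,"
      + " protectedItems { entry, allUserAttributeTypesAndValues },"
      + " grantsAndDenials { grantRead, grantBrowse, grantReturnDN } } } } }";

    static LdapContext bind(String url, String dn, String password) throws NamingException {
        Hashtable<String, String> env = new Hashtable<String, String>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, dn);
        env.put(Context.SECURITY_CREDENTIALS, password);
        return new InitialLdapContext(env, null);
    }

    /** Step 1: the subentry's parent must be an access-control administrative point. */
    static void markAccessControlArea(DirContext ctx, String apDn) throws NamingException {
        Attributes add = new BasicAttributes(true);
        add.put("administrativeRole", "accessControlSpecificArea");
        try {
            ctx.modifyAttributes(apDn, DirContext.ADD_ATTRIBUTE, add);
        } catch (AttributeInUseException alreadyThere) {
            // Re-running the script is harmless: the role was set on an earlier run.
        }
    }

    /** Step 2: add the accessControlSubentry that carries the prescriptiveACI. */
    static void addSearchAci(DirContext ctx, String apDn) throws NamingException {
        Attribute objectClass = new BasicAttribute("objectClass");
        objectClass.add("top");
        objectClass.add("subentry");
        objectClass.add("accessControlSubentry");

        Attributes entry = new BasicAttributes(true);
        entry.put(objectClass);
        entry.put("cn", "enableSearchForAllUsers");
        entry.put("subtreeSpecification", "{}");   // "{}" = the whole subtree under the AP
        entry.put("prescriptiveACI", ENABLE_SEARCH_FOR_ALL_USERS_ACI);

        try {
            ctx.createSubcontext("cn=enableSearchForAllUsers," + apDn, entry).close();
        } catch (NameAlreadyBoundException alreadyThere) {
            // Subentry exists from an earlier run; nothing to do.
        }
    }

    /** Step 3 (assumption, not from the thread): replace the default admin password. */
    static void setAdminPassword(DirContext ctx, String newPassword) throws NamingException {
        Attributes replace = new BasicAttributes(true);
        replace.put("userPassword", newPassword);
        ctx.modifyAttributes("uid=admin,ou=system", DirContext.REPLACE_ATTRIBUTE, replace);
    }

    public static void main(String[] args) throws NamingException {
        LdapContext ctx = bind("ldap://localhost:10389", "uid=admin,ou=system", "secret");
        try {
            markAccessControlArea(ctx, "dc=home");
            addSearchAci(ctx, "dc=home");
            setAdminPassword(ctx, args.length > 0 ? args[0] : "change-me-now");
        } finally {
            ctx.close();
        }
    }
}
```

Two things to keep in mind when running this: the ACI has authenticationLevel simple, so it only grants read to users who performed a simple bind, which is what you want once anonymous access is off; and port 10389 in the original post is a plaintext transport, so the admin bind and the new password travel unencrypted unless you run this on the same host as the server or over a TLS-protected connection.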
Re: How to disable anonymous access for embedded ApacheDS
Posted by Eugene Prokopiev <en...@itx.ru>.
The problem is \"enableSearchForAllUsers\" substring, backslashes are not
needed.
Now I have another problem:
$ ldapadd -h localhost -p 10389 -D "uid=admin,ou=system" -W -f aci.ldif
Enter LDAP Password:
adding new entry "cn=enableSearchForAllUsers,dc=home"
ldap_add: No such attribute (16)
additional info: NO_SUCH_ATTRIBUTE: failed for Add Request :
ClientEntry
dn: cn=enableSearchForAllUsers,dc=home
objectClass: top
objectClass: subentry
objectClass: accessControlSubentry
cn: enableSearchForAllUsers
prescriptiveACI: { identificationTag "enableSearchForAllUsers",
precedence 14, authenticationLevel simple, itemOrUserFirst userFirst: {
userClasses { allUsers }, userPermissions { { protectedItems {entry,
allUserAttributeTypesAndValues}, grantsAndDenials { grantRead,
grantReturnDN, grantBrowse } } } } }
administrativeRole: accessControlSpecificArea
subtreeSpecification: {}
: Administration point 0.9.2342.19200300.100.1.25=home does not contain an
administrativeRole attribute! An administrativeRole attribute in the
administrative point is required to add a subordinate subentry.
Which entry must contain administrativeRole attribute? Which objectClass
defines this attribute?
--
Regards,
Eugene Prokopiev
Re: How to disable anonymous access for embedded ApacheDS
Posted by Eugene Prokopiev <en...@itx.ru>.
I tried to allow search for all users as described in
http://directory.apache.org/apacheds/1.5/enablesearchforallusers.html:
$ ldapadd -h localhost -p 10389 -D "uid=admin,ou=system" -W -f aci.ldif
Enter LDAP Password:
adding new entry "cn=enableSearchForAllUsers,dc=home"
ldap_add: Invalid syntax (21)
additional info: INVALID_ATTRIBUTE_SYNTAX: failed for Add
Request :
ClientEntry
dn: cn=enableSearchForAllUsers,dc=home
objectClass: top
objectClass: subentry
objectClass: accessControlSubentry
cn: enableSearchForAllUsers
prescriptiveACI: { identificationTag \"enableSearchForAllUsers\",
precedence 14, authenticationLevel simple, itemOrUserFirst userFirst: {
userClasses { allUsers }, userPermissions { { protectedItems {entry,
allUserAttributeTypesAndValues}, grantsAndDenials { grantRead,
grantReturnDN, grantBrowse } } } } }
subtreeSpecification: {}
: Attribute value '{ identificationTag \"enableSearchForAllUsers\",
precedence 14, authenticationLevel simple, itemOrUserFirst userFirst: {
userClasses { allUsers }, userPermissions { { protectedItems {entry,
allUserAttributeTypesAndValues}, grantsAndDenials { grantRead,
grantReturnDN, grantBrowse } } } } }' for attribute 'prescriptiveACI' is
syntactically incorrect
What is wrong?
--
Regards,
Eugene Prokopiev
Re: How to disable anonymous access for embedded ApacheDS
Posted by Eugene Prokopiev <en...@itx.ru>.
2012/11/22 Kiran Ayyagari <ka...@apache.org>
> try after calling
>
> directory.setAccessControlEnabled(true);
>
Thanks, it helps.
Now I have new tasks:
1) how to change default admin password?
2) how to define ACLs which look like:
access to attrs=userPassword
by self write
by anonymous auth
by * none
access to *
by * read
in OpenLDAP?
--
Regards,
Eugene Prokopiev
Re: How to disable anonymous access for embedded ApacheDS
Posted by Kiran Ayyagari <ka...@apache.org>.
try after calling
directory.setAccessControlEnabled(true);
On Thu, Nov 22, 2012 at 6:39 PM, Eugene Prokopiev <en...@itx.ru> wrote:
> Hi,
>
> Is it possible to disable anonymous access for embedded ApacheDS? I tried
> to do this:
>
> public class Application {
> public static void main(String[] args) throws Exception {
> DirectoryService directory = new DefaultDirectoryService();
> directory.startup();
> LdapServer ldap = new LdapServer();
> ldap.setDirectoryService(directory);
> ldap.setAllowAnonymousAccess(false);
> ldap.setTransports(new TcpTransport(10389));
> ldap.start();
> }
> }
>
> But result was:
>
> $ ldapsearch -h localhost -p 10389 -x -b "ou=system"
> # extended LDIF
> #
> # LDAPv3
> # base <ou=system> with scope subtree
> # filter: (objectclass=*)
> # requesting: ALL
> #
>
> # system
> dn: ou=system
> objectClass: organizationalUnit
> objectClass: extensibleObject
> objectClass: top
> ou: system
>
> ...
>
> I used version 1.5.5, because 2.0 is not released now and 1.5.7 requires
> more verbose code. Is it possible to disable anonymous access with 1.5.7 or
> 2.0?
>
> --
> Regards,
> Eugene Prokopiev
>
--
Kiran Ayyagari
http://keydap.com
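For completeness, here is the startup from the original post with Kiran's one-line change applied, as an added example that is not code from the thread or from the ApacheDS project. The import package names are assumed to match the ApacheDS 1.5.5 artifacts Eugene was building against, and the working directory is an assumption as well (the original post relied on the default).

```java
import java.io.File;

import org.apache.directory.server.core.DefaultDirectoryService;
import org.apache.directory.server.core.DirectoryService;
import org.apache.directory.server.ldap.LdapServer;
import org.apache.directory.server.protocol.shared.transport.TcpTransport;

/**
 * Added example (not from the thread): the original embedded startup with
 * directory.setAccessControlEnabled(true) called before startup(), which is the
 * change Kiran suggested. Package names assume ApacheDS 1.5.5 as in the original post.
 */
public class Application {
    public static void main(String[] args) throws Exception {
        final DirectoryService directory = new DefaultDirectoryService();

        // Assumption: a scratch directory for the partitions; the original used the default.
        directory.setWorkingDirectory(new File("target/apacheds-work"));

        // The ACI subsystem is off by default. Without this call the anonymous
        // ldapsearch in the original post still read ou=system even though the
        // LdapServer flag below was set; with it, every read is subject to the
        // access-control rules, which admit only uid=admin,ou=system until a
        // prescriptiveACI grants other users access.
        directory.setAccessControlEnabled(true);
        directory.startup();

        final LdapServer ldap = new LdapServer();
        ldap.setDirectoryService(directory);
        ldap.setAllowAnonymousAccess(false);
        ldap.setTransports(new TcpTransport(10389));
        ldap.start();

        // Check from a shell once the server is up:
        //   ldapsearch -h localhost -p 10389 -x -b "ou=system"      (anonymous: rejected)
        //   ldapsearch -h localhost -p 10389 -D "uid=admin,ou=system" -W -b "ou=system"

        // Stop the front end before the core so in-flight operations finish cleanly.
        Runtime.getRuntime().addShutdownHook(new Thread() {
            @Override
            public void run() {
                try {
                    ldap.stop();
                    directory.shutdown();
                } catch (Exception e) {
                    e.printStackTrace();
                }
            }
        });
    }
}
```

The practical consequence of enabling access control is the rest of this thread: with the ACI subsystem on, ordinary bound users see nothing until a subentry such as enableSearchForAllUsers explicitly grants them read, browse and returnDN on the branch.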
Re: How to disable anonymous access for embedded ApacheDS
Posted by Eugene Prokopiev <en...@itx.ru>.
2012/11/22 Pierre-Arnaud Marcelot <pa...@marcelot.net>
>
> It should be complicated to disable anonymous access on 2.0.
>
Is it possible to restrict anonymous read access only to the userPassword field,
and write access for anybody except the admin account?
How can I implement with ApacheDS something like:
access to attrs=userPassword
by self write
by anonymous auth
by * none
access to *
by * read
in OpenLDAP?
--
Regards,
Eugene Prokopiev
>
> Regards,
> Pierre-Arnaud
>
>
> On 22 nov. 2012, at 14:09, Eugene Prokopiev <en...@itx.ru> wrote:
>
> > Hi,
> >
> > Is it possible to disable anonymous access for embedded ApacheDS? I tried
> > to do this:
> >
> > public class Application {
> > public static void main(String[] args) throws Exception {
> > DirectoryService directory = new DefaultDirectoryService();
> > directory.startup();
> > LdapServer ldap = new LdapServer();
> > ldap.setDirectoryService(directory);
> > ldap.setAllowAnonymousAccess(false);
> > ldap.setTransports(new TcpTransport(10389));
> > ldap.start();
> > }
> > }
> >
> > But result was:
> >
> > $ ldapsearch -h localhost -p 10389 -x -b "ou=system"
> > # extended LDIF
> > #
> > # LDAPv3
> > # base <ou=system> with scope subtree
> > # filter: (objectclass=*)
> > # requesting: ALL
> > #
> >
> > # system
> > dn: ou=system
> > objectClass: organizationalUnit
> > objectClass: extensibleObject
> > objectClass: top
> > ou: system
> >
> > ...
> >
> > I used version 1.5.5, because 2.0 is not released now and 1.5.7 requires
> > more verbose code. Is it possible to disable anonymous access with 1.5.7 or
> > 2.0?
> >
> > --
> > Regards,
> > Eugene Prokopiev
>
>
--
Regards,
Eugene Prokopiev
Re: How to disable anonymous access for embedded ApacheDS
Posted by Pierre-Arnaud Marcelot <pa...@marcelot.net>.
Hi Eugene,
You'd rather use ApacheDS 2.0.
Even if we're still only releasing milestone versions (and the documentation is mostly lacking), it's way better than using any other older version.
It should be complicated to disable anonymous access on 2.0.
Regards,
Pierre-Arnaud
On 22 nov. 2012, at 14:09, Eugene Prokopiev <en...@itx.ru> wrote:
> Hi,
>
> Is it possible to disable anonymous access for embedded ApacheDS? I tried
> to do this:
>
> public class Application {
> public static void main(String[] args) throws Exception {
> DirectoryService directory = new DefaultDirectoryService();
> directory.startup();
> LdapServer ldap = new LdapServer();
> ldap.setDirectoryService(directory);
> ldap.setAllowAnonymousAccess(false);
> ldap.setTransports(new TcpTransport(10389));
> ldap.start();
> }
> }
>
> But result was:
>
> $ ldapsearch -h localhost -p 10389 -x -b "ou=system"
> # extended LDIF
> #
> # LDAPv3
> # base <ou=system> with scope subtree
> # filter: (objectclass=*)
> # requesting: ALL
> #
>
> # system
> dn: ou=system
> objectClass: organizationalUnit
> objectClass: extensibleObject
> objectClass: top
> ou: system
>
> ...
>
> I used version 1.5.5, because 2.0 is not released now and 1.5.7 requires
> more verbose code. Is it possible to disable anonymous access with 1.5.7 or
> 2.0?
>
> --
> Regards,
> Eugene Prokopiev