Posted to users@directory.apache.org by Darko Hojnik <ho...@virtualizing.org> on 2011/04/17 06:16:07 UTC
Error with implementing acl
Hi there,
I've tried for a few hours to get a working acl on the partition
example.com. I've read and tried the sample on the apacheds wiki with the
sevenSeas sample and at last did it all myself with ApacheDS Studio.
After restarting ApacheDS I always get an error message like
[05:49:06] WARN [org.apache.directory.server.core.authz.TupleCache] -
Found accessControlSubentry
'cn=domainfullAuthorizationRequirementsACISubentry,dc=example,dc=com'
without any prescriptiveACI
I got it with ApacheDS 1.5.7 and I've compiled 1.5.8-snapshot just to
verify. After restarting ApacheDS, users in dc=example,dc=com stand
there without proper permissions. So at last, can anyone tell me what's
going wrong and what will do the trick?
Sorry, I'm a little bit in panic. For a new job my customer has asked me for
a good solution for LDAP and Kerberos for Samba and NFSv4. I thought
ApacheDS would do it perfectly.
Here is my export as XML. It's stored as an attachment too.
<?xml version="1.0" encoding="UTF-8"?>
<batchResponse xmlns:xsd="http://www.w3c.org/2001/XMLSchema"
xmlns:xsi="http://www.w3c.org/2001/XMLSchema-instance">
<searchResponse>
<searchResultEntry
dn="cn=domainfullAuthorizationRequirementsACISubentry,dc=example,dc=com">
<attr name="createtimestamp">
<value>20110417034445Z</value>
</attr>
<attr name="cn">
<value>domainfullAuthorizationRequirementsACISubentry</value>
</attr>
<attr name="entryuuid">
<value
xsi:type="xsd:base64Binary">Y2I2Njk0MTgtMjg2OC00NTIwLWIzY2QtMDg3MWZhNWExY2E2</value>
</attr>
<attr name="prescriptiveaci">
<value>{ identificationTag "domainManagerFullAccessACI",
precedence 0, authenticationLevel simple, itemOrUserFirst userFirst: {
userClasses { name { "uid=domainadmin,dc=example,dc=com" } },
userPermissions { { protectedItems { allUserAttributeTypesAndValues, entry
}, grantsAndDenials { grantDiscloseOnError, grantReturnDN,
grantFilterMatch, grantAdd, grantBrowse, grantImport, grantModify,
grantRename, grantRemove, grantCompare, grantExport, grantRead,
grantInvoke } } } } }</value>
<value>{ identificationTag "", precedence 0,
authenticationLevel simple, itemOrUserFirst userFirst: { userClasses {
allUsers }, userPermissions { { protectedItems {
allUserAttributeTypesAndValues, entry }, grantsAndDenials { grantCompare,
grantReturnDN, grantDiscloseOnError, grantFilterMatch, grantRead,
grantBrowse } }, { protectedItems { attributeType { userPassword } },
grantsAndDenials { denyRead, denyCompare, denyFilterMatch } } } } }</value>
</attr>
<attr name="modifiersname">
<value>0.9.2342.19200300.100.1.1=admin,2.5.4.11=system</value>
</attr>
<attr name="modifytimestamp">
<value>20110417034826Z</value>
</attr>
<attr name="entrycsn">
<value>20110417054826.064000Z#000000#000#000000</value>
</attr>
<attr name="objectclass">
<value>subentry</value>
<value>accessControlSubentry</value>
<value>top</value>
</attr>
<attr name="subtreespecification">
<value>{ }</value>
</attr>
<attr name="accesscontrolsubentries">
<value>2.5.4.3=domainfullauthorizationrequirementsacisubentry,0.9.2342.19200300.100.1.25=example,0.9.2342.19200300.100.1.25=com</value>
</attr>
<attr name="creatorsname">
<value>0.9.2342.19200300.100.1.1=admin,2.5.4.11=system</value>
</attr>
</searchResultEntry>
<searchResultDone>
<resultCode code="0" descr="success"/>
</searchResultDone>
</searchResponse>
</batchResponse>
kind regards
Darko Hojnik
Re: Error with implementing acl
Posted by Darko Hojnik <ho...@virtualizing.org>.
Hello Emmanuel,
I don't know why, but ApacheDS Studio doesn't export the full tree of
example.com. So I've pasted it all in the mail in the hope that it will help
you. I got the same with a Subentry. On the mailing list I've read that it
could be an old bug that after several months is still not fixed. If it's the
bug, ApacheDS will never be usable in every environment. I still
prefer ApacheDS but I'm working alternatively with 389 Directory Server.
Tomorrow I have to present a working solution to my customer for a showcase.
dn: dc=example,dc=com
objectClass: domain
objectClass: top
dc: example
accessControlSubentries: 2.5.4.3=domainaclauthorizationrequirementsacisubentry,0.9.2342.19200300.100.1.25=example,0.9.2342.19200300.100.1.25=com
administrativeRole: accessControlSpecificArea
createTimestamp: 20110417193045Z
creatorsName: 0.9.2342.19200300.100.1.1=admin,2.5.4.11=system
entryCSN: 20110417213045.184000Z#000000#000#000000
entryUUID:: YjQzZmU0ZTEtYTIyOS00ZTc1LWI4NmUtNGMyMmE4MWVmMDJl
modifiersName: 0.9.2342.19200300.100.1.1=admin,2.5.4.11=system
modifyTimestamp: 20110417203043Z

dn: ou=people,dc=example,dc=com
objectClass: organizationalUnit
objectClass: top
ou: people
accessControlSubentries: 2.5.4.3=domainaclauthorizationrequirementsacisubentry,0.9.2342.19200300.100.1.25=example,0.9.2342.19200300.100.1.25=com
createTimestamp: 20110417193324Z
creatorsName: 0.9.2342.19200300.100.1.1=admin,2.5.4.11=system
entryCSN: 20110417213324.006000Z#000000#000#000000
entryUUID:: Y2RlMDIzMzktZTkxNi00MDc2LWE2Y2EtMzhiY2M1YjNlYWRl

dn: uid=domainadmin,ou=people,dc=example,dc=com
objectClass: organizationalPerson
objectClass: person
objectClass: krb5Principal
objectClass: inetOrgPerson
objectClass: krb5KDCEntry
objectClass: top
cn: Domain Administrator
krb5KeyVersionNumber: 1
krb5PrincipalName: domainadmin@EXAMPLE.COM
sn: Domain Administrator
krb5Key:: MBmgAwIBEaESBBBse6p1boUg9NNd/97pPWgQ
krb5Key:: MBGgAwIBA6EKBAh/+DFiyCCFEw==
krb5Key:: MCGgAwIBEKEaBBiuzuXmSc6nDVRFZ8FMT4lP09Crsy9zXgE=
krb5Key:: MCmgAwIBEqEiBCDIcp4KczHRss9lQcBdX7OlRpoh70jcRfzUU8Lnm+lOmg==
krb5Key:: MBmgAwIBF6ESBBAYelAhhW5cfPy8Z3Xty4OH
uid: domainadmin
userPassword:: e01ENX1PRmoySWpDc1BKRmZNQXhtUXhMR1B3PT0=
accessControlSubentries: 2.5.4.3=domainaclauthorizationrequirementsacisubentry,0.9.2342.19200300.100.1.25=example,0.9.2342.19200300.100.1.25=com
createTimestamp: 20110417193544Z
creatorsName: 0.9.2342.19200300.100.1.1=admin,2.5.4.11=system
entryCSN: 20110417213544.185000Z#000000#000#000000
entryUUID:: NTM2Yzg5M2EtZmM3YS00YjAxLWJjYTgtMjE1NWFhMjc5NzA3
modifiersName: 0.9.2342.19200300.100.1.1=admin,2.5.4.11=system
modifyTimestamp: 20110417201959Z

dn: dc=example,dc=com
changetype: modify
add: administrativeRole
administrativeRole: accessControlSpecificArea

dn: cn=DomainACLAuthorizationRequirementsACISubentry,dc=example,dc=com
changetype: add
objectclass: top
objectclass: subentry
objectclass: accessControlSubentry
cn: DomainACLAuthorizationRequirementsACISubentry
subtreeSpecification: {}
prescriptiveACI: {
   identificationTag "directoryManagerFullAccessACI",
   precedence 11,
   authenticationLevel simple,
   itemOrUserFirst userFirst:
   {
     userClasses
     {
       name { "uid=domainadmin,ou=people,dc=example,dc=com" }
     },
     userPermissions
     {
       {
         protectedItems
         {
           entry, allUserAttributeTypesAndValues
         },
         grantsAndDenials
         {
           grantAdd, grantDiscloseOnError, grantRead,
           grantRemove, grantBrowse, grantExport, grantImport,
           grantModify, grantRename, grantReturnDN,
           grantCompare, grantFilterMatch, grantInvoke
         }
       }
     }
   }
 }
prescriptiveACI: {
   identificationTag "allUsersACI",
   precedence 10,
   authenticationLevel none,
   itemOrUserFirst userFirst:
   {
     userClasses
     {
       allUsers
     },
     userPermissions
     {
       {
         protectedItems { entry, allUserAttributeTypesAndValues },
         grantsAndDenials { grantRead, grantBrowse, grantReturnDN,
                            grantCompare, grantFilterMatch,
                            grantDiscloseOnError }
       },
       {
         protectedItems { attributeType { userPassword } },
         grantsAndDenials { denyRead, denyCompare, denyFilterMatch }
       }
     }
   }
 }
On 17.04.2011, 11:06, Emmanuel Lecharny <el...@gmail.com> wrote:
> On 4/17/11 6:16 AM, Darko Hojnik wrote:
>> Hi there,
>>
>> I've tried for a few hours to get a working acl on the partition
>> example.com. I've read and tried the sample on the apacheds wiki with
>> the sevenSeas sample and at last did it all myself with ApacheDS Studio.
>> After restarting ApacheDS I always get an error message like
>>
>> [05:49:06] WARN [org.apache.directory.server.core.authz.TupleCache] -
>> Found accessControlSubentry
>> 'cn=domainfullAuthorizationRequirementsACISubentry,dc=example,dc=com'
>> without any prescriptiveACI
>
> Have you added a subentry? If so, can you provide it?
>
> Can you also provide AdministrativePoint entry?
>
>
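As an added example (not code from this thread or from the ApacheDS project), a small Python checker for the kind of LDIF export posted above: it confirms that each accessControlSubentry hangs off an entry carrying administrativeRole accessControlSpecificArea, that it has at least one prescriptiveACI (the condition the TupleCache warning names), that the braces of every ACI value balance, and flags an allUsers grant on all attributes that does not also deny userPassword. The LDIF sample is constructed, and the brace and userPassword checks are string heuristics rather than a full ACIItem parser.

```python
import re
# Constructed sample shaped like the LDIF in the mail; the second ACI value is missing two closing braces.
SAMPLE_LDIF = """dn: dc=example,dc=com
administrativeRole: accessControlSpecificArea

dn: cn=DomainACLAuthorizationRequirementsACISubentry,dc=example,dc=com
objectClass: subentry
objectClass: accessControlSubentry
prescriptiveACI: { identificationTag "directoryManagerFullAccessACI", precedence 11, authenticationLevel simple,
  itemOrUserFirst userFirst: { userClasses { name { "uid=domainadmin,ou=people,dc=example,dc=com" } },
  userPermissions { { protectedItems { entry, allUserAttributeTypesAndValues }, grantsAndDenials { grantRead, grantModify } } } } }
prescriptiveACI: { identificationTag "allUsersACI", precedence 10, authenticationLevel none, itemOrUserFirst userFirst:
  { userClasses { allUsers }, userPermissions { { protectedItems { entry, allUserAttributeTypesAndValues }, grantsAndDenials { grantRead, grantBrowse } } }
"""

def parse_ldif(text):
    """Tiny LDIF reader: unfold ' '-continuation lines, split records on blank lines, lower-case attribute names."""
    entries = []
    for record in re.split(r"\n\s*\n", text.replace("\n ", "").strip()):
        attrs = {}
        for line in record.splitlines():
            name, _, value = line.partition(":")
            attrs.setdefault(name.strip().lower(), []).append(value.lstrip(":").strip())  # '::' base64 kept raw
        entries.append(attrs)
    return entries

def check_aci_setup(text):
    """Checks worth running on an ACI export before restarting the server; returns a list of findings."""
    findings, entries = [], parse_ldif(text)
    areas = {e["dn"][0].lower() for e in entries
             if "accesscontrolspecificarea" in [v.lower() for v in e.get("administrativerole", [])]}
    for e in entries:
        if "accesscontrolsubentry" not in [v.lower() for v in e.get("objectclass", [])]:
            continue
        dn, parent = e["dn"][0], e["dn"][0].split(",", 1)[1]
        if parent.lower() not in areas:  # a subentry must hang off an access control administrative point
            findings.append(f"{dn}: parent {parent} lacks administrativeRole accessControlSpecificArea")
        acis = e.get("prescriptiveaci", [])
        if not acis:  # the condition behind the TupleCache WARN quoted in the thread
            findings.append(f"{dn}: accessControlSubentry without any prescriptiveACI")
        for aci in acis:
            m = re.search(r'identificationTag\s+"([^"]*)"', aci)
            tag = m.group(1) if m else ""
            opened, closed = aci.count("{"), aci.count("}")
            if opened != closed:  # a truncated or mis-pasted value will not parse as an ACIItem
                findings.append(f"{dn}: ACI '{tag}' has {opened} '{{' but {closed} '}}'")
            if re.search(r"\ballUsers\b", aci) and "allUserAttributeTypesAndValues" in aci and "userPassword" not in aci:
                findings.append(f"{dn}: ACI '{tag}' grants allUsers every attribute with no userPassword deny")  # heuristic
    return findings
```

Run it against a `ldapsearch -LLL` dump of the administrative point and its subentries before restarting; an empty list means the three structural preconditions hold.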
Re: Error with implementing acl
Posted by Emmanuel Lecharny <el...@gmail.com>.
On 4/17/11 6:16 AM, Darko Hojnik wrote:
> Hi there,
>
> I've tried for a few hours to get a working acl on the partition
> example.com. I've read and tried the sample on the apacheds wiki with
> the sevenSeas sample and at last did it all myself with ApacheDS Studio.
> After restarting ApacheDS I always get an error message like
>
> [05:49:06] WARN [org.apache.directory.server.core.authz.TupleCache] -
> Found accessControlSubentry
> 'cn=domainfullAuthorizationRequirementsACISubentry,dc=example,dc=com'
> without any prescriptiveACI
Have you added a subentry? If so, can you provide it?
Can you also provide AdministrativePoint entry?
--
Regards,
Cordialement,
Emmanuel Lécharny
www.iktek.com