Posted to users@directory.apache.org by Mike Przybylski <mi...@gimmethebrain.net> on 2014/01/05 23:59:20 UTC
[ApacheDS] proper usage of protectedItems { maxValueCount ?
Hello,
Lately, I’ve been teaching myself how to use Apache Directory Server’s access control subsystem.
Before getting too cute, I figured I’d try out the recipes here:
http://directory.apache.org/apacheds/advanced-ug/4.2.7-using-acis-trail.html
Both work as advertised, but as I’ve been reading more, some have suggested refining…
http://directory.apache.org/apacheds/advanced-ug/4.2.7.2-allow-self-password-modify.html
…to use maxValueCount to prevent (someone claiming to be) the user from inserting multiple userPassword values. However, as soon as I put maxValueCount in any protectedItems clause of my prescriptiveACI, all of my unprivileged user’s attributes become invisible to him.
If I weren’t such a n00b, I’d think this was a bug.
Here is the prescriptiveACI that I think should work:
{
  identificationTag "userSelfModifyPassword",
  precedence 0,
  authenticationLevel none,
  itemOrUserFirst userFirst:
  {
    userClasses { thisEntry },
    userPermissions
    {
      {
        protectedItems
        {
          maxValueCount
          {
            { type userPassword, maxCount 1 }
          },
          allAttributeValues { userPassword }
        },
        grantsAndDenials { grantAdd, grantRemove }
      },
      {
        protectedItems { entry },
        grantsAndDenials
        {
          grantRead,
          grantBrowse,
          grantModify
        }
      }
    }
  }
}
Server environment:
Oracle JDK 1.7u45
ApacheDS 2.0.0-M15
Debian 7.3, AMD64
Client environment:
Apache Directory Studio
Oracle JDK 1.7u45
OS X 10.9.1
Any pointers on what I’m doing wrong and/or how to do it better would be greatly appreciated.
Best regards,
Mike Przybylski
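An added audit check, not from this thread or the ApacheDS project: until the maxValueCount restriction in the ACI above actually enforces the one-value rule, a defender can scan an LDIF export of the user subtree for entries that already carry more than one userPassword value. The sample LDIF, DNs and hashes below are constructed.

```python
import base64
from collections import defaultdict

# Constructed sample LDIF export (as produced by ldapsearch or a Studio export); not real data.
SAMPLE_LDIF = """\
dn: uid=alice,ou=users,dc=example,dc=com
objectClass: inetOrgPerson
uid: alice
userPassword:: e1NTSEF9ZmFrZWhhc2gx

dn: uid=bob,ou=users,dc=example,dc=com
objectClass: inetOrgPerson
uid: bob
userPassword: {SSHA}fakehash2
userPassword:: e1NTSEF9ZmFrZWhh
 c2gz

dn: uid=carol,ou=users,dc=example,dc=com
objectClass: inetOrgPerson
uid: carol
"""

def parse_ldif(text):
    """Return [(dn, {attr_lower: [values]})]; handles RFC 2849 folded lines and base64 ('::') values."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:      # continuation line: join onto the previous one
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, attrs, dn = [], defaultdict(list), None
    for line in lines + [""]:                  # trailing "" flushes the last entry
        if not line:
            if dn is not None:
                entries.append((dn, dict(attrs)))
            dn, attrs = None, defaultdict(list)
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):              # base64-encoded value (userPassword is usually exported this way)
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        if name.lower() == "dn":
            dn = value
        else:
            attrs[name.lower()].append(value)
    return entries

def entries_exceeding(entries, attr="userPassword", max_count=1):
    """DNs whose attribute holds more values than the ACI's maxCount would permit."""
    return sorted(dn for dn, a in entries if len(a.get(attr.lower(), [])) > max_count)
```

Feed it a real export with `entries_exceeding(parse_ldif(open("users.ldif").read()))`; any DN it returns has a second password value that the intended ACI was meant to prevent.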
Re: [ApacheDS] proper usage of protectedItems { maxValueCount ?
Posted by Kiran Ayyagari <ka...@apache.org>.
On Mon, Jan 6, 2014 at 4:29 AM, Mike Przybylski <mi...@gimmethebrain.net> wrote:
> Hello,
>
> Lately, I’ve been teaching myself how to use Apache Directory Server’s
> access control subsystem.
>
> Before getting too cute, I figured I’d try out the recipes here:
>
>
> http://directory.apache.org/apacheds/advanced-ug/4.2.7-using-acis-trail.html
>
> Both work as advertised, but as I’ve been reading more, some have
> suggested refining…
>
>
> http://directory.apache.org/apacheds/advanced-ug/4.2.7.2-allow-self-password-modify.html
>
> …to use maxValueCount to prevent (someone claiming to be) the user from
> inserting multiple userPassword values. However, as soon as I put
> maxValueCount in any protectedItems clause of my prescriptiveACI, all of my
> unprivileged user’s attributes become invisible to him.
>
> If I weren’t such a n00b, I’d think this was a bug.
>
yes, I think so, am able to reproduce this, can you file a bug here
https://issues.apache.org/jira/browse/DIRSERVER
thank you
> Here is the prescriptiveACI that I think should work:
>
> {
> identificationTag "userSelfModifyPassword",
> precedence 0,
> authenticationLevel none,
> itemOrUserFirst userFirst:
> {
> userClasses { thisEntry },
> userPermissions
> {
> {
> protectedItems
> {
> maxValueCount
> {
> { type userPassword, maxCount 1 }
> }
> ,
> allAttributeValues { userPassword }
> }
> ,
> grantsAndDenials { grantAdd, grantRemove }
> }
> ,
> {
> protectedItems { entry },
> grantsAndDenials
> {
> grantRead,
> grantBrowse,
> grantModify
> }
> }
> }
> }
> }
>
> Server environment:
> Oracle JDK 1.7u45
> ApacheDS 2.0.0-M15
> Debian 7.3, AMD64
>
> Client environment:
> Apache Directory Studio
> Oracle JDK 1.7u45
> OS X 10.9.1
>
> Any pointers on what I’m doing wrong and/or how to do it better would be
> greatly appreciated.
>
> Best regards,
> Mike Przybylski
--
Kiran Ayyagari
http://keydap.com