Posted to dev@directory.apache.org by Қαεζ ₪ <dr...@gmail.com> on 2018/01/29 15:47:15 UTC
ApacheDS ACL over custom schema
Hello,
I'm currently deploying an ApacheDS server, version M24, and I'm trying to
set up 3 ACLs:
- Everyone can update their own password: Done;
- Everyone can read & browse the LDAP: Done;
- Only users whose LDAPadmin attribute is TRUE can do anything to
anyone, like creating a cn, with subentries and so on: Fail.
Either I get an error 80 (Internal implementation specific error), or
the request is sent but has no effect: the specificationFilter
(LDAPadmin=TRUE) applied to All Users with all rights given to Entry,
AllUserAttributeTypesAndValues does not work.
Has anyone experienced this?
Regards.
Fwd: Re: ApacheDS ACL over custom schema
Posted by Қαεζ ₪ <dr...@gmail.com>.
---------- Forwarded message ----------
From: "Қαεζ ₪" <dr...@gmail.com>
Date: 30 Jan 2018 9:25 am
Subject: Re: ApacheDS ACL over custom schema
To: "Emmanuel Lécharny" <el...@gmail.com>
Cc:
Sure, here they are :
Only self password modify :
dn: cn=allowSelfModifications,dc=mydomain,dc=fr
objectClass: top
objectClass: subentry
objectClass: accessControlSubentry
cn: allowSelfModifications
subtreeSpecification: { }
prescriptiveACI: {
identificationTag "allowSelfModifications", precedence 20,
authenticationLevel none,
itemOrUserFirst userFirst: { userClasses { thisEntry }, userPermissions {
{ protectedItems {entry}, grantsAndDenials { grantModify, grantBrowse,
grantRead } },
{ protectedItems {allAttributeValues {userPassword}}, grantsAndDenials {
grantAdd,
grantRemove } } } } }
Everyone can read & browse :
dn: cn=allowGlobalRead,dc=mydomain,dc=fr
objectClass: subentry
objectClass: accessControlSubentry
objectClass: top
cn: allowGlobalRead
subtreeSpecification: { }
prescriptiveACI: {
identificationTag "allowGlobalRead", precedence 10, authenticationLevel
none,
itemOrUserFirst userFirst: { userClasses { allUsers }, userPermissions { {
protectedItems {entry, allUserAttributeTypesAndValues}, grantsAndDenials {
grantRead, grantReturnDN, grantFilterMatch, grantBrowse
} } } } }
LDAPadmin=TRUE can do everything : (NOT WORKING)
dn: cn=allowGlobalAdministration,dc=mydomain,dc=fr
objectClass: top
objectClass: subentry
objectClass: accessControlSubentry
cn: allowGlobalAdministration
subtreeSpecification: { specificationFilter (LDAPadmin=TRUE) }
prescriptiveACI: {
identificationTag "allowGlobalAdministration", precedence 30,
authenticationLevel none,
itemOrUserFirst userFirst: { userClasses { allUsers }, userPermissions { {
protectedItems { entry, allUserAttributeTypes,
allUserAttributeTypesAndValues },
grantsAndDenials { grantImport, grantDiscloseOnError, grantInvoke,
grantAdd,
grantCompare, grantExport, grantBrowse, grantRead, grantFilterMatch,
grantRemove,
grantReturnDN, grantRename, grantModify } } } } }
Also, a minor detail: if I do an ldapmodify with all these entries together
there is an error. I have to send the requests one ACL at a time.
On Mon, Jan 29, 2018 at 8:56 PM, Emmanuel Lécharny <el...@gmail.com>
wrote:
>
>
> On 29/01/2018 at 16:47, Қαεζ ₪ wrote:
> > Hello,
> >
> > I'm currently deploying an ApacheDS server, version M24, and I'm trying
> > to set up 3 ACLs:
> > - Everyone can update their own password: Done;
> > - Everyone can read & browse the LDAP: Done;
> > - Only users whose LDAPadmin attribute is TRUE can do anything to
> > anyone, like creating a cn, with subentries and so on: Fail.
> >
> > Either I get an error 80 (Internal implementation specific error), or
> > the request is sent but has no effect: the specificationFilter
> > (LDAPadmin=TRUE) applied to All Users with all rights given to Entry,
> > AllUserAttributeTypesAndValues does not work.
> >
> > Has anyone experienced this?
>
> Can you send us your ACL definitions?
>
> --
> Emmanuel Lecharny
>
> Symas.com
> directory.apache.org
>
>
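An added audit example (my own code, not from the thread or from ApacheDS): it parses the three prescriptiveACI values above, embedded inline as constructed input, and flags any ACI whose userClasses is allUsers while its grantsAndDenials include write grants. The third ACI is flagged because a subentry's subtreeSpecification (specificationFilter included) scopes which entries the ACI applies to, while userClasses { allUsers } with authenticationLevel none would grant those rights to every requester, anonymous binds included. The tokenizer and brace parser are simplified assumptions, not the ApacheDS ACI grammar.

```python
import re
# Constructed input: the three prescriptiveACI values from the thread,
# joined onto one line each (whitespace is not significant in ACI syntax).
ACIS = [
    '{ identificationTag "allowSelfModifications", precedence 20, authenticationLevel none, '
    'itemOrUserFirst userFirst: { userClasses { thisEntry }, userPermissions { '
    '{ protectedItems {entry}, grantsAndDenials { grantModify, grantBrowse, grantRead } }, '
    '{ protectedItems {allAttributeValues {userPassword}}, grantsAndDenials { grantAdd, grantRemove } } } } }',
    '{ identificationTag "allowGlobalRead", precedence 10, authenticationLevel none, '
    'itemOrUserFirst userFirst: { userClasses { allUsers }, userPermissions { { '
    'protectedItems {entry, allUserAttributeTypesAndValues}, grantsAndDenials { '
    'grantRead, grantReturnDN, grantFilterMatch, grantBrowse } } } } }',
    '{ identificationTag "allowGlobalAdministration", precedence 30, authenticationLevel none, '
    'itemOrUserFirst userFirst: { userClasses { allUsers }, userPermissions { { '
    'protectedItems { entry, allUserAttributeTypes, allUserAttributeTypesAndValues }, '
    'grantsAndDenials { grantImport, grantDiscloseOnError, grantInvoke, grantAdd, grantCompare, '
    'grantExport, grantBrowse, grantRead, grantFilterMatch, grantRemove, grantReturnDN, grantRename, grantModify } } } } }',
]
# Grants that let a requester change directory content.
WRITE_GRANTS = {"grantAdd", "grantRemove", "grantModify", "grantRename", "grantImport", "grantExport"}
def tokens(aci):  # quoted strings, braces, commas, colons and bare words
    return re.findall(r'"[^"]*"|[{},:]|[^\s{},:]+', aci)
def parse(toks, i=0):  # brace structure -> nested lists; commas are dropped
    out = []
    while i < len(toks) and toks[i] != "}":
        if toks[i] == "{":
            sub, i = parse(toks, i + 1)
            out.append(sub)
        else:
            if toks[i] != ",":
                out.append(toks[i])
            i += 1
    return out, i + 1
def groups_after(node, key):  # every brace group that directly follows `key`, at any depth
    for j, item in enumerate(node):
        if isinstance(item, list):
            yield from groups_after(item, key)
        elif item == key and j + 1 < len(node) and isinstance(node[j + 1], list):
            yield node[j + 1]
flatten = lambda n: [x for i in n for x in (flatten(i) if isinstance(i, list) else [i])]
def summarize(aci):
    tree, _ = parse(tokens(aci))
    flat = flatten(tree)
    return {"tag": flat[flat.index("identificationTag") + 1].strip('"'),
            "precedence": int(flat[flat.index("precedence") + 1]),
            "userClasses": set(flatten(next(groups_after(tree, "userClasses")))),
            "grants": {g for grp in groups_after(tree, "grantsAndDenials") for g in flatten(grp)}}
def audit(acis):
    """Tags of ACIs that hand write grants to allUsers (anonymous too, with authenticationLevel none)."""
    return [s["tag"] for s in map(summarize, acis)
            if "allUsers" in s["userClasses"] and s["grants"] & WRITE_GRANTS]
```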
Re: Fwd: Re: ApacheDS ACL over custom schema
Posted by Қαεζ ₪ <dr...@gmail.com>.
No problem, I wasn't sure if my message was sent or not.
Regards.
On 7 Feb 2018 2:50 pm, "Emmanuel Lécharny" <el...@gmail.com> wrote:
> Sorry for the delay, I have to have a working server to test your ACIs,
> and I'm currently refactoring it, so it will take a bit of time...
>
>
>
> On 07/02/2018 at 13:50, Қαεζ ₪ wrote:
> > Sure, here they are :
> >
> > Only self password modify :
> > dn: cn=allowSelfModifications,dc=mydomain,dc=fr
> > objectClass: top
> > objectClass: subentry
> > objectClass: accessControlSubentry
> > cn: allowSelfModifications
> > subtreeSpecification: { }
> > prescriptiveACI: {
> > identificationTag "allowSelfModifications", precedence 20,
> > authenticationLevel none,
> > itemOrUserFirst userFirst: { userClasses { thisEntry },
> userPermissions {
> > { protectedItems {entry}, grantsAndDenials { grantModify, grantBrowse,
> > grantRead } },
> > { protectedItems {allAttributeValues {userPassword}}, grantsAndDenials {
> > grantAdd,
> > grantRemove } } } } }
> >
> > Everyone can read & browse :
> > dn: cn=allowGlobalRead,dc=mydomain,dc=fr
> > objectClass: subentry
> > objectClass: accessControlSubentry
> > objectClass: top
> > cn: allowGlobalRead
> > subtreeSpecification: { }
> > prescriptiveACI: {
> > identificationTag "allowGlobalRead", precedence 10, authenticationLevel
> > none,
> > itemOrUserFirst userFirst: { userClasses { allUsers }, userPermissions
> { {
> > protectedItems {entry, allUserAttributeTypesAndValues},
> grantsAndDenials {
> > grantRead, grantReturnDN, grantFilterMatch, grantBrowse
> > } } } } }
> >
> > LDAPadmin=TRUE can do everything : (NOT WORKING)
> > dn: cn=allowGlobalAdministration,dc=mydomain,dc=fr
> > objectClass: top
> > objectClass: subentry
> > objectClass: accessControlSubentry
> > cn: allowGlobalAdministration
> > subtreeSpecification: { specificationFilter (LDAPadmin=TRUE) }
> > prescriptiveACI: {
> > identificationTag "allowGlobalAdministration", precedence 30,
> > authenticationLevel none,
> > itemOrUserFirst userFirst: { userClasses { allUsers }, userPermissions
> { {
> > protectedItems { entry, allUserAttributeTypes,
> > allUserAttributeTypesAndValues },
> > grantsAndDenials { grantImport, grantDiscloseOnError, grantInvoke,
> > grantAdd,
> > grantCompare, grantExport, grantBrowse, grantRead, grantFilterMatch,
> > grantRemove,
> > grantReturnDN, grantRename, grantModify } } } } }
> >
> > Also, a minor detail: if I do an ldapmodify with all these entries
> > together there is an error. I have to send the requests one ACL at a time.
> >
> > On Mon, Jan 29, 2018 at 8:56 PM, Emmanuel Lécharny <el...@gmail.com>
> > wrote:
> >
> >>
> >>
> >> On 29/01/2018 at 16:47, Қαεζ ₪ wrote:
> >>> Hello,
> >>>
> >>> I'm currently deploying an ApacheDS server, version M24, and I'm trying
> >>> to set up 3 ACLs:
> >>> - Everyone can update their own password: Done;
> >>> - Everyone can read & browse the LDAP: Done;
> >>> - Only users whose LDAPadmin attribute is TRUE can do anything to
> >>> anyone, like creating a cn, with subentries and so on: Fail.
> >>>
> >>> Either I get an error 80 (Internal implementation specific error), or
> >>> the request is sent but has no effect: the specificationFilter
> >>> (LDAPadmin=TRUE) applied to All Users with all rights given to Entry,
> >>> AllUserAttributeTypesAndValues does not work.
> >>>
> >>> Has anyone experienced this?
> >>
> >> Can you send us your ACL definitions?
> >>
> >> --
> >> Emmanuel Lecharny
> >>
> >> Symas.com
> >> directory.apache.org
> >>
> >>
> >
>
> --
> Emmanuel Lecharny
>
> Symas.com
> directory.apache.org
>
>
Re: Fwd: Re: ApacheDS ACL over custom schema
Posted by Emmanuel Lécharny <el...@gmail.com>.
Sorry for the delay, I have to have a working server to test your ACIs,
and I'm currently refactoring it, so it will take a bit of time...
On 07/02/2018 at 13:50, Қαεζ ₪ wrote:
> Sure, here they are :
>
> Only self password modify :
> dn: cn=allowSelfModifications,dc=mydomain,dc=fr
> objectClass: top
> objectClass: subentry
> objectClass: accessControlSubentry
> cn: allowSelfModifications
> subtreeSpecification: { }
> prescriptiveACI: {
> identificationTag "allowSelfModifications", precedence 20,
> authenticationLevel none,
> itemOrUserFirst userFirst: { userClasses { thisEntry }, userPermissions {
> { protectedItems {entry}, grantsAndDenials { grantModify, grantBrowse,
> grantRead } },
> { protectedItems {allAttributeValues {userPassword}}, grantsAndDenials {
> grantAdd,
> grantRemove } } } } }
>
> Everyone can read & browse :
> dn: cn=allowGlobalRead,dc=mydomain,dc=fr
> objectClass: subentry
> objectClass: accessControlSubentry
> objectClass: top
> cn: allowGlobalRead
> subtreeSpecification: { }
> prescriptiveACI: {
> identificationTag "allowGlobalRead", precedence 10, authenticationLevel
> none,
> itemOrUserFirst userFirst: { userClasses { allUsers }, userPermissions { {
> protectedItems {entry, allUserAttributeTypesAndValues}, grantsAndDenials {
> grantRead, grantReturnDN, grantFilterMatch, grantBrowse
> } } } } }
>
> LDAPadmin=TRUE can do everything : (NOT WORKING)
> dn: cn=allowGlobalAdministration,dc=mydomain,dc=fr
> objectClass: top
> objectClass: subentry
> objectClass: accessControlSubentry
> cn: allowGlobalAdministration
> subtreeSpecification: { specificationFilter (LDAPadmin=TRUE) }
> prescriptiveACI: {
> identificationTag "allowGlobalAdministration", precedence 30,
> authenticationLevel none,
> itemOrUserFirst userFirst: { userClasses { allUsers }, userPermissions { {
> protectedItems { entry, allUserAttributeTypes,
> allUserAttributeTypesAndValues },
> grantsAndDenials { grantImport, grantDiscloseOnError, grantInvoke,
> grantAdd,
> grantCompare, grantExport, grantBrowse, grantRead, grantFilterMatch,
> grantRemove,
> grantReturnDN, grantRename, grantModify } } } } }
>
> Also, a minor detail: if I do an ldapmodify with all these entries together
> there is an error. I have to send the requests one ACL at a time.
>
> On Mon, Jan 29, 2018 at 8:56 PM, Emmanuel Lécharny <el...@gmail.com>
> wrote:
>
>>
>>
>> On 29/01/2018 at 16:47, Қαεζ ₪ wrote:
>>> Hello,
>>>
>>> I'm currently deploying an ApacheDS server, version M24, and I'm trying
>>> to set up 3 ACLs:
>>> - Everyone can update their own password: Done;
>>> - Everyone can read & browse the LDAP: Done;
>>> - Only users whose LDAPadmin attribute is TRUE can do anything to
>>> anyone, like creating a cn, with subentries and so on: Fail.
>>>
>>> Either I get an error 80 (Internal implementation specific error), or
>>> the request is sent but has no effect: the specificationFilter
>>> (LDAPadmin=TRUE) applied to All Users with all rights given to Entry,
>>> AllUserAttributeTypesAndValues does not work.
>>>
>>> Has anyone experienced this?
>>
>> Can you send us your ACL definitions?
>>
>> --
>> Emmanuel Lecharny
>>
>> Symas.com
>> directory.apache.org
>>
>>
>
--
Emmanuel Lecharny
Symas.com
directory.apache.org
Fwd: Re: ApacheDS ACL over custom schema
Posted by Қαεζ ₪ <dr...@gmail.com>.
Sure, here they are :
Only self password modify :
dn: cn=allowSelfModifications,dc=mydomain,dc=fr
objectClass: top
objectClass: subentry
objectClass: accessControlSubentry
cn: allowSelfModifications
subtreeSpecification: { }
prescriptiveACI: {
identificationTag "allowSelfModifications", precedence 20,
authenticationLevel none,
itemOrUserFirst userFirst: { userClasses { thisEntry }, userPermissions {
{ protectedItems {entry}, grantsAndDenials { grantModify, grantBrowse,
grantRead } },
{ protectedItems {allAttributeValues {userPassword}}, grantsAndDenials {
grantAdd,
grantRemove } } } } }
Everyone can read & browse :
dn: cn=allowGlobalRead,dc=mydomain,dc=fr
objectClass: subentry
objectClass: accessControlSubentry
objectClass: top
cn: allowGlobalRead
subtreeSpecification: { }
prescriptiveACI: {
identificationTag "allowGlobalRead", precedence 10, authenticationLevel
none,
itemOrUserFirst userFirst: { userClasses { allUsers }, userPermissions { {
protectedItems {entry, allUserAttributeTypesAndValues}, grantsAndDenials {
grantRead, grantReturnDN, grantFilterMatch, grantBrowse
} } } } }
LDAPadmin=TRUE can do everything : (NOT WORKING)
dn: cn=allowGlobalAdministration,dc=mydomain,dc=fr
objectClass: top
objectClass: subentry
objectClass: accessControlSubentry
cn: allowGlobalAdministration
subtreeSpecification: { specificationFilter (LDAPadmin=TRUE) }
prescriptiveACI: {
identificationTag "allowGlobalAdministration", precedence 30,
authenticationLevel none,
itemOrUserFirst userFirst: { userClasses { allUsers }, userPermissions { {
protectedItems { entry, allUserAttributeTypes,
allUserAttributeTypesAndValues },
grantsAndDenials { grantImport, grantDiscloseOnError, grantInvoke,
grantAdd,
grantCompare, grantExport, grantBrowse, grantRead, grantFilterMatch,
grantRemove,
grantReturnDN, grantRename, grantModify } } } } }
Also, a minor detail: if I do an ldapmodify with all these entries together
there is an error. I have to send the requests one ACL at a time.
On Mon, Jan 29, 2018 at 8:56 PM, Emmanuel Lécharny <el...@gmail.com>
wrote:
>
>
> On 29/01/2018 at 16:47, Қαεζ ₪ wrote:
> > Hello,
> >
> > I'm currently deploying an ApacheDS server, version M24, and I'm trying
> > to set up 3 ACLs:
> > - Everyone can update their own password: Done;
> > - Everyone can read & browse the LDAP: Done;
> > - Only users whose LDAPadmin attribute is TRUE can do anything to
> > anyone, like creating a cn, with subentries and so on: Fail.
> >
> > Either I get an error 80 (Internal implementation specific error), or
> > the request is sent but has no effect: the specificationFilter
> > (LDAPadmin=TRUE) applied to All Users with all rights given to Entry,
> > AllUserAttributeTypesAndValues does not work.
> >
> > Has anyone experienced this?
>
> Can you send us your ACL definitions?
>
> --
> Emmanuel Lecharny
>
> Symas.com
> directory.apache.org
>
>
Re: ApacheDS ACL over custom schema
Posted by Emmanuel Lécharny <el...@gmail.com>.
On 29/01/2018 at 16:47, Қαεζ ₪ wrote:
> Hello,
>
> I'm currently deploying an ApacheDS server, version M24, and I'm trying to
> set up 3 ACLs:
> - Everyone can update their own password: Done;
> - Everyone can read & browse the LDAP: Done;
> - Only users whose LDAPadmin attribute is TRUE can do anything to
> anyone, like creating a cn, with subentries and so on: Fail.
>
> Either I get an error 80 (Internal implementation specific error), or
> the request is sent but has no effect: the specificationFilter
> (LDAPadmin=TRUE) applied to All Users with all rights given to Entry,
> AllUserAttributeTypesAndValues does not work.
>
> Has anyone experienced this?
Can you send us your ACL definitions?
--
Emmanuel Lecharny
Symas.com
directory.apache.org