
IRC log for #openam, 2016-10-19


All times shown according to UTC.

Time Nick Message
07:17 aldaris joined #openam
07:48 KermitTheFragger joined #openam
08:25 abyss aldaris: Sorry, me again;) I've created a user in ldap and then I gave him access to the whole domain (dn): https://gist.github.com/anonymous/3966f8a45288fb5e61539e3a9aab2155
08:26 abyss That user can create folders (ou) in tree dc=ydp,dc=eu and can delete this new folders, but when I put something in it (for example new user) then I get error in gist...
08:26 abyss Why?;)
08:27 aldaris because the entry you are trying to delete has subentries
08:27 aldaris so you need to use the delete subtree control
08:28 aldaris but then probably the targetcontrol is missing from your ACI entry
08:28 aldaris probably it should be a separate ACI entry, but I'm not the biggest ACI expert
08:28 abyss :)
08:28 aldaris 1.2.840.113556.1.4.805 is the OID for subtree delete
08:28 abyss yeah I did it with --deleteSubtree
08:29 aldaris have a look at DJ docs and search for "targetcontrol"
08:29 aldaris should give you what you need
08:29 abyss ok, thank you very much :)
08:29 aldaris the OID above is the one you should be using with it
08:29 abyss (as always;)) I hope I'm not disturbing you a lot?;)
08:30 aldaris it's alright ;)
08:30 abyss ;)
08:31 abyss I thought when I give allow all and targetattr * then everything should work - administrating ldap is not so easy;)
08:51 aldaris joined #openam
09:14 abyss aldaris: may I give targetcontrol = "*" ? ;) It may solve other issues that may appear;)
09:15 aldaris wouldn't recommend it
09:15 abyss ok ;)
09:15 aldaris probably you want to limit what your user can do
09:15 abyss yes
09:15 aldaris that's why you aren't using directory manager in the first place
09:15 abyss yes
09:15 abyss ;)
09:16 aldaris probably also why your previous aci with allow(all) should be revisited at a later point
09:17 abyss Because directory manager can do everything, even change replication and ldap config, I'd like to give the new user permission to modify only dn: dc=ydp,dc=eu (but first I'd like to give him permission to modify or delete only the people tree, but it is hard to do ;))
09:17 abyss aldaris: ok, thank you
09:22 abyss aldaris: Result Code:  50 (Insufficient Access Rights) I get this now ;)
09:23 abyss aci: (target="ldap:///dc=ydp,dc=eu") (targetattr = "*")(targetcontrol = "1.2.840.113556.1.4.805")(version 3.0; acl "Full access to People"; allow(all) userdn =  "ldap:///uid=Technical User,cn=Tech,ou=Groups,dc=ydp,dc=eu";)
09:24 abyss ok I suppose I should use + not = ;)
09:26 abyss there's no such thing as + :( I give: aci: (target="ldap:///dc=ydp,dc=eu") (targetattr = "*")(targetcontrol = "*")(version 3.0; acl "Full access to People"; allow(all) userdn =  "ldap:///uid=Technical User,cn=Tech,ou=Groups,dc=ydp,dc=eu";) and the same error :/
09:27 asyd abyss: and what is the error
09:27 asyd when it occurs
09:27 aldaris "To include multiple targets, enclose each individual target in parentheses, (). When you specify multiple targets, all targets must match for the ACI to apply (AND)."
09:27 aldaris so did you update your existing ACI, or added a new one?
09:28 abyss a new one
09:28 abyss I deleted old and added new one
09:28 aldaris so what ACIs do you have now and what request fails with LDAP 50?
09:29 abyss asyd: I do: ldapdelete --hostname='10.2.136.82' --port=1636 --bindDN='uid=Technical User,cn=Tech,ou=Groups,dc=ydp,dc=eu' -w here'sthepass --trustAll --useSSL --noPropertiesFile --deleteSubtree ou=people1,dc=ydp,dc=eu
09:32 aldaris I'd suggest to remove the targetattr part of the ACI, or you may need to also include "+" to get things working
09:33 abyss aldaris: when I don't put targetcontrol (it doesn't matter with * or 1.2.840.113556.1.4.805) then I can't delete folder at all. When I remove targetcontrol I can delete empty folder only.
09:38 abyss there's no such thing as + ;) I thought I saw it, but in the documentation there is only = and ||. I removed targetattr but still get the same error;)
09:47 abyss I'm giving up;)
10:08 abyss I can delete an empty tree and everything in that tree, but I can't delete a non-empty tree;)
10:27 aldaris joined #openam
10:39 aldaris abyss does this help? https://idmdude.com/2015/03/19/opendj-access-control-explained/
10:39 aldaris there are ways to debug ACI issues, I think the aclRights attribute is for that
10:46 abyss aldaris: thank you
12:36 aldaris joined #openam
14:08 aldaris joined #openam
14:31 aldaris joined #openam
14:31 aldaris1 joined #openam
14:51 aldaris joined #openam
15:18 aldaris joined #openam
15:23 aldaris joined #openam
