This topic contains 17 replies, has 5 voices, and was last updated by JnRouvignac 2 weeks, 5 days ago.

    #10380 Gbadamosi (Participant)

    Hi,

    I have been working on an OpenAM upgrade. After the upgrade I could see the instructions to add an access control instruction (ACI) to the external directory to give the OpenAM administrative user server-side sorting privileges.

    The ACI should be similar to the following:
    aci: (targetcontrol=”1.2.840.113556.1.4.473″)(version 3.0;acl “Allow server-side sorting”; allow (read)(userdn = “ldap:///uid=openam,ou=admins,dc=example,dc=com”);).

    I am unable to do this. Is there a command to achieve this? Please advise.

    #10381 Gbadamosi (Participant)

    I tried using this but ran into an error:
    bin/dsconfig set-access-control-handler-prop \
    –add global-aci:'(target = “ldap:///cn=schema”)(targetattr = “attributeTypes || \
    objectClasses”)(version 3.0; acl “Modify schema”; allow (write) \
    (userdn = “ldap:///uid=openam,ou=admins,dc=example,dc=com”);)’ \
    –port 4444 \
    –bindDN “cn=Directory Manager” \
    –bindPassword password \
    –trustAll \

    Please advise if this is the right command or whether I need to use another command.

    #10386 JnRouvignac (Participant)

    Could you try without breaking lines in the ACI?
    i.e.

    bin/dsconfig set-access-control-handler-prop \
    –add global-aci:'(target = “ldap:///cn=schema”)(targetattr = “attributeTypes || objectClasses”)(version 3.0; acl “Modify schema”; allow (write) (userdn = “ldap:///uid=openam,ou=admins,dc=example,dc=com”);)' \
    –port 4444 \
    –bindDN “cn=Directory Manager” \
    –bindPassword password \
    –trustAll
    #10395 Gbadamosi (Participant)

    Thank you for the reply, but I am looking for

    bin/dsconfig set-access-control-handler-prop \
    –add global-aci: (targetcontrol=”1.2.840.113556.1.4.473″)(version 3.0;acl “Allow server-side sorting”; allow (read)(userdn = “ldap:///uid=openam,ou=admins,dc=example,dc=com”);).
    –port 4444 \
    –bindDN “cn=Directory Manager” \
    –bindPassword password \
    –trustAll

    this type of syntax for giving the above ACL, to give the admin account server-side sorting.

    #10442 Gbadamosi (Participant)

    Any clues how I can achieve this?

    #10444 JnRouvignac (Participant)

    Can you please post the EXACT command you are running and its output.
    Which version of OpenDJ are you using?

    #10452 Gbadamosi (Participant)

    I am using OpenDJ 2.6.0, and the command I am using to achieve this is

    bin/dsconfig set-access-control-handler-prop –add global-aci:'(targetcontrol=”1.2.840.113556.1.4.473″)(version 3.0;acl “Allow server-side sorting”; allow (read)(userdn = “ldap:///uid=openam,ou=admins,dc=example,dc=com”);)’ –port 4444 –bindDN “cn=Directory Manager” –bindPassword password –trustAll –no-prompt.

    #10454 JnRouvignac (Participant)

    Once again: what is the exact output of the command?

    #10460 Ludo (Moderator)

    I agree with Jean-Noel here: you are saying you have an error but do not provide any detail of the error.
    OpenDJ does report errors with quite a high level of detail (in the output of the dsconfig command and in the access log for the associated LDAP operations).
    These details are the ones we know and understand, and without them we cannot provide help.

    #10469 Gbadamosi (Participant)

    Hi, thanks, and sorry for not providing the output.

    Please find the output:

    ./dsconfig set-access-control-handler-prop –add global-aci: ‘(targetcontrol=”1.2.840.113556.1.4.473″)(version 3.0.;acl “Allow server side sorting”; allow (read)(userdn = “ldap:///uid=openam,ou=admins,dc=example,dc=com”);)’ –port 4444 –bindDN “cn=Directory Manager” –bindPassword Passw0rd –trustAll –no-prompt
    An error occurred while parsing the command-line arguments: Argument
    “(targetcontrol=”1.2.840.113556.1.4.473”)(version 3.0.;acl “Allow server side
    sorting”; allow (read)(userdn =
    “ldap:///uid=openam,ou=admins,dc=trinet,dc=com”);)” does not start with one or
    two dashes and unnamed trailing arguments are not allowed

    See “dsconfig –help” to get more usage help

    #10474 JnRouvignac (Participant)

    Is this exactly what you are running? Is your mailer playing tricks on you?
    I can see weird non-ASCII characters like and .
    Please note that in order to help you, you need to help us by reporting the EXACT things you do.

    I think the error message is quite clear:
    dsconfig rejected the command line argument “(targetcontrol=”1.2.840.113556.1.4.473”)(version 3.0.;acl “Allow server side sorting”; allow (read)(userdn = “ldap:///uid=openam,ou=admins,dc=trinet,dc=com”);)”

    I think you have an extra space between global-aci: and '(targetcontrol=... that should not be there according to other documentation.
    Please try again without the extra space and tell us if that works.

    #10475 Ludo (Moderator)

    There should be no space after global-aci:
    The --add option takes a single parameter, which is global-aci:'(target…)'
    Note that the ' and " characters should be the simple ASCII single quote and double quote characters (as per bash). Unfortunately, when copied/pasted into text input fields (or Word documents), they can get changed to typographic quotes (as in the example above).

    The following command works for me (as a single line).

    ./dsconfig set-access-control-handler-prop --add global-aci:'(targetcontrol="1.2.840.113556.1.4.473")(version 3.0;acl "Allow server side sorting"; allow (read)(userdn = "ldap:///uid=openam,ou=admins,dc=example,dc=com");)' --port 4444 --bindDN "cn=Directory Manager" --bindPassword secret12 --trustAll --no-prompt
    #10482 Gbadamosi (Participant)

    Thanks @jnrouvignac & @ludo. I was able to execute the command now.
    I just need a small input on how I can check whether uid=openam has the required ACI set.

    Thanks for your inputs again.

    #10483 Gbadamosi (Participant)

    I have used the below command and got the following output:

    ./ldapsearch –control effectiverights –port 1389 –bindDN “cn=Directory Manager” –bindPassword Passw0rd –baseDN “uid=openam,ou=admins,dc=example,dc=com” “cn=*” aclRights aclRightsInfo
    dn: uid=openam,ou=admins,dc=trinet,dc=com
    aclRightsInfo;logs;entryLevel;read: acl_summary(main): access allowed(read) on e
    ntry/attr(uid=openam,ou=admins,dc=example,dc=com, NULL) to (cn=Directory Manager
    ,cn=Root DNs,cn=config) (not proxied) ( reason: user has bypass-acl privileges
    )
    aclRightsInfo;logs;entryLevel;write: acl_summary(main): access allowed(write) on
    entry/attr(uid=openam,ou=admins,dc=example,dc=com, NULL) to (cn=Directory Manag
    er,cn=Root DNs,cn=config) (not proxied) ( reason: user has bypass-acl privilege
    s )
    aclRightsInfo;logs;entryLevel;add: acl_summary(main): access allowed(add) on ent
    ry/attr(uid=openam,ou=admins,dc=example,dc=com, NULL) to (cn=Directory Manager,c
    n=Root DNs,cn=config) (not proxied) ( reason: user has bypass-acl privileges )
    aclRightsInfo;logs;entryLevel;delete: acl_summary(main): access allowed(delete)
    on entry/attr(uid=openam,ou=admins,dc=example,dc=com, NULL) to (cn=Directory Man
    ager,cn=Root DNs,cn=config) (not proxied) ( reason: user has bypass-acl privile
    ges )
    aclRights;entryLevel: add:1,delete:1,read:1,write:1,proxy:1
    aclRightsInfo;logs;entryLevel;proxy: acl_summary(main): access allowed(proxy) on
    entry/attr(uid=openam,ou=admins,dc=example,dc=com, NULL) to (cn=Directory Manag
    er,cn=Root DNs,cn=config) (not proxied) ( reason: user has bypass-acl privilege
    s )

    I want to check whether server-side sorting is enabled for the user.

    #10496 Ludo (Moderator)

    -g, --getEffectiveRightsAuthzid {authzID}
        Use geteffectiverights control with the provided authzid

    Example: -g "dn:uid=openam,ou=admins,dc=example,dc=com"

    But I'm not sure controls and extended operations are reported in the aclRights (those are more tied to attributes and object classes).
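An added example, not posted by anyone in this thread: a Python script covering both open questions. It first checks a pasted dsconfig line for the typographic quotes, en dashes and the space after global-aci: that produced the error above, then parses ACI values (assumed to be read back from the ds-cfg-global-aci attribute of cn=Access Control Handler,cn=config with ldapsearch) to confirm the sort control is granted to a given user DN. The ACI values in the block are constructed samples, not output from any poster's server.

```python
import re

# Substitutions mailers and text fields make to the ASCII characters dsconfig and
# the shell need (the commands in this thread show curly quotes and en dashes).
TYPOGRAPHIC = {
    "\u201c": '"', "\u201d": '"', "\u2033": '"',   # “ ” ″ -> "
    "\u2018": "'", "\u2019": "'",                  # ‘ ’ -> '
    "\u2013": "--", "\u2014": "--",                # – — -> -- (option prefix)
}
SORT_CONTROL_OID = "1.2.840.113556.1.4.473"      # server-side sort request control

def command_problems(cmd):
    """List the copy/paste defects in a pasted dsconfig command line."""
    problems = [f"typographic {c!r} at offset {i}" for i, c in enumerate(cmd) if c in TYPOGRAPHIC]
    if re.search(r"global-aci:\s+\S", cmd):
        # dsconfig then sees the ACI as a separate unnamed argument: the error quoted above
        problems.append("whitespace after 'global-aci:' splits the --add value in two")
    return problems

def normalize_command(cmd):
    """Return cmd with ASCII quotes/dashes and no whitespace after 'global-aci:'."""
    cmd = "".join(TYPOGRAPHIC.get(c, c) for c in cmd)
    return re.sub(r"global-aci:\s+", "global-aci:", cmd)

# One ACI: (targetcontrol="oid || oid")(version 3.0; acl "..."; allow (read)(userdn = "ldap:///dn");)
ACI_RE = re.compile(
    r'\(targetcontrol\s*=\s*"([^"]+)"\).*?allow\s*\(([^)]*)\).*?userdn\s*=\s*"ldap:///([^"]+)"',
    re.IGNORECASE | re.DOTALL)

def grants_sort_control(global_acis, user_dn):
    """True if some ACI allows 'read' on the sort control to user_dn (or to all/anyone)."""
    for aci in global_acis:
        m = ACI_RE.search(aci)
        if not m:
            continue
        oids = {o.strip() for o in m.group(1).split("||")}
        rights = {r.strip().lower() for r in m.group(2).split(",")}
        subject = m.group(3).strip().lower()
        if SORT_CONTROL_OID in oids and "read" in rights and subject in (user_dn.lower(), "all", "anyone"):
            return True
    return False

# Constructed sample of what the ds-cfg-global-aci values might look like after the
# thread's --add, next to a default-style ACI that grants other controls to anyone.
SAMPLE_ACIS = [
    '(targetcontrol="2.16.840.1.113730.3.4.2 || 1.3.6.1.4.1.42.2.27.8.5.1")'
    '(version 3.0; acl "Anonymous control access"; allow(read) userdn="ldap:///anyone";)',
    '(targetcontrol="1.2.840.113556.1.4.473")(version 3.0;acl "Allow server side sorting";'
    ' allow (read)(userdn = "ldap:///uid=openam,ou=admins,dc=example,dc=com");)',
]
```

Run command_problems on the line you are about to paste into the shell; an empty list means the quoting and the --add value are in the form the working command above uses.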

Viewing 15 posts - 1 through 15 (of 18 total)
