4.2.7.1 - Enable Authenticated Users to Browse and Read Entries

In this trail, we will show how we will allow all authenticated users to browse and read all the entries.

By default, if the access control subsystem is enabled, no one but the administrator can browse the DIT. This is obviously not convenient ...

Partition and Access Control Area Setup

For this example we presume you have setup a partition at the namingContext dc=example,dc=com and have turned on access controls. Now you want to grant browse and read access to entries and their attributes.

Before you can add a subentry with the prescriptiveACI you'll need to create an administrative area. For now we'll make the root of the partition the Administrative Point (AP). Every entry including this entry and those underneath will be part of the autonomous administrative area for managing access controls. To do this we must add the administrativeRole operational attribute to the AP entry.

AdministrationPoint setup

In our case, the dc=example,dc=com context entry has to contain the administrativeRole attribute, with the accessControlSpecificArea value.

Let's first connect to the server using the admin user, and select the dc=example,dc=com entry :

dc=example.com

We will now add the directoryOperation attribute administrativeRole to this entry :

AdministrativeRole new attribute

and we select the accessControlSpecificArea value :

AccessControlSpecificArea

Here is the resulting entry :

Result Entry

Subentry addition

Now, we have to create a subentry in which we will add the prescriptiveACI granting access to all the users.

Let's define the ACI first.

ACIItem Description

Here's the ACIItem we will add :

{ 
  identificationTag "enableSearchForAllUsers",
  precedence 14,
  authenticationLevel simple,
  itemOrUserFirst userFirst: 
  { 
    userClasses { allUsers }, 
    userPermissions 
    { 
      {
          protectedItems {entry, allUserAttributeTypesAndValues}, 
          grantsAndDenials { grantRead, grantReturnDN, grantBrowse } 
      }
    } 
  } 
}

There are several parameters to this simple ACIItem. Here's a brief explanation of each field and it's meaning or significance.

Fields Description
identificationTag Identifies the ACIItem within an entry.
precedence Determine which ACI to apply with conflicting ACIItems.
authenticationLevel User's level of trust with values of none, simple, strong
itemOrUserFirst Determines order of item permissions or user permissions.
userClasses The set of users the permissions apply to.
userPermissions Permissions on protected items

In our case, we want to grant all the users :

userClasses { allUsers }

to be granted a read access :

  grantsAndDenials { grantRead, grantReturnDN, grantBrowse }

for the Entry and all the values :

  protectedItems {entry, allUserAttributeTypesAndValues},

The granted permissions are used to allow the user to browse the tree (grantBrowse), read the entries (grantRead) and return the DN for aliases (grantReturnDN).

PrescriptiveACI addition

Now that we have defined the ACIItem, we have to add it into a subentry associated with the administration point. This is just an entry under the administration Point, here, we will call it cn=enableSearchForAllUsers, dc=example,dc=com**.

The entry is described below in a LDIF format :

dn: cn=enableSearchForAllUsers,dc=example,dc=com
objectClass: top
objectClass: subentry
objectClass: accessControlSubentry
subtreeSpecification: {}
prescriptiveACI: 
{ 
  identificationTag "enableSearchForAllUsers",
  precedence 14,
  authenticationLevel simple,
  itemOrUserFirst userFirst: 
  { 
    userClasses { allUsers }, 
    userPermissions 
    { 
      {
          protectedItems {entry, allUserAttributeTypesAndValues}
          grantsAndDenials { grantRead, grantReturnDN, grantBrowse }
    }
  }
}

}

It's also easy to create such an entry with Apache Directory Studio. First, right click on the context entry, and select 'new Entry' :

New entry

Then create a new entry from scratch, and select the 'subentry' and 'accessControlSubentry' ObjectClasses :

ObjectClass selection

Create the RDN for this new entry :

Rdn creation

Pass the subtree editor, we don't need to define anything here, and go to the Attributes definition :

Attributes definition

The next step is to add the prescriptiveACI value, using the dedicated editor :

PrescriptiveACI addition

When the selection has been done, we have to add the permissions :

Add permissions

Once done, all the entries under dc=example,dc=com are ruled by this ACI