4.2.7.1 - Enable Authenticated Users to Browse and Read Entries

In this trail, we will show how we will allow all authenticated users to browse and read all the entries.

By default, if the access control subsystem is enabled, no one but the administrator can browse the DIT. This is obviously not convenient …

Partition and Access Control Area Setup

For this example we presume you have setup a partition at the namingContext dc=example,dc=com and have turned on access controls. Now you want to grant browse and read access to entries and their attributes.

Before you can add a subentry with the prescriptiveACI you’ll need to create an administrative area. For now we’ll make the root of the partition the Administrative Point (AP). Every entry including this entry and those underneath will be part of the autonomous administrative area for managing access controls. To do this we must add the administrativeRole operational attribute to the AP entry.

AdministrationPoint setup

In our case, the dc=example,dc=com context entry has to contain the administrativeRole attribute, with the accessControlSpecificArea value.

Let’s first connect to the server using the admin user, and select the dc=example,dc=com entry :

We will now add the directoryOperation attribute administrativeRole to this entry :

and we select the accessControlSpecificArea value :

Here is the resulting entry :

Subentry addition

Now, we have to create a subentry in which we will add the prescriptiveACI granting access to all the users.

Let’s define the ACI first.

ACIItem Description

Here’s the ACIItem we will add :

{ 
  identificationTag "enableSearchForAllUsers",
  precedence 14,
  authenticationLevel simple,
  itemOrUserFirst userFirst: 
  { 
    userClasses { allUsers }, 
    userPermissions 
    { 
      {
          protectedItems {entry, allUserAttributeTypesAndValues}, 
          grantsAndDenials { grantRead, grantReturnDN, grantBrowse } 
      }
    } 
  } 
}

There are several parameters to this simple ACIItem. Here’s a brief explanation of each field and it’s meaning or significance.

In our case, we want to grant all the users :

userClasses { allUsers }

to be granted a read access :

grantsAndDenials { grantRead, grantReturnDN, grantBrowse } 

for the Entry and all the values :

protectedItems {entry, allUserAttributeTypesAndValues}, 

The granted permissions are used to allow the user to browse the tree (grantBrowse), read the entries (grantRead) and return the DN for aliases (grantReturnDN).

PrescriptiveACI addition

Now that we have defined the ACIItem**, we have to add it into a **subentry** associated with the **administration point**. This is just an entry under the **administration Point**, here, we will call it **cn=enableSearchForAllUsers, dc=example,dc=com**.

The entry is described below in a LDIF format :

dn: cn=enableSearchForAllUsers,dc=example,dc=com
objectClass: top
objectClass: subentry
objectClass: accessControlSubentry
subtreeSpecification: {}
prescriptiveACI: 
{ 
  identificationTag "enableSearchForAllUsers",
  precedence 14,
  authenticationLevel simple,
  itemOrUserFirst userFirst: 
  { 
    userClasses { allUsers }, 
    userPermissions 
    { 
      {
          protectedItems {entry, allUserAttributeTypesAndValues}
          grantsAndDenials { grantRead, grantReturnDN, grantBrowse }
    }
  }
}
}

It’s also easy to create such an entry with Apache Directory Studio. First, right click on the context entry, and select ‘new Entry’ :

Then create a new entry from scratch, and select the ‘subentry’ and ‘accessControlSubentry’ ObjectClasses :

Create the RDN for this new entry :

Pass the subtree editor, we don’t need to define anything here, and go to the Attributes definition :

The next step is to add the prescriptiveACI value, using the dedicated editor :

When the selection has been done, we have to add the permissions :

Once done, all the entries under dc=example,dc=com are ruled by this ACI