content/apacheds/advanced-ug/4.2.7.1-enable-authenticated-users-to-browse-and-read-entries.mdtext - directory-site - Git at Google

 Title: 4.2.7.1 - Enable Authenticated Users to Browse and Read Entries
 NavPrev: 4.2.7-using-acis-trail.html
 NavPrevText: 4.2.7 Using ACIs trail
 NavUp: 4.2.7-using-acis-trail.html
 NavUpText: 4.2.7 Using ACIs trail
 NavNext: 4.2.8-acis-administration.html
 NavNextText: 4.2.8 - ACIs administration
 Notice: Licensed to the Apache Software Foundation (ASF) under one
     or more contributor license agreements.  See the NOTICE file
     distributed with this work for additional information
     regarding copyright ownership.  The ASF licenses this file
     to you under the Apache License, Version 2.0 (the
     "License"); you may not use this file except in compliance
     with the License.  You may obtain a copy of the License at
     .
     http://www.apache.org/licenses/LICENSE-2.0
     .
     Unless required by applicable law or agreed to in writing,
     software distributed under the License is distributed on an
     "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
     KIND, either express or implied.  See the License for the
     specific language governing permissions and limitations
     under the License.

 # 4.2.7.1 - Enable Authenticated Users to Browse and Read Entries

 In this trail, we will show how we will allow all authenticated users to browse and read all the entries.

 By default, if the access control subsystem is enabled, no one but the administrator can browse the DIT. This is obviously not convenient ...

 # Partition and Access Control Area Setup

 For this example we presume you have setup a partition at the namingContext **dc=example,dc=com** and have turned on access controls. Now you want to grant browse and read access to entries and their attributes.

 Before you can add a **subentry** with the **prescriptiveACI** you'll need to create an **administrative area**. For now we'll make the root of the partition the **Administrative Point** (**AP**). Every entry including this entry and those underneath will be part of the autonomous administrative area for managing access controls. To do this we must add the **administrativeRole** operational attribute to the **AP** entry.

 <DIV class="warning" markdown="1">
 <B>Reminder...</B>
 Don't forget to check the 'fetch subentries' and 'fetch operational attributes' in your connection's browser option tab, otherwise some parts of the following tutorial will not appear !
 </DIV>


 ## AdministrationPoint setup

 In our case, the **dc=example,dc=com** context entry has to contain the **administrativeRole** attribute, with the **accessControlSpecificArea** value.

 Let's first connect to the server using the **admin** user, and select the **dc=example,dc=com** entry :

 ![dc=example.com](images/ACI-example.png)


 We will now add the **directoryOperation** attribute **administrativeRole** to this entry :

 ![AdministrativeRole new attribute](images/ACI-new-attribute.png)

 and we select the **accessControlSpecificArea** value :

 ![AccessControlSpecificArea](images/ACI-access-control-specific-area.png)

 Here is the resulting entry :

 ![Result Entry](images/ACI-result-entry.png)

 ## Subentry addition

 Now, we have to create a **subentry** in which we will add the **prescriptiveACI** granting access to all the users.

 Let's define the ACI first.

 ### ACIItem Description

 Here's the ACIItem we will add :

     :::Java
     {
       identificationTag "enableSearchForAllUsers",
       precedence 14,
       authenticationLevel simple,
       itemOrUserFirst userFirst:
       {
         userClasses { allUsers },
         userPermissions
         {
           {
 	          protectedItems {entry, allUserAttributeTypesAndValues},
 	          grantsAndDenials { grantRead, grantReturnDN, grantBrowse }
           }
         }
       }
     }

 There are several parameters to this simple ACIItem. Here's a brief
 explanation of each field and it's meaning or significance.

 | Fields | Description |
 |---|---|
 | identificationTag | Identifies the ACIItem within an entry. |
 | precedence | Determine which ACI to apply with conflicting ACIItems. |
 | authenticationLevel | User's level of trust with values of none, simple, strong |
 | itemOrUserFirst | Determines order of item permissions or user permissions. |
 | userClasses | The set of users the permissions apply to. |
 | userPermissions | Permissions on protected items |

 In our case, we want to grant all the users :

     :::Java
     userClasses { allUsers }

 to be granted a read access :

     :::Java
 	  grantsAndDenials { grantRead, grantReturnDN, grantBrowse }

 for the Entry and all the values :

     :::Java
  	  protectedItems {entry, allUserAttributeTypesAndValues},

 The granted permissions are used to allow the user to browse the tree
 (**grantBrowse**), read the entries (**grantRead**) and return the DN for
 aliases (**grantReturnDN**).

 <a name="2.5.7.1EnableAuthenticatedUserstoBrowseandReadEntries-PrescriptiveACIaddition"></a>

 ## PrescriptiveACI addition

 Now that we have defined the *A*CIItem**, we have to add it into a **subentry**
 associated with the **administration point**. This is just an entry under the
 **administration Point**, here, we will call it **cn=enableSearchForAllUsers,
 dc=example,dc=com**.

 The entry is described below in a LDIF format :

     :::Java
     dn: cn=enableSearchForAllUsers,dc=example,dc=com
     objectClass: top
     objectClass: subentry
     objectClass: accessControlSubentry
     subtreeSpecification: {}
     prescriptiveACI:
     {
       identificationTag "enableSearchForAllUsers",
       precedence 14,
       authenticationLevel simple,
       itemOrUserFirst userFirst:
       {
         userClasses { allUsers },
         userPermissions
         {
           {
 	          protectedItems {entry, allUserAttributeTypesAndValues}
 	          grantsAndDenials { grantRead, grantReturnDN, grantBrowse }
         }
       }
     }
   }

 It's also easy to create such an entry with **Apache Directory Studio**.
 First, right click on the context entry, and select 'new Entry' :

 ![New entry](images/ACI-new-entry.png)

 Then create a new entry from scratch, and select the 'subentry' and
 'accessControlSubentry' ObjectClasses :

 ![ObjectClass selection](images/ACI-subentry-oc.png)

 Create the RDN for this new entry :

 ![Rdn creation](images/ACI-rdn-creation.png)

 Pass the subtree editor, we don't need to define anything here, and go to
 the Attributes definition :

 ![Attributes definition](images/ACI-attributes-definition.png)

 The next step is to add the **prescriptiveACI** value, using the dedicated
 editor :

 ![PrescriptiveACI addition](images/ACI-prescriptive-aci.png)

 When the selection has been done, we have to add the permissions :

 ![Add permissions](images/ACI-add-permissions.png)


 Once done, all the entries under **dc=example,dc=com** are ruled by this ACI
	Title: 4.2.7.1 - Enable Authenticated Users to Browse and Read Entries
	NavPrev: 4.2.7-using-acis-trail.html
	NavPrevText: 4.2.7 Using ACIs trail
	NavUp: 4.2.7-using-acis-trail.html
	NavUpText: 4.2.7 Using ACIs trail
	NavNext: 4.2.8-acis-administration.html
	NavNextText: 4.2.8 - ACIs administration
	Notice: Licensed to the Apache Software Foundation (ASF) under one
	or more contributor license agreements. See the NOTICE file
	distributed with this work for additional information
	regarding copyright ownership. The ASF licenses this file
	to you under the Apache License, Version 2.0 (the
	"License"); you may not use this file except in compliance
	with the License. You may obtain a copy of the License at
	.
	http://www.apache.org/licenses/LICENSE-2.0
	.
	Unless required by applicable law or agreed to in writing,
	software distributed under the License is distributed on an
	"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
	KIND, either express or implied. See the License for the
	specific language governing permissions and limitations
	under the License.

	# 4.2.7.1 - Enable Authenticated Users to Browse and Read Entries

	In this trail, we will show how we will allow all authenticated users to browse and read all the entries.

	By default, if the access control subsystem is enabled, no one but the administrator can browse the DIT. This is obviously not convenient ...

	# Partition and Access Control Area Setup

	For this example we presume you have setup a partition at the namingContext dc=example,dc=com and have turned on access controls. Now you want to grant browse and read access to entries and their attributes.

	Before you can add a subentry with the prescriptiveACI you'll need to create an administrative area. For now we'll make the root of the partition the Administrative Point (AP). Every entry including this entry and those underneath will be part of the autonomous administrative area for managing access controls. To do this we must add the administrativeRole operational attribute to the AP entry.

	<DIV class="warning" markdown="1">
	<B>Reminder...</B>
	Don't forget to check the 'fetch subentries' and 'fetch operational attributes' in your connection's browser option tab, otherwise some parts of the following tutorial will not appear !
	</DIV>


	## AdministrationPoint setup

	In our case, the dc=example,dc=com context entry has to contain the administrativeRole attribute, with the accessControlSpecificArea value.

	Let's first connect to the server using the admin user, and select the dc=example,dc=com entry :

	![dc=example.com](images/ACI-example.png)


	We will now add the directoryOperation attribute administrativeRole to this entry :

	![AdministrativeRole new attribute](images/ACI-new-attribute.png)

	and we select the accessControlSpecificArea value :

	![AccessControlSpecificArea](images/ACI-access-control-specific-area.png)

	Here is the resulting entry :

	![Result Entry](images/ACI-result-entry.png)

	## Subentry addition

	Now, we have to create a subentry in which we will add the prescriptiveACI granting access to all the users.

	Let's define the ACI first.

	### ACIItem Description

	Here's the ACIItem we will add :

	:::Java
	{
	identificationTag "enableSearchForAllUsers",
	precedence 14,
	authenticationLevel simple,
	itemOrUserFirst userFirst:
	{
	userClasses { allUsers },
	userPermissions
	{
	{
	protectedItems {entry, allUserAttributeTypesAndValues},
	grantsAndDenials { grantRead, grantReturnDN, grantBrowse }
	}
	}
	}
	}

	There are several parameters to this simple ACIItem. Here's a brief
	explanation of each field and it's meaning or significance.

	\| Fields \| Description \|
	\|---\|---\|
	\| identificationTag \| Identifies the ACIItem within an entry. \|
	\| precedence \| Determine which ACI to apply with conflicting ACIItems. \|
	\| authenticationLevel \| User's level of trust with values of none, simple, strong \|
	\| itemOrUserFirst \| Determines order of item permissions or user permissions. \|
	\| userClasses \| The set of users the permissions apply to. \|
	\| userPermissions \| Permissions on protected items \|

	In our case, we want to grant all the users :

	:::Java
	userClasses { allUsers }

	to be granted a read access :

	:::Java
	grantsAndDenials { grantRead, grantReturnDN, grantBrowse }

	for the Entry and all the values :

	:::Java
	protectedItems {entry, allUserAttributeTypesAndValues},

	The granted permissions are used to allow the user to browse the tree
	(grantBrowse), read the entries (grantRead) and return the DN for
	aliases (grantReturnDN).

	<a name="2.5.7.1EnableAuthenticatedUserstoBrowseandReadEntries-PrescriptiveACIaddition"></a>

	## PrescriptiveACI addition

	Now that we have defined the ACIItem, we have to add it into a subentry**
	associated with the administration point. This is just an entry under the
	administration Point, here, we will call it **cn=enableSearchForAllUsers,
	dc=example,dc=com**.

	The entry is described below in a LDIF format :

	:::Java
	dn: cn=enableSearchForAllUsers,dc=example,dc=com
	objectClass: top
	objectClass: subentry
	objectClass: accessControlSubentry
	subtreeSpecification: {}
	prescriptiveACI:
	{
	identificationTag "enableSearchForAllUsers",
	precedence 14,
	authenticationLevel simple,
	itemOrUserFirst userFirst:
	{
	userClasses { allUsers },
	userPermissions
	{
	{
	protectedItems {entry, allUserAttributeTypesAndValues}
	grantsAndDenials { grantRead, grantReturnDN, grantBrowse }
	}
	}
	}
	}

	It's also easy to create such an entry with Apache Directory Studio.
	First, right click on the context entry, and select 'new Entry' :

	![New entry](images/ACI-new-entry.png)

	Then create a new entry from scratch, and select the 'subentry' and
	'accessControlSubentry' ObjectClasses :

	![ObjectClass selection](images/ACI-subentry-oc.png)

	Create the RDN for this new entry :

	![Rdn creation](images/ACI-rdn-creation.png)

	Pass the subtree editor, we don't need to define anything here, and go to
	the Attributes definition :

	![Attributes definition](images/ACI-attributes-definition.png)

	The next step is to add the prescriptiveACI value, using the dedicated
	editor :

	![PrescriptiveACI addition](images/ACI-prescriptive-aci.png)

	When the selection has been done, we have to add the permissions :

	![Add permissions](images/ACI-add-permissions.png)


	Once done, all the entries under dc=example,dc=com are ruled by this ACI