[midPoint] Does Midpoint support ApacheDS?
Radovan Semancik
radovan.semancik at evolveum.com
Wed Oct 2 11:19:57 CEST 2013
On 10/02/2013 10:50 AM, Deepak Natarajan wrote:
> Regarding this aci attribute (defined on ou=People,dc=example,dc=com from your example.ldif)
>
> aci: (targetattr="*||ds-pwp-account-disabled")(version 3.0; acl "IDM Access"; allow (all) userdn="ldap:///uid=idm,ou=Administrators,dc=example,dc=com";)
>
> When is this required? I understand this is to allow access to that subtree for the idm LDAP account - so will I need this attribute on all our organizational subtrees (if they are part of our midpoint resource schemas)?
Yes. Most likely. Or on some common parent entry (e.g. dc=example,dc=com
in this case). However, here I assume that Apache DS uses hierarchical
ACI evaluation similar to OpenDJ's, i.e. that ACIs on parent entries
are applied to the entire subtree. I have not studied the Apache DS
documentation. I just had a very quick look at an ACI example and that was
enough to conclude that the ACI syntax is not compatible with OpenDJ. I
haven't gone any deeper. Therefore I do not know for sure.
--
Radovan Semancik
Software Architect
evolveum.com