ACI question: * allowed

Hi,
we are trying to simplify our ACIs.
Now we have one syntax, which works in other ACIs, but unfortunately not in this one.
Can you give me a hint about what's wrong?
aci: (targetattr = "*") (target = "ldap:///ou=xxxou,ou=xxxadmin,l=location,c=country,o=organization") (version 3.0;acl "Allow_xxGroup_to_update_xxxou";allow (all)(groupdn = "ldap:///cn=xxGroup,ou=xxx,ou=*,l=location,c=country,o=organization");)
This xxGroup exists in different organizationalUnits under l=location,c=country,o=organization, but we have to specify an explicit ou to get it working; otherwise we get the following error message:
ldap_modify: Insufficient access
ldap_modify: additional info: Insufficient 'write' privilege to the 'userPassword' attribute of entry 'uid=xyz,ou=yyy,ou=xxx,ou=xxxou=xxxadmin,l=location,c=country,o=organization'.
The syntax with the * works perfectly in other ACIs, but not here.
Cheers!
Edited by: rsc-ffm on 16.09.2011 10:19
bold didn't work

Hi,
I tried to replace this ACI with the following, but unfortunately that does not work either:
aci: (targetattr = "*") (target = "ldap:///ou=xxxou,ou=xxxadmin,l=location,c=country,o=organization") (version 3.0;acl "Allow_xxGroup_to_update_xxxou";allow (all)(groupdn = "ldap:///cn=xxGroup,ou=xxx,($dn),l=location,c=country,o=organization");)
ou=xxxou,ou=xxxadmin is in a separate branch, so it's not possible to do it with a macro either.
If I try to add this ACI, I get the following error message:
ldap_modify: Invalid syntax
ldap_modify: additional info: ACL Invalid Target Error(-8): Target is beyond the scope of the ACL (Scope:ou=xxxou,ou=xxxadmin,l=location,c=country,o=organization) (targetattr = \"\2a\") (version 3.0;acl \"Allow_xxGroup_to_update_xxxou\";allow (all)(groupdn = \"ldap:///cn=xxGroup,ou=xxx,($dn),l=location,c=country,o=organization\");)
It makes no difference whether I put this ACI on l=location or on the target DN; the error message is the same....

Similar Messages

  • ACI Question

    I would like to give all members of a group in the directory access to read all attributes except the userPassword. I have created the following ACI:
    (targetattr != "userPassword")(version 3.0;acl "Read All Access"; allow (read,compare,search)
    (groupdn = "ldap:///cn=Read_All_Access,ou=Groups,dc=pwcglobal,dc=com") ;)
    Is this the correct syntax for this? It does not seem to be working, as members of the group can still see the userPassword attribute.
    There are no other ACIs conflicting. When I remove my test user from the group it can see nothing, which is what I want.
    thanks,

    The ACI itself and your results are not incompatible. What your ACI says is that members of the group should be able to read all attributes other than userPassword. The observation that they can read userPassword is not in contradiction, though it is out of scope.
    I see that you have asserted that there are no conflicting ACIs. If you want another few sets of eyes on that, could you paste your ACIs into the thread? As I said there is nothing in the single ACI you have pasted that would determine whether members of that group should or should not be able to read the userPassword.
    Other suggestions:
    1) Remove the ACI entirely and see if the group member you are testing with can still read userPassword.
    2) Use the getEffectiveRights control to view ACI rights.
    3) Change the ACI to allow read access to all except another, different attribute and see if the same behavior occurs.

  • Deny/allow aci question

    I want to allow specific users certain rights to an attribute, but then I want to deny all others that I didn't specify. How would you do this? Let's say..
    Allow(write,read,search) (userdn="ldap:///johndoe"); Then I want to deny access to the rest of the users that are not john doe. I don't even want them to have read access. Thanks. Also, is there a way to change the default access to none instead of read and search. Thanks in advance.

    By default, if there are no ACIs present, there is no access. You must always explicitly allow access, otherwise, it is denied. Keep in mind, though, that the installation and instance creation process adds certain ACIs by default - you may have to remove or edit them.

  • Nokia 6230 car hands free ACI question

    hello there,
    I was trying to connect my nokia 6230 to the car's audio AUX input in order to be able to listen to MP3.
    I have a very good knowledge of Electronics, so I did some changes in the hands-free car kit.
    question is: I noticed that when the car kit is connected to the phone (& the car icon appears), the audio output becomes MONO, which means I can't really enjoy stereo MP3 (with my change I bypassed the car kit's speaker output with a relay only when a call is active).
    the audio out pins of the pop port are at pins 11-14.
    BUT - again - when the car kit is attached, output pins 13-14 are inactive (only mono from pins 11-12 is available)
    does anyone know how to hack this further so it becomes stereo? (I guess it is something with the ACI protocol?? (pin 3))
    thanks,
    TOM

    The phone is only seeing your "modification" as the basic mono headset. It needs to recognise the ACI chip in the headset, which tells the phone what's plugged in and therefore what audio paths to turn on. Unless you can mimic the ACI info (copyright infringement, so be aware) the phone won't open the second audio path.
    Message Edited by megadodo on 06-Sep-2007 04:16 PM

  • Zimbra Security Question:  Allow / Block embedded javascript or tags?

    Technical requirement: Ability to send in plain text and rich text and HTML (limited HTML, no javascripting or harmful tags)
    Can javascript or tags be embedded in an email through the Zimbra interface?
    Also, Zimbra has developed ALE (AJAX Linking and Embedding), a technology that allows users to embed applets into e-mail. For example, users can share a live spreadsheet in e-mail, rather than sending copies back and forth. Are applets a potential security risk? Can they be blocked?
    Thanks for your time.

    Hi guigs2,
    if there is no problem in opening the bug ticket as a simple user, I'll report it myself (if I haven't misunderstood you). (Confirm this and I'll do it myself).
    About the AJAX problem, here we have a sample test that works after toggling the preference:
    http://www.w3schools.com/xml/xml_http.asp
    I know about noscript and I don't like it. I prefer to do it manually (those measures and more). What bothered me is that even toggling the preference, which in the past did the job of stopping the execution of scripts, now doesn't. Around version 24 it was only happening with event listeners not being blocked (used nowadays for dynamic event assignments). Now it is with every JavaScript code.
    About the tracking methods, I'm aware of HTTP tracking without any need of JavaScript. Even a simple "knock knock" on any kind of server leaves a trace.
    I was just pointing out that this preference no longer doing its job (stopping script execution) has its worst scenario, security-wise, with XMLHttpRequest calls.
    But one of the things that bothers me too, and it is not related to tracking, is that on humble machines like mine some JavaScript code drops the whole performance, and the preference toggle now does nothing, so the script keeps running without you being able to do anything. Sometimes you don't have the option to load a page without JavaScript, because you need some feature of that page that requires JavaScript, which makes it "all or nothing".
    Regards.

  • Shipping Recalled Battery back to ACI Question

    So I got my replacement battery for my powerbook and packaged up the old battery to ship it back. I looked at the label and couldn't tell what carrier sent it or who was supposed to return ship it to ACI. Am I wrong in assuming that Apple is footing the bill for the return shipping? So I read on the enclosed note that it appears that the US Postal Service is supposed to accept the prepackaged label. So I went to my local post office and the agent behind the counter said it wasn't one of their accounts. ***? He said I could send it but I would have to pay. Then they ran the zip code on the return label and it didn't come up right either. Has anyone else had this problem? Is it supposed to go UPS or FedEx or DHL instead of USPS? HELP!!

    From my understanding it is DHL.

  • Default acis on DS 5.2

    Hello everyone.
    I have recently set up DS 5.2. I plan to not allow anonymous access. I noticed however that on o=Netscaperoot and below, anonymous access is enabled by default. I would like to ask if it is ok to remove these ACIs, or whether this could cause problems.
    thank you in advance.

    2) Your aci assumes that "targetattr !=" means all attributes except the following. That's not the way access control works. By default, the DS denies access to everything unless access is explicitly granted. So, unless you have another aci that allows access to (targetattr = "*"), this won't work.

    That's what I thought, too, but I tested an ACI that allowed access to all fields, and in fact retrieved everything including those explicitly disallowed by the first ACI. So I looked back at my original attempt and noticed it still had the string "aci:" in front. When I removed that (and the "all permission" ACI) the directory server started behaving as expected. Problem apparently solved, except "why did the ACI syntax checker not barf on that ACI?"
    A now-rhetorical question... thanks!

  • Question Slide Failure Levels Issue

    I have 2 rather large assessments that I need to edit TODAY
    UGH! of course! They were originally meant to only give the user 1
    attempt at each, and therefore 1 failure level. The question slides
    were imported from various projects, and changed to 1 attempt/1
    failure level, and various other things were changed about the
    formatting. Now, the decision has been made to allow users 3
    attempts at each question, and therefore 3 failure levels. When I
    make this change, publish & test, the question allows me one
    attempt, and continues to the next question!!!
    Please help!!
    Thanks

    We decided to just allow the users to review the quiz, and
    leave the questions at 1 attempt/failure level each - at least for
    now. Adobe support told me the question slides were corrupted, and
    that I could recreate them by inserting new question slides, which
    apparently worked for them in the testing. Of course, since I don't
    have the time to completely recreate the entire assessment, I have
    not done that.

  • 2630. java applications. Allow network access?

    When entering some java application on nokia 2630, for example google maps, it asks:
    "Allow network access? the application is not from a trusted supplier" three times. On the fourth time: "try again later or try to install new version".
    Some other applications are working almost properly... but they keep asking the same question every 5-10 seconds: "Allow network access? The application is not..."
    And some applications are working correctly. miniopera and jimm.
    So, the problem is not in the gprs settings.
    What can I do with this problem?

    You can either try to get hold of a trusted build of the application you want to run or you can change the Application access setting. When you have an application selected, click Option then Application Access and set the Network access Ask first time only.

  • ACI and dynamic groups

    I can't seem to get dynamic groups working. Here's my dynamic group setup:
    ldapsearch -D "cn=directory manager" -w "passwd01" -b "ou=internal,dc=example,dc=com" "objectclass=groupOfUrls"
    version: 1
    dn: cn=istest,ou=Groups,ou=internal,dc=example,dc=com
    cn: istest
    objectClass: top
    objectClass: groupOfUrls
    ou: Groups
    memberURL: ldap:///ou=people,ou=internal,dc=example,dc=com??sub?(uid=user1)
    I know for sure user1 exists:
    ldapsearch -D "cn=directory manager" -w "passwd01" -b "ou=internal,dc=example,dc=com" "uid=user1"
    version: 1
    dn: uid=user1,ou=people,ou=internal,dc=example,dc=com
    objectClass: shadowAccount
    objectClass: posixAccount
    objectClass: account
    objectClass: top
    loginShell: /bin/bash
    uidNumber: 3000
    homeDirectory: /home/user1
    gecos: User1
    cn: User1
    gidNumber: 500
    uid: user1
    When I run a search, I get nothing:
    ldapsearch -D "cn=Directory Manager" -w passwd01 -b "ou=internal,dc=example,dc=com" "(isMemberOf=cn=istest,ou=Groups,ou=internal,dc=example,dc=com)"
    Directory Server version: 6.3
    Using /usr/bin/ldapsearch on solaris 10.
    My main objective is to use dynamic groups to set up some ACIs. eg: allow a user w/ attribute gidNumber=400 full read/write.
    mike

    ismemberof only works for static groups.

    My main objective is to use dynamic groups to set up some ACIs. eg: allow a user w/ attribute gidNumber=400 full read/write.

    Have you considered using filtered roles?

  • ACI restrict read access to certain DNS domains

    Hello all. I need help with creating an ACI. We have telephonenumber populated in our directory. We want to allow people under our domains to read the value of telephonenumber, but not anyone outside our domain. I've created an aci that allows read and search of telephonenumber from our DNS domains, however people outside those domains still have access. I tried removing telephonenumber from the Anonymous Access list, but then even people in our domains can't read the value. So, any help on this would be greatly appreciated.
    Thanks,
    Bob Jones

    Hi Bob,
    It sounds like the new ACI you created probably wasn't working in the first place. If removing the attribute from the anonymous ACI removed everyone's view of telephonenumber - that was the ACI that was being used to access the attribute in the first place.
    Can you post a sample of the ACI you are trying to utilize to grant access to telephonenumber - that might be quickest ....

  • Navigation issues with question slides in Captivate 6

    In earlier versions of Captivate (5.5) we have always been able to insert question slides into our projects as checkpoints and allow the user to freely navigate through the project and answer the checkpoint questions as often as they like. We have also been able to provide success and failure feedback popups for those questions.
    In Captivate 6 we are seeing that question slides can apparently only be answered once and do not reset to be answered again the next time the user navigates to those slides. We want to allow the user to answer checkpoint questions as often as they like and we need to be able to provide success and failure feedback popups. We have tried every imaginable combination of settings with no success. Has anyone else been experiencing this or have a solution to this problem?
    Thanks,
    Vernon . . .

    When I run the same projects with the exact same settings side by side in Captivate 5 and Captivate 6, in the Cap 5 project I can navigate the project freely and answer the checkpoint questions repeatedly as often as I like. As I navigate the questions are reset and can be answered again every time I enter the question slides.
    In Cap 6 the questions are locked after the first answer and cannot be answered a second time. Even stranger is the fact that when tested using only a subset of the slides adjacent to the question slide (next 3) it works and does appear to reset the question allowing repeated answers, but it fails when the entire project is run.
    I have asked our other developers to test this and they are experiencing the same problem with their projects.
    The only difference I can see between the two projects is that the Quiz results slide in Cap 6 cannot be deleted whereas it does not exist in the Cap 5 project ???

  • ACI issue

    Hi all
    I want to create an ACI to allow specified IPs to access my OUD data.
    During creation, I added 193.168.186.89 to the ip address filters.
    The following error occurred:
    javax.naming.directory.InvalidAttributeValueException: [LDAP: error code 21 - When attempting to modify entry dc=example,dc=com to add one or more values for attribute aci, value "(targetscope = "subtree") (version 3.0; acl "test"; allow (import,delete,add,read,search,export,compare,proxy,selfwrite,write) ip = "oracle.idm.directoryservices.odsm.model.aci.PatternIP@109e24d3";)" was found to be invalid according to the associated syntax: The provided Access Control Instruction (ACI) bind rule ip expression value "oracle.idm.directoryservices.odsm.model.aci.PatternIP@109e24d3" is invalid. A valid ip keyword expression requires one or more comma-separated elements of a valid IP address list expression]; remaining name 'dc=example,dc=com'
    Is anybody familiar with this error?
    I would appreciate any reply.
    Thanks.

    Looks like a bug in ODSM with IP patterns ...
    As a workaround, you can add the aci manually, using the ldapmodify command, e.g.
    ldapmodify -p <ldap port> -D "<admin dn, e.g. cn=directory manager>" -w <password>
    dn: dc=example,dc=com
    changetype: modify
    add: aci
    aci: (targetscope = "subtree") (version 3.0; acl "test"; allow (import,delete,add,read,search,export,compare,proxy,selfwrite,write) ip = "<your IP pattern>";)
    see http://docs.oracle.com/cd/E22289_01/html/821-1277/bind-rule-syntax.html#defining-access-from-specific-ip-address for IP patterns
    and
    http://docs.oracle.com/cd/E22289_01/html/821-1273/managing-acis-with-ldapmodify.html#scrolltoc for aci creation via ldapmodify
    HTH
    -Sylvain

  • Locked by ACI

    Hi,
    I tried modifying the default aci that allows anonymous access by putting in "deny" for "allow".
    Now I am unable to view the ACI itself to modify it back.
    The ACI was on top of o=sample.com and the target was the same o=sample.com.
    Is there anything that I can do to change it back... I am not able to view or do anything under o=sample.com

    Got it resolved by removing the aci using ldapmodify...

  • ACI consolidation?

    I'm currently working on a Directory Server analysis for a customer in order to determine whether some ACIs can be removed from the system to improve performance. I know that a single ACI can have multiple permission/bind rule statements to apply access rules for multiple users/groups/roles/etc., but does doing this present a performance increase over having two separate ACIs that each only have one permission/bind rule statement?
    For example, is this:
    (targetattr = "*") (version 3.0; acl "Consolidated ACI";
    allow (all) userdn = "ldap:///uid=admin1,ou=People,dc=example,dc=com";
    allow (read,search) userdn = "ldap:///uid=user423,ou=People,dc=example,dc=com"; )
    any better than this?
    (targetattr = "*") (version 3.0; acl "Separate ACI 1"; allow (all) userdn = "ldap:///uid=admin1,ou=People,dc=example,dc=com"; )
    (targetattr = "*") (version 3.0; acl "Separate ACI 2"; allow (read,search) userdn = "ldap:///uid=user423,ou=People,dc=example,dc=com"; )
    PS: Are there code tags on this forum that I can use to block out code/syntax examples with a monospaced font or the like?
    Edited by: 953418 on Aug 17, 2012 8:22 AM

    Remember that placement of ACIs is important.
    When accessing an entry the server collects all the ACIs on the path between the root suffix and the entry, and processes those ACIs.
    Now, you can collect all your ACIs together and place them on the suffix, but there are a couple of potential drawbacks:
    1) Do you really want all of the ACIs to affect the entire DIT? Or do you want to restrict a given ACI to a specific sub-tree? If it's the latter, place it on the sub-tree.
    2) If you put all the ACIs on the suffix, every one of them will potentially be processed for every request. This can have a noticeable performance impact. By placing them close to where their effect is required, you limit their scope, and the number of times they get processed.
    Also keep in mind that other than affecting scope, placement has no effect on order of processing.
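A small model of the evaluation rules the replies in the "ACI Question", "Default acis on DS 5.2" and "ACI consolidation?" threads describe: nothing is granted by default, a "targetattr !=" rule only widens an allow and never denies the excluded attribute, an ACI only applies to entries at or below where it is placed, and an explicit deny wins over an allow. This is an illustration added here, not code from any of the posters or from Directory Server; the DNs and ACIs are constructed samples.

```python
from dataclasses import dataclass, field


def under(placement_dn: str, entry_dn: str) -> bool:
    """True if entry_dn is placement_dn itself or lies below it."""
    p = placement_dn.lower().replace(" ", "")
    e = entry_dn.lower().replace(" ", "")
    return e == p or e.endswith("," + p)


@dataclass
class Aci:
    placed_at: str      # DN of the entry carrying this aci value (its scope)
    targetattr: set     # attribute names, or {"*"} for every attribute
    negate: bool        # True models (targetattr != "...")
    permission: str     # "allow" or "deny"
    rights: set         # e.g. {"read", "search", "compare"}
    groups: set = field(default_factory=set)  # exact groupdn bind rule DNs

    def targets(self, attr: str) -> bool:
        if "*" in self.targetattr:
            return True
        hit = attr.lower() in {a.lower() for a in self.targetattr}
        return not hit if self.negate else hit


def read_allowed(acis, entry_dn, attr, bind_groups) -> bool:
    """Can a user who is a member of bind_groups read attr on entry_dn?"""
    allowed = False
    for aci in acis:
        if not under(aci.placed_at, entry_dn):
            continue                      # placed elsewhere: out of scope
        if not aci.targets(attr) or "read" not in aci.rights:
            continue
        if not (aci.groups & set(bind_groups)):
            continue                      # bind rule does not match
        if aci.permission == "deny":
            return False                  # an explicit deny always wins
        allowed = True
    return allowed                        # nothing matched: no access


SUFFIX = "dc=pwcglobal,dc=com"
READERS = "cn=Read_All_Access,ou=Groups,dc=pwcglobal,dc=com"
PERSON = "uid=jdoe,ou=People," + SUFFIX            # constructed sample entry
SERVICE = "uid=svc1,ou=Services," + SUFFIX         # constructed sample entry

not_pwd = Aci(SUFFIX, {"userPassword"}, True, "allow",
              {"read", "search", "compare"}, {READERS})
everything = Aci(SUFFIX, {"*"}, False, "allow", {"read", "search"}, {READERS})
deny_pwd = Aci("ou=People," + SUFFIX, {"userPassword"}, False, "deny",
               {"read"}, {READERS})


def scenario() -> dict:
    """The situations discussed in the threads, side by side."""
    one, both = [not_pwd], [not_pwd, everything]
    with_deny = both + [deny_pwd]
    return {
        "mail_one_aci": read_allowed(one, PERSON, "mail", [READERS]),
        "pwd_one_aci": read_allowed(one, PERSON, "userPassword", [READERS]),
        "pwd_both": read_allowed(both, PERSON, "userPassword", [READERS]),
        "pwd_non_member": read_allowed(both, PERSON, "userPassword", []),
        "pwd_deny_people": read_allowed(with_deny, PERSON, "userPassword", [READERS]),
        "pwd_deny_services": read_allowed(with_deny, SERVICE, "userPassword", [READERS]),
    }


if __name__ == "__main__":
    for case, result in scenario().items():
        print(f"{case}: {'allowed' if result else 'denied'}")
```

The "pwd_both" case is the behaviour the "Default acis" poster observed: once a second ACI grants (targetattr = "*"), the "!=" ACI does nothing to hide userPassword, and only a deny placed within scope (the "pwd_deny_people" case) takes it away again.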
