The ApacheDS documentation is hard to read, and the section defining user rights (access control) is especially obscure; fortunately I have now worked through it.
First, the useful references I consulted:
1. Official documentation, Basic User Guide: http://directory.apache.org/apacheds/basic-user-guide.html. Mainly covers installation, basic operations and logging in.
2. Official documentation, Advanced User Guide: http://directory.apache.org/apacheds/advanced-user-guide.html. Covers building from source, system architecture, service configuration and access control administration. One complaint: it is really hard to follow and full of TODOs.
3. Looks like semi-official documentation: http://joacim.breiler.com/apacheds/book.html. Very detailed, with plenty of examples.
4. Access control example: fr20_apacheds_access_control_administration_the_x.500_way.pdf
=============================================================================================================
Glossary of common terms:
DIT: Directory Information Tree
AA: Administrative Area
AP: Administrative Point
AAA: Autonomous Administrative Area, an area administered autonomously; all entries in it are managed as one unit
SAA: Specific Administrative Area, an area administered for one specific aspect (access control is one such aspect)
IAA: Inner Administrative Area, an administrative area nested inside another one
SAP: Specific Administrative Point
ACI: Access Control Information
"Usually an entry is selected as the administrative point and marked with an operational attribute. The attributeType of the operational attribute is 'administrativeRole'."
In other words, adding this operational attribute to an entry makes it an administrative point.
ACSA: Access Control Specific Area
=============================================================================================================
Practical Walkthrough
Requirements:
1. An LDAP super administrator who manages all data in LDAP;
2. Anonymous users can view user information;
3. Users are divided into three groups: development, testing and operations;
4. Authorization is granted per user group.
Procedure:
1. Install the ApacheDS server.
Download apacheds-2.0.0-M15-64bit.bin into the directory /home/apacheds/, then:
chmod +x *.bin
/etc/init.d/apacheds-2.0.0-M15-default start
This completes the installation and start-up of ApacheDS.
2. Install Apache Directory Studio.
This time I use the Eclipse plugin; see http://directory.apache.org/studio/installation-in-eclipse.html. Installation from the Eclipse Marketplace is also supported.
3. Connection and configuration
Switch to Eclipse's LDAP perspective and create a new connection:
Hostname: 199.155.122.90, Port: 10389, Encryption method: No encryption (note that other encryption methods use different ports)
Authentication method: Simple, User: uid=admin,ou=system, Password: secret (the default highest-privilege user)
Open the server configuration, enable Access Control and disable Anonymous Login.
Restart the ApacheDS service for the change to take effect.
4. Partition setup
Delete the system's default example partition and create a new one, here dc=xxx.com.
5. Create ou=users and ou=groups:
dn: ou=groups,dc=taotaosou.com
objectClass: organizationalUnit
objectClass: top
ou: groups

dn: ou=users,dc=taotaosou.com
objectClass: organizationalUnit
objectClass: top
ou: users
6. Enable access control on the root entry. Adding the administrativeRole attribute is the key step:
dn: dc=taotaosou.com
objectClass: domain
objectClass: top
dc: taotaosou.com
administrativeRole: accessControlSpecificArea
7. Add anonymous read permission (authenticationLevel none, user class allUsers):
dn: cn=enableAllUsersRead,dc=taotaosou.com
objectClass: subentry
objectClass: accessControlSubentry
objectClass: top
cn: enableAllUsersRead
prescriptiveACI: { identificationTag "enableAllUsersRead", precedence 0, authenticationLevel none, itemOrUserFirst userFirst: { userClasses { allUsers }, userPermissions { { protectedItems { entry, allUserAttributeTypesAndValues }, grantsAndDenials { grantCompare, grantFilterMatch, grantRead, grantReturnDN, grantBrowse } } } } }
subtreeSpecification: {}
8. Allow users to read and modify their own entry (user class thisEntry):
dn: cn=allowSelfAccessAndModification,dc=taotaosou.com
objectClass: subentry
objectClass: accessControlSubentry
objectClass: top
cn: allowSelfAccessAndModification
# The precedence value was missing from this ACI in the original post; 0 is assumed here, matching the other two ACIs.
prescriptiveACI: { identificationTag "allowSelfAccessAndModification", precedence 0, authenticationLevel simple, itemOrUserFirst userFirst: { userClasses { thisEntry }, userPermissions { { protectedItems { entry, allUserAttributeTypesAndValues }, grantsAndDenials { grantRemove, grantExport, grantCompare, grantImport, grantRead, grantFilterMatch, grantModify, grantInvoke, grantDiscloseOnError, grantRename, grantReturnDN, grantBrowse, grantAdd } } } } }
subtreeSpecification: {}
9. Add administrator privileges for members of the administrator group (user class userGroup):
dn: cn=enableAdminSuper,dc=taotaosou.com
objectClass: subentry
objectClass: accessControlSubentry
objectClass: top
cn: enableAdminSuper
prescriptiveACI: { identificationTag "enableAdminSuper", precedence 0, authenticationLevel strong, itemOrUserFirst userFirst: { userClasses { userGroup { "cn=administrator,ou=groups,dc=taotaosou.com" } }, userPermissions { { protectedItems { entry, allUserAttributeTypesAndValues }, grantsAndDenials { grantRemove, grantExport, grantCompare, grantImport, grantRead, grantFilterMatch, grantModify, grantInvoke, grantDiscloseOnError, grantRename, grantReturnDN, grantBrowse, grantAdd } } } } }
subtreeSpecification: {}
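Step 9 grants rights to a single group, while requirement 4 asks for the same per development, testing and operations group. The Python below is an added example (not from the original post and not ApacheDS code): it assembles a userGroup prescriptiveACI item in the same shape as the entries above, checks its brace nesting before it is loaded, and folds the long value into RFC 2849 LDIF continuation lines. The group DN cn=dev,ou=groups,dc=taotaosou.com and the grant sets are constructed sample values.

```python
import re

# Grant sets for the walkthrough's roles (constructed for this example):
# read-only for browsing, full rights for a group that may manage entries.
READ_GRANTS = ("grantCompare", "grantFilterMatch", "grantRead",
               "grantReturnDN", "grantBrowse")
FULL_GRANTS = READ_GRANTS + ("grantAdd", "grantModify", "grantRemove",
                             "grantRename", "grantImport", "grantExport",
                             "grantInvoke", "grantDiscloseOnError")

def build_group_aci(tag, group_dn, grants, precedence=0, auth_level="simple"):
    """Return a prescriptiveACI value giving `grants` on the whole entry
    (entry + allUserAttributeTypesAndValues) to members of `group_dn`."""
    assert auth_level in ("none", "simple", "strong")
    return ('{ identificationTag "%s", precedence %d, authenticationLevel %s, '
            'itemOrUserFirst userFirst: { userClasses { userGroup { "%s" } }, '
            'userPermissions { { protectedItems { entry, allUserAttributeTypesAndValues }, '
            'grantsAndDenials { %s } } } } }'
            % (tag, precedence, auth_level, group_dn, ", ".join(grants)))

def braces_balanced(text):
    """ACI items nest with braces; the server rejects an unbalanced value."""
    depth = 0
    for ch in text:
        depth += {"{": 1, "}": -1}.get(ch, 0)
        if depth < 0:
            return False
    return depth == 0

def fold_ldif_line(line, width=76):
    """RFC 2849 folding: cut at `width`, continuation lines start with one space."""
    out, rest = [line[:width]], line[width:]
    while rest:
        out.append(" " + rest[:width - 1])
        rest = rest[width - 1:]
    return "\n".join(out)

def group_aci_entry(cn, base_dn, aci):
    """Complete LDIF for an accessControlSubentry directly under the ACSA base."""
    lines = ["dn: cn=%s,%s" % (cn, base_dn), "objectClass: subentry",
             "objectClass: accessControlSubentry", "objectClass: top",
             "cn: " + cn, fold_ldif_line("prescriptiveACI: " + aci),
             "subtreeSpecification: {}"]
    return "\n".join(lines) + "\n"

def unfold_ldif(text):
    """Reverse folding: a newline followed by a space joins the lines."""
    return re.sub(r"\n ", "", text)

if __name__ == "__main__":
    aci = build_group_aci("enableDevRead", "cn=dev,ou=groups,dc=taotaosou.com", READ_GRANTS)
    print(group_aci_entry("enableDevRead", "dc=taotaosou.com", aci))
```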