From 54e307ea0113e386ddaf854f57f8d61aa7afc57e Mon Sep 17 00:00:00 2001
From: Mark Craig <mark.craig@forgerock.com>
Date: Fri, 07 Feb 2014 15:26:17 +0000
Subject: [PATCH] Port fix for OPENDJ-1265

---
 opendj3-server-dev/src/main/docbkx/admin-guide/index.xml                |    7 +-
 opendj3-server-dev/src/main/docbkx/admin-guide/chap-privileges-acis.xml |  138 +++++++++++++++++++++++++++++++--------------
 2 files changed, 98 insertions(+), 47 deletions(-)

diff --git a/opendj3-server-dev/src/main/docbkx/admin-guide/chap-privileges-acis.xml b/opendj3-server-dev/src/main/docbkx/admin-guide/chap-privileges-acis.xml
index 92c2f5d..7dfc371 100644
--- a/opendj3-server-dev/src/main/docbkx/admin-guide/chap-privileges-acis.xml
+++ b/opendj3-server-dev/src/main/docbkx/admin-guide/chap-privileges-acis.xml
@@ -20,13 +20,14 @@
   !
   ! CCPL HEADER END
   !
-  !      Copyright 2011-2013 ForgeRock AS
+  !      Copyright 2011-2014 ForgeRock AS
   !    
 -->
 <chapter xml:id='chap-privileges-acis'
          xmlns='http://docbook.org/ns/docbook' version='5.0' xml:lang='en'
          xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
-         xsi:schemaLocation='http://docbook.org/ns/docbook http://docbook.org/xml/5.0/xsd/docbook.xsd'
+         xsi:schemaLocation='http://docbook.org/ns/docbook
+                             http://docbook.org/xml/5.0/xsd/docbook.xsd'
          xmlns:xlink='http://www.w3.org/1999/xlink'
          xmlns:xinclude='http://www.w3.org/2001/XInclude'>
  <title>Configuring Privileges &amp; Access Control</title>
@@ -1156,7 +1157,7 @@
    ACIs.</para></footnote> However, OpenDJ also allows anonymous access by
    default to use some controls, to perform certain extended operations, to
    view root DSE operational attributes, to view directory schema definitions,
-   to view some other operational attibutes, and to perform compare and search
+   to view some other operational attributes, and to perform compare and search
    operations.</para>
 
    <para>These default capabilities are defined on the
@@ -1172,57 +1173,106 @@
  --bindPassword password
  --property global-aci</screen>
 
-   <para>To disable anonymous read access for example, use the
-   <command>dsconfig set-access-control-handler-prop</command> command.</para>
+   <para>
+    You can disable anonymous access either
+    by editing relevant <literal>global-aci</literal> properties,
+    or by using the global server configuration property,
+    <literal>reject-unauthenticated-requests</literal>.
+    Editing relevant <literal>global-aci</literal> properties
+    lets you take a fine-grained approach to limit anonymous access.
+    Setting <literal>reject-unauthenticated-requests:true</literal>
+    causes OpenDJ directory server to reject all requests
+    from clients who are not authenticated
+    except bind requests and StartTLS requests.
+   </para>
 
-   <para>First, remove the <literal>global-aci</literal> attribute value that
-   allows anonymous read access. Do not wrap the lines in the following
-   example if you use it as the basis for your script.</para>
-
-   <screen>$ dsconfig \
- set-access-control-handler-prop \
- --remove global-aci:\(targetattr!=\"userPassword\|\|authPassword\|\|changes\|\
-\|changeNumber\|\|changeType\|\|changeTime\|\|targetDN\|\|newRDN\|\
-\|newSuperior\|\|deleteOldRDN\|\|targetEntryUUID\|\|changeInitiatorsName\|\
-\|changeLogCookie\|\|includedAttributes\"\)\(version\ 3.0\;\ acl\ \"Anonymous\
-\ read\ access\"\;\ allow\ \(read,search,compare\)\
-\ userdn=\"ldap:///anyone\"\;\)\
- --hostname opendj.example.com \
- --port 4444 \
- --bindDN cn=Directory\ Manager \
- --bindPassword password \
- --trustAll \
- --no-prompt</screen>
-
-   <para>If the <literal>global-aci</literal> does not match the ACI exactly
-   then the command fails to remove the value. An alternative approach is to
-   use the <command>dsconfig</command> command interactively, adding the
-   <option>--commandFilePath</option> option. You can then use the command
-   you capture to remove the property value on other servers for example.
-   To use the <command>dsconfig</command> command this way, start the
-   command as follows.</para>
+   <para>
+    To take a fine-grained approach,
+    use the <command>dsconfig</command> command
+    to edit <literal>global-aci</literal> properties.
+    One of the most expedient ways to do this is to use the command interactively
+    on one OpenDJ directory server, capturing the output to a script with the
+    <option>--commandFilePath <replaceable>script</replaceable></option> option,
+    and then editing the script for use on other servers.
+    With this approach, you can
+    allow anonymous read access to the root DSE and to directory schemas
+    so that clients do not have to authenticate to discover server capabilities,
+    and also allow anonymous users access to some controls and extended operations.
+   </para>
 
    <screen>$ dsconfig
  --port 4444
  --hostname opendj.example.com
  --bindDN "cn=Directory Manager"
  --bindPassword password
- --commandFilePath /tmp/captured-command.sh</screen>
+ --commandFilePath /tmp/captured-global-aci-edits.sh
 
-   <para>Next, add a global ACI value that allows authenticated users to
-   perform read operations. You can use <command>dsconfig</command>
-   interactively to add the ACI value as shown below
-   <literal>(targetattr!= &#8230; userdn="ldap:///all";)</literal>.</para>
+# The dsconfig command runs interactively.
 
-   <programlisting language="ldif">global-aci: (targetattr!="userPassword||
- authPassword||changes||changeNumber||changeType||changeTime||targetDN||newRDN||
- newSuperior||deleteOldRDN||targetEntryUUID||changeInitiatorsName||
- changeLogCookie||includedAttributes")(version 3.0; acl "Authenticated users
- read access"; allow (read,search,compare) userdn="ldap:///all";)</programlisting>
+# Edit Access Control Handler, global-aci attributes replacing
+# userdn="ldap:///anyone" (anonymous) with userdn="ldap:///all" (authenticated)
+# in "Anonymous read access" and "User-Visible Operational Attributes" ACIs.
 
-   <para>Notice that these changes are made to the OpenDJ directory server
-   configuration, and so are not replicated to other servers. You must instead
-   apply the changes separately to each server.</para>
+# To make this change, you first remove the existing values,
+# then add the edited values, and finally apply the changes.
+</screen>
+
+   <para>
+    Make sure that you also set appropriate ACIs on any data that you import.
+   </para>
+
+   <para>
+    At this point, clients must authenticate to view search results for example.
+   </para>
+
+   <screen>$ ldapsearch --port 1389 --baseDN dc=example,dc=com "(uid=bjensen)"
+$ ldapsearch --bindDN uid=bjensen,ou=people,dc=example,dc=com
+ --bindPassword hifalutin --port 1389 --baseDN dc=example,dc=com
+ "(uid=bjensen)" cn uid
+dn: uid=bjensen,ou=People,dc=example,dc=com
+cn: Barbara Jensen
+cn: Babs Jensen
+uid: bjensen
+</screen>
+
+   <para>
+    You can download an example of the captured command,
+    <link xlink:href="http://opendj.forgerock.org/captured-global-aci-edits.sh"
+    >captured-global-aci-edits.sh</link>.
+   </para>
+
+   <para>
+    To reject anonymous access except bind and StartTLS requests,
+    set <literal>reject-unauthenticated-requests:true</literal>.
+   </para>
+
+   <screen>$ dsconfig
+ set-global-configuration-prop
+ --port 4444
+ --hostname opendj.example.com
+ --bindDN "cn=Directory Manager"
+ --bindPassword password
+ --trustAll
+ --no-prompt
+ --set reject-unauthenticated-requests:true</screen>
+
+   <para>
+    Once you set the property, anonymous clients trying to search for example
+    get an <literal>Unwilling to Perform</literal> response from OpenDJ.
+   </para>
+
+   <screen>$ ldapsearch --port 1389 --baseDN dc=example,dc=com "(uid=bjensen)"
+SEARCH operation failed
+Result Code:  53 (Unwilling to Perform)
+Additional Information:  Rejecting the requested operation
+ because the connection has not been authenticated</screen>
+
+   <para>
+    In both cases, notice that the changes apply to
+    a single OpenDJ directory server configuration,
+    and so are not replicated to other servers.
+    You must instead apply the changes separately to each server.
+   </para>
   </example>
 
   <example xml:id="access-control-full-access">
diff --git a/opendj3-server-dev/src/main/docbkx/admin-guide/index.xml b/opendj3-server-dev/src/main/docbkx/admin-guide/index.xml
index bc5a334..c42b810 100644
--- a/opendj3-server-dev/src/main/docbkx/admin-guide/index.xml
+++ b/opendj3-server-dev/src/main/docbkx/admin-guide/index.xml
@@ -20,13 +20,14 @@
   !
   ! CCPL HEADER END
   !
-  !      Copyright 2011-2013 ForgeRock AS
+  !      Copyright 2011-2014 ForgeRock AS
   !
 -->
 <book xml:id='admin-guide'
  xmlns='http://docbook.org/ns/docbook' version='5.0' xml:lang='en'
  xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
- xsi:schemaLocation='http://docbook.org/ns/docbook http://docbook.org/xml/5.0/xsd/docbook.xsd'
+ xsi:schemaLocation='http://docbook.org/ns/docbook
+                     http://docbook.org/xml/5.0/xsd/docbook.xsd'
  xmlns:xlink='http://www.w3.org/1999/xlink'
  xmlns:xinclude='http://www.w3.org/2001/XInclude'>
  <info>
@@ -36,7 +37,7 @@
    project offers open source LDAP directory services in Java.</para>
   </abstract>
   <copyright>
-   <year>2011-2013</year>
+   <year>2011-2014</year>
    <holder>ForgeRock AS</holder>
   </copyright>
   <authorgroup>

--
Gitblit v1.10.0