1. enable security in Tamino via SMH
2. make the following ACL request:

    ACL /tamino/welcome_4_4_1/ino:dav/ino:dav/test HTTP/1.1
    Host:localhost
    Content-Type: text/xml
    Content-Length:649
    Authorization: Basic XXX

    <?xml version="1.0" encoding="UTF-8" ?>
    <D:acl xmlns:D="DAV:">
      <D:ace>
        <D:principal>
          <D:href>/tamino/welcome_4_4_1/ino:dav/ino:davPrincipal/ino:user/DOMAIN\user</D:href>
        </D:principal>
        <D:grant>
          <D:privilege><D:read/></D:privilege>
          <D:privilege><D:write/></D:privilege>
        </D:grant>
      </D:ace>
      <D:ace>
        <D:principal>
          <D:property><D:owner/></D:property>
        </D:principal>
        <D:grant>
          <D:privilege><D:administer/></D:privilege>
        </D:grant>
      </D:ace>
      <D:ace>
        <D:principal><D:all/></D:principal>
        <D:grant>
          <D:privilege><D:read/></D:privilege>
        </D:grant>
      </D:ace>
    </D:acl>

3. receive the following error:

    HTTP/1.1 400 Bad Request
    Date: Thu, 13 Oct 2005 17:56:53 GMT
    Server: Apache/2.0.54 (Win32)
    X-INO-returnvalue: 8552
    X-INO-Version: 4.4.1.1
    Content-Length: 0
    Connection: close
    Content-Type: text/plain

The request is taken as is from the book by Lisa Dusseault, page 348.
A quick search on 8552 in the Tamino Documentation finds this page: file:///C:/Program%20Files/Software%20AG/Tamino/Tamino%204.4.1.1/Documentation/en/xprog/xprspstr.htm#spyanchor0 that says
Any idea what went wrong?
OK, the ace that triggers the error comes here:

    <D:ace>
      <D:principal>
        <D:property><D:owner/></D:property>
      </D:principal>
      <D:grant>
        <D:privilege><D:administer/></D:privilege>
      </D:grant>
    </D:ace>

That is, the following ACL works:

    ACL /tamino/welcome_4_4_1/ino:dav/ino:dav/test HTTP/1.1
    Host:localhost
    Content-Type: text/xml
    Content-Length:649
    Authorization: Basic XXX

    <?xml version="1.0" encoding="UTF-8" ?>
    <D:acl xmlns:D="DAV:">
      <D:ace>
        <D:principal>
          <D:href>/tamino/welcome_4_4_1/ino:dav/ino:davPrincipal/ino:user/DOMAIN\user</D:href>
        </D:principal>
        <D:grant>
          <D:privilege><D:read/></D:privilege>
          <D:privilege><D:write/></D:privilege>
        </D:grant>
      </D:ace>
      <D:ace>
        <D:principal><D:all/></D:principal>
        <D:grant>
          <D:privilege><D:read/></D:privilege>
        </D:grant>
      </D:ace>
    </D:acl>

Now, whether I try to log in as a DOMAIN\user or as a DOMAIN\anyotheruser, I can write to the folder test. Given that the WebDAV from Tamino 4.4.1 does not support inverted principals, I have no clue about how to deny access to DOMAIN\anyotheruser.

P.S. The Security Manager in SMH contains an OS Domain with the option Accept Users = “all”.
Extra info: We decided to retest with two OS Domains and the option Accept Users = “defined” by performing the following steps:
1. recreated the Tamino DB
2. Added 2 Security OS Domains
3. Set

    <?xml version="1.0" encoding="UTF-8" ?>
    <D:acl xmlns:D="DAV:">
      <D:ace>
        <D:principal>
          <D:href>/tamino/test/ino:dav/ino:davPrincipal/ino:user/DOMAIN\user</D:href>
        </D:principal>
        <D:grant>
          <D:privilege><D:all/></D:privilege>
        </D:grant>
      </D:ace>
      <D:ace>
        <D:principal><D:all/></D:principal>
        <D:grant>
          <D:privilege><D:read/></D:privilege>
        </D:grant>
      </D:ace>
    </D:acl>

   on the root of the WebDAV repository /tamino/test/ino:dav/ino:dav
4. Then, we activated the Security by setting authentication to “tamino”
5. restarted the Tamino DB
6. and we could not log into WebDAV with DOMAIN\user nor with any other DOMAIN user. All authentication attempts result in the 403 Access denied response.
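
For comparison, the privileges the first ACL in this post would yield under a simplified grant-only WebDAV ACL model (the union of the grants of every matching ACE), as an added example that is not part of the original post and not Tamino's code. The owner `DOMAIN\owner` and the helper names are assumptions; deny, invert and group principals are not modelled.

```python
import xml.etree.ElementTree as ET

D = "{DAV:}"
USERS = "/tamino/welcome_4_4_1/ino:dav/ino:davPrincipal/ino:user/"  # from the post

# ACL body from the first request in the post, re-wrapped for readability.
ACL_XML = r"""<D:acl xmlns:D="DAV:">
 <D:ace><D:principal><D:href>/tamino/welcome_4_4_1/ino:dav/ino:davPrincipal/ino:user/DOMAIN\user</D:href></D:principal>
  <D:grant><D:privilege><D:read/></D:privilege><D:privilege><D:write/></D:privilege></D:grant></D:ace>
 <D:ace><D:principal><D:property><D:owner/></D:property></D:principal>
  <D:grant><D:privilege><D:administer/></D:privilege></D:grant></D:ace>
 <D:ace><D:principal><D:all/></D:principal>
  <D:grant><D:privilege><D:read/></D:privilege></D:grant></D:ace>
</D:acl>"""


def local(elem):
    """Return the element's tag name without its namespace."""
    return elem.tag.split("}", 1)[-1]


def matches(principal, user_url, owner_url):
    """True if this <D:principal> selects the requesting user."""
    kind = principal[0]
    if kind.tag == D + "all":
        return True
    if kind.tag == D + "href":
        return kind.text.strip() == user_url
    if kind.tag == D + "property":  # e.g. <D:owner/>: compare with the resource owner
        return local(kind[0]) == "owner" and user_url == owner_url
    raise ValueError("principal type not modelled: " + local(kind))


def granted(acl_xml, user_url, owner_url):
    """Union of the privileges granted to user_url by every matching ACE."""
    privs = set()
    for ace in ET.fromstring(acl_xml).findall(D + "ace"):
        if ace.find(D + "deny") is not None or ace.find(D + "invert") is not None:
            raise ValueError("deny/invert ACEs are not modelled")
        if matches(ace.find(D + "principal"), user_url, owner_url):
            for priv in ace.findall(D + "grant/" + D + "privilege"):
                privs.add(local(priv[0]))
    return privs


if __name__ == "__main__":
    owner = USERS + r"DOMAIN\owner"  # assumed owner of the collection
    for name in (r"DOMAIN\user", r"DOMAIN\anyotheruser", r"DOMAIN\owner"):
        print(name, sorted(granted(ACL_XML, USERS + name, owner)))
```

Under this model DOMAIN\anyotheruser matches only the `D:all` ACE and ends up with read alone, which is the baseline to compare the server's observed behaviour against.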