Sun Java System Communications Services 6 2005Q1 Delegated Administrator Guide

Appendix D
ACI Consolidation

This appendix covers the following topics:


Introduction

When Access Manager and Messaging Server are installed together against an LDAP Schema 2 directory, a large number of access control instructions (ACIs) are initially installed in that directory. Many of these default ACIs are neither needed nor used by Messaging Server.

Every ACI that has to be evaluated at run time costs Directory Server time, which in turn slows Messaging Server lookups and other directory operations.

Consolidating the default ACIs in the directory, so that fewer of them remain, improves Directory Server performance. A consolidated ACI set is also easier to manage.

The ACIs are reduced as follows:

This appendix first describes how to use an ldif file (replacement.acis.ldif) to consolidate the ACIs on the root suffix and to remove the unused ACIs from the directory. For details, see Consolidating and Removing ACIs, below.

Next, the appendix analyzes each ACI and recommends how to handle it: discard the ACI, modify it to make it more efficient, or rewrite it.

Note that these recommendations are subject to the following limitations:

Where these limitations apply, you must decide for yourself, based on the requirements of your installation, whether you can use the ldif file to consolidate and remove the ACIs, or whether some of the existing ACIs in the directory must be kept.

For more information, see Analysis of Existing ACIs, later in this appendix.

The appendix then describes the ACIs that the replacement.acis.ldif file consolidates. It lists the existing ACIs before consolidation and the modified ACIs after consolidation. For more information, see Analysis of How the ACIs Are Consolidated, later in this appendix.

Finally, the appendix lists the ACIs that replacement.acis.ldif discards. For more information, see List of Unused ACIs to Be Discarded, later in this appendix.


Consolidating and Removing ACIs

The ldif file listed in this section, replacement.acis.ldif, installs the consolidated ACIs on the root suffix and removes the unused ACIs from the directory. The file is shipped with Delegated Administrator in the following directory:

da_base/lib/config-templates

When replacement.acis.ldif is applied to the directory with ldapmodify, the ldapmodify command deletes every instance of the aci attribute on the root suffix entry and replaces them with the ACIs from replacement.acis.ldif. Because the file is a single replace: aci modification of the root suffix entry, it affects only the ACIs stored on that entry; ACIs on entries below the suffix (for example, the per-organization ACIs discussed later in this section) are left as they are.

The procedure therefore first removes all ACIs from the root suffix and then replaces them with the ACI set below. If the directory contains ACIs generated by other applications (such as Portal Server), save those ACIs to a file first and reapply them to the directory after replacement.acis.ldif has been applied.

For instructions on cleaning up the ACIs with this ldif file, see Steps to Replace the ACIs, later in this section.

The replacement.acis.ldif File

dn: $rootSuffix
changetype: modify
replace: aci
aci: (targetattr = "*")(version 3.0; acl "Configuration Administrator";
  allow (all)
  userdn="ldap:///uid=admin,ou=Administrators,ou=TopologyManagement,
  o=NetscapeRoot";)
aci: (target="ldap:///$rootSuffix")
  (targetfilter=(!(objectclass=sunServiceComponent)))
  (targetattr != "userPassword||passwordHistory
  ||passwordExpirationTime||passwordExpWarned||passwordRetryCount
  ||retryCountResetTime||accountUnlockTime||passwordAllowChangeTime")
  (version 3.0; acl "anonymous access rights";
  allow (read,search,compare)
  userdn = "ldap:///anyone"; )
aci: (targetattr != "nsroledn||aci||nsLookThroughLimit||nsSizeLimit
  ||nsTimeLimit||nsIdleTimeout||passwordPolicySubentry||passwordExpirationTime
  ||passwordExpWarned||passwordRetryCount||retryCountResetTime
  ||accountUnlockTime||passwordHistory||passwordAllowChangeTime||uid||memberOf
  ||objectclass||inetuserstatus||ou||owner||mail||mailuserstatus
  ||memberOfManagedGroup||mailQuota||mailMsgQuota||mailhost
  ||mailAllowedServiceAccess||inetCOS||mailSMTPSubmitChannel")
  (version 3.0; acl "Allow self entry modification";
  allow (write)
  userdn ="ldap:///self";)
aci: (targetattr != "aci||nsLookThroughLimit||nsSizeLimit
  ||nsTimeLimit||nsIdleTimeout")
  (version 3.0; acl "Allow self entry read search";
  allow (read,search)
  userdn ="ldap:///self";)
aci: (target="ldap:///$rootSuffix")
  (targetattr="*")
  (version 3.0; acl "S1IS Proxy user rights";
  allow (proxy)
  userdn = "ldap:///cn=puser,ou=DSAME Users,
  $rootSuffix"; )
aci: (target="ldap:///$rootSuffix")
  (targetattr="*")
  (version 3.0; acl "S1IS special dsame user rights for all under the root suffix";
  allow (all)
  userdn = "ldap:///cn=dsameuser,ou=DSAME Users,
  $rootSuffix"; )
aci: (target="ldap:///$rootSuffix")
  (targetattr="*")
  (version 3.0; acl "S1IS special ldap auth user rights";
  allow (read,search)
  userdn = "ldap:///cn=amldapuser,ou=DSAME Users,
  $rootSuffix"; )
aci: (target="ldap:///$rootSuffix")
  (targetattr="*")
  (version 3.0; acl "S1IS Top-level admin rights";
  allow (all)
  roledn = "ldap:///cn=Top-level Admin Role,
  $rootSuffix"; )
aci: (targetattr="*")
  (version 3.0; acl "Messaging Server End User Administrator Read Only Access";
  allow (read,search)
  groupdn="ldap:///cn=Messaging End User Administrators Group,ou=Groups,
  $rootSuffix";)
aci: (targetattr="objectclass || mailalternateaddress || Mailautoreplymode ||
  mailprogramdeliveryinfo || preferredlanguage || maildeliveryoption
  || mailforwardingaddress || mailAutoReplyTimeout || mailautoreplytextinternal
  || mailautoreplytext || vacationEndDate || vacationStartDate
  || mailautoreplysubject || maxPabEntries || mailMessageStore
  || mailSieveRuleSource || sunUCDateFormat || sunUCDateDeLimiter
  || sunUCTimeFormat || mailuserstatus || maildomainstatus")
  (version 3.0; acl "Messaging Server End User Administrator All Access";
  allow (all)
  groupdn = "ldap:///cn=Messaging End User Administrators Group,ou=Groups,
  $rootSuffix";)
aci: (targetattr = "*")
  (version 3.0;acl "Allow Read-Only Access";
  allow (read,search,compare)
  groupdn = "ldap:///cn=Read-Only,ou=Groups,
  $rootSuffix";)
aci: (target="ldap:///cn=Organization Admin Role,($dn),$rootSuffix")
  (targetattr="*")
  (version 3.0; acl "S1IS Organization Admin Role access deny";
  deny (write,add,delete,compare,proxy)
  roledn = "ldap:///cn=Organization Admin Role,($dn),
  $rootSuffix";)
aci: (target="ldap:///($dn),$rootSuffix")
  (targetattr="*")
  (version 3.0; acl "Organization Admin Role access allow read";
  allow(read,search)
  roledn = "ldap:///cn=Organization Admin Role,[$dn],
  $rootSuffix" ;)
aci: (target="ldap:///($dn),$rootSuffix")
  (targetfilter=(!(|(nsroledn=cn=Top-level Admin Role,$rootSuffix)
  (entrydn=($dn),$rootSuffix))))
  ( targetattr = "*")
  (version 3.0; acl "S1IS Organization Admin Role access allow";
  allow (all)
  roledn = "ldap:///cn=Organization Admin Role,[$dn],
  $rootSuffix";)

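Before applying the file above, it is worth checking mechanically that it still enforces the invariants the rest of this appendix assumes: an anonymous bind never gets more than read, search and compare; a user can never write aci or nsroledn on their own entry (nsroledn is role membership, so writing it is a direct path to the Top-level Admin Role); and an ACI whose name says read-only does not grant write. The checker below is an added example, not part of Delegated Administrator. Its inputs are constructed from the listing with $rootSuffix set to o=usergroup, and BAD_SELF is a deliberately flawed counter-example, not an ACI taken from the shipped file.

```python
"""Static checker for an ACI set such as the replacement.acis.ldif listing above.

Added example; not code from the Sun guide. It handles the Directory Server
ACI v3.0 shape used on this page (target clauses, then one version/acl clause
holding a single allow or deny and a single bind rule). ACIs with several
rule clauses are assumed not to occur and are not parsed.
"""
import re

# Constructed from the replacement file, $rootSuffix already set to o=usergroup.
CONSOLIDATED = [
    '(target="ldap:///o=usergroup")(targetfilter=(!(objectclass=sunServiceComponent)))'
    '(targetattr != "userPassword||passwordHistory||passwordExpirationTime")'
    '(version 3.0; acl "anonymous access rights"; allow (read,search,compare)'
    ' userdn = "ldap:///anyone"; )',
    '(targetattr != "nsroledn||aci||nsLookThroughLimit||uid||mail||mailhost")'
    '(version 3.0; acl "Allow self entry modification"; allow (write) userdn ="ldap:///self";)',
    '(targetattr="*")(version 3.0; acl "Messaging Server End User Administrator Read Only Access";'
    ' allow (read,search) groupdn="ldap:///cn=Messaging End User Administrators Group,ou=Groups,o=usergroup";)',
]

# Constructed counter-example: the acl name promises read/search, but the rule
# grants write on everything except the resource limits, so a user could
# rewrite nsroledn on their own entry and assign themselves an admin role.
BAD_SELF = ('(targetattr != " aci || nsLookThroughLimit || nsSizeLimit || nsTimeLimit|| nsIdleTimeout")'
            '(version 3.0; acl "Allow self entry read search"; allow(write) userdn ="ldap:///self";)')

PROTECTED_FROM_SELF = {"aci", "nsroledn"}   # a user must never write these on their own entry
WRITE_LIKE = {"write", "add", "delete", "proxy", "all"}


def _clauses(aci):
    """Top-level parenthesised clauses of an ACI, nesting respected."""
    out, depth, start = [], 0, 0
    for i, ch in enumerate(aci):
        if ch == "(":
            if depth == 0:
                start = i + 1
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                out.append(aci[start:i])
    if depth:
        raise ValueError("unbalanced parentheses")
    return out


def parse_aci(aci):
    """Parse one ACI into target, targetattr (set or None), negated, targetfilter, acl, effect, rights, bind."""
    r = {"target": None, "targetattr": None, "negated": False, "targetfilter": None,
         "acl": "", "effect": None, "rights": set(), "bind": ("?", "?", "")}
    for clause in _clauses(" ".join(aci.split())):   # collapse LDIF line folding / spacing
        c = clause.strip()
        if c.lower().startswith("version"):
            m = re.search(r'acl\s+"([^"]*)"\s*;\s*(allow|deny)\s*\(([^)]*)\)\s*(.*?)\s*;?\s*$', c)
            if not m:
                raise ValueError("unparsable rule clause: " + c)
            r["acl"], r["effect"] = m.group(1), m.group(2)
            r["rights"] = {x.strip().lower() for x in m.group(3).split(",")}
            b = re.match(r'(userdn|roledn|groupdn|userattr)\s*(!=|=)\s*"?([^"]*)"?', m.group(4))
            r["bind"] = (b.group(1), b.group(2), b.group(3)) if b else ("?", "?", m.group(4))
        else:
            m = re.match(r'(target\w*)\s*(!=|=)\s*(.*)$', c)
            if not m:
                raise ValueError("unparsable target clause: " + c)
            key, op, val = m.group(1).lower(), m.group(2), m.group(3).strip().strip('"')
            if key == "targetattr":
                r["targetattr"] = {a.strip().lower() for a in val.split("||")}
                r["negated"] = op == "!="
            else:
                r[key] = val
    return r


def lint(acis):
    """Findings against the invariants this appendix relies on; [] means clean."""
    findings = []
    for aci in acis:
        r = parse_aci(aci)
        kind, op, who = r["bind"]
        writes = r["rights"] & WRITE_LIKE
        if r["effect"] != "allow":
            continue                                  # a deny can only narrow access
        if who == "ldap:///anyone" and op == "=" and writes:
            findings.append(f'{r["acl"]!r}: anonymous is granted {sorted(writes)}')
        if who == "ldap:///self" and writes & {"write", "all"}:
            attrs = r["targetattr"] or {"*"}
            if r["negated"]:
                exposed = PROTECTED_FROM_SELF - attrs     # not in the exclusion list -> writable
            elif "*" in attrs:
                exposed = set(PROTECTED_FROM_SELF)
            else:
                exposed = PROTECTED_FROM_SELF & attrs
            if exposed:
                findings.append(f'{r["acl"]!r}: a user may write {sorted(exposed)} on their own entry')
        if "read" in r["acl"].lower() and writes:
            findings.append(f'{r["acl"]!r}: name promises read access but rule grants {sorted(writes)}')
    return findings


if __name__ == "__main__":
    print("consolidated set:", lint(CONSOLIDATED) or "clean")
    print("counter-example:", lint([BAD_SELF]))
```

Run lint() over every aci value of your edited copy (after unfolding the LDIF continuation lines) before the ldapmodify step of the procedure below; a non-empty result means the file should not be applied as is. The parser is deliberately narrow, so an ACI it does not understand raises an error instead of being skipped silently.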
Steps to Replace the ACIs

Before You Begin

Before starting this procedure, it is recommended that you first examine the existing ACIs in the directory and decide whether any of the ACIs that the procedure deletes must be kept.

The procedure first removes all ACIs from the root suffix and then replaces them with the ACI set listed above. If the directory contains ACIs generated by applications other than Messaging Server, save those ACIs to a file and reapply them to the directory after the replacement.acis.ldif file has been applied.

To help you analyze the existing ACIs generated by Access Manager and Messaging Server, see the following sections later in this appendix:

Replacing the ACIs

To consolidate the ACIs on the root suffix and remove the unused ACIs, follow these steps:

  1. Save the existing ACIs on the root suffix. You can use the ldapsearch command, as in this example:

    ldapsearch -D "cn=Directory Manager" -w <password>
    -s base -b <$rootSuffix> aci=* aci ><filename>

    where

    <password> is the password of the Directory Server administrator.

    <$rootSuffix> is your root suffix, such as o=usergroup.

    <filename> is the name of the file to which the saved ACIs are written.

  2. Copy and rename the replacement.acis.ldif file. When Delegated Administrator is installed, replacement.acis.ldif is placed in the following directory:

    da_base/lib/config-templates

  3. In the copy of replacement.acis.ldif, edit the $rootSuffix entries. Change the root suffix parameter $rootSuffix to your root suffix (for example, o=usergroup). The $rootSuffix parameter appears many times in the ldif file; every instance must be replaced.

  4. Use the LDAP directory tool ldapmodify to replace the ACIs. For example, you can run the following command:

    ldapmodify -D <directory manager> -w <password>
    -f <replacement.acis.finished.ldif>

    where

    <directory manager> is the name of the Directory Server administrator.

    <password> is the password of the Directory Server administrator.

    <replacement.acis.finished.ldif> is the name of the edited ldif file used to consolidate and remove the ACIs in the directory.
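Two points in the procedure above are easy to get wrong: a leftover $rootSuffix in the edited copy, and re-adding the saved ACIs after the replace has wiped the root suffix entry. The Python helpers below are an added example, not code shipped with Delegated Administrator. They render the template, sanity-check the result before it goes to ldapmodify, and build the ldapmodify input that adds back the saved ACIs whose acl names do not appear in the replacement file. The TEMPLATE and BACKUP fragments are constructed; the "Portal Server anonymous read" ACI and its ou=portal target are hypothetical stand-ins for an ACI installed by another product.

```python
"""Pre-flight helpers for the replacement.acis.ldif procedure.

Added example, not code from the Sun guide. Assumes the backup was produced by
the ldapsearch command in step 1 (plain LDIF, continuation lines begin with one
space) and that the template is a copy of replacement.acis.ldif with $rootSuffix
still unreplaced.
"""
import re

ROOT_SUFFIX = "o=usergroup"                      # the page's example suffix

# Constructed fragment of replacement.acis.ldif (two of its ACIs).
TEMPLATE = """dn: $rootSuffix
changetype: modify
replace: aci
aci: (targetattr = "*")(version 3.0; acl "Configuration Administrator";
  allow (all)
  userdn="ldap:///uid=admin,ou=Administrators,ou=TopologyManagement,
  o=NetscapeRoot";)
aci: (target="ldap:///$rootSuffix")
  (targetfilter=(!(objectclass=sunServiceComponent)))
  (version 3.0; acl "anonymous access rights";
  allow (read,search,compare)
  userdn = "ldap:///anyone"; )
"""

# Constructed ldapsearch output: one ACI the replacement file also carries and
# one hypothetical ACI from another product that must be re-added afterwards.
BACKUP = """dn: o=usergroup
aci: (targetattr = "*")(version 3.0; acl "Configuration Administrator";
  allow (all)
  userdn="ldap:///uid=admin,ou=Administrators,ou=TopologyManagement,
  o=NetscapeRoot";)
aci: (target="ldap:///ou=portal,o=usergroup")(targetattr="*")
  (version 3.0; acl "Portal Server anonymous read";
  allow (read,search) userdn="ldap:///anyone";)
"""


def unfold_ldif(text):
    """Join LDIF continuation lines: a leading space continues the previous line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw.strip():
            lines.append(raw)
    return lines


def acis_from_ldif(text):
    """The aci attribute values in an LDIF fragment, unfolded."""
    return [l[4:].strip() for l in unfold_ldif(text) if l.lower().startswith("aci:")]


def acl_name(aci):
    """The acl "..." label of an ACI, or "" if it has none."""
    m = re.search(r'acl\s+"([^"]*)"', aci)
    return m.group(1) if m else ""


def render_template(template, root_suffix):
    """Step 3: substitute every $rootSuffix placeholder."""
    return template.replace("$rootSuffix", root_suffix)


def check_replacement_ldif(rendered, root_suffix):
    """Problems that should stop you from running step 4; [] means go ahead."""
    lines = unfold_ldif(rendered)
    problems = []
    if lines[:3] != [f"dn: {root_suffix}", "changetype: modify", "replace: aci"]:
        problems.append("file must be a single 'replace: aci' modify of the root suffix entry")
    if "$rootSuffix" in rendered:
        problems.append("an unreplaced $rootSuffix placeholder remains")
    acis = acis_from_ldif(rendered)
    if not acis:
        problems.append("no aci values: applying this would strip every ACI from the suffix")
    for aci in acis:
        if aci.count("(") != aci.count(")"):
            problems.append(f"unbalanced parentheses in acl {acl_name(aci)!r}")
        if not re.search(r"version\s*3\.0\s*;", aci):
            problems.append(f"no 'version 3.0;' clause in acl {acl_name(aci)!r}")
    return problems


def foreign_acis(backup_text, rendered):
    """Saved ACIs whose acl name does not occur in the replacement file."""
    keep = {acl_name(a) for a in acis_from_ldif(rendered)}
    return [a for a in acis_from_ldif(backup_text) if acl_name(a) not in keep]


def reapply_ldif(root_suffix, acis):
    """ldapmodify input that adds the given ACIs back to the root suffix entry."""
    body = "".join(f"aci: {a}\n" for a in acis)
    return f"dn: {root_suffix}\nchangetype: modify\nadd: aci\n{body}"


if __name__ == "__main__":
    rendered = render_template(TEMPLATE, ROOT_SUFFIX)
    print("problems:", check_replacement_ldif(rendered, ROOT_SUFFIX))
    extra = foreign_acis(BACKUP, rendered)
    print("ACIs to re-add:", [acl_name(a) for a in extra])
    print(reapply_ldif(ROOT_SUFFIX, extra))
```

Matching on acl name is only a first cut: the Messaging Server ACIs that this appendix consolidates also have names that differ from their replacements, so review the list that foreign_acis returns against the analysis later in this appendix before feeding the reapply_ldif output to ldapmodify. Adding back everything in the backup would reinstate the very ACIs the consolidation removes.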

Deleting Dynamic Organization ACIs

When you create an organization with the Delegated Administrator console, a set of ACIs is created on the organization node.

Because the replacement ACIs were installed in the preceding procedure, these per-organization ACIs are no longer needed. You can use the Access Manager console to stop ACIs from being created for each new organization. Follow these steps:

  1. Log in to the AM console as amadmin. The AM console is at the following URL:

    http://<machine name>:<port>/amconsole

    where

    <machine name> is the machine on which Access Manager is running

    <port> is the port

  2. Select the Service Configuration tab. By default, the Administration configuration page is displayed.

  3. On the right side of the console, scroll down to Dynamic Administrative Role ACIs.

  4. Select and delete all of the ACIs in the Dynamic Administrative Role ACIs text box.

  5. Save the edited settings.

Note that this setting governs organizations created from now on; it does not by itself remove ACIs already present on existing organization nodes, and, since those ACIs are not on the root suffix entry, replacement.acis.ldif does not remove them either.


Analysis of Existing ACIs

The listings in this section show the ACIs that are installed in the directory when Access Manager and Messaging Server are installed. For each ACI they also describe what it does and recommend whether it should be retained, consolidated, or discarded.

The ACIs fall into the following categories:

Root Suffix

-------------------------------------------------------------------------------------------------------------


dn:$rootSuffix
#
# consolidate
#
aci:
(targetattr != "nsroledn || aci || nsLookThroughLimit || nsSizeLimit ||
nsTimeLimit || nsIdleTimeout || passwordPolicySubentry || passwordExpirationTime
|| passwordExpWarned || passwordRetryCount || retryCountResetTime
|| accountUnlockTime || passwordHistory || passwordAllowChangeTime")
(version 3.0; acl "Allow self entry modification except for nsroledn, aci, resource limit attributes, passwordPolicySubentry and password policy state attributes";
allow (write)
userdn ="ldap:///self";)

Action: Consolidate.

Self access on this suffix is not needed. This ACI is a duplicate; it can be folded into the self ACI on the root suffix.

------------------------------------------------------------------------------------------------------------

-------------------------------------------------------------------------------------------------------------

#
# retain
#
aci:
(targetattr = "*")
(version 3.0; acl "Configuration Administrator";
allow (all)
userdn = "ldap:///uid=admin, ou=Administrators, ou=TopologyManagement,o=NetscapeRoot";)

Action: Retain.

This is the admin user, which authenticates against the slapd-config instance through pass-through authentication. If you do all configuration as Directory Manager (with the command-line utilities), this ACI is not needed. Keep it if anyone needs to authenticate as this user through the console. Similar ACIs can be deleted.

-------------------------------------------------------------------------------------------------------------

-------------------------------------------------------------------------------------------------------------

#
# discard
#
aci:
(targetattr ="*")
(version 3.0;acl "Configuration Administrators Group";
allow (all)
(groupdn = "ldap:///cn=Configuration Administrators, ou=Groups, ou=TopologyManagement, o=NetscapeRoot");)

Action: Discard (on all database backends).

This is the Configuration Administrators group, which holds these rights when the console is used to delegate server administration privileges.

------------------------------------------------------------------------------------------------------------

-------------------------------------------------------------------------------------------------------------

#
# discard
#
aci:
(targetattr ="*")
(version 3.0;acl "Directory Administrators Group";
allow (all)
(groupdn = "ldap:///cn=Directory Administrators, $rootSuffix");)

Action: Discard (on all database backends).

This is the generic Directory Administrators group rights definition.

-------------------------------------------------------------------------------------------------------------

-------------------------------------------------------------------------------------------------------------

#
# discard
#
aci:
(targetattr = "*")
(version 3.0; acl "SIE Group";
allow (all)
groupdn = "ldap:///cn=slapd-whater, cn=Sun ONE Directory Server, cn=Server Group, cn=whater.red.iplanet.com, ou=red.iplanet.com, o=NetscapeRoot";)

Action: Discard (on all database backends).

This is a group rights definition associated with the console and Administration Server.

-------------------------------------------------------------------------------------------------------------

Access Manager

-------------------------------------------------------------------------------------------------------------

#
# retain
#
aci:
(target="ldap:///$rootSuffix")
(targetattr="*")
(version 3.0; acl "S1IS Proxy user rights";
allow (proxy)
userdn = "ldap:///cn=puser,ou=DSAME Users,$rootSuffix"; )

Action: Retain.

This ACI grants access rights to an Access Manager system user.

-------------------------------------------------------------------------------------------------------------

-------------------------------------------------------------------------------------------------------------

#
# retain
#
aci:
(target="ldap:///$rootSuffix")
(targetattr="*")
(version 3.0; acl "S1IS special dsame user rights for all under the root suffix";
allow (all)
userdn = "ldap:///cn=dsameuser,ou=DSAME Users,$rootSuffix"; )

Action: Retain.

This ACI grants access rights to an Access Manager system user.

-------------------------------------------------------------------------------------------------------------

-------------------------------------------------------------------------------------------------------------

#
# retain
#
aci:
(target="ldap:///$rootSuffix")(targetattr="*")
(version 3.0;acl "S1IS special ldap auth user rights";
allow (read,search)
userdn = "ldap:///cn=amldapuser,ou=DSAME Users,$rootSuffix"; )

Action: Retain.

This ACI grants access rights to an Access Manager system user.

-------------------------------------------------------------------------------------------------------------

-------------------------------------------------------------------------------------------------------------

#
# discard
#
aci:
(target="ldap:///cn=amldapuser,ou=DSAME Users,$rootSuffix")
(targetattr = "*")
(version 3.0;
acl "S1IS special ldap auth user modify right";
deny (write)
roledn != "ldap:///cn=Top-level Admin Role,$rootSuffix";)

Action: Discard.

This ACI denies write access to the amldapuser account to everyone except the Top-Level Administrator (TLA) role (note the roledn != bind rule).

-------------------------------------------------------------------------------------------------------------

-------------------------------------------------------------------------------------------------------------

#
# retain
#
aci:
(target="ldap:///$rootSuffix")
(targetattr="*")
(version 3.0; acl "S1IS Top-level admin rights";
allow (all)
roledn = "ldap:///cn=Top-level Admin Role,$rootSuffix"; )

Action: Retain.

This ACI grants access rights to the Top-Level Administrator role.

-------------------------------------------------------------------------------------------------------------

-------------------------------------------------------------------------------------------------------------

#
# discard
#
aci:
(targetattr="iplanet-am-saml-user || iplanet-am-saml-password")(targetfilter="(objectclass=iplanet-am-saml-service)")
(version 3.0; acl "S1IS Right to modify saml user and password";
deny (all)
(roledn != "ldap:///cn=Top-level Admin Role,$rootSuffix")
AND (userdn != "ldap:///cn=dsameuser,ou=DSAME Users,$rootSuffix")
AND (userdn != "ldap:///cn=puser,ou=DSAME Users,$rootSuffix"); )

Action: Discard.

This ACI protects the SAML-related attributes.

-------------------------------------------------------------------------------------------------------------

Top-Level Help Desk Administrator Role

-------------------------------------------------------------------------------------------------------------

#
# discard
#
aci:
(target="ldap:///$rootSuffix")
(targetfilter=(!(nsroledn=cn=Top-level Admin Role,$rootSuffix)))
(targetattr = "*")
(version 3.0; acl "S1IS Top-level Help Desk Admin Role access allow";
allow (read,search)
roledn = "ldap:///cn=Top-level Help Desk Admin Role,$rootSuffix";)

Action: Discard.

-------------------------------------------------------------------------------------------------------------

-------------------------------------------------------------------------------------------------------------

#
# discard
#
aci:
(target="ldap:///$rootSuffix")
(targetfilter=(!(nsroledn=cn=Top-level Admin Role,$rootSuffix)))
(targetattr = "userPassword")
(version 3.0; acl "S1IS Top-level Help Desk Admin Role access allow";
allow (write)
roledn = "ldap:///cn=Top-level Help Desk Admin Role,$rootSuffix";)

Action: Discard.

-------------------------------------------------------------------------------------------------------------

Top-Level Policy Administrator Role

-------------------------------------------------------------------------------------------------------------

#
# discard
#
aci:
(target="ldap:///$rootSuffix")
(targetfilter=(!(|(nsroledn=cn=Top-level Admin Role,$rootSuffix))))
(targetattr = "*")
(version 3.0; acl "S1IS Top-level Policy Admin Role access allow";
allow (read,search)
roledn = "ldap:///cn=Top-level Policy Admin Role,$rootSuffix";)

Action: Discard.

This ACI applies to the Top-Level Policy Administrator role.

-------------------------------------------------------------------------------------------------------------

-------------------------------------------------------------------------------------------------------------

#
# discard
#
aci:
(target="ldap:///ou=iPlanetAMAuthService,ou=services,*$rootSuffix")
(targetattr = "*")
(version 3.0; acl "S1IS Top-level Policy Admin Role access Auth Service deny";
deny (add,write,delete)
roledn = "ldap:///cn=Top-level Policy Admin Role,$rootSuffix";)

Action: Discard.

This ACI applies to the Top-Level Policy Administrator role.

-------------------------------------------------------------------------------------------------------------

-------------------------------------------------------------------------------------------------------------

#
# discard
#
aci:
(target="ldap:///ou=services,*$rootSuffix")
(targetattr = "*")
(version 3.0; acl "S1IS Top-level Policy Admin Role access allow";
allow (all)
roledn = "ldap:///cn=Top-level Policy Admin Role,$rootSuffix";)

Action: Discard.

This ACI applies to the Top-Level Policy Administrator role.

-------------------------------------------------------------------------------------------------------------

-------------------------------------------------------------------------------------------------------------

#
# discard
#
aci:
(target="ldap:///$rootSuffix")
(targetfilter="(objectclass=sunismanagedorganization)")
(targetattr = "sunRegisteredServiceName")
(version 3.0; acl "S1IS Top-level Policy Admin Role access allow";
allow (read,write,search)
roledn = "ldap:///cn=Top-level Policy Admin Role,$rootSuffix";)

Action: Discard.

This ACI applies to the Top-Level Policy Administrator role.

-------------------------------------------------------------------------------------------------------------

AM Self

-------------------------------------------------------------------------------------------------------------

#
# consolidate
#
aci:
(targetattr = "*")
(version 3.0;
acl "S1IS Deny deleting self";
deny (delete)
userdn ="ldap:///self";)

Action: Consolidate into a single self-write ACI. The explicit deny is not needed, because end users are granted no right to delete any entry, including their own.

This is one of several ACIs that set self rights. The explicit deny prevents any entry from deleting itself.

-------------------------------------------------------------------------------------------------------------

-------------------------------------------------------------------------------------------------------------

#
# consolidate
#
aci:
(targetattr = "objectclass || inetuserstatus || iplanet-am-user-login-status
|| iplanet-am-web-agent-access-allow-list || iplanet-am-domain-url-access-allow
|| iplanet-am-web-agent-access-deny-list || iplanet-am-user-account-life
|| iplanet-am-session-max-session-time || iplanet-am-session-max-idle-time
|| iplanet-am-session-get-valid-sessions || iplanet-am-session-destroy-sessions
|| iplanet-am-session-add-session-listener-on-all-sessions || iplanet-am-user-admin-start-dn
|| iplanet-am-auth-post-login-process-class")
(targetfilter=(!(nsroledn=cn=Top-level Admin Role,$rootSuffix)))
(version 3.0; acl "S1IS User status self modification denied";
deny (write)
userdn ="ldap:///self";)

Action: Consolidate into a single self-write ACI.

This is one of several ACIs that set self-write rights.

-------------------------------------------------------------------------------------------------------------

-------------------------------------------------------------------------------------------------------------

#
# consolidate
#
aci:
(targetattr != "iplanet-am-static-group-dn || uid || nsroledn || aci || nsLookThroughLimit
|| nsSizeLimit || nsTimeLimit || nsIdleTimeout || memberOf || iplanet-am-web-agent-access-allow-list
|| iplanet-am-domain-url-access-allow || iplanet-am-web-agent-access-deny-list")
(version 3.0; acl "S1IS Allow self entry modification except for nsroledn, aci, and resource limit attributes";
allow (write)
userdn ="ldap:///self";)

Action: Consolidate into a single self-write ACI.

This is one of several ACIs that set self-write rights.

-------------------------------------------------------------------------------------------------------------

-------------------------------------------------------------------------------------------------------------

#
# consolidate
#
aci:
(targetattr != "aci || nsLookThroughLimit || nsSizeLimit || nsTimeLimit
|| nsIdleTimeout || iplanet-am-domain-url-access-allow")
(version 3.0; acl "S1IS Allow self entry read search except for nsroledn, aci, resource limit and
web agent policy attributes";
allow (read,search)
userdn ="ldap:///self";)

Action: Consolidate into a single self read/search ACI.

This is one of several ACIs that set self rights.

-------------------------------------------------------------------------------------------------------------

AM Anonymous

-------------------------------------------------------------------------------------------------------------

#
# consolidate
#
aci:
(target="ldap:///ou=services,$rootSuffix")
(targetfilter=(!(objectclass=sunServiceComponent)))
(targetattr = "*")
(version 3.0; acl "S1IS Services anonymous access";
allow (read, search, compare)
userdn = "ldap:///anyone";)

Action: Consolidate into a single anonymous ACI.

This is one of several ACIs that grant anonymous rights.

-------------------------------------------------------------------------------------------------------------

-------------------------------------------------------------------------------------------------------------

#
# consolidate
#
aci:
(target="ldap:///ou=iPlanetAMAdminConsoleService,*,$rootSuffix")
(targetattr = "*")
(version 3.0; acl "S1IS iPlanetAMAdminConsoleService anonymous access";
allow (read, search, compare)
userdn = "ldap:///anyone";)

Action: Consolidate into a single anonymous ACI.

This is one of several ACIs that grant anonymous rights.

-------------------------------------------------------------------------------------------------------------

-------------------------------------------------------------------------------------------------------------

#
# discard
#
aci:
(target="ldap:///$rootSuffix")
(targetfilter=(entrydn=$rootSuffix))
(targetattr="*")
(version 3.0; acl "S1IS Default Organization delete right denied";
deny (delete)
userdn = "ldap:///anyone"; )

Action: Discard.

This ACI prevents any user other than the rootdn from deleting the default organization.

-------------------------------------------------------------------------------------------------------------

-------------------------------------------------------------------------------------------------------------

#
# discard
#
aci:
(target="ldap:///cn=Top-level Admin Role,$rootSuffix")
(targetattr="*")
(version 3.0; acl "S1IS Top-level admin delete right denied";
deny(delete)
userdn = "ldap:///anyone"; )

Action: Discard.

This ACI prevents any user other than the rootdn from deleting the Top-Level Administrator role.

-------------------------------------------------------------------------------------------------------------

AM Deny Write Access

-------------------------------------------------------------------------------------------------------------

#
# discard
#
aci:
(targetattr = "*")
(version 3.0; acl "S1IS Deny write to anonymous user";
deny (add,write,delete)
roledn ="ldap:///cn=Deny Write Access,$rootSuffix";)

Action: Discard.

This ACI applies to the Deny Write Access role.

-------------------------------------------------------------------------------------------------------------

AM Container Administrator Role

-------------------------------------------------------------------------------------------------------------

#
# discard
#
aci:
(target="ldap:///($dn),$rootSuffix")
(targetfilter=(!(|(nsroledn=cn=Top-level Admin Role,$rootSuffix)
(nsroledn=cn=Top-level Help Desk Admin Role,$rootSuffix)
(nsroledn=cn=Top-level Policy Admin Role,$rootSuffix))))
(targetattr != "nsroledn")
(version 3.0; acl "S1IS Container Admin Role access allow";
allow (all)
roledn = "ldap:///cn=Container Admin Role,[$dn],$rootSuffix";)

Action: Discard.

This ACI applies to the Container Administrator role.

-------------------------------------------------------------------------------------------------------------

-------------------------------------------------------------------------------------------------------------

#
# discard
#
aci:
(target="ldap:///cn=Container Admin Role,($dn),$rootSuffix")
(targetattr="*")
(version 3.0; acl "S1IS Container Admin Role access deny";
deny (write,add,delete,compare,proxy)
roledn = "ldap:///cn=Container Admin Role,($dn),$rootSuffix";)

Action: Discard.

This ACI applies to the Container Administrator role.

-------------------------------------------------------------------------------------------------------------

-------------------------------------------------------------------------------------------------------------

#
# discard
#
aci:
(target="ldap:///ou=People,$rootSuffix")
(targetfilter=(!(|(nsroledn=cn=Top-level Admin Role,$rootSuffix)
(nsroledn=cn=Top-level Help Desk Admin Role,$rootSuffix)
(nsroledn=cn=Top-level Policy Admin Role,$rootSuffix)
(nsroledn=cn=Organization Admin Role,$rootSuffix)
(nsroledn=cn=Container Admin Role,$rootSuffix))))
(targetattr != "iplanet-am-web-agent-access-allow-list || iplanet-am-domain-url-access-allow
|| iplanet-am-web-agent-access-deny-list || nsroledn")
(version 3.0; acl "S1IS Group and people container admin role";
allow (all)
roledn = "ldap:///cn=ou=People_dc=red_dc=iplanet_dc=com,$rootSuffix";)

Action: Discard.

This ACI applies to the group and people container administrator role.

-------------------------------------------------------------------------------------------------------------

Organization Help Desk

-------------------------------------------------------------------------------------------------------------

#
# discard
#
aci:
(target="ldap:///$rootSuffix")
(targetfilter=(!(|(nsroledn=cn=Top-level Admin Role,$rootSuffix)
(nsroledn=cn=Top-level Help Desk Admin Role,$rootSuffix)
(nsroledn=cn=Top-level Policy Admin Role,$rootSuffix)
(nsroledn=cn=Organization Admin Role,$rootSuffix))))
(targetattr = "*")
(version 3.0; acl "S1IS Organization Help Desk Admin Role access allow";
allow (read,search)
roledn = "ldap:///cn=Organization Help Desk Admin Role,$rootSuffix";)

Action: Discard.

This ACI applies to the Organization Help Desk Administrator role.

-------------------------------------------------------------------------------------------------------------

-------------------------------------------------------------------------------------------------------------

#
# discard
#
aci:
(target="ldap:///$rootSuffix")
(targetfilter=(!(|(nsroledn=cn=Top-level Admin Role,$rootSuffix)
(nsroledn=cn=Top-level Help Desk Admin Role,$rootSuffix)
(nsroledn=cn=Top-level Policy Admin Role,$rootSuffix)
(nsroledn=cn=Organization Admin Role,$rootSuffix))))
(targetattr = "userPassword")
(version 3.0; acl "S1IS Organization Help Desk Admin Role access allow";
allow (write)
roledn = "ldap:///cn=Organization Help Desk Admin Role,$rootSuffix";)

Action: Discard.

This ACI applies to the Organization Help Desk Administrator role.

-------------------------------------------------------------------------------------------------------------

AM Organization Administrator Role

-------------------------------------------------------------------------------------------------------------

#
# consolidate
#
aci:
(target="ldap:///($dn),$rootSuffix")
(targetfilter=(!(|(nsroledn=cn=Top-level Admin Role,$rootSuffix)
(nsroledn=cn=Top-level Help Desk Admin Role,$rootSuffix)
(nsroledn=cn=Top-level Policy Admin Role,$rootSuffix))))
(targetattr != "nsroledn")
(version 3.0; acl "S1IS Organization Admin Role access allow all";
allow (all)
roledn ="ldap:///cn=Organization Admin Role,[$dn],$rootSuffix";)

Action: Consolidate.

-------------------------------------------------------------------------------------------------------------

-------------------------------------------------------------------------------------------------------------

#
# consolidate
#
aci:
(target="ldap:///cn=Organization Admin Role,($dn),$rootSuffix")
(targetattr="*")
(version 3.0; acl "S1IS Organization Admin Role access deny";
deny (write,add,delete,compare,proxy)
roledn = "ldap:///cn=Organization Admin Role,($dn),$rootSuffix";)

Action: Consolidate.

This ACI applies to the Organization Administrator role.

-------------------------------------------------------------------------------------------------------------

-------------------------------------------------------------------------------------------------------------

#
# consolidate
#
aci:
(target="ldap:///($dn),$rootSuffix")
(targetattr="*")
(version 3.0; acl "Organization Admin Role access allow read to org node";
allow (read,search)
roledn = "ldap:///cn=Organization Admin Role,($dn),$rootSuffix" ;)

Action: Consolidate.

This ACI applies to the Organization Administrator role.

-------------------------------------------------------------------------------------------------------------

-------------------------------------------------------------------------------------------------------------

#
# consolidate
#
aci:
(target="ldap:///($dn),$rootSuffix")
(targetfilter=(!(|(nsroledn=cn=Top-level Admin Role,$rootSuffix)
(nsroledn=cn=Top-level Help Desk Admin Role,$rootSuffix))))
(targetattr != "nsroledn")
(version 3.0; acl "Organization Admin Role access allow";
allow (all)
roledn = "ldap:///cn=Organization Admin Role,[$dn],$rootSuffix";)

Action: Consolidate.

This ACI applies to the Organization Administrator role.

-------------------------------------------------------------------------------------------------------------

-------------------------------------------------------------------------------------------------------------

#
# consolidate
#
aci:
(target="ldap:///($dn),$rootSuffix")
(targetattr!="businessCategory || description || facsimileTelephoneNumber
|| postalAddress || preferredLanguage || searchGuide || postOfficeBox ||
postalCode
|| registeredaddress || street || l || st || telephonenumber ||maildomainreportaddress
|| maildomainwelcomemessage || preferredlanguage || sunenablegab")
(version 3.0; acl "Organization Admin Role access deny to org node";
deny (write,add,delete)
roledn = "ldap:///cn=Organization Admin Role,($dn),$rootSuffix" ;)

Action: Consolidate.

This ACI applies to the Organization Administrator role.

-------------------------------------------------------------------------------------------------------------

-------------------------------------------------------------------------------------------------------------

#
# consolidate
#
aci:
(target="ldap:///($dn),$rootSuffix")
(targetfilter=(!(|(nsroledn=cn=Top-level Admin Role,$rootSuffix)
(nsroledn=cn=Top-level Help Desk Admin Role,$rootSuffix))))
(targetattr != "nsroledn")
(version 3.0; acl "S1IS Organization Admin Role access allow all";
allow (all)
roledn = "ldap:///cn=Organization Admin Role,[$dn],$rootSuffix";)

Action: Consolidate.

-------------------------------------------------------------------------------------------------------------

AM Miscellaneous

-------------------------------------------------------------------------------------------------------------

#
# discard
#
aci:
(target="ldap:///$rootSuffix")
(targetattr!="nsroledn")
(version 3.0; acl "S1IS Group admin’s right to the users he creates";
allow (all)
userattr = "iplanet-am-modifiable-by#ROLEDN";)

Action: Discard.

Discarding this ACI disables the rights associated with the iplanet-am-modifiable-by attribute.

-------------------------------------------------------------------------------------------------------------

Messaging Server

-------------------------------------------------------------------------------------------------------------

#
# consolidate
#
aci:
(target="ldap:///$rootSuffix")
(targetattr="*")
(version 3.0; acl "Messaging Server End User Administrator Read Access Rights -
product=SOMS,schema 2 support,class=installer,num=1,version=1";
allow (read,search)
groupdn="ldap:///cn=Messaging End User Administrators Group, ou=Groups,
$rootSuffix";)

Action: Consolidate.

This ACI grants rights to the Messaging End User Administrators group.

-------------------------------------------------------------------------------------------------------------

-------------------------------------------------------------------------------------------------------------

#
# consolidate
#
aci:
(target="ldap:///$rootSuffix")
(targetattr="objectclass||mailalternateaddress||mailautoreplymode
||mailprogramdeliveryinfo||nswmextendeduserprefs||preferredlanguage
||maildeliveryoption||mailforwardingaddress
||mailAutoReplyTimeout||mailautoreplytextinternal||mailautoreplytext
||vacationEndDate||vacationStartDate||mailautoreplysubject||pabURI
||maxPabEntries||mailMessageStore||mailSieveRuleSource||sunUCDateFormat
||sunUCDateDeLimiter||sunUCTimeFormat")
(version 3.0; acl "Messaging Server End User Adminstrator Write Access Rights -
product=SOMS,schema 2 support,class=installer,num=2,version=1";
allow (all)
groupdn="ldap:///cn=Messaging End User Administrators Group, ou=Groups,
$rootSuffix";)

Action: Consolidate.

This ACI grants rights to the Messaging End User Administrators group.

-------------------------------------------------------------------------------------------------------------

-------------------------------------------------------------------------------------------------------------

#
# consolidate
#
aci:
(targetattr="uid||ou||owner||mail||mailAlternateAddress
||mailEquivalentAddress||memberOf
||inetuserstatus||mailuserstatus||memberOfManagedGroup||mailQuota
||mailMsgQuota||inetSubscriberAccountId||dataSource||mailhost
||mailAllowedServiceAcces||pabURI||inetCOS||mailSMTPSubmitChannel
||aci")
(targetfilter=(&(objectClass=inetMailUser)(!(nsroledn=cn=Organization Admin Role,*))))
(version 3.0; acl "Deny write access to users over Messaging Server protected attributes -
product=SOMS,schema 2 support,class=installer,num=3,version=1 ";
deny (write)
userdn = "ldap:///self";)

Action: Consolidate.

This is one of several ACIs that set self rights.

-------------------------------------------------------------------------------------------------------------


Analysis of How the ACIs Are Consolidated

The listings in this section show the ACIs that have been consolidated in the replacement ldif file (replacement.acis.ldif), which you use to consolidate the ACIs in the directory. For instructions on replacing the ACIs, see Steps to Replace the ACIs.

The ACIs are grouped into pairs. For each category, the original ACIs are listed first, followed by the consolidated ACI:

Original Anonymous Access Rights

aci:
(targetattr != "userPassword || passwordHistory || passwordExpirationTime
|| passwordExpWarned || passwordRetryCount || retryCountResetTime ||
accountUnlockTime || passwordAllowChangeTime ")
(version 3.0; acl "Anonymous access";
allow (read, search, compare)
userdn = "ldap:///anyone";)

aci:
(target="ldap:///cn=Top-level Admin Role,$rootSuffix")
(targetattr="*")
(version 3.0; acl "S1IS Top-level admin delete right denied";
deny (delete)
userdn = "ldap:///anyone"; )

aci:
(target="ldap:///$rootSuffix")
(targetfilter=(entrydn=$rootSuffix))
(targetattr="*")
(version 3.0; acl "S1IS Default Organization delete right denied";
deny (delete)
userdn = "ldap:///anyone"; )

aci:
(target="ldap:///ou=services,$rootSuffix")
(targetfilter=(!(objectclass=sunServiceComponent)))
(targetattr = "*")
(version 3.0; acl "S1IS Services anonymous access";
allow (read, search, compare)
userdn = "ldap:///anyone";)

aci:
(target="ldap:///ou=iPlanetAMAdminConsoleService,*,$rootSuffix")
(targetattr = "*")
(version 3.0; acl "S1IS iPlanetAMAdminConsoleService anonymous access";
allow (read, search, compare)
userdn = "ldap:///anyone";)

Consolidated anonymous access rights

aci:
(target="ldap:///$rootSuffix")
(targetfilter=(!(objectclass=sunServiceComponent)))
(targetattr != "userPassword||passwordHistory
||passwordExpirationTime||passwordExpWarned||passwordRetryCount
||retryCountResetTime||accountUnlockTime||passwordAllowChangeTime")
(version 3.0; acl "anonymous access rights";
allow (read,search,compare)
userdn = "ldap:///anyone"; )

Analysis: The consolidated ACI grants anonymous access at the root, which covers the same entries as the original ACIs. This replacement for the Access Manager ACIs drops the costly (*) target, because a single ACI at the suffix already grants anonymous read access to it. Note that the exclusion list of the consolidated ACI shown above contains only the password-policy attributes: if the aci attribute must stay hidden from anonymous binds in your deployment, add it to the targetattr != list before applying the file.

Original self ACIs

aci:
(targetattr != "nsroledn || aci || nsLookThroughLimit || nsSizeLimit ||
nsTimeLimit || nsIdleTimeout || passwordPolicySubentry ||
passwordExpirationTime
|| passwordExpWarned || passwordRetryCount || retryCountResetTime ||
accountUnlockTime || passwordHistory || passwordAllowChangeTime")
(version 3.0; acl "Allow self entry modification except for nsroledn, aci, resource
limit attributes, passwordPolicySubentry and password policy state attributes";
allow (write)
userdn ="ldap:///self";)

aci:
(targetattr = "*")
(version 3.0; acl "S1IS Deny deleting self";
deny (delete)
userdn ="ldap:///self";)

aci:
(targetattr = "objectclass || inetuserstatus ||
iplanet-am-web-agent-access-allow-list
|| iplanet-am-domain-url-access-allow || iplanet-am-web-agent-access-deny-list
|| iplanet-am-user-account-life || iplanet-am-session-max-session-time
|| iplanet-am-session-max-idle-time || iplanet-am-session-get-valid-sessions
|| iplanet-am-session-destroy-sessions ||
iplanet-am-session-add-session-listener-on-all-sessions
|| iplanet-am-user-admin-start-dn || iplanet-am-auth-post-login-process-class")
(targetfilter=(!(nsroledn=cn=Top-level Admin Role,$rootSuffix)))
(version 3.0; acl "S1IS User status self modification denied";
deny (write)
userdn ="ldap:///self";)

aci:
(targetattr != "iplanet-am-static-group-dn || uid || nsroledn || aci ||
nsLookThroughLimit
|| nsSizeLimit || nsTimeLimit || nsIdleTimeout || memberOf ||
iplanet-am-web-agent-access-allow-list
|| iplanet-am-domain-url-access-allow ||
iplanet-am-web-agent-access-deny-list")
(version 3.0; acl "S1IS Allow self entry modification except for nsroledn, aci,
and resource limit attributes";
allow (write)
userdn ="ldap:///self";)

aci:
(targetattr != "aci || nsLookThroughLimit || nsSizeLimit || nsTimeLimit
|| nsIdleTimeout || iplanet-am-domain-url-access-allow")
(version 3.0; acl "S1IS Allow self entry read search except for nsroledn, aci, resource
limit and web agent policy attributes";
allow (read,search)
userdn ="ldap:///self";)

aci:
(targetattr="uid||ou||owner||mail||mailAlternateAddress
||mailEquivalentAddress||memberOf
||inetuserstatus||mailuserstatus||memberOfManagedGroup||mailQuota
||mailMsgQuota
||inetSubscriberAccountId||dataSource||mailhost||mailAllowedServiceAccess
||pabURI||inetCOS||mailSMTPSubmitChannel||aci")
(targetfilter=(&(objectClass=inetMailUser)(!(nsroledn=cn=Organization Admin
Role,*))))
(version 3.0; acl "Deny write access to users over Messaging Server protected
attributes -
product=SOMS,schema 2 support,class=installer,num=3,version=1 ";
deny (write)
userdn = "ldap:///self";)

Consolidated self ACIs

aci:
(targetattr != "nsroledn || aci || nsLookThroughLimit || nsSizeLimit
|| nsTimeLimit || nsIdleTimeout || passwordPolicySubentry ||
passwordExpirationTime
|| passwordExpWarned || passwordRetryCount || retryCountResetTime
|| accountUnlockTime || passwordHistory || passwordAllowChangeTime ||
uid || memberOf
|| objectclass || inetuserstatus || ou || owner || mail || mailuserstatus
|| memberOfManagedGroup ||mailQuota || mailMsgQuota || mailhost
|| mailAllowedServiceAccess || inetCOS || mailSMTPSubmitChannel")
(version 3.0; acl "Allow self entry modification";
allow (write)
userdn ="ldap:///self";)

aci:
(targetattr != " aci || nsLookThroughLimit || nsSizeLimit
|| nsTimeLimit|| nsIdleTimeout")
(version 3.0; acl "Allow self entry read search";
allow(read,search)
userdn ="ldap:///self";)

Analysis: All iplanet-am-* attributes are dropped. Because access is denied by default when no ACI grants it, all of the deny ACIs are removed, and the allow-write ACIs are merged into a single ACI. Removing an explicit deny is only safe if no remaining allow ACI grants the same right to the same subject, since in Directory Server an explicit deny otherwise takes precedence over any allow. Check the merged ACI's targetattr != list against each removed deny: of the attributes named in the original num=3 deny ACI, mailAlternateAddress, mailEquivalentAddress, inetSubscriberAccountId, dataSource and pabURI do not appear in the exclusion list above, so a user could modify them on his own entry unless that deny ACI is kept or those attributes are added to the list.
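The comparison described above can be automated before the file is applied. The following script is an added example for this appendix, not code shipped with Delegated Administrator: it parses the targetattr, allow/deny and subject clauses of an ACI, then reports every attribute an original self deny ACI protected that a consolidated self allow ACI would grant once the deny is gone. The two ACI strings are copied from the lists on this page with their wrapped lines joined by hand; treating attribute names as case-insensitive and matching allows to denies only by identical subject are the script's own assumptions.

```python
"""Find attributes left writable when a self deny ACI is dropped and a
consolidated self allow ACI replaces it. Added example for this appendix;
not part of Delegated Administrator."""
import re

# Constructed input: the num=3 deny ACI from the "Original self ACIs" list,
# wrapped lines joined.
ORIGINAL_DENY_WRITE_ACI = (
    '(targetattr="uid||ou||owner||mail||mailAlternateAddress||mailEquivalentAddress'
    '||memberOf||inetuserstatus||mailuserstatus||memberOfManagedGroup||mailQuota'
    '||mailMsgQuota||inetSubscriberAccountId||dataSource||mailhost'
    '||mailAllowedServiceAccess||pabURI||inetCOS||mailSMTPSubmitChannel||aci")'
    '(targetfilter=(&(objectClass=inetMailUser)(!(nsroledn=cn=Organization Admin Role,*))))'
    '(version 3.0; acl "Deny write access to users over Messaging Server protected '
    'attributes - product=SOMS,schema 2 support,class=installer,num=3,version=1 "; '
    'deny (write) userdn = "ldap:///self";)'
)

# Constructed input: the consolidated "Allow self entry modification" ACI.
CONSOLIDATED_SELF_WRITE_ACI = (
    '(targetattr != "nsroledn || aci || nsLookThroughLimit || nsSizeLimit'
    ' || nsTimeLimit || nsIdleTimeout || passwordPolicySubentry || passwordExpirationTime'
    ' || passwordExpWarned || passwordRetryCount || retryCountResetTime'
    ' || accountUnlockTime || passwordHistory || passwordAllowChangeTime || uid || memberOf'
    ' || objectclass || inetuserstatus || ou || owner || mail || mailuserstatus'
    ' || memberOfManagedGroup ||mailQuota || mailMsgQuota || mailhost'
    ' || mailAllowedServiceAccess || inetCOS || mailSMTPSubmitChannel")'
    '(version 3.0; acl "Allow self entry modification"; allow (write) userdn ="ldap:///self";)'
)

TARGETATTR_RE = re.compile(r'\(\s*targetattr\s*(!=|=)\s*"([^"]*)"\s*\)', re.IGNORECASE)
RIGHTS_RE = re.compile(r'\b(allow|deny)\s*\(([^)]*)\)', re.IGNORECASE)
SUBJECT_RE = re.compile(r'\b(userdn|groupdn|roledn)\s*=\s*"([^"]*)"', re.IGNORECASE)


def parse_aci(aci):
    """Return (op, attrs, verb, rights, subject). LDAP attribute names are
    case-insensitive (assumption applied here by lower-casing). An ACI
    without an explicit targetattr raises instead of guessing a default."""
    m = TARGETATTR_RE.search(aci)
    if m is None:
        raise ValueError("ACI has no targetattr clause: %r" % aci[:60])
    op, attr_list = m.group(1), m.group(2)
    attrs = frozenset(a.strip().lower() for a in attr_list.split("||") if a.strip())
    r = RIGHTS_RE.search(aci)
    if r is None:
        raise ValueError("ACI has no allow/deny clause")
    verb = r.group(1).lower()
    rights = frozenset(x.strip().lower() for x in r.group(2).split(","))
    s = SUBJECT_RE.search(aci)
    subject = (s.group(1).lower(), s.group(2).strip().lower()) if s else None
    return op, attrs, verb, rights, subject


def grants_on(op, attrs, attr):
    """Does a targetattr clause (op, attrs) cover attribute `attr`?"""
    if op == "=":
        return "*" in attrs or attr in attrs
    return attr not in attrs  # "!=": everything except the listed attributes


def unprotected_after_consolidation(deny_aci, allow_acis):
    """Attributes named by the deny ACI that at least one allow ACI with the
    same subject and an overlapping right (or 'all') would grant once the
    deny is removed. Returned sorted, lower-cased."""
    d_op, d_attrs, d_verb, d_rights, d_subject = parse_aci(deny_aci)
    if d_verb != "deny" or d_op != "=":
        raise ValueError("expected a deny ACI with an explicit attribute list")
    exposed = set()
    for allow in allow_acis:
        a_op, a_attrs, a_verb, a_rights, a_subject = parse_aci(allow)
        if a_verb != "allow" or a_subject != d_subject:
            continue
        if not ("all" in a_rights or a_rights & d_rights):
            continue
        exposed.update(a for a in d_attrs if grants_on(a_op, a_attrs, a))
    return sorted(exposed)


if __name__ == "__main__":
    for attr in unprotected_after_consolidation(
            ORIGINAL_DENY_WRITE_ACI, [CONSOLIDATED_SELF_WRITE_ACI]):
        print("self-writable after consolidation:", attr)
```

Run it against the ACIs actually present in your directory (for example the output of an ldapsearch for the aci attribute on the root suffix, with continuation lines joined) rather than the page's copies; any attribute it reports either has to go back into the targetattr != list of the consolidated allow ACI or the corresponding deny ACI has to be kept.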

Original Messaging Server ACIs

aci:
(target="ldap:///$rootSuffix")
(targetattr="*")
(version 3.0; acl "Messaging Server End User Administrator Read Access Rights -
product=SOMS,schema 2 support,class=installer,num=1,version=1";
allow (read,search)
groupdn="ldap:///cn=Messaging End User Administrators Group, ou=Groups,
$rootSuffix";)

aci:
(target="ldap:///$rootSuffix")
(targetattr="objectclass||mailalternateaddress||mailautoreplymode||
mailprogramdeliveryinfo
||nswmextendeduserprefs||preferredlanguage||maildeliveryoption||
mailforwardingaddress
||mailAutoReplyTimeout||mailautoreplytextinternal||mailautoreplytext||
vacationEndDate
||vacationStartDate||mailautoreplysubject||pabURI||maxPabEntries||
mailMessageStore
||mailSieveRuleSource||sunUCDateFormat||sunUCDateDeLimiter||
sunUCTimeFormat")
(version 3.0; acl "Messaging Server End User Adminstrator Write Access Rights -
product=SOMS,schema 2 support,class=installer,num=2,version=1";
allow (all)
groupdn="ldap:///cn=Messaging End User Administrators Group, ou=Groups,
$rootSuffix";)

aci:
(targetattr="uid||ou||owner||mail||mailAlternateAddress||
mailEquivalentAddress||memberOf
||inetuserstatus||mailuserstatus||memberOfManagedGroup||mailQuota||
mailMsgQuota
||inetSubscriberAccountId||dataSource||mailhost||mailAllowedServiceAccess
||pabURI||inetCOS||mailSMTPSubmitChannel||aci")
(targetfilter=(&(objectClass=inetMailUser)(!(nsroledn=cn=Organization Admin
Role,*))))
(version 3.0; acl "Deny write access to users over Messaging Server protected
attributes - product=SOMS,schema 2 support,class=installer,num=3,version=1 ";
deny (write)
userdn = "ldap:///self";)

Consolidated Messaging Server ACIs

The self ACI (num=3) is handled under the self ACIs above.

aci:
(targetattr="*")
(version 3.0; acl "Messaging Server End User Administrator Read Only Access";
allow (read,search)
groupdn = "ldap:///cn=Messaging End User Administrators
group,ou=Groups,$rootSuffix"; )

aci:
(targetattr="objectclass || mailalternateaddress || Mailautoreplymode ||
mailprogramdeliveryinfo || preferredlanguage || maildeliveryoption
|| mailforwardingaddress || mailAutoReplyTimeout ||
mailautoreplytextinternal
|| mailautoreplytext || vacationEndDate || vacationStartDate
|| mailautoreplysubject || maxPabEntries || mailMessageStore
|| mailSieveRuleSource || sunUCDateFormat || sunUCDateDeLimiter
|| sunUCTimeFormat || mailuserstatus || maildomainstatus")
(version 3.0; acl "Messaging Server End User Administrator All Access";
allow (all)
groupdn = "ldap:///cn=Messaging End User Administrators
group,ou=Groups,$rootSuffix";)

Analysis: Equivalent to the original ACIs. Two differences are visible in the lists: the consolidated ACIs drop the explicit target (they sit at the root suffix, which the original target named anyway), and the attribute list of the all-access ACI no longer contains nswmextendeduserprefs or pabURI but adds mailuserstatus and maildomainstatus. Confirm that this matches what your Messaging Server end-user administrators need to modify before applying the file.

Original organization admin ACIs

aci: (different name - "allow all" instead of "allow")
(target="ldap:///($dn),$rootSuffix")
(targetfilter=(!(|(nsroledn=cn=Top-level Admin Role,$rootSuffix)
(nsroledn=cn=Top-level Help Desk Admin Role,$rootSuffix)
(nsroledn=cn=Top-level Policy Admin Role,$rootSuffix))))
(targetattr != "nsroledn")
(version 3.0; acl "S1IS Organization Admin Role access allow all";
allow (all)
roledn ="ldap:///cn=Organization Admin Role,[$dn],$rootSuffix";)

aci:(missing)
(target="ldap:///($dn),$rootSuffix")
(targetattr="*")
(version 3.0; acl "Organization Admin Role access allow read to org node";
allow (read,search)
roledn = "ldap:///cn=Organization Admin Role,($dn),$rootSuffix" ;)

aci:
(target="ldap:///($dn),$rootSuffix")
(targetfilter=(!(|(nsroledn=cn=Top-level Admin Role,$rootSuffix)
(nsroledn=cn=Top-level Help Desk Admin Role,$rootSuffix))))
(targetattr != "nsroledn")
(version 3.0; acl "Organization Admin Role access allow";
allow (all)
roledn = "ldap:///cn=Organization Admin Role,[$dn],$rootSuffix";)

aci:
(target="ldap:///($dn),$rootSuffix")
(targetattr!="businessCategory || description || facsimileTelephoneNumber
|| postalAddress || preferredLanguage || searchGuide || postOfficeBox ||
postalCode
|| registeredaddress || street || l || st || telephonenumber ||
maildomainreportaddress
|| maildomainwelcomemessage || preferredlanguage || sunenablegab")
(version 3.0; acl "Organization Admin Role access deny to org node";
deny (write,add,delete)
roledn = "ldap:///cn=Organization Admin Role,($dn),$rootSuffix" ;)

aci:(duplicate of per organization aci)
(target="ldap:///cn=Organization Admin Role,($dn),$rootSuffix")
(targetattr="*")
(version 3.0; acl "S1IS Organization Admin Role access deny";
deny (write,add,delete,compare,proxy)
roledn = "ldap:///cn=Organization Admin Role,($dn),$rootSuffix";)

aci:
(target="ldap:///cn=Organization Admin
Role,($dn),dc=red,dc=iplanet,dc=com")
(targetattr="*")
(version 3.0; acl "S1IS Organization Admin Role access deny";
deny (write,add,delete,compare,proxy)
roledn = "ldap:///cn=Organization Admin Role,($dn),$rootSuffix";)

aci:
(target="ldap:///o=fullOrg1,o=VIS,o=siroe.com,o=SharedDomainsRoot,
o=Business,$rootSuffix")
(targetfilter=(!(|(nsroledn=cn=Top-level Admin Role,$rootSuffix)
(nsroledn=cn=Top-level Help Desk Admin Role,dc=red,dc=iplanet,dc=com))))
(targetattr = "nsroledn")
(targattrfilters="add=nsroledn:(nsroledn=*,o=fullOrg1,o=VIS,o=siroe.com,
o=SharedDomainsRoot,o=Business,$rootSuffix),
del=nsroledn:(nsroledn=*,o=fullOrg1,o=VIS,o=siroe.com,o=SharedDomainsRoot,
o=Business,$rootSuffix)")
(version 3.0;
acl "S1IS Organization Admin Role access allow";
allow (all)
roledn = "ldap:///cn=Organization Admin
Role,o=fullOrg1,o=VIS,o=siroe.com,o=SharedDomainsRoot,o=Business,
$rootSuffix";)

aci:
(target="ldap:///($dn),$rootSuffix")
(targetfilter=(!(|(nsroledn=cn=Top-level Admin Role,$rootSuffix)
(nsroledn=cn=Top-level Help Desk Admin Role,$rootSuffix))))
(targetattr != "nsroledn")
(version 3.0; acl "S1IS Organization Admin Role access allow all";
allow (all)
roledn = "ldap:///cn=Organization Admin
Role,[$dn],dc=red,dc=iplanet,dc=com";)

Consolidated organization admin ACIs

aci:
(target="ldap:///cn=Organization Admin Role,($dn),$rootSuffix")
(targetattr="*")
(version 3.0; acl "S1IS Organization Admin Role access deny";
deny (write,add,delete,compare,proxy)
roledn = "ldap:///cn=Organization Admin Role,($dn),$rootSuffix";)

aci:
(target="ldap:///($dn),$rootSuffix")
(targetattr="*")
(version 3.0; acl "Organization Admin Role access allow read";
allow(read,search)
roledn = "ldap:///cn=Organization Admin Role,[$dn],$rootSuffix" ;)

aci:
(target="ldap:///($dn),$rootSuffix")
(targetfilter=(!(|(nsroledn=cn=Top-level Admin Role,$rootSuffix)
(entrydn=($dn),$rootSuffix))))
( targetattr = "*")
(version 3.0; acl "S1IS Organization Admin Role access allow";
allow (all)
roledn = "ldap:///cn=Organization Admin Role,[$dn],$rootSuffix";)


List of Unused ACIs to Be Discarded

The list in this section shows the unused default ACIs that are discarded from the directory when the replacement.acis.ldif file is applied to it.

The ACIs to be discarded fall into the following categories:

Suffix

#
# discard
#
aci:
(targetattr ="*")
(version 3.0;acl "Configuration Administrators Group";
allow (all)
(groupdn = "ldap:///cn=Configuration Administrators, ou=Groups,
ou=TopologyManagement, o=NetscapeRoot");)

#
# discard
#
aci:
(targetattr ="*")
(version 3.0;acl "Directory Administrators Group";
allow (all)
(groupdn = "ldap:///cn=Directory Administrators, $rootSuffix");)

#
# discard
#
aci:
(targetattr = "*")
(version 3.0;
acl "SIE Group";
allow (all)
groupdn = "ldap:///cn=slapd-whater, cn=Sun ONE Directory Server, cn=Server
Group, cn=whater.red.iplanet.com, ou=red.iplanet.com, o=NetscapeRoot";)

#
# discard - prevents anyone other than the Top-level Admin Role from modifying the amldapuser account.
#
aci:
(target="ldap:///cn=amldapuser,ou=DSAME Users,$rootSuffix")
(targetattr = "*")
(version 3.0;
acl "S1IS special ldap auth user modify right";
deny (write)
roledn != "ldap:///cn=Top-level Admin Role,$rootSuffix";)

#
# discard - protects SAML related attributes
#
aci:
(targetattr="iplanet-am-saml-user || iplanet-am-saml-password")
(targetfilter="(objectclass=iplanet-am-saml-service)")
(version 3.0; acl "S1IS Right to modify saml user and password";
deny (all)
(roledn != "ldap:///cn=Top-level Admin Role,$rootSuffix")
AND (userdn != "ldap:///cn=dsameuser,ou=DSAME Users,$rootSuffix")
AND (userdn != "ldap:///cn=puser,ou=DSAME Users,$rootSuffix"); )

Top-level Help Desk Admin Role

#
# discard
#
aci:
(target="ldap:///$rootSuffix")
(targetfilter=(!(nsroledn=cn=Top-level Admin Role,$rootSuffix)))
(targetattr = "*")
(version 3.0; acl "S1IS Top-level Help Desk Admin Role access allow";
allow (read,search)
roledn = "ldap:///cn=Top-level Help Desk Admin Role,$rootSuffix";)

#
# discard
#
aci:
(target="ldap:///$rootSuffix")
(targetfilter=(!(nsroledn=cn=Top-level Admin Role,$rootSuffix)))
(targetattr = "userPassword")
(version 3.0; acl "S1IS Top-level Help Desk Admin Role access allow";
allow (write)
roledn = "ldap:///cn=Top-level Help Desk Admin Role,$rootSuffix";)

Top-level Policy Admin Role

#
# discard
#
aci:
(target="ldap:///$rootSuffix")
(targetfilter=(!(|(nsroledn=cn=Top-level Admin Role,$rootSuffix))))
(targetattr = "*")
(version 3.0; acl "S1IS Top-level Policy Admin Role access allow";
allow (read,search)
roledn = "ldap:///cn=Top-level Policy Admin Role,$rootSuffix";)

#
# discard
#
aci:
(target="ldap:///ou=iPlanetAMAuthService,ou=services,*$rootSuffix")
(targetattr = "*")
(version 3.0; acl "S1IS Top-level Policy Admin Role access Auth Service deny";
deny (add,write,delete)
roledn = "ldap:///cn=Top-level Policy Admin Role,$rootSuffix";)

#
# discard
#
aci:
(target="ldap:///ou=services,*$rootSuffix")
(targetattr = "*")
(version 3.0; acl "S1IS Top-level Policy Admin Role access allow";
allow (all)
roledn = "ldap:///cn=Top-level Policy Admin Role,$rootSuffix";)

#
# discard
#
aci:
(target="ldap:///$rootSuffix")
(targetfilter="(objectclass=sunismanagedorganization)")
(targetattr = "sunRegisteredServiceName")
(version 3.0; acl "S1IS Top-level Policy Admin Role access allow";
allow (read,write,search)
roledn = "ldap:///cn=Top-level Policy Admin Role,$rootSuffix";)

Access Manager anonymous

#
# discard - prevents anyone other than rootdn from deleting default organization.
#
aci:
(target="ldap:///$rootSuffix")
(targetfilter=(entrydn=$rootSuffix))
(targetattr="*")
(version 3.0; acl "S1IS Default Organization delete right denied";
deny (delete)
userdn = "ldap:///anyone"; )

#
# discard - prevents any user other than rootdn from deleting the TLA admin role.
#
aci:
(target="ldap:///cn=Top-level Admin Role,$rootSuffix")
(targetattr="*")
(version 3.0; acl "S1IS Top-level admin delete right denied";
deny(delete)
userdn = "ldap:///anyone"; )

Access Manager deny write access

#
# discard
#
aci:
(targetattr = "*")
(version 3.0; acl "S1IS Deny write to anonymous user";
deny (add,write,delete)
roledn ="ldap:///cn=Deny Write Access,$rootSuffix";)

Access Manager Container Admin Role

#
# discard
#
aci:
(target="ldap:///($dn),$rootSuffix")
(targetfilter=(!(|(nsroledn=cn=Top-level Admin Role,$rootSuffix)
(nsroledn=cn=Top-level Help Desk Admin Role,$rootSuffix)
(nsroledn=cn=Top-level Policy Admin Role,$rootSuffix))))
(targetattr != "nsroledn")
(version 3.0; acl "S1IS Container Admin Role access allow";
allow (all)
roledn = "ldap:///cn=Container Admin Role,[$dn],$rootSuffix";)

#
# discard
#
aci:
(target="ldap:///cn=Container Admin Role,($dn),$rootSuffix")
(targetattr="*")
(version 3.0; acl "S1IS Container Admin Role access deny";
deny (write,add,delete,compare,proxy)
roledn = "ldap:///cn=Container Admin Role,($dn),$rootSuffix";)

#
# discard
#
aci:
(target="ldap:///ou=People,$rootSuffix")
(targetfilter=(!(|(nsroledn=cn=Top-level Admin Role,$rootSuffix)
(nsroledn=cn=Top-level Help Desk Admin Role,$rootSuffix)
(nsroledn=cn=Top-level Policy Admin Role,$rootSuffix)
(nsroledn=cn=Organization Admin Role,$rootSuffix)
(nsroledn=cn=Container Admin Role,$rootSuffix))))
(targetattr != "iplanet-am-web-agent-access-allow-list ||
iplanet-am-domain-url-access-allow
|| iplanet-am-web-agent-access-deny-list || nsroledn")
(version 3.0; acl "S1IS Group and people container admin role";
allow (all)
roledn = "ldap:///cn=ou=People_dc=red_dc=iplanet_dc=com,$rootSuffix";)

Organization Help Desk

#
# discard
#
aci:(extra versus dreambig)
(target="ldap:///$rootSuffix")
(targetfilter=(!(|(nsroledn=cn=Top-level Admin Role,$rootSuffix)
(nsroledn=cn=Top-level Help Desk Admin Role,$rootSuffix)
(nsroledn=cn=Top-level Policy Admin Role,$rootSuffix)
(nsroledn=cn=Organization Admin Role,$rootSuffix))))
(targetattr = "*")
(version 3.0; acl "S1IS Organization Help Desk Admin Role access allow";
allow (read,search)
roledn = "ldap:///cn=Organization Help Desk Admin Role,$rootSuffix";)

#
# discard
#
aci:
(target="ldap:///$rootSuffix")
(targetfilter=(!(|(nsroledn=cn=Top-level Admin Role,$rootSuffix)
(nsroledn=cn=Top-level Help Desk Admin Role,$rootSuffix)
(nsroledn=cn=Top-level Policy Admin Role,$rootSuffix)
(nsroledn=cn=Organization Admin Role,$rootSuffix))))
(targetattr = "userPassword")
(version 3.0; acl "S1IS Organization Help Desk Admin Role access allow";
allow (write)
roledn = "ldap:///cn=Organization Help Desk Admin Role,$rootSuffix";)

Access Manager miscellaneous

#
# discard - Removal disables the privileges associated with the attribute
# iplanet-am-modifiable-by
#
aci:
(target="ldap:///$rootSuffix")
(targetattr!="nsroledn")
(version 3.0; acl "S1IS Group admin’s right to the users he creates";
allow (all)
userattr = "iplanet-am-modifiable-by#ROLEDN";)





Part No: 819-1103. Copyright 2005 Sun Microsystems, Inc. All rights reserved.