|
| |
| Sun Java System Communications Services 6 2005Q1 Delegated Administrator 指南 | |
附錄 D
ACI 合併計算本附錄描述下列主題:
簡介當您同時安裝有 Messaging Server 和 Access Manager,並使用 LDAP Schema 2 目錄時,目錄中已初始安裝了數量龐大的存取控制指令 (ACI)。Messaging Server 不需要或者不使用許多的預設 ACI。
在執行階段檢查這些 ACI 的需要會影響 Directory Server 的效能,相對的,Directory Server 的效能又會影響 Messaging Server 查詢和其他目錄作業的效能。
您可以合併計算或減少目錄中預設 ACI 的數量,以增進 Directory Server 的效能。合併計算 ACI 也能夠使它們更容易管理。
減少 ACI 的方法如下:
本附錄首先描述如何使用 ldif 檔案 (replacment.acis.ldif) 來合併計算根尾碼上的 ACI 和從目錄移除未使用的 ACI。如需詳細資訊,請參閱下面的「合併計算和移除 ACI」。
接下來,此附錄分析每一個 ACI 並建議一個處理它的方法:移除、修訂以使其更有效率或重寫。
請注意這些建議中的下列限制:
有了這些限制,您必須自己決定 (根據安裝需求) 是否可以使用 ldif 檔案來合併計算和移除 ACI,或是否必需保留某些現在存在於目錄中的 ACI。
如需詳細資訊,請參閱此附錄後面的「分析現有的 ACI」。
接下來,此附錄描述由 replacement.acis.ldif 檔案合併計算的 ACI。它列出合併計算前現有的 ACI 和合併計算後已經修改的 ACI。如需詳細資訊,請參閱此附錄後面的「分析如何合併計算 ACI」。
最後,本附錄列出 replacement.acis.ldif 所捨棄的 ACI。如需詳細資訊,請參閱此附錄後面的「捨棄之未使用的 ACI 清單」。
合併計算和移除 ACI本節中列出的 ldif 檔案 replacement.acis.ldif 會在根尾碼上安裝合併計算的 ACI,並從目錄刪除未使用的 ACI。此 ldif 檔案是由 Delegated Administrator 所提供,位於下列目錄中:
da_base/lib/config-templates
當您套用 replacement.acis.ldif 檔案到目錄上 (用 ldapmodify),ldapmodify 指令會移除在根尾碼上 aci 屬性的全部實例,並以 replacement.acis.ldif 檔案中的 ACI 替代這些 ACI。
因此,初始此程式會從根尾碼移除全部 ACI,然後以下列一組 ACI 來替代它們。如果目錄包含另一個應用程式 (如 Portal Server) 所產生的 ACI,您應該將那些 ACI 儲存到一個檔案,然後在套用 replacement.acis.ldif 檔案後再將它們重新套用至目錄上。
如需使用此 ldif 檔案來清除您的 ACI 的說明,請參閱本節後面的「替代 ACI 之步驟」。
replacement.acis.ldif 檔案
dn: $rootSuffix
changetype: modify
replace: aci
aci: (targetattr = “*”)(version 3.0; acl “Configuration Administrator”;
allow (all)
userdn=”ldap:///uid=admin,ou=Administrators,ou=TopologyManagement,
o=NetscapeRoot”;)
aci: (target=”“ldap:///$rootSuffix”)
(targetfilter=(!(objectclass=sunServiceComponent)))
(targetattr != “userPassword||passwordHistory
||passwordExpirationTime||passwordExpWarned||passwordRetryCount
||retryCountResetTime||accountUnlockTime||passwordAllowChangeTime”)
(version 3.0; acl “anonymous access rights”;
allow (read,search,compare)
userdn = “ldap:///anyone”; )
aci: (targetattr != “nsroledn||aci||nsLookThroughLimit||nsSizeLimit
||nsTimeLimit||nsIdleTimeout||passwordPolicySubentry||passwordExpiration Time
||passwordExpWarned||passwordRetryCount||retryCountResetTime
||accountUnlockTime||passwordHistory||passwordAllowChangeTime||uid||memb erOf
||objectclass||inetuserstatus||ou||owner||mail||mailuserstatus
||memberOfManagedGroup||mailQuota||mailMsgQuota||mailhost
||mailAllowedServiceAccess||inetCOS||mailSMTPSubmitChannel”)
(version 3.0; acl “Allow self entry modification”;
allow (write)
userdn =”ldap:///self”;)
aci: (targetattr != “ aci || nsLookThroughLimit || nsSizeLimit
|| nsTimeLimit|| nsIdleTimeout”)
(version 3.0; acl “Allow self entry read search”;
allow(write)
userdn =”ldap:///self”;)
|aci: (target=”ldap:///$rootSuffix”)
(targetattr=”*”)
(version 3.0; acl “S1IS Proxy user rights”;
allow (proxy)
userdn = “ldap:///cn=puser,ou=DSAME Users,
$rootSuffix”; )
aci: (target=”ldap:///$rootSuffix”)
(targetattr=”*”)
(version 3.0; acl “S1IS special dsame user rights for all under the root suffix”;
allow (all)
userdn = “ldap:///cn=dsameuser,ou=DSAME Users,
$rootSuffix”; )
aci: (target=”ldap:///$rootSuffix”)
(targetattr=”*”)
(version 3.0; acl “S1IS special ldap auth user rights”;
allow (read,search)
userdn = “ldap:///cn=amldapuser,ou=DSAME Users,
$rootSuffix”; )
aci: (target=”ldap:///$rootSuffix”)
(targetattr=”*”)
(version 3.0; acl “S1IS Top-level admin rights”;
allow (all)
roledn = “ldap:///cn=Top-level Admin Role,
$rootSuffix”; )
aci: (targetattr=”*”)
(version 3.0; acl “Messaging Server End User Administrator Read Only Access”;
allow (read,search)
groupdn=”ldap:///cn=Messaging End User Administrators Group,ou=Groups,
$rootSuffix”;)
aci: (targetattr=”objectclass || mailalternateaddress || Mailautoreplymode ||
mailprogramdeliveryinfo || preferredlanguage || maildeliveryoption
|| mailforwardingaddress || mailAutoReplyTimeout || mailautoreplytextinternal
|| mailautoreplytext || vacationEndDate || vacationStartDate
|| mailautoreplysubject || maxPabEntries || mailMessageStore
|| mailSieveRuleSource || sunUCDateFormat || sunUCDateDeLimiter
|| sunUCTimeFormat || mailuserstatus || maildomainstatus”)
(version 3.0; acl “Messaging Server End User Administrator All Access”;
allow (all)
groupdn = “ldap:///cn=Messaging End User Administrators Group,ou=Groups,
$rootSuffix”;)
aci: (targetattr = “*”)
(version 3.0;acl “Allow Read-Only Access”;
allow (read,search,compare)
groupdn = “ldap:///cn=Read-Only,ou=Groups,
$rootSuffix”;)
aci: (target=”ldap:///cn=Organization Admin Role,($dn),$rootSuffix”)
(targetattr=”*”)
(version 3.0; acl “S1IS Organization Admin Role access deny”;
deny (write,add,delete,compare,proxy)
roledn = “ldap:///cn=Organization Admin Role,($dn),
$rootSuffix”;)
aci: (target=”ldap:///($dn),$rootSuffix”)
(targetattr=”*”)
(version 3.0; acl “Organization Admin Role access allow read”;
allow(read,search)
roledn = “ldap:///cn=Organization Admin Role,[$dn],
$rootSuffix” ;)
aci: (target=”ldap:///($dn),$rootSuffix”)
(targetfilter=(!(|(nsroledn=cn=Top-level Admin Role,$rootSuffix)
(entrydn=($dn),$rootSuffix))))
( targetattr = “*”)
(version 3.0; acl “S1IS Organization Admin Role access allow”;
allow (all)
roledn = “ldap:///cn=Organization Admin Role,[$dn],
$rootSuffix”;)替代 ACI 之步驟
在您開始之前
在您開始此程式之前,我們建議您檢查在目錄中現有的 ACI。您應該決定您是否要保存此程式將刪除的任何 ACI。
初始此程式會從根尾碼移除全部 ACI,然後以下列一組 ACI 來替代它們。如果目錄包含 Messaging Server 以外的應用程式所產生的 ACI,您應該將那些 ACI 儲存到一個檔案,然後在套用 replacement.acis.ldif 檔案後再將它們重新套用至目錄上。
為了幫助您分析 Access Manager 和 Messaging Server 所產生的現有 ACI,請參閱在此附錄後面部分的下列各節。
替代 ACI
若要合併計算根尾碼上的 ACI 和移除未使用的 ACI,請採取下列步驟:
- 儲存目前在根尾碼上現有的 ACI。您可以使用 ldapsearch 指令,如下列範例:
ldapsearch -D “cn=Directory Manager” -w <password>
-s base -b <$rootSuffix> aci=* aci ><filename>其中
<password> 是 Directory Server 管理員的密碼。
<$rootSuffix> 是您的根尾碼,如 o=usergroup。
<filename> 是會寫入儲存的 ACI 的檔案名稱。
- 複製並重新命名 replacement.acis.ldif 檔案。
當您安裝 Delegated Administrator 時,replacement.acis.ldif 檔案安裝在下列目錄中:
da_base/lib/config-templates
- 在您的 replacement.acis.ldif 檔案複本中編輯 $rootSuffix 項目。
變更根尾碼參數 $rootSuffix 成您的根尾碼 (如 o=usergroup)。$rootSuffix 參數在 ldif 檔案中顯示多次;每一個實例都必需被替代。
- 使用 LDAP 目錄工具 ldapmodify 來替代 ACI。
例如,您可以執行下列指令:
ldapmodify -D <directory manager> -w <password>
-f <replacement.acis.finished.ldif>其中
<directory manager> 是 Directory Server 管理員的名稱。
<password> 是 Directory Server 管理員的密碼。
<replacement.acis.finished.ldif> 是合併計算及移除目錄中的 ACI 的已編輯過的 ldif 檔案名稱。
消除動態社團組織 ACI
當您使用 Delegated Administrator 主控台來建立社團組織時,社團組織節點上建立了一個 ACI 群組。
在上述程式中安裝的替代 ACI 會消除這些每個社團組織 ACI 的需要。您可以使用 Access Manager 主控台來防止建立每個社團組織的 ACI。採取下列步驟:
分析現有的 ACI本節中的清單顯示當安裝 Access Manager 和 Messaging Server 時安裝到目錄中的 ACI。它也描述每個 ACI 的功能並建議某個 ACI 是否能夠保留、合併計算或捨棄。
ACI 分為下列種類:
根尾碼
-------------------------------------------------------------------------------------------------------------
dn: $rootSuffix
#
# consolidate
#
aci:
(targetattr != “nsroledn || aci || nsLookThroughLimit || nsSizeLimit ||
nsTimeLimit || nsIdleTimeout || passwordPolicySubentry || passwordExpirationTime
|| passwordExpWarned || passwordRetryCount || retryCountResetTime
|| accountUnlockTime || passwordHistory || passwordAllowChangeTime”)
(version 3.0; acl “Allow self entry modification except for nsroledn, aci, resource limit attributes, passwordPolicySubentry and password policy state attributes”;
allow (write)
userdn =”ldap:///self”;)
動作:合併計算。
沒有對此尾碼自身存取的需求。這是重複的 ACI;它可以與根尾碼上的自身 ACI 合併。
------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------------
#
# retain
#
aci:
(targetattr = “*”)
(version 3.0; acl “Configuration Administrator”;
allow (all)
userdn = “ldap:///uid=admin, ou=Administrators, ou=TopologyManagement,o=NetscapeRoot”;)
動作:保留。
這是透過「通過認證」認證 slapd-config 實例的「admin」使用者。如果全部的配置都是以 Directory Manager 執行,使用指令行公用程式,則不需要這個 ACI。若有人可能需要以此使用者認證主控台,則此 ACI 可以保留在這裡。相似的 ACI 可以移除。
-------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------------
#
# discard
#
aci:
(targetattr =”*”)
(version 3.0;acl “Configuration Administrators Group”;
allow (all)
(groupdn = “ldap:///cn=Configuration Administrators, ou=Groups, ou=TopologyManagement, o=NetscapeRoot”);)
動作:捨棄全部 DB 後端。
若使用主控台來委託伺服器管理權限,則這是將得到權限的「配置管理員」群組。
------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------------
#
# discard
#
aci:
(targetattr =”*”)
(version 3.0;acl “Directory Administrators Group”;
allow (all)
(groupdn = “ldap:///cn=Directory Administrators, $rootSuffix”);)
動作:捨棄全部 DB 後端。
這是一般「目錄管理員」群組的權限定義。
-------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------------
#
# discard
#
aci:
(targetattr = “*”)
(version 3.0; acl “SIE Group”;
allow (all)
groupdn = “ldap:///cn=slapd-whater, cn=Sun ONE Directory Server, cn=Server Group, cn=whater.red.iplanet.com, ou=red.iplanet.com, o=NetscapeRoot”;)
動作:捨棄全部 DB 後端。
這是主控台/管理伺服器相關群組的權限定義。
-------------------------------------------------------------------------------------------------------------
Access Manager
-------------------------------------------------------------------------------------------------------------
# retain
#
aci:
(target=”ldap:///$rootSuffix”)
(targetattr=”*”)
(version 3.0; acl “S1IS Proxy user rights”;
allow (proxy)
userdn = “ldap:///cn=puser,ou=DSAME Users,$rootSuffix”; )
動作:保留。
此 ACI 授予系統使用者存取 Access Manager 的權限。
-------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------------
#
# retain
#
aci:
(target=”ldap:///$rootSuffix”)
(targetattr=”*”)
(version 3.0; acl “S1IS special dsame user rights for all under the root suffix”;
allow (all)
userdn = “ldap:///cn=dsameuser,ou=DSAME Users,$rootSuffix”; )
動作:保留。
此 ACI 授予系統使用者存取 Access Manager 的權限。
-------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------------
#
# retain
#
aci:
(target=”ldap:///$rootSuffix”)(targetattr=”*”)|
(version 3.0;acl “S1IS special ldap auth user rights”;
allow (read,search)
userdn = “ldap:///cn=amldapuser,ou=DSAME Users,$rootSuffix”; )
動作:保留。
此 ACI 授予系統使用者存取 Access Manager 的權限。
-------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------------
#
# discard
#
aci:
(target=”ldap:///cn=amldapuser,ou=DSAME Users,$rootSuffix”)
(targetattr = “*”)
(version 3.0;
acl “S1IS special ldap auth user modify right”;
deny (write)
roledn != “ldap:///cn=Top-level Admin Role,$rootSuffix”;)
動作:捨棄。
此 ACI 防止頂層管理員 (TLA) 修改 amldapuser 帳號。
-------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------------
#
# retain
#
aci:
(target=”ldap:///$rootSuffix”)
(targetattr=”*”)
(version 3.0; acl “S1IS Top-level admin rights”;
allow (all)
roledn = “ldap:///cn=Top-level Admin Role,$rootSuffix”; )
動作:保留。
此 ACI 授予頂層管理員角色存取權限。
-------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------------
#
# discard
#
aci:
(targetattr=”iplanet-am-saml-user || iplanet-am-saml-password”)(targetfilter=”(objectclass=iplanet-am-saml-serv ice)”)
(version 3.0; acl “S1IS Right to modify saml user and password”;
deny (all)
(roledn != “ldap:///cn=Top-level Admin Role,$rootSuffix”)
AND (userdn != “ldap:///cn=dsameuser,ou=DSAME Users,$rootSuffix”)
AND (userdn != “ldap:///cn=puser,ou=DSAME Users,$rootSuffix”); )
動作:捨棄。
此 ACI 保護 SAML 相關屬性。
-------------------------------------------------------------------------------------------------------------
頂層服務台管理員角色
-------------------------------------------------------------------------------------------------------------
#
# discard
#
aci:
(target=”ldap:///$rootSuffix”)
(targetfilter=(!(nsroledn=cn=Top-level Admin Role,$rootSuffix)))
(targetattr = “*”)
(version 3.0; acl “S1IS Top-level Help Desk Admin Role access allow”;
allow (read,search)
roledn = “ldap:///cn=Top-level Help Desk Admin Role,$rootSuffix”;)
動作:捨棄。
-------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------------
#
# discard
#
aci:
(target=”ldap:///$rootSuffix”)
(targetfilter=(!(nsroledn=cn=Top-level Admin Role,$rootSuffix)))
(targetattr = “userPassword”)
(version 3.0; acl “S1IS Top-level Help Desk Admin Role access allow”;
allow (write)
roledn = “ldap:///cn=Top-level Help Desk Admin Role,$rootSuffix”;)
動作:捨棄。
-------------------------------------------------------------------------------------------------------------
頂層策略管理員角色
-------------------------------------------------------------------------------------------------------------
#
# discard
#
aci:
target=”ldap:///$rootSuffix”)
(targetfilter=(!(|(nsroledn=cn=Top-level Admin Role,$rootSuffix))))
(targetattr = “*”)
(version 3.0; acl “S1IS Top-level Policy Admin Role access allow”;
allow (read,search)
roledn = “ldap:///cn=Top-level Policy Admin Role,$rootSuffix”;)
動作:捨棄。
此 ACI 屬於頂層策略管理員角色。
-------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------------
#
# discard
#
aci:
(target=”ldap:///ou=iPlanetAMAuthService,ou=services,*$rootSuffix”)
(targetattr = “*”)
(version 3.0; acl “S1IS Top-level Policy Admin Role access Auth Service deny”;
deny (add,write,delete)
roledn = “ldap:///cn=Top-level Policy Admin Role,$rootSuffix”;)
動作:捨棄。
此 ACI 屬於頂層策略管理員角色。
-------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------------
#
# discard
#
aci:
(target=”ldap:///ou=services,*$rootSuffix”)
(targetattr = “*”)
(version 3.0; acl “S1IS Top-level Policy Admin Role access allow”;
allow (all)
roledn = “ldap:///cn=Top-level Policy Admin Role,$rootSuffix”;)
動作:捨棄。
此 ACI 屬於頂層策略管理員角色。
-------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------------
#
# discard
#
aci:
(target=”ldap:///$rootSuffix”)
(targetfilter=”(objectclass=sunismanagedorganization)”)
(targetattr = “sunRegisteredServiceName”)
(version 3.0; acl “S1IS Top-level Policy Admin Role access allow”;
allow (read,write,search)
roledn = “ldap:///cn=Top-level Policy Admin Role,$rootSuffix”;)
動作:捨棄。
此 ACI 屬於頂層策略管理員角色。
-------------------------------------------------------------------------------------------------------------
AM 自身
-------------------------------------------------------------------------------------------------------------
#
# consolidate
#
aci:
(targetattr = “*”)
(version 3.0;
acl “S1IS Deny deleting self”;
deny (delete)
userdn =”ldap:///self”;)
動作:合併計算成單一自我寫入 ACI。由於一般使用者沒有權限刪除任何項目 (包括他們自己),因此不需要明確的拒絕。
這是多個設定自我權限的 ACI 其中之一。此明確的拒絕可防止任何項目刪除自己。
-------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------------
#
# consolidate
#
aci:
(targetattr = “objectclass || inetuserstatus || iplanet-am-user-login-status
|| iplanet-am-web-agent-access-allow-list || iplanet-am-domain-url-access-allow
|| iplanet-am-web-agent-access-deny-list || iplanet-am-user-account-life
|| iplanet-am-session-max-session-time || iplanet-am-session-max-idle-time
|| iplanet-am-session-get-valid-sessions || iplanet-am-session-destroy-sessions
|| iplanet-am-session-add-session-listener-on-all-sessions || iplanet-am-user-admin-start-dn
|| iplanet-am-auth-post-login-process-class”)
(targetfilter=(!(nsroledn=cn=Top-level Admin Role,$rootSuffix)))
(version 3.0; acl “S1IS User status self modification denied”;
deny (write)
userdn =”ldap:///self”;)
動作:合併計算成單一自我寫入 ACI。
這是多個設定自我寫入權限的 ACI 其中之一。
-------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------------
#
# consolidate
#
aci:
(targetattr != “iplanet-am-static-group-dn || uid || nsroledn || aci || nsLookThroughLimit
|| nsSizeLimit || nsTimeLimit || nsIdleTimeout || memberOf || iplanet-am-web-agent-access-allow-list
|| iplanet-am-domain-url-access-allow || iplanet-am-web-agent-access-deny-list”)
(version 3.0; acl “S1IS Allow self entry modification except for nsroledn, aci, and resource limit attributes”;
allow (write)
userdn =”ldap:///self”;)
動作:合併計算成單一自我寫入 ACI。
這是多個設定權限的 ACI 其中之一。
-------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------------
#
# consolidate
#
aci:
(targetattr != “aci || nsLookThroughLimit || nsSizeLimit || nsTimeLimit
|| nsIdleTimeout || iplanet-am-domain-url-access-allow”)
(version 3.0; acl “S1IS Allow self entry read search except for nsroledn, aci, resource limit and
web agent policy attributes”;
allow (read,search)
userdn =”ldap:///self”;)
動作:合併計算成單一自我寫入 ACI。
這是多個設定自我寫入權限的 ACI 其中之一。
-------------------------------------------------------------------------------------------------------------
匿名 AM
-------------------------------------------------------------------------------------------------------------
#
# consolidate
#
aci:
(target=”ldap:///ou=services,$rootSuffix”)
(targetfilter=(!(objectclass=sunServiceComponent)))
(targetattr = “*”)
(version 3.0; acl “S1IS Services anonymous access”;
allow (read, search, compare)
userdn = “ldap:///anyone”;)
動作:合併計算成單一匿名 ACI。
這是多個授予匿名權限的 ACI 其中之一。
-------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------------
#
# consolidate
#
aci:
(target=”ldap:///ou=iPlanetAMAdminConsoleService,*,$rootSuffix”)
(targetattr = “*”)
(version 3.0; acl “S1IS iPlanetAMAdminConsoleService anonymous access”;
allow (read, search, compare)
userdn = “ldap:///anyone”;)
動作:合併計算成單一匿名 ACI。
這是多個授予匿名權限的 ACI 其中之一。
-------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------------
#
# discard
#
aci:
(target=”ldap:///$rootSuffix”)
(targetfilter=(entrydn=$rootSuffix))
(targetattr=”*”)
(version 3.0; acl “S1IS Default Organization delete right denied”;
deny (delete)
userdn = “ldap:///anyone”; )
動作:捨棄。
此 ACI 防止任何使用者 (除了 rootdn 之外) 刪除預設的社團組織。
-------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------------
#
# discard
#
aci:
(target=”ldap:///cn=Top-level Admin Role,$rootSuffix”)
(targetattr=”*”)
(version 3.0; acl “S1IS Top-level admin delete right denied”;
deny(delete)
userdn = “ldap:///anyone”; )
動作:捨棄。
此 ACI 防止任何使用者 (除了 rootdn 之外) 刪除頂層管理員角色。
-------------------------------------------------------------------------------------------------------------
AM 拒絕寫入存取
-------------------------------------------------------------------------------------------------------------
#
# discard
#
aci:
(targetattr = “*”)
(version 3.0; acl “S1IS Deny write to anonymous user”;
deny (add,write,delete)
roledn =”ldap:///cn=Deny Write Access,$rootSuffix”;)
動作:捨棄。
此 ACI 屬於拒絕寫入存取角色。
-------------------------------------------------------------------------------------------------------------
AM 容器管理員角色
-------------------------------------------------------------------------------------------------------------
#
# discard
#
aci:
(target=”ldap:///($dn),$rootSuffix”)
(targetfilter=(!(|(nsroledn=cn=Top-level Admin Role,$rootSuffix)
(nsroledn=cn=Top-level Help Desk Admin Role,$rootSuffix)
(nsroledn=cn=Top-level Policy Admin Role,$rootSuffix))))
(targetattr != “nsroledn”)
(version 3.0; acl “S1IS Container Admin Role access allow”;
allow (all)
roledn = “ldap:///cn=Container Admin Role,[$dn],$rootSuffix”;)
動作:捨棄。
此 ACI 屬於容器管理員角色。
-------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------------
#
# discard
#
aci:
(target=”ldap:///cn=Container Admin Role,($dn),$rootSuffix”)
(targetattr=”*”)
(version 3.0; acl “S1IS Container Admin Role access deny”;
deny (write,add,delete,compare,proxy)
roledn = “ldap:///cn=Container Admin Role,($dn),$rootSuffix”;)
動作:捨棄。
此 ACI 屬於容器管理員角色。
-------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------------
#
# discard
#
aci:
(targetfilter=(!(|(nsroledn=cn=Top-level Admin Role,$rootSuffix)
(nsroledn=cn=Top-level Help Desk Admin Role,$rootSuffix)
(nsroledn=cn=Top-level Policy Admin Role,$rootSuffix)
(nsroledn=cn=Organization Admin Role,$rootSuffix)
(nsroledn=cn=Container Admin Role,$rootSuffix))))
(targetattr != “iplanet-am-web-agent-access-allow-list || iplanet-am-domain-url-access-allow
|| iplanet-am-web-agent-access-deny-list || nsroledn”)
(version 3.0; acl “S1IS Group and people container admin role”;
allow (all)
roledn = “ldap:///cn=ou=People_dc=red_dc=iplanet_dc=com,$rootSuffix”;)
動作:捨棄。
此 ACI 屬於群組和人物容器管理員角色。
-------------------------------------------------------------------------------------------------------------
社團組織服務台
-------------------------------------------------------------------------------------------------------------
#
# discard
#
aci: (extra verses dreambig)
(target=”ldap:///$rootSuffix”)
(targetfilter=(!(|(nsroledn=cn=Top-level Admin Role,$rootSuffix)
(nsroledn=cn=Top-level Help Desk Admin Role,$rootSuffix)
(nsroledn=cn=Top-level Policy Admin Role,$rootSuffix)
(nsroledn=cn=Organization Admin Role,$rootSuffix))))
(targetattr = “*”)
(version 3.0; acl “S1IS Organization Help Desk Admin Role access allow”;
allow (read,search)
roledn = “ldap:///cn=Organization Help Desk Admin Role,$rootSuffix”;)
動作:捨棄。
此 ACI 屬於社團組織服務台管理員角色。
-------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------------
#
# discard
#
aci:
(target=”ldap:///$rootSuffix”)
(targetfilter=(!(|(nsroledn=cn=Top-level Admin Role,$rootSuffix)
(nsroledn=cn=Top-level Help Desk Admin Role,$rootSuffix)
(nsroledn=cn=Top-level Policy Admin Role,$rootSuffix)
(nsroledn=cn=Organization Admin Role,$rootSuffix))))
(targetattr = “userPassword”)
(version 3.0; acl “S1IS Organization Help Desk Admin Role access allow”;
allow (write)
roledn = “ldap:///cn=Organization Help Desk Admin Role,$rootSuffix”;)
動作:捨棄。
此 ACI 屬於社團組織服務台管理員角色。
-------------------------------------------------------------------------------------------------------------
AM 社團組織管理員角色
-------------------------------------------------------------------------------------------------------------
#
# consolidate
#
aci: (different name - “allow all” instead of “allow”)
(target=”ldap:///($dn),$rootSuffix”)
(targetfilter=(!(|(nsroledn=cn=Top-level Admin Role,$rootSuffix)
(nsroledn=cn=Top-level Help Desk Admin Role,$rootSuffix)
(nsroledn=cn=Top-level Policy Admin Role,$rootSuffix))))
(targetattr != “nsroledn”)
(version 3.0; acl “S1IS Organization Admin Role access allow all”;
allow (all)
roledn =”ldap:///cn=Organization Admin Role,[$dn],$rootSuffix”;)
動作:合併計算。
-------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------------
#
# consolidate
#
aci:
(target=”ldap:///cn=Organization Admin Role,($dn),$rootSuffix”)
(targetattr=”*”)
(version 3.0; acl “S1IS Organization Admin Role access deny”;
deny (write,add,delete,compare,proxy)
roledn = “ldap:///cn=Organization Admin Role,($dn),$rootSuffix”;)
動作:合併計算。
此 ACI 屬於社團組織管理員角色。
-------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------------
#
# consolidate
#
aci: (missing)
(target=”ldap:///($dn),$rootSuffix”)
(targetattr=”*”)
(version 3.0; acl “Organization Admin Role access allow read to org node”;
allow (read,search)
roledn = “ldap:///cn=Organization Admin Role,($dn),$rootSuffix” ;)
動作:合併計算。
此 ACI 屬於社團組織管理員角色。
-------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------------
#
# consolidate
#
aci:
(target=”ldap:///($dn),$rootSuffix”)
(targetfilter=(!(|(nsroledn=cn=Top-level Admin Role,$rootSuffix)
(nsroledn=cn=Top-level Help Desk Admin Role,$rootSuffix))))
(targetattr != “nsroledn”)
(version 3.0; acl “Organization Admin Role access allow”;
allow (all)
roledn = “ldap:///cn=Organization Admin Role,[$dn],$rootSuffix”;)
動作:合併計算。
此 ACI 屬於社團組織管理員角色。
-------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------------
#
# consolidate
#
aci:
(target=”ldap:///($dn),$rootSuffix”)
(targetattr!=”businessCategory || description || facsimileTelephoneNumber
|| postalAddress || preferredLanguage || searchGuide || postOfficeBox ||
postalCode
|| registeredaddress || street || l || st || telephonenumber ||maildomainreportaddress
|| maildomainwelcomemessage || preferredlanguage || sunenablegab”)
(version 3.0; acl “Organization Admin Role access deny to org node”;
deny (write,add,delete)
roledn = “ldap:///cn=Organization Admin Role,($dn),$rootSuffix” ;)
動作:合併計算。
此 ACI 屬於社團組織管理員角色。
-------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------------
#
# consolidate
#
aci:
(target=”ldap:///($dn),$rootSuffix”)
(targetfilter=(!(|(nsroledn=cn=Top-level Admin Role,$rootSuffix)
(nsroledn=cn=Top-level Help Desk Admin Role,$rootSuffix))))
(targetattr != “nsroledn”)
(version 3.0; acl “S1IS Organization Admin Role access allow all”;
allow (all)
roledn = “ldap:///cn=Organization Admin Role,[$dn],$rootSuffix”;)
動作:合併計算。
-------------------------------------------------------------------------------------------------------------
AM 其他
-------------------------------------------------------------------------------------------------------------
#
#
# discard#
aci:
(target=”ldap:///$rootSuffix”)
(targetattr!=”nsroledn”)
(version 3.0; acl “S1IS Group admin’s right to the users he creates”;
allow (all)
userattr = “iplanet-am-modifiable-by#ROLEDN”;)
動作:捨棄。
捨棄此 ACI 會停用 iplanet-am-modifiable-by 屬性相關權限。
-------------------------------------------------------------------------------------------------------------
Messaging Server
-------------------------------------------------------------------------------------------------------------
#
# consolidate
#
aci:
(target=”ldap:///$rootSuffix”)
(targetattr=”*”)
(version 3.0; acl “Messaging Server End User Administrator Read Access Rights -
product=SOMS,schema 2 support,class=installer,num=1,version=1”;
allow (read,search)
groupdn=”ldap:///cn=Messaging End User Administrators Group, ou=Groups,
$rootSuffix”;)
動作:合併計算。
此 ACI 授予傳訊一般使用者管理員群組權限。
-------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------------
#
# consolidate
#
aci:
(target=”ldap:///$rootSuffix”)
(targetattr=”objectclass||mailalternateaddress||mailautoreplymode
||mailprogramdeliveryinfo||nswmextendeduserprefs||preferredlanguage
||maildeliveryoption||mailforwardingaddress
||mailAutoReplyTimeout||mailautoreplytextinternal||mailautoreplytext
||vacationEndDate||vacationStartDate||mailautoreplysubject||pabURI
||maxPabEntries||mailMessageStore||mailSieveRuleSource||sunUCDateFormat
||sunUCDateDeLimiter||sunUCTimeFormat”)
(version 3.0; acl “Messaging Server End User Adminstrator Write Access Rights -
product=SOMS,schema 2 support,class=installer,num=2,version=1”;
allow (all)
groupdn=”ldap:///cn=Messaging End User Administrators Group, ou=Groups,
$rootSuffix”;)
動作:合併計算。
此 ACI 授予傳訊一般使用者管理員群組權限。
-------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------------
#
# consolidate
#
aci:
(targetattr=”uid||ou||owner||mail||mailAlternateAddress
||mailEquivalentAddress||memberOf
||inetuserstatus||mailuserstatus||memberOfManagedGroup||mailQuota
||mailMsgQuota||inetSubscriberAccountId||dataSource||mailhost
||mailAllowedServiceAcces||pabURI||inetCOS||mailSMTPSubmitChannel
||aci”)
(targetfilter=(&(objectClass=inetMailUser)(!(nsroledn=cn=Organization Admin Role,*))))
(version 3.0; acl “Deny write access to users over Messaging Server protected attributes -
product=SOMS,schema 2 support,class=installer,num=3,version=1 “;
deny (write)
userdn = “ldap:///self”;)
動作:合併計算。
這是多個設定自我權限的 ACI 其中之一。
-------------------------------------------------------------------------------------------------------------
分析如何合併計算 ACI本節中的清單顯示在替代 ldif 檔案 (replacement.acis.ldif) 中合併計算的 ACI,您可以使用此檔案合併計算目錄中的 ACI。如需如何替代 ACI 的說明,請參閱「替代 ACI 之步驟」。
ACI 分為幾組。每一個類別中,先列出原始 ACI,然後是合併計算後的 ACI:
原始匿名存取權限
aci:
(targetattr != “userPassword || passwordHistory || passwordExpirationTime
|| passwordExpWarned || passwordRetryCount || retryCountResetTime ||
accountUnlockTime || passwordAllowChangeTime “)
(version 3.0; acl “Anonymous access”;
allow (read, search, compare)
userdn = “ldap:///anyone”;)
aci:
(target=”ldap:///cn=Top-level Admin Role,$rootSuffix”)
(targetattr=”*”)
(version 3.0; acl “S1IS Top-level admin delete right denied”;
deny (delete)
userdn = “ldap:///anyone”; )
aci:
(target=”ldap:///$rootSuffix”)
(targetfilter=(entrydn=$rootSuffix))
(targetattr=”*”)
(version 3.0; acl “S1IS Default Organization delete right denied”;
deny (delete)
userdn = “ldap:///anyone”; )
aci:
(target=”ldap:///ou=services,$rootSuffix”)
(targetfilter=(!(objectclass=sunServiceComponent)))
(targetattr = “*”)
(version 3.0; acl “S1IS Services anonymous access”;
allow (read, search, compare)
userdn = “ldap:///anyone”;)
aci:
(target=”ldap:///ou=iPlanetAMAdminConsoleService,*,$rootSuffix”)
(targetattr = “*”)
(version 3.0; acl “S1IS iPlanetAMAdminConsoleService anonymous access”;
allow (read, search, compare)
userdn = “ldap:///anyone”;)
合併計算的匿名存取權限
aci:
(target=”ldap:///$rootSuffix”)
(targetfilter=(!(objectclass=sunServiceComponent)))
(targetattr != “userPassword||passwordHistory
||passwordExpirationTime||passwordExpWarned||passwordRetryCount
||retryCountResetTime||accountUnlockTime||passwordAllowChangeTime”)
(version 3.0; acl “anonymous access rights”;
allow (read,search,compare)
userdn = “ldap:///anyone”; )
分析:可匿名存取根,此根允許相同項並排除 aci 屬性。Access Manager 的這個替代會消除目標中昂貴的 (*),因為它允許尾碼的匿名存取。
原始自身 ACI
aci:
(targetattr != “nsroledn || aci || nsLookThroughLimit || nsSizeLimit ||
nsTimeLimit || nsIdleTimeout || passwordPolicySubentry ||
asswordExpirationTime
|| passwordExpWarned || passwordRetryCount || retryCountResetTime ||
accountUnlockTime || passwordHistory || passwordAllowChangeTime”)
(version 3.0; acl “Allow self entry modification except for nsroledn, aci, resource
limit attributes, passwordPolicySubentry and password policy state attributes”;
allow (write)
userdn =”ldap:///self”;)
aci:
(targetattr = “*”)
(version 3.0; acl “S1IS Deny deleting self”;
deny (delete)
userdn =”ldap:///self”;)
aci:
(targetattr = “objectclass || inetuserstatus ||
planet-am-web-agent-access-allow-list
|| iplanet-am-domain-url-access-allow || iplanet-am-web-agent-access-deny-list
|| iplanet-am-user-account-life || iplanet-am-session-max-session-time
|| iplanet-am-session-max-idle-time || iplanet-am-session-get-valid-sessions
|| iplanet-am-session-destroy-sessions ||
iplanet-am-session-add-session-listener-on-all-sessions
|| iplanet-am-user-admin-start-dn || iplanet-am-auth-post-login-process-class”)
(targetfilter=(!(nsroledn=cn=Top-levelAdmin Role,$rootSuffix)))
(version 3.0; acl “S1IS User status self modification denied”;
deny (write)
userdn =”ldap:///self”;)
aci:
(targetattr != “iplanet-am-static-group-dn || uid || nsroledn || aci ||
sLookThroughLimit
|| nsSizeLimit || nsTimeLimit || nsIdleTimeout || memberOf ||
planet-am-web-agent-access-allow-list
|| iplanet-am-domain-url-access-allow ||
planet-am-web-agent-access-deny-list”)
(version 3.0; acl “S1IS Allow self entry modification except for nsroledn, aci,
and resource limit attributes”;
allow (write)
userdn =”ldap:///self”;)
aci:
(targetattr != “aci || nsLookThroughLimit || nsSizeLimit || nsTimeLimit
|| nsIdleTimeout || iplanet-am-domain-url-access-allow”)
(version 3.0; acl “S1IS Allow self entry read search except for nsroledn, aci, resource
limit and web agent policy attributes”;
allow (read,search)
userdn =”ldap:///self”;)
aci:
(targetattr=”uid||ou||owner||mail||mailAlternateAddress||mailEquivalent
address||memberOf
||inetuserstatus||mailuserstatus||memberOfManagedGroup||mailQuota
||mailMsgQuota
||inetSubscriberAccountId||dataSource||mailhost||mailAllowedServiceAccess
||pabURI||inetCOS||mailSMTPSubmitChannel||aci”)
(targetfilter=(&(objectClass=inetMailUser)(!(nsroledn=cn=Organization Admin
ole,*))))
(version 3.0; acl “Deny write access to users over Messaging Server protected
attributes -
product=SOMS,schema 2 support,class=installer,num=3,version=1 “;
deny (write)
userdn = “ldap:///self”;)
合併計算自身 ACI
aci:
(targetattr != “nsroledn || aci || nsLookThroughLimit || nsSizeLimit
|| nsTimeLimit || nsIdleTimeout || passwordPolicySubentry ||
asswordExpirationTime
|| passwordExpWarned || passwordRetryCount || retryCountResetTime
|| accountUnlockTime || passwordHistory || passwordAllowChangeTime ||
id || memberOf
|| objectclass || inetuserstatus || ou || owner || mail || mailuserstatus
|| memberOfManagedGroup ||mailQuota || mailMsgQuota || mailhost
|| mailAllowedServiceAccess || inetCOS || mailSMTPSubmitChannel”)
(version 3.0; acl “Allow self entry modification”;
allow (write)
userdn =”ldap:///self”;)
aci:
(targetattr != “ aci || nsLookThroughLimit || nsSizeLimit
|| nsTimeLimit|| nsIdleTimeout”)
(version 3.0; acl “Allow self entry read search”;
allow(read,search)
userdn =”ldap:///self”;)
分析:缺少全部的 iplanet-am-* 屬性。既然 deny 是沒有 ACI 時的預設值,那麼全部 deny ACI 都會移除。允許 write 的 ACI 都被合併計算成一個 ACI。
原始 Messaging Server ACI
aci:
(target=”ldap:///$rootSuffix”)
(targetattr=”*”)
(version 3.0; acl “Messaging Server End User Administrator Read Access Rights -
product=SOMS,schema 2 support,class=installer,num=1,version=1”;
allow (read,search)
groupdn=”ldap:///cn=Messaging End User Administrators Group, ou=Groups,
rootSuffix”;)
aci:
(target=”ldap:///$rootSuffix”)
(targetattr=”objectclass||mailalternateaddress||mailautoreplymode||
mailprogramdeliveryinfo
||nswmextendeduserprefs||preferredlanguage||maildeliveryoption||
mailforwardingaddress
||mailAutoReplyTimeout||mailautoreplytextinternal||mailautoreplytext||
vacationEndDate
||vacationStartDate||mailautoreplysubject||pabURI||maxPabEntries||
mailMessageStore
||mailSieveRuleSource||sunUCDateFormat||sunUCDateDeLimiter||
sunUCTimeFormat”)
(version 3.0; acl “Messaging Server End User Adminstrator Write Access Rights -
product=SOMS,schema 2 support,class=installer,num=2,version=1”;
allow (all)
groupdn=”ldap:///cn=Messaging End User Administrators Group, ou=Groups,
rootSuffix”;)
aci:
(targetattr=”uid||ou||owner||mail||mailAlternateAddress||
mailEquivalentAddress||memberOf
||inetuserstatus||mailuserstatus||memberOfManagedGroup||mailQuota||
mailMsgQuota
||inetSubscriberAccountId||dataSource||mailhost||mailAllowedServiceAccess
||pabURI||inetCOS||mailSMTPSubmitChannel||aci”)
(targetfilter=(&(objectClass=inetMailUser)(!(nsroledn=cn=Organization Admin
Role,*))))
(version 3.0; acl “Deny write access to users over Messaging Server protected
attributes - product=SOMS,schema 2 support,class=installer,num=3,version=1 “;
deny (write)
userdn = “ldap:///self”;)
合併計算 Messaging Server ACI
在自身 ACI 中處理自身 ACI。
aci:
(targetattr=”*”)
(version 3.0; acl “Messaging Server End User Administrator Read Only Access”;
allow (read,search)
groupdn = “ldap:///cn=Messaging End User Administrators
group,ou=Groups,$rootSuffix”; )
aci:
(targetattr=”objectclass || mailalternateaddress || Mailautoreplymode ||
mailprogramdeliveryinfo || preferredlanguage || maildeliveryoption
|| mailforwardingaddress || mailAutoReplyTimeout ||
mailautoreplytextinternal
|| mailautoreplytext || vacationEndDate || vacationStartDate
|| mailautoreplysubject || maxPabEntries || mailMessageStore
|| mailSieveRuleSource || sunUCDateFormat || sunUCDateDeLimiter
|| sunUCTimeFormat || mailuserstatus || maildomainstatus”)
(version 3.0; acl “Messaging Server End User Administrator All Access”;
allow (all)
groupdn = “ldap:///cn=Messaging End User Administrators
group,ou=Groups,$rootSuffix”;)
分析:與原始 ACI 相同。
原始社團組織管理員 ACI
aci: (different name - “allow all” instead of “allow”)
(target=”ldap:///($dn),$rootSuffix”)
(targetfilter=(!(|(nsroledn=cn=Top-level Admin Role,$rootSuffix)
(nsroledn=cn=Top-level Help Desk Admin Role,$rootSuffix)
(nsroledn=cn=Top-level Policy Admin Role,$rootSuffix))))
(targetattr != “nsroledn”)
(version 3.0; acl “S1IS Organization Admin Role access allow all”;
allow (all)
roledn =”ldap:///cn=Organization Admin Role,[$dn],$rootSuffix”;)
aci:(missing)
(target=”ldap:///($dn),$rootSuffix”)
(targetattr=”*”)
(version 3.0; acl “Organization Admin Role access allow read to org node”;
allow (read,search)
roledn = “ldap:///cn=Organization Admin Role,($dn),$rootSuffix” ;)
aci:
(target=”ldap:///($dn),$rootSuffix”)
(targetfilter=(!(|(nsroledn=cn=Top-level Admin Role,$rootSuffix)
(nsroledn=cn=Top-level Help Desk Admin Role,$rootSuffix))))
(targetattr != “nsroledn”)
(version 3.0; acl “Organization Admin Role access allow”;
allow (all)
roledn = “ldap:///cn=Organization Admin Role,[$dn],$rootSuffix”;)
aci:
(target=”ldap:///($dn),$rootSuffix”)
(targetattr!=”businessCategory || description || facsimileTelephoneNumber
|| postalAddress || preferredLanguage || searchGuide || postOfficeBox ||
postalCode
|| registeredaddress || street || l || st || telephonenumber ||
maildomainreportaddress
|| maildomainwelcomemessage || preferredlanguage || sunenablegab”)
(version 3.0; acl “Organization Admin Role access deny to org node”;
deny (write,add,delete)
roledn = “ldap:///cn=Organization Admin Role,($dn),$rootSuffix” ;)
aci:(duplicate of per organization aci)
(target=”ldap:///cn=Organization Admin Role,($dn),$rootSuffix”)
(targetattr=”*”)
(version 3.0; acl “S1IS Organization Admin Role access deny”;
deny (write,add,delete,compare,proxy)
roledn = “ldap:///cn=Organization Admin Role,($dn),$rootSuffix”;)
aci:
(target=”ldap:///cn=Organization Admin
Role,($dn),dc=red,dc=iplanet,dc=com”)
(targetattr=”*”)
(version 3.0; acl “S1IS Organization Admin Role access deny”;
deny (write,add,delete,compare,proxy)
roledn = “ldap:///cn=Organization Admin Role,($dn),$rootSuffix”;)
aci:
(target=”ldap:///o=fullOrg1,o=VIS,o=siroe.com,o=SharedDomainsRoot,
o=Business,rootSuffix”)
(targetfilter=(!(|(nsroledn=cn=Top-level Admin Role,$rootSuffix)
(nsroledn=cn=Top-level Help Desk Admin Role,dc=red,dc=iplanet,dc=com))))
(targetattr = “nsroledn”)
(targattrfilters=”add=nsroledn:(nsroledn=*,o=fullOrg1,o=VIS,o=siroe.com,
o=SharedDomainsRoot,o=Business,$rootSuffix),
del=nsroledn:(nsroledn=*,o=fullOrg1,o=VIS,o=siroe.com,o=SharedDomainsRoot,
o=Business,$rootSuffix)”)
(version 3.0;
acl “S1IS Organization Admin Role access allow”;
allow (all)
roledn = “ldap:///cn=Organization Admin
Role,o=fullOrg1,o=VIS,o=siroe.com,o=SharedDomainsRoot,o=Business,
$rootSuffix”;)
aci:
(target=”ldap:///($dn),$rootSuffix”)
(targetfilter=(!(|(nsroledn=cn=Top-level Admin Role,$rootSuffix)
(nsroledn=cn=Top-level Help Desk Admin Role,$rootSuffix))))
(targetattr != “nsroledn”)
(version 3.0; acl “S1IS Organization Admin Role access allow all”;
allow (all)
roledn = “ldap:///cn=Organization Admin
Role,[$dn],dc=red,dc=iplanet,dc=com”;)
合併計算社團組織管理員 ACI
aci:
(target=”ldap:///cn=Organization Admin Role,($dn),$rootSuffix”)
(targetattr=”*”)
(version 3.0; acl “S1IS Organization Admin Role access deny”;
deny (write,add,delete,compare,proxy)
roledn = “ldap:///cn=Organization Admin Role,($dn),$rootSuffix”;)
aci:
(target=”ldap:///($dn),$rootSuffix”)
(targetattr=”*”)
(version 3.0; acl “Organization Admin Role access allow read”;
allow(read,search)
roledn = “ldap:///cn=Organization Admin Role,[$dn],$rootSuffix” ;)
aci:
(target=”ldap:///($dn),$rootSuffix”)
(targetfilter=(!(|(nsroledn=cn=Top-level Admin Role,$rootSuffix)
(entrydn=($dn),$rootSuffix))))
( targetattr = “*”)
(version 3.0; acl “S1IS Organization Admin Role access allow”;
allow (all)
roledn = “ldap:///cn=Organization Admin Role,[$dn],$rootSuffix”;)
捨棄之未使用的 ACI 清單本節中的清單顯示當您套用 replacement.acis.ldif 檔案至目錄上時,自此目錄捨棄而未使用的預設 ACI。
捨棄的 ACI 分為下列種類:
尾碼
# discard
#
aci:
(targetattr =”*”)
(version 3.0;acl “Configuration Administrators Group”;
allow (all)
(groupdn = “ldap:///cn=Configuration Administrators, ou=Groups,
ou=TopologyManagement, o=NetscapeRoot”);)
#
# discard
#
aci:
(targetattr =”*”)
(version 3.0;acl “Directory Administrators Group”;
allow (all)
(groupdn = “ldap:///cn=Directory Administrators, $rootSuffix”);)
#
# discard
#
aci:
(targetattr = “*”)
(version 3.0;
acl “SIE Group”;
allow (all)
groupdn = “ldap:///cn=slapd-whater, cn=Sun ONE Directory Server, cn=Server
Group, cn=whater.red.iplanet.com, ou=red.iplanet.com, o=NetscapeRoot”;)
#
# discard - prevents TLA from modifying the amldapuser account.
#
aci:
(target=”ldap:///cn=amldapuser,ou=DSAME Users,$rootSuffix”)
(targetattr = “*”)
(version 3.0;
acl “S1IS special ldap auth user modify right”;
deny (write)
roledn != “ldap:///cn=Top-level Admin Role,$rootSuffix”;)
#
# discard - protects SAML related attributes
#
aci:
(targetattr=”iplanet-am-saml-user || iplanet-am-saml-password”)
(targetfilter=”(objectclass=iplanet-am-saml-service)”)
(version 3.0; acl “S1IS Right to modify saml user and password”;
deny (all)
(roledn != “ldap:///cn=Top-level Admin Role,$rootSuffix”)
AND (userdn != “ldap:///cn=dsameuser,ou=DSAME Users,$rootSuffix”)
AND (userdn != “ldap:///cn=puser,ou=DSAME Users,$rootSuffix”); )
頂層服務台管理員角色
#
# discard
#
aci:
(target=”ldap:///$rootSuffix”)
(targetfilter=(!(nsroledn=cn=Top-level Admin Role,$rootSuffix)))
(targetattr = “*”)
(version 3.0; acl “S1IS Top-level Help Desk Admin Role access allow”;
allow (read,search)
roledn = “ldap:///cn=Top-level Help Desk Admin Role,$rootSuffix”;)
#
# discard
#
aci:
(target=”ldap:///$rootSuffix”)
(targetfilter=(!(nsroledn=cn=Top-level Admin Role,$rootSuffix)))
(targetattr = “userPassword”)
(version 3.0; acl “S1IS Top-level Help Desk Admin Role access allow”;
allow (write)
roledn = “ldap:///cn=Top-level Help Desk Admin Role,$rootSuffix”;)
頂層策略管理員角色
#
# discard
#
aci:
(target=”ldap:///$rootSuffix”)
(targetfilter=(!(|(nsroledn=cn=Top-level Admin Role,$rootSuffix))))
(targetattr = “*”)
(version 3.0; acl “S1IS Top-level Policy Admin Role access allow”;
allow (read,search)
roledn = “ldap:///cn=Top-level Policy Admin Role,$rootSuffix”;)
#
# discard
#
aci:
(target=”ldap:///ou=iPlanetAMAuthService,ou=services,*$rootSuffix”)
(targetattr = “*”)
(version 3.0; acl “S1IS Top-level Policy Admin Role access Auth Service deny”;
deny (add,write,delete)
roledn = “ldap:///cn=Top-level Policy Admin Role,$rootSuffix”;)
#
# discard
#
aci:
(target=”ldap:///ou=services,*$rootSuffix”)
(targetattr = “*”)
(version 3.0; acl “S1IS Top-level Policy Admin Role access allow”;
allow (all)
roledn = “ldap:///cn=Top-level Policy Admin Role,$rootSuffix”;)
#
# discard
#
aci:
(target=”ldap:///$rootSuffix”)
(targetfilter=”(objectclass=sunismanagedorganization)”)
(targetattr = “sunRegisteredServiceName”)
(version 3.0; acl “S1IS Top-level Policy Admin Role access allow”;
allow (read,write,search)
roledn = “ldap:///cn=Top-level Policy Admin Role,$rootSuffix”;)
Access Manager 匿名
#
# discard - prevents anyone other than rootdn from deleting default organization.
#
aci:
(target=”ldap:///$rootSuffix”)
(targetfilter=(entrydn=$rootSuffix))
(targetattr=”*”)
(version 3.0; acl “S1IS Default Organization delete right denied”;
deny (delete)
userdn = “ldap:///anyone”; )
#
# discard - prevents any user other than rootdn from deleting the TLA admin role.
#
aci:
(target=”ldap:///cn=Top-level Admin Role,$rootSuffix”)
(targetattr=”*”)
(version 3.0; acl “S1IS Top-level admin delete right denied”;
deny(delete)
userdn = “ldap:///anyone”; )
Access Manager 拒絕寫入存取
#
# discard
#
aci:
(targetattr = “*”)
(version 3.0; acl “S1IS Deny write to anonymous user”;
deny (add,write,delete)
roledn =”ldap:///cn=Deny Write Access,$rootSuffix”;)
Access Manager 容器管理員角色
#
# discard
#
aci:
(target=”ldap:///($dn),$rootSuffix”)
(targetfilter=(!(|(nsroledn=cn=Top-level Admin Role,$rootSuffix)
(nsroledn=cn=Top-level Help Desk Admin Role,$rootSuffix)
(nsroledn=cn=Top-level Policy Admin Role,$rootSuffix))))
(targetattr != “nsroledn”)
(version 3.0; acl “S1IS Container Admin Role access allow”;
allow (all)
roledn = “ldap:///cn=Container Admin Role,[$dn],$rootSuffix”;)
#
# discard
#
aci:
(target=”ldap:///cn=Container Admin Role,($dn),$rootSuffix”)
(targetattr=”*”)
(version 3.0; acl “S1IS Container Admin Role access deny”;
deny (write,add,delete,compare,proxy)
roledn = “ldap:///cn=Container Admin Role,($dn),$rootSuffix”;)
#
# discard
#
aci:
(target=”ldap:///ou=People,$rootSuffix”)
(targetfilter=(!(|(nsroledn=cn=Top-level Admin Role,$rootSuffix)
(nsroledn=cn=Top-level Help Desk Admin Role,$rootSuffix)
(nsroledn=cn=Top-level Policy Admin Role,$rootSuffix)
(nsroledn=cn=Organization Admin Role,$rootSuffix)
(nsroledn=cn=Container Admin Role,$rootSuffix))))
(targetattr != “iplanet-am-web-agent-access-allow-list ||
iplanet-am-domain-url-access-allow
|| iplanet-am-web-agent-access-deny-list || nsroledn”)
(version 3.0; acl “S1IS Group and people container admin role”;
allow (all)
roledn = “ldap:///cn=ou=People_dc=red_dc=iplanet_dc=com,$rootSuffix”;)
社團組織服務台
#
# discard
#
aci:(extra verses dreambig)
(target=”ldap:///$rootSuffix”)
(targetfilter=(!(|(nsroledn=cn=Top-level Admin Role,$rootSuffix)
(nsroledn=cn=Top-level Help Desk Admin Role,$rootSuffix)
(nsroledn=cn=Top-level Policy Admin Role,$rootSuffix)
(nsroledn=cn=Organization Admin Role,$rootSuffix))))
(targetattr = “*”)
(version 3.0; acl “S1IS Organization Help Desk Admin Role access allow”;
allow (read,search)
roledn = “ldap:///cn=Organization Help Desk Admin Role,$rootSuffix”;)
#
# discard
#
aci:
(target=”ldap:///$rootSuffix”)
(targetfilter=(!(|(nsroledn=cn=Top-level Admin Role,$rootSuffix)
(nsroledn=cn=Top-level Help Desk Admin Role,$rootSuffix)
(nsroledn=cn=Top-level Policy Admin Role,$rootSuffix)
(nsroledn=cn=Organization Admin Role,$rootSuffix))))
(targetattr = “userPassword”)
(version 3.0; acl “S1IS Organization Help Desk Admin Role access allow”;
allow (write)
roledn = “ldap:///cn=Organization Help Desk Admin Role,$rootSuffix”;)
Access Manager 其他
#
# discard - Removal disables the associated privileges to the attribute
iplanetam-modifiable-by
#
aci:
(target=”ldap:///$rootSuffix”)
(targetattr!=”nsroledn”)
(version 3.0; acl “S1IS Group admin’s right to the users he creates”;
allow (all)
userattr = “iplanet-am-modifiable-by#ROLEDN”;)