Sun Java System Directory Server Enterprise Edition 6.3 Administration Guide

Procedure: To Configure Virtual Access Controls

Regardless of the ACI repository that you use, you must configure the virtual access controls.


Note –

Only the Proxy Manager can create a pool of ACIs and manage ACIs directly through the ACI data view. If the ACI repository is an LDAP directory, you must modify the schema of that directory to include the aciSource object class and the dpsaci attribute. For more information about customizing the schema, see Extending Directory Server Schema.


You cannot use DSCC to perform this task. Use the command line, as described in this procedure.

  1. Create a pool of ACIs in the ACI repository, and set up global ACIs.

    For information about global ACIs, see Global ACIs in Sun Java System Directory Server Enterprise Edition 6.3 Reference. To set up global ACIs, add an aciSource entry under the view base of the ACI data view. The cn attribute of the entry must carry the same value as its RDN, otherwise the add is rejected. For example:


    % ldapmodify -p port -D "cn=proxy manager" -w -
    dn: cn=aci-source-name,cn=virtual access controls
    changetype: add
    objectclass: aciSource
    cn: aci-source-name
    dpsaci: (targetattr="*") (target="ldap:///ou=people,o=virtual") (version 3.0; 
     acl "perm1"; allow(all) groupdn="ldap:///cn=virtualGroup1,o=groups,o=virtual";)
    
  2. Configure one or more connection handlers to use this pool of ACIs.


    % dpconf set-connection-handler-prop -h host -p port connection-handler \
    aci-source:aci-source-name
    
  3. Add the required ACIs to the data.

    To do this, add the dpsaci attribute to the virtual entry that the ACIs protect, here ou=people,o=virtual, the target of the pool ACI created in Step 1. Bind as a user that the pool ACI authorizes. For example:


    % ldapmodify -p port -D "cn=virtual application,ou=application users,dc=com" -w -
    dn: ou=people,o=virtual
    changetype: modify
    add: dpsaci
    dpsaci: (targetattr="*")(version 3.0; acl "perm1"; allow(all) userdn="ldap:///self";)
    dpsaci: (targetattr="*")(version 3.0; acl "perm2"; allow(search, read, compare) 
     userdn="ldap:///anyone";)

    The bind rule userdn="ldap:///anyone" matches anonymous binds as well as authenticated users, so the second ACI lets unauthenticated clients read every attribute of the entry. Where that is not intended, narrow targetattr, or use userdn="ldap:///all" to match authenticated users only.

    Note –

    Any user with the appropriate access rights can add and retrieve virtual ACIs through the data view.
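The three steps above as one script, added here as an example and not taken from the guide or from Sun's tooling. It generates the LDIF from variables, checks that the aciSource cn matches its RDN before anything is sent, previews every command with DRY_RUN=1 (the default), and finishes by reading the dpsaci values back through the data view. The host localhost, port 1389, the handler name "default connection handler", and all DNs are assumptions for illustration; the application bind DN is assumed to be a member of virtualGroup1, which the pool ACI authorizes.

```shell
#!/bin/sh
# Added example, not part of the Sun guide: the three steps of the procedure
# wrapped in shell functions so that the LDIF is generated from variables,
# checked before it is sent, and previewed with DRY_RUN=1 (the default).
# Host, port, handler name and every DN below are assumptions for illustration.

DPS_HOST="${DPS_HOST:-localhost}"                 # assumed Directory Proxy Server host
DPS_PORT="${DPS_PORT:-1389}"                      # assumed DPS LDAP port
HANDLER="${HANDLER:-default connection handler}"  # assumed connection handler name
ACI_SOURCE="${ACI_SOURCE:-aci-source-name}"       # RDN value of the aciSource entry
VIEW_BASE="${VIEW_BASE:-cn=virtual access controls}"   # view base of the ACI data view
DATA_BASE="${DATA_BASE:-ou=people,o=virtual}"     # virtual entry the ACIs protect
ADMIN_GROUP="${ADMIN_GROUP:-cn=virtualGroup1,o=groups,o=virtual}"
APP_BIND_DN="${APP_BIND_DN:-cn=virtual application,ou=application users,dc=com}"
DRY_RUN="${DRY_RUN:-1}"                           # 0 = really run ldapmodify/dpconf

# Step 1 LDIF: the aciSource entry that forms the ACI pool. Its cn attribute
# must carry the same value as the RDN, otherwise the server rejects the add.
aci_source_ldif() {
    cat <<EOF
dn: cn=${ACI_SOURCE},${VIEW_BASE}
changetype: add
objectclass: aciSource
cn: ${ACI_SOURCE}
dpsaci: (targetattr="*")(target="ldap:///${DATA_BASE}")(version 3.0; acl "pool-admin"; allow(all) groupdn="ldap:///${ADMIN_GROUP}";)
EOF
}

# Step 3 LDIF: the ACIs stored in the data itself. The anonymous rule is
# narrowed to exclude userPassword, since "ldap:///anyone" also matches
# unauthenticated binds.
data_aci_ldif() {
    cat <<EOF
dn: ${DATA_BASE}
changetype: modify
add: dpsaci
dpsaci: (targetattr="*")(version 3.0; acl "self-write"; allow(all) userdn="ldap:///self";)
dpsaci: (targetattr!="userPassword")(version 3.0; acl "anon-read"; allow(search, read, compare) userdn="ldap:///anyone";)
EOF
}

# Guard against an RDN value that differs from the cn attribute.
check_rdn_cn() {
    ldif=$(aci_source_ldif)
    rdn=$(printf '%s\n' "$ldif" | sed -n 's/^dn: cn=\([^,]*\),.*/\1/p')
    cn=$(printf '%s\n' "$ldif" | sed -n 's/^cn: //p')
    [ -n "$rdn" ] && [ "$rdn" = "$cn" ]
}

# Sends LDIF from stdin as the given bind DN (-w - prompts for the password),
# or prints what would be sent when DRY_RUN=1.
apply_ldif() {
    if [ "$DRY_RUN" = 1 ]; then
        printf 'DRY-RUN: ldapmodify -h %s -p %s -D "%s" -w - <<LDIF\n' "$DPS_HOST" "$DPS_PORT" "$1"
        cat
        printf 'LDIF\n'
    else
        ldapmodify -h "$DPS_HOST" -p "$DPS_PORT" -D "$1" -w -
    fi
}

# Runs any other command, or prints it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf 'DRY-RUN: %s\n' "$*"
    else
        "$@"
    fi
}

main() {
    check_rdn_cn || { echo "RDN and cn differ in the aciSource LDIF" >&2; return 1; }
    # Step 1: only the Proxy Manager may write to the ACI data view.
    aci_source_ldif | apply_ldif "cn=proxy manager"
    # Step 2: bind the pool to the connection handler.
    run dpconf set-connection-handler-prop -h "$DPS_HOST" -p "$DPS_PORT" "$HANDLER" "aci-source:${ACI_SOURCE}"
    # Step 3: an application user (assumed member of ADMIN_GROUP) adds the data ACIs.
    data_aci_ldif | apply_ldif "$APP_BIND_DN"
    # Check: read the dpsaci values back through the data view.
    run ldapsearch -h "$DPS_HOST" -p "$DPS_PORT" -D "cn=proxy manager" -w - -b "$DATA_BASE" -s base "(objectclass=*)" dpsaci
}

main "$@"
```

Run it once with the default DRY_RUN=1 to review the exact LDIF and commands, then with DRY_RUN=0 to apply them; each ldapmodify and ldapsearch call prompts for the bind password because of -w -. The final ldapsearch is the practical check that the ACIs landed where the data view expects them.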