Sun Java System Directory Server Enterprise Edition 6.3 Administration Guide

Defining Access Control on Virtual Data Views

ACIs on virtual data views can be stored in an LDAP directory or in an LDIF file. For information about how virtual ACIs work, see Access Control On Virtual Data Views in Sun Java System Directory Server Enterprise Edition 6.3 Reference.

When you create a Directory Proxy Server instance, the following default configuration for virtual access controls is defined:

Procedure: To Define a New ACI Storage Repository

If you do not want to use the default ACI configuration described previously, you can define a different storage repository.

You cannot use DSCC to perform this task. Use the command line, as described in this procedure.

  1. Create a data view for the repository in which the virtual ACIs will be stored.

  2. Specify the name of the data view created in the previous step as the ACI data view.

    $ dpconf set-virtual-aci-prop -h host -p port aci-data-view:data-view-name
    
  3. If the ACI repository is an LDAP directory, define the credentials required to access the ACI data view.

    $ dpconf set-virtual-aci-prop -h host -p port aci-manager-bind-dn:bind-dn
    $ dpconf set-virtual-aci-prop -h host -p port aci-manager-bind-pwd-file:filename
    

Procedure: To Configure Virtual Access Controls

Regardless of the ACI repository that you use, you must configure the virtual access controls.

Note –

Only the Proxy Manager can create a pool of ACIs and manage ACIs directly through the ACI data view. If the ACI repository is an LDAP directory, you must modify the schema of that directory to include the aciSource object class and the dpsaci attribute. For more information about customizing the schema, see Extending Directory Server Schema.

You cannot use DSCC to perform this task. Use the command line, as described in this procedure.

  1. Create a pool of ACIs in the ACI repository, and set up global ACIs.

    For information about global ACIs, see Global ACIs in Sun Java System Directory Server Enterprise Edition 6.3 Reference. To set up global ACIs, add an aciSource entry under the view base of the ACI data view. For example (the long dpsaci value is folded onto a second line that begins with a single space, as LDIF allows):

    % ldapmodify -p port -D "cn=proxy manager" -w -
    dn: cn=aci-source-name,cn=virtual access controls
    changetype: add
    objectclass: aciSource
    dpsaci: (targetattr="*") (target="ldap:///ou=people,o=virtual") (version 3.0; 
     acl "perm1"; allow(all) groupdn="ldap:///cn=virtualGroup1,o=groups,o=virtual";)
    cn: aci-source-name
    
  2. Configure one or more connection handlers to use this pool of ACIs.
    % dpconf set-connection-handler-prop -h host -p port connection-handler \
    aci-source:aci-source-name
    
  3. Add the required ACIs to the data.

    To do this, create a virtual entry that contains the ACIs. For example:

    % ldapmodify -p port -D "cn=virtual application,ou=application users,dc=com" -w -
    dn: ou=people,o=virtual
    changetype: modify
    add: dpsaci
    dpsaci: (targetattr="*")(version 3.0; acl "perm1"; allow(all) userdn="ldap:///self";)
    dpsaci: (targetattr="*")(version 3.0; acl "perm1"; allow(search, read, compare) 
     userdn="ldap:///anyone";)

    Note –

    Any user with the appropriate access rights can add and retrieve virtual ACIs through the data view.
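Because any suitably privileged user can add dpsaci values through the data view, it is worth reviewing an LDIF of virtual ACIs before loading it. The following Python check is an added example, not part of the Sun documentation: it unfolds LDIF continuation lines, splits each dpsaci value of the form shown above into its targets, acl name and allow/deny rules, and reports allow rules that grant all, write, add or delete rights to ldap:///anyone. The SAMPLE_LDIF input is constructed for the example.

```python
import re

# Constructed sample LDIF in the shape of step 3 above, with one value folded
# across two lines (LDIF continuation: a line starting with a single space).
SAMPLE_LDIF = '''dn: ou=people,o=virtual
changetype: modify
add: dpsaci
dpsaci: (targetattr="*")(version 3.0; acl "perm1"; allow(all) userdn="ldap:///self";)
dpsaci: (targetattr="*")(version 3.0; acl "perm1"; allow(search, read, compare)
 userdn="ldap:///anyone";)
dpsaci: (targetattr="*")(version 3.0; acl "risky"; allow(all) userdn="ldap:///anyone";)
'''

# (targetattr="*") (target="ldap:///...") (version 3.0; acl "name"; <rules>)
ACI_RE = re.compile(r'^(?P<targets>(?:\([^()]*\)\s*)*?)\(version 3\.0;\s*acl\s+"(?P<name>[^"]*)";'
                    r'\s*(?P<rules>.*)\)\s*$', re.S)
TARGET_RE = re.compile(r'\((\w+)\s*!?=\s*"([^"]*)"\)')              # one (keyword="value") clause
RULE_RE = re.compile(r'(allow|deny)\s*\(([^)]*)\)\s*(.*?)\s*;', re.S)  # allow(perms) bindrule;
ANYONE_RE = re.compile(r'userdn\s*=\s*"ldap:///anyone"')
BROAD = {"all", "write", "add", "delete"}

def unfold_ldif(text):
    """Join LDIF continuation lines (leading single space) onto the previous line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def parse_aci(value):
    """Split one dpsaci value into targets, acl name and (allow|deny, perms, bind rule) tuples."""
    m = ACI_RE.match(value.strip())
    if not m:
        raise ValueError("not a version 3.0 ACI: %r" % value)
    targets = dict(TARGET_RE.findall(m.group("targets")))
    rules = [(kind, {p.strip() for p in perms.split(",")}, bind)
             for kind, perms, bind in RULE_RE.findall(m.group("rules"))]
    return {"name": m.group("name"), "targets": targets, "rules": rules}

def audit_dpsaci(ldif_text):
    """Return (acl name, broad perms) for allow rules that grant broad rights to anyone."""
    findings = []
    for line in unfold_ldif(ldif_text):
        if not line.startswith("dpsaci:"):
            continue
        aci = parse_aci(line[len("dpsaci:"):])
        for kind, perms, bind in aci["rules"]:
            if kind == "allow" and perms & BROAD and ANYONE_RE.search(bind):
                findings.append((aci["name"], sorted(perms & BROAD)))
    return findings

if __name__ == "__main__":
    for name, perms in audit_dpsaci(SAMPLE_LDIF):
        print('acl "%s" allows %s to anyone' % (name, ", ".join(perms)))
```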