Sun Java Enterprise System 2005Q1 Technical Note

Sun Java™ Enterprise System Technical Note: Avoiding ACI Problems with Outlook Connector


Part Number 819-2315-10

The Sun Java Enterprise System 2005Q1 Technical Note: Avoiding ACI Problems with Outlook Connector describes how to configure Access Control Instructions (ACIs) for Sun Java™ System Directory Server 5 2005Q1 to enable Sun Java™ System Connector for Microsoft Outlook 7 2005Q1 to perform corporate directory lookups.

The component products affected by this technical note are:

This technical note contain the following sections:

Technical Note Revision History

Table 1  Revision History 


Description of Changes

April 5, 2005

Initial release of this technical note.

Avoiding ACI Problems with Outlook Connector

Sun Java System Connector for Microsoft Outlook provides the ability to browse a corporate directory for a particular user’s email address, as well as for calendar information. The Outlook client browses the corporate directory by using its own internal LDAP browser. You define the configuration for the Microsoft LDAP browser in the Outlook Connector Deployment tool.

Once the Outlook Connector has been successfully deployed to end users, they will quickly find that the default setting of the Directory Server does not show all the necessary information needed for a corporate directory. Missing information includes postal address and telephone numbers. This information is filtered by the Access Control Instructions (ACIs) in the directory’s Organization Tree. ACIs are instructions that grant or deny permissions to entries in the directory.

Authentication to Directory Server for corporate directory lookups is accomplished in two ways: anonymous or authenticated. Anonymous authentication enables any user to authenticate (LDAP BIND) to the directory without having to provide identification, that is, without having to use a Distinguished Name (DN) and password. By default, the Directory Server, when configured for Sun Java™ System Communications Services products, does not allow anonymous authentication. The default is for DN/password authentication, for obvious security reasons.

Should you want to allow anonymous access to the corporate Directory Server, create the following ACI (as the Directory Administrator):

# ldapmodify -D "cn=Directory manager"

dn: dc=red,dc=siroe,dc=com

changetype: modify

add: aci

aci: (targetattr != "userPassword") (version 3.0;acl "Anonymous access"; allow (read,compare,search)(userdn = "ldap:///anyone");)

In the above rule, you would replace dn: dc=red,dc=sirore,dc=com with your own information. This ACI rule enables anyone to access users’ LDAP attributes. The only attribute that is blocked is userPassword, by using the targetattr != “userPassword” rule.

Misused ACI Rules

In many environments, you do not want to grant anonymous access. You must pay attention to the potential security risks involved. For example, the following ACI rules cause a potential security problem by exposing user passwords.

(version 3.0;acl"allowproxy-calmaster";allow(proxy)(user dn="ldap:///uid=uid=*,ou=people,,o=ugdata");)

The lesson here is to use the ACI targetattr rule with caution.

When you implement the above ACI, users’ passwords are now visible. This is confirmed by running the following ldapsearch command:

# ldapsearch -b ou=people,,o=ugdata -D "uid=jhawk,ou=people,,o=ugdata" -w demo "cn=naomi*" |



iplanet-am-modifiable-by=cn=Top-level Admin Role,o=ugdata




cn=Naomi Hawkins






<< remainder of output deleted >>

The highlighted text is the userPassword attribute that you do not want to expose.

Limiting Attributes Expected by the Outlook LDAP Browser

In addition to limiting security risks, you can use ACIs to limit the XML for Portal transmitted back to the Outlook Connector client.

The following ACI rule prevents delivery of the user password and also limits attributes expected by the Outlook LDAP Browser. You set the access rights in the Directory Server console:

aci:(targetattr = "initials || cn || mail || display-name || displayName || sn || co || o || givenName || objectClass || uid || mailnickname || title || company || physicalDeliveryOfficeName || telephoneNumber") (targetfilter = (objectClass=icscalendaruser)) (version 3.0;acl "Allow Calendar users to read and search other users - product=ics,class=admin,num=3,version=1";allow (read,search)(userdn = "ldap:///uid=*,ou=People,, o=ugdata");)

The targetattr indicates the list of attributes that can be returned. All other attributes are blocked. The targetfilter requires that the returned entries must have objectclass=icscalendaruser assigned.

The following ldapsearch command confirms two things: first, the userpassword attribute is no longer visible to end users; second, the returned LDAP attributes are limited to only the attributes expected by Outlook’s LDAP Browser.

# ldapsearch -b ou=people,,o=ugdata -D

"uid=jhawk,ou=people,,o=ugdata" -w demo "cn=naomi*" | more





cn=Naomi Hawkins



















Further Reading

Refer to the following documentation for more information.

Known Issues and Limitations

See the Java Enterprise System Release Notes Collection at the following URL to find out about known problems:

How to Report Problems and Provide Feedback

If you have problems with Sun Java Enterprise System, contact Sun customer support using one of the following mechanisms:

So that we can best assist you in resolving problems, please have the following information available when you contact support:

Sun Welcomes Your Comments

Sun is interested in improving its documentation and welcomes your comments and suggestions.

To share your comments, go to and click Send Comments. In the online form, provide the document title and part number. The part number is a seven-digit or nine-digit number that can be found on the title page of the book or at the top of the document. For example, the title of this book is Sun Java Enterprise System 2005Q1 Technical Note: Avoiding ACI Problems with Outlook Connector, and the part number is 819-2315-10.

Additional Sun Resources

Useful Sun Java System information can be found at the following Internet locations:

Copyright � 2005 Sun Microsystems, Inc. All rights reserved.

Sun Microsystems, Inc. has intellectual property rights relating to technology embodied in the product that is described in this document. In particular, and without limitation, these intellectual property rights may include one or more of the U.S. patents listed at and one or more additional patents or pending patent applications in the U.S. and in other countries.


U.S. Government Rights - Commercial software. Government users are subject to the Sun Microsystems, Inc. standard license agreement and applicable provisions of the FAR and its supplements.

Use is subject to license terms.

This distribution may include materials developed by third parties.

Portions may be derived from Berkeley BSD systems, licensed from U. of CA.

Sun, Sun Microsystems, the Sun logo, Java and Solaris are trademarks or registered trademarks of Sun Microsystems, Inc. in the U.S. and other countries. All SPARC trademarks are used under license and are trademarks or registered trademarks of SPARC International, Inc. in the U.S. and other countries.

Copyright � 2005 Sun Microsystems, Inc. Tous droits r�serv�s.

Sun Microsystems, Inc. d�tient les droits de propri�t� intellectuels relatifs � la technologie incorpor�e dans le produit qui est d�crit dans ce document. En particulier, et ce sans limitation, ces droits de propri�t� intellectuelle peuvent inclure un ou plusieurs des brevets am�ricains list�s � l'adresse et un ou des brevets suppl�mentaires ou des applications de brevet en attente aux Etats - Unis et dans les autres pays.


L'utilisation est soumise aux termes du contrat de licence.

Cette distribution peut comprendre des composants d�velopp�s par des tierces parties.

Des parties de ce produit pourront �tre d�riv�es des syst�mes Berkeley BSD licenci�s par l'Universit� de Californie.

Sun, Sun Microsystems, le logo Sun, Java et Solaris sont des marques de fabrique ou des marques d�pos�es de Sun Microsystems, Inc. aux Etats-Unis et dans d'autres pays.

Toutes les marques SPARC sont utilis�es sous licence et sont des marques de fabrique ou des marques d�pos�es de SPARC International, Inc. aux Etats-Unis et dans d'autres pays.