Technical Note: Sun Java System Access Manager ACI Guide

Running the amtune-directory Script to Remove Unnecessary ACIs in Realm Mode

Overview

If Access Manager 7 2005Q4 is installed in Realm Mode, delegation privileges are used to determine access permissions, and therefore some Directory Server ACIs are not needed. Access Manager 7 2005Q4 patch 5 allows you to remove the unnecessary ACIs by running the amtune-directory script, which is generated by the amtune-prepareDSTuner script. This script reads a list of ACIs from the remacis.ldif file and then calls the ldapmodify utility to remove them.

The Access Manager tuning scripts are available in the following directory, depending on your platform:

AccessManager-base is the base installation directory: /opt on Solaris systems and /opt/sun on Linux and HP-UX systems.

On Windows systems, AccessManager-base is javaes-install-directory\AccessManager. For example: C:\Program Files\Sun\AccessManager

Access Manager 7 2005Q4 patch 5 allows you to run the tuning scripts with either a password file or the password string as a command-line argument.

For more information about the Access Manager tuning scripts, see the Sun Java System Access Manager 7 2005Q4 Performance Tuning Guide.

Removing ACIs on Solaris, Linux, and HP-UX Systems

To remove unneeded ACIs on Solaris, Linux, and HP-UX systems in Realm Mode:

  1. On the Access Manager server, log in as or become superuser (root).

  2. To ensure that Access Manager is in Realm Mode, check the AM_REALM parameter in the amsamplesilent file. The parameter should be set as follows:

    AM_REALM="enabled"

    The amsamplesilent file is located in the following directory, depending on your platform:

    • Solaris systems: AccessManager-base/SUNWam/bin

    • Linux and HP-UX systems: AccessManager-base/identity/bin

    AccessManager-base is the base installation directory: /opt on Solaris systems and /opt/sun on Linux and HP-UX systems.

  3. Run the amtune-prepareDSTuner script to create the amtune-directory.tar file.

  4. Copy the amtune-directory.tar file to a temporary location on the Directory Server machine and untar the file in the temporary location.

  5. Because the amtune-directory script tunes Directory Server, it is recommended that you first run the script in REVIEW mode. In the amtune-directory script, set REVIEW mode as follows:

    AMTUNE_MODE="REVIEW"

  6. Run the amtune-directory script in REVIEW mode and review the recommended tuning settings for Directory Server in the tuning log file.

  7. If the changes in the debug log file are acceptable for your deployment, modify the amtune-directory script to run in CHANGE mode by setting AMTUNE_MODE as follows:

    AMTUNE_MODE="CHANGE"

  8. Back up the Directory Server data.

  9. Run the amtune-directory script to remove the ACIs.

  10. Check the tuning log file for the results of the run.

Removing ACIs on Windows Systems

On Windows systems, the Access Manager tuning scripts are written in Perl and require Active Perl 5.8.

To remove unneeded ACIs on Windows systems in Realm Mode:

  1. On the Access Manager server, log in as an administrator.

  2. To ensure that Access Manager is in Realm Mode, check the AM_REALM parameter in the AMConfigurator.properties file. The parameter should be set as follows:

    AM_REALM="enabled"

    The AMConfigurator.properties file is located in the AccessManager-base\identity\bin directory.

    On Windows systems, AccessManager-base is javaes-install-directory\AccessManager. For example: C:\Program Files\Sun\AccessManager

  3. In the amtune-env.pl file, set $BASEDIR to the Access Manager installation directory.

  4. Run the amtune-prepareDSTuner.pl script to generate the required tuning scripts and files.

  5. Copy the amtune-utils.pl, amtune-directory.pl, remacis.ldif, and amtune-samplepasswordfile files from the previous step to a temporary directory on the Directory Server machine.

  6. Because the amtune-directory.pl script tunes Directory Server, it is recommended that you first run the script in REVIEW mode. In the amtune-directory.pl script on the Directory Server machine, set REVIEW mode as follows:

    AMTUNE_MODE="REVIEW"

  7. On the Directory Server machine, run the amtune-directory.pl script in REVIEW mode and review the recommended tuning settings for Directory Server in the tuning log file.

  8. If the changes in the debug log file are acceptable for your deployment, modify the amtune-directory.pl script to run in CHANGE mode by setting AMTUNE_MODE as follows:

    AMTUNE_MODE="CHANGE"

  9. Back up the Directory Server data.

  10. On the Directory Server machine, run the amtune-directory.pl script to remove the ACIs.

  11. Check the tuning log file for the results of the run.

ACIs That are Removed by the amtune-directory Script

The following ACIs in the remacis.ldif file are removed by the amtune-directory script when Access Manager is installed in Realm Mode:

ACI 1:

aci: (target="ldap:///ROOT_SUFFIX")
(targetfilter=(entrydn=ORG_ROOT_SUFFIX))(targetattr="*")
(version 3.0; acl "S1IS Default Organization delete right denied";  
deny (delete) userdn = "ldap:///anyone"; )

ACI 2:

aci: (target="ldap:///ROOT_SUFFIX")
(targetfilter=(!(nsroledn=cn=Top-level Admin Role,ROOT_SUFFIX)))(targetattr = "*") 
(version 3.0; acl "S1IS Top-level Help Desk Admin Role access allow"; 
allow (read,search) roledn = "ldap:///cn=Top-level Help Desk Admin Role,ROOT_SUFFIX";)

ACI 3:

aci: (target="ldap:///ROOT_SUFFIX")
(targetfilter=(!(nsroledn=cn=Top-level Admin Role,ROOT_SUFFIX)))
(targetattr = "userPassword") (version 3.0; 
acl "S1IS Top-level Help Desk Admin Role access allow"; allow (write) 
roledn = "ldap:///cn=Top-level Help Desk Admin Role,ROOT_SUFFIX";)

ACI 4:

aci: (target="ldap:///ROOT_SUFFIX")
(targetfilter=(!(|(nsroledn=cn=Top-level Admin Role,ROOT_SUFFIX))))(targetattr = "*") 
(version 3.0; acl "S1IS Top-level Policy Admin Role access allow"; 
allow (read,search) roledn = "ldap:///cn=Top-level Policy Admin Role,ROOT_SUFFIX";)

ACI 5:

aci: (target="ldap:///ou=iPlanetAMAuthService,ou=services,*ROOT_SUFFIX")
(targetattr = "*") (version 3.0; 
acl "S1IS Top-level Policy Admin Role access Auth Service deny"; 
deny (add,write,delete) roledn = "ldap:///cn=Top-level Policy Admin Role,ROOT_SUFFIX";)

ACI 6:

aci: (target="ldap:///ou=services,*ROOT_SUFFIX")
(targetattr = "*") (version 3.0; acl "S1IS Top-level Policy Admin Role access allow"; 
allow (all) roledn = "ldap:///cn=Top-level Policy Admin Role,ROOT_SUFFIX";)

ACI 7:

aci: (target="ldap:///ROOT_SUFFIX")
(targetfilter="(objectclass=ORG_OBJECT_CLASS)")
(targetattr = "sunRegisteredServiceName") (version 3.0; 
acl "S1IS Top-level Policy Admin Role access allow"; allow (read,write,search) 
roledn = "ldap:///cn=Top-level Policy Admin Role,ROOT_SUFFIX";)

ACI 8:

aci: (targetattr != "aci || nsLookThroughLimit || nsSizeLimit || nsTimeLimit 
|| nsIdleTimeout || iplanet-am-domain-url-access-allow") (version 3.0; 
acl "S1IS Allow self entry read search except for nsroledn, aci, resource limit 
and web agent policy attributes"; allow (read,search)userdn ="ldap:///self";)

ACI 9:

aci: (target="ldap:///ou=iPlanetAMAdminConsoleService,*,ROOT_SUFFIX")
(targetattr = "*")(version 3.0; 
acl "S1IS iPlanetAMAdminConsoleService anonymous access"; 
allow (read, search, compare) userdn = "ldap:///anyone";) 

ACI 10:

aci: (target="ldap:///($dn),ROOT_SUFFIX")
(targetfilter=(!(|(nsroledn=cn=Top-level Admin Role,ROOT_SUFFIX)
(nsroledn=cn=Top-level Help Desk Admin Role,ROOT_SUFFIX)
(nsroledn=cn=Top-level Policy Admin Role,ROOT_SUFFIX))))
(targetattr != "nsroledn")(version 3.0; 
acl "S1IS Organization Admin Role access allow all"; 
allow (all) roledn = "ldap:///cn=Organization Admin Role,[$dn],ORG_ROOT_SUFFIX";)

ACI 11:

aci: (target="ldap:///cn=Organization Admin Role,($dn),ORG_ROOT_SUFFIX")
(targetattr="*")(version 3.0; acl "S1IS Organization Admin Role access deny"; 
deny (write,add,delete,compare,proxy) roledn = "ldap:///cn=Organization Admin Role,
($dn),ORG_ROOT_SUFFIX";)

ACI 12:

aci: (target="ldap:///($dn),ROOT_SUFFIX")
(targetfilter=(!(|(nsroledn=cn=Top-level Admin Role,ROOT_SUFFIX)
(nsroledn=cn=Top-level Help Desk Admin Role,ROOT_SUFFIX)
(nsroledn=cn=Top-level Policy Admin Role,ROOT_SUFFIX))))
(targetattr != "nsroledn")(version 3.0; acl "S1IS Container Admin Role access allow"; 
allow (all) roledn = "ldap:///cn=Container Admin Role,[$dn],ORG_ROOT_SUFFIX";)

ACI 13:

aci: (target="ldap:///cn=Container Admin Role,($dn),ORG_ROOT_SUFFIX")
(targetattr="*")(version 3.0; acl "S1IS Container Admin Role access deny"; 
deny (write,add,delete,compare,proxy) 
roledn = "ldap:///cn=Container Admin Role,($dn),ORG_ROOT_SUFFIX";)

ACI 14:

aci: (target="ldap:///ROOT_SUFFIX")
(targetattr!="nsroledn")(version 3.0; 
acl "S1IS Group admin's right to the users he creates"; 
allow (all) userattr = "iplanet-am-modifiable-by#ROLEDN";)

ACI 15:

aci: (target="ldap:///ROOT_SUFFIX")
(targetfilter=(!(|(nsroledn=cn=Top-level Admin Role,ROOT_SUFFIX)
(nsroledn=cn=Top-level Help Desk Admin Role,ROOT_SUFFIX)
(nsroledn=cn=Top-level Policy Admin Role,ROOT_SUFFIX)
(nsroledn=cn=Organization Admin Role,ORG_ROOT_SUFFIX))))(targetattr = "*") 
(version 3.0; acl "S1IS Organization Help Desk Admin Role access allow"; 
allow (read,search) 
roledn = "ldap:///cn=Organization Help Desk Admin Role,ORG_ROOT_SUFFIX";)

ACI 16:

aci: (target="ldap:///ROOT_SUFFIX")
(targetfilter=(!(|(nsroledn=cn=Top-level Admin Role,ROOT_SUFFIX)
(nsroledn=cn=Top-level Help Desk Admin Role,ROOT_SUFFIX)
(nsroledn=cn=Top-level Policy Admin Role,ROOT_SUFFIX)
(nsroledn=cn=Organization Admin Role,ORG_ROOT_SUFFIX))))
(targetattr = "userPassword") (version 3.0; 
acl "S1IS Organization Help Desk Admin Role access allow"; 
allow (write) roledn = "ldap:///cn=Organization Help Desk Admin Role,ORG_ROOT_SUFFIX";)

ACI 17:

aci: (target="ldap:///ou=People,ORG_ROOT_SUFFIX")
(targetfilter=(!(|(nsroledn=cn=Top-level Admin Role,ROOT_SUFFIX)
(nsroledn=cn=Top-level Help Desk Admin Role,ROOT_SUFFIX)
(nsroledn=cn=Top-level Policy Admin Role,ROOT_SUFFIX)
(nsroledn=cn=Organization Admin Role,ROOT_SUFFIX)
(nsroledn=cn=Container Admin Role,ORG_ROOT_SUFFIX))))
(targetattr != "iplanet-am-web-agent-access-allow-list 
|| iplanet-am-domain-url-access-allow || iplanet-am-web-agent-access-deny-list 
|| nsroledn") (version 3.0; acl "S1IS Group and people container admin role"; 
allow (all) roledn = "ldap:///cn=ou=People_NM_ORG_ROOT_SUFFIX,ORG_ROOT_SUFFIX";)
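
As a pre-flight check to accompany the REVIEW step of the procedures above, and as a way to review what each ACI in the list grants or denies before it is removed, the following added Python example (not part of this note or of the amtune scripts) unfolds a remacis.ldif-style file, extracts each ACI's acl name and allow/deny rights, and reports which listed ACIs are actually present in an export of the directory's current aci values. The LDIF layout, the dc=example,dc=com suffix standing in for ROOT_SUFFIX, and the exported values are constructed assumptions.

```python
import re

# Constructed remacis.ldif-style sample (assumed layout: "delete: aci" changes with the ACI
# value folded onto LDIF continuation lines that begin with one space); ROOT_SUFFIX is
# replaced by the placeholder dc=example,dc=com.
REMACIS_LDIF = """\
dn: dc=example,dc=com
changetype: modify
delete: aci
aci: (target="ldap:///dc=example,dc=com")(targetfilter=(entrydn=dc=example,dc=com))
 (targetattr="*")(version 3.0; acl "S1IS Default Organization delete right denied";
 deny (delete) userdn = "ldap:///anyone"; )
-
delete: aci
aci: (target="ldap:///ou=iPlanetAMAdminConsoleService,*,dc=example,dc=com")
 (targetattr = "*")(version 3.0; acl "S1IS iPlanetAMAdminConsoleService anonymous access";
 allow (read, search, compare) userdn = "ldap:///anyone";)
"""
# Constructed export of the aci values currently on the suffix: only the first ACI above
# is still present; the anonymous-access one has already been removed.
CURRENT_ACIS = [
    '(target="ldap:///dc=example,dc=com")(targetfilter=(entrydn=dc=example,dc=com))'
    '(targetattr="*")(version 3.0; acl "S1IS Default Organization delete right denied";'
    ' deny (delete) userdn = "ldap:///anyone"; )',
]
ACL_NAME = re.compile(r'acl\s+"([^"]*)"')
RIGHTS = re.compile(r'\b(allow|deny)\s*\(([^)]*)\)')

def aci_values(ldif_text):
    """Unfold LDIF continuation lines (newline + one space), then return each ACI value."""
    unfolded = re.sub(r"\n ", "", ldif_text)
    return [l[5:] for l in unfolded.splitlines() if l.startswith("aci: ")]

def key(aci):  # whitespace-free form for matching; acl names alone are not unique
    return re.sub(r"\s+", "", aci)

def summarize(aci):
    """acl name plus allow/deny rights, so each planned removal can be reviewed."""
    name = ACL_NAME.search(aci).group(1)
    kind, rights = RIGHTS.search(aci).groups()
    return name, kind, [r.strip() for r in rights.split(",")]

def preflight(ldif_text, current):
    """Split listed ACIs into present (will be removed) and missing (delete would fail)."""
    live = {key(a) for a in current}
    report = {"present": [], "missing": []}
    for aci in aci_values(ldif_text):
        report["present" if key(aci) in live else "missing"].append(summarize(aci))
    return report
```

Values are compared whitespace-free rather than by acl name because several of the ACIs listed above share the same name (for example, ACI 4, ACI 6 and ACI 7). An ACI reported as missing means ldapmodify's delete of that exact value would fail on the live server.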