Sun Java System Delegated Administrator 6.4 Administration Guide

Steps for Replacing ACIs

Before You Begin

Before you begin this procedure, we recommend that you examine the existing ACIs in your directory. You should determine whether you might need to keep any ACIs that would be deleted by the procedure.

This procedure will initially remove all ACIs from the root suffix and then replace them with the set of ACIs listed below. If the directory contains ACIs generated by applications other than Messaging Server, you should save those ACIs to a file and reapply them to the directory after you apply the replacement.acis.ldif file.

To help you analyze existing ACIs generated by Access Manager and Messaging Server, see the following sections later in this appendix:

Replacing ACIs

The following procedure describes how to consolidate ACIs in the root suffix and remove unused ACIs.

Procedure: To replace ACIs

  1. Save your existing ACIs currently on the root suffix.

    You can use the ldapsearch command, as in the following example:

    ldapsearch -D "cn=Directory Manager" -w <password> -s base -b <$rootSuffix> "aci=*" aci > <filename>

    where

    <password> is the password of the Directory Server administrator.

    <$rootSuffix> is your root suffix, such as o=usergroup.

    <filename> is the name of the file into which the saved ACIs will be written.

  2. Copy and rename the replacement.acis.ldif file.

    When you install Delegated Administrator, the replacement.acis.ldif file is installed in the following directory:

    da-base/lib/config-templates

  3. Edit the $rootSuffix entries in your copy of the replacement.acis.ldif file.

    Change the root suffix parameter, $rootSuffix, to your root suffix (such as o=usergroup). The $rootSuffix parameter appears multiple times in the ldif file; each instance must be replaced.

  4. Use the LDAP directory tool ldapmodify to replace the ACIs.

    For example, you could run the following command:

    ldapmodify -D <directory manager> -w <password> -f <replacement.acis.finished.ldif>

    where

    <directory manager> is the name of the Directory Server administrator.

    <password> is the password of the Directory Server administrator.

    <replacement.acis.finished.ldif> is the name of the edited ldif file that consolidates and removes ACIs in the directory.
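Steps 1, 3 and 4 as a script, added here as an example and not taken from the guide: a helper that performs the $rootSuffix substitution, refuses a file in which a placeholder survived, and counts the ACIs in the step 1 backup before anything is deleted. The file names and the LDIF contents below are constructed stand-ins, not the real replacement.acis.ldif.

```shell
#!/bin/sh
# Added example, not code from the Delegated Administrator guide: render the
# edited copy of replacement.acis.ldif for one root suffix and sanity-check
# it and the step-1 backup before ldapmodify touches the directory.

# render_acis TEMPLATE ROOT_SUFFIX OUTFILE
# Substitutes every $rootSuffix occurrence (DN lines and ACI values alike) and
# fails if a placeholder survived, since ldapmodify would then target a missing
# entry or install an ACI that names the wrong DN.
render_acis() {
    # "\\\$" reaches sed as \$ so the dollar sign is matched literally.
    sed "s|\\\$rootSuffix|$2|g" "$1" > "$3" || return 1
    if grep -q '\$rootSuffix' "$3"; then
        echo "render_acis: unreplaced \$rootSuffix in $3" >&2
        return 2
    fi
}

# count_acis FILE
# Number of aci values in the ldapsearch output saved in step 1. LDIF folds
# long values onto continuation lines that start with a space, so lines that
# begin with "aci:" count values, not physical lines. Fails on an empty file.
count_acis() {
    [ -s "$1" ] || { echo 0; return 1; }
    grep -c '^aci:' "$1" || true
}

work=$(mktemp -d)
# Constructed stand-in for the ldapsearch result saved in step 1.
cat > "$work/saved.acis.ldif" <<'EOF'
dn: o=usergroup
aci: (targetattr="*")(version 3.0; acl "constructed sample 1"; allow (read)
 userdn="ldap:///anyone";)
aci: (targetattr="*")(version 3.0; acl "constructed sample 2"; allow (all)
 groupdn="ldap:///cn=Example Admins,o=usergroup";)
EOF

# Constructed stand-in for the template; $rootSuffix appears more than once,
# as the guide says it does in the real file.
cat > "$work/replacement.acis.ldif" <<'EOF'
dn: $rootSuffix
changetype: modify
replace: aci
aci: (targetattr="*")(version 3.0; acl "constructed replacement"; allow (all)
 groupdn="ldap:///cn=Example Admins,$rootSuffix";)
EOF

render_acis "$work/replacement.acis.ldif" o=usergroup "$work/replacement.acis.finished.ldif"
echo "saved ACIs: $(count_acis "$work/saved.acis.ldif")"   # prints "saved ACIs: 2"
# Step 4 would then be: ldapmodify -D "cn=Directory Manager" -w <password> -f "$work/replacement.acis.finished.ldif"
```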

Eliminating Dynamic Organization ACIs

When you use the Delegated Administrator console to create an organization, a group of ACIs is created on the organization node.

The replacement ACIs installed in the preceding procedure eliminate the need for these per-organization ACIs. You can prevent the creation of the per-organization ACIs by using the Access Manager console.

Procedure: To eliminate dynamic organization ACIs

  1. Log in to the AM console as amadmin.

    The AM console is located at the following URL:

    http://<machine name>:<port>/amconsole

    where

    <machine name> is the host on which Access Manager is running.

    <port> is the port number on which Access Manager listens.

  2. Select the Service Configuration tab.

    By default, the Administration configuration page is displayed.

  3. In the right side of the console, scroll down to Dynamic Administrative Role ACIs.

  4. Select and delete all ACIs in the text box for Dynamic Administrative Role ACIs.

  5. Save the edited settings.