Sun Java System Delegated Administrator 6.4 Administration Guide

Consolidating and Removing ACIs

The ldif file listed in this section, replacement.acis.ldif, installs consolidated ACIs at the root suffix and deletes unused ACIs from the directory. This ldif file is provided by Delegated Administrator, located in the following directory:

da-base/lib/config-templates

When you apply the replacement.acis.ldif file to the directory (with ldapmodify), the ldapmodify command removes all instances of the aci attribute at the root suffix and replaces these ACIs with the ACIs in the replacement.acis.ldif file.

Thus, this procedure will initially remove all ACIs from the root suffix and then replace them with the set of ACIs listed below. If the directory contains ACIs generated by another application such as Portal Server, you should save those ACIs to a file and reapply them to the directory after you apply the replacement.acis.ldif file.

For instructions on using this ldif file to clean up your ACIs, see Steps for Replacing ACIs.

replacement.acis.ldif File

dn: $rootSuffix
changetype: modify
replace: aci
aci: (targetattr = "*")(version 3.0; acl "Configuration Administrator";
   allow (all)
   userdn="ldap:///uid=admin,ou=Administrators,ou=TopologyManagement,
   o=NetscapeRoot";)
aci: (target="ldap:///$rootSuffix")
  (targetfilter=(!(objectclass=sunServiceComponent)))
  (targetattr != "userPassword||passwordHistory
   ||passwordExpirationTime||passwordExpWarned||passwordRetryCount
   ||retryCountResetTime||accountUnlockTime||passwordAllowChangeTime")
  (version 3.0; acl "anonymous access rights";
   allow (read,search,compare)
   userdn = "ldap:///anyone"; )
aci: (targetattr != "nsroledn||aci||nsLookThroughLimit||nsSizeLimit
  ||nsTimeLimit||nsIdleTimeout||passwordPolicySubentry||passwordExpirationTime
  ||passwordExpWarned||passwordRetryCount||retryCountResetTime
  ||accountUnlockTime||passwordHistory||passwordAllowChangeTime||uid||memberOf
  ||objectclass||inetuserstatus||ou||owner||mail||mailuserstatus
  ||memberOfManagedGroup||mailQuota||mailMsgQuota||mailhost
  ||mailAllowedServiceAccess||inetCOS||mailSMTPSubmitChannel")
  (version 3.0; acl "Allow self entry modification";
  allow (write)
  userdn ="ldap:///self";)
aci: (targetattr != "aci || nsLookThroughLimit || nsSizeLimit
  || nsTimeLimit|| nsIdleTimeout")
  (version 3.0; acl "Allow self entry read search";
  allow (read,search)
  userdn ="ldap:///self";)
aci: (target="ldap:///$rootSuffix")
  (targetattr="*")
  (version 3.0; acl "S1IS Proxy user rights";
  allow (proxy)
  userdn = "ldap:///cn=puser,ou=DSAME Users,
  $rootSuffix"; )
aci: (target="ldap:///$rootSuffix")
  (targetattr="*")
  (version 3.0; acl "S1IS special dsame user rights for all under the root
   suffix";
  allow (all)
  userdn = "ldap:///cn=dsameuser,ou=DSAME Users,
  $rootSuffix"; )
aci: (target="ldap:///$rootSuffix")
  (targetattr="*")
  (version 3.0; acl "S1IS special ldap auth user rights";
  allow (read,search)
  userdn = "ldap:///cn=amldapuser,ou=DSAME Users,
  $rootSuffix"; )
aci: (target="ldap:///$rootSuffix")
  (targetattr="*")
  (version 3.0; acl "S1IS Top-level admin rights";
  allow (all)
  roledn = "ldap:///cn=Top-level Admin Role,
  $rootSuffix"; )
aci: (targetattr="*")
  (version 3.0; acl "Messaging Server End User Administrator Read Only
   Access";
  allow (read,search)
  groupdn="ldap:///cn=Messaging End User Administrators Group,ou=Groups,
  $rootSuffix";)
aci: (targetattr="objectclass || mailalternateaddress || Mailautoreplymode
   || mailprogramdeliveryinfo || preferredlanguage || maildeliveryoption
   || mailforwardingaddress || mailAutoReplyTimeout
   || mailautoreplytextinternal
   || mailautoreplytext || vacationEndDate || vacationStartDate
   || mailautoreplysubject || maxPabEntries || mailMessageStore
   || mailSieveRuleSource || sunUCDateFormat || sunUCDateDeLimiter
   || sunUCTimeFormat || mailuserstatus || maildomainstatus
   || nswmextendeduserprefs || pabURI")
  (version 3.0; acl "Messaging Server End User Administrator All Access";
  allow (all)
  groupdn = "ldap:///cn=Messaging End User Administrators Group,ou=Groups,
  $rootSuffix";)
aci: (targetattr = "*")
  (version 3.0;acl "Allow Read-Only Access";
  allow (read,search,compare)
  groupdn = "ldap:///cn=Read-Only,ou=Groups,
  $rootSuffix";)
aci: (target="ldap:///cn=Organization Admin Role,($dn),$rootSuffix")
  (targetattr="*")
  (version 3.0; acl "S1IS Organization Admin Role access deny";
  deny (write,add,delete,compare,proxy)
  roledn = "ldap:///cn=Organization Admin Role,($dn),
  $rootSuffix";)
aci: (target="ldap:///($dn),$rootSuffix")
  (targetattr="*")
  (version 3.0; acl "Organization Admin Role access allow read";
  allow(read,search)
  roledn = "ldap:///cn=Organization Admin Role,[$dn],
  $rootSuffix" ;)
aci: (target="ldap:///($dn),$rootSuffix")
  (targetfilter=(!(|(nsroledn=cn=Top-level Admin Role,$rootSuffix)
  (entrydn=($dn),$rootSuffix))))
  ( targetattr = "*")
  (version 3.0; acl "S1IS Organization Admin Role access allow";
  allow (all)
  roledn = "ldap:///cn=Organization Admin Role,[$dn],
  $rootSuffix";)

Note that the "Allow self entry read search" ACI grants only read and search. A self ACI that granted write with so short an exclusion list would override the attribute exclusions of the preceding "Allow self entry modification" ACI, because allow rules are cumulative: a user could then modify attributes such as nsroledn, memberOf or mailhost on their own entry. The two self ACIs together also leave the aci attribute itself and the resource limits (nsLookThroughLimit, nsSizeLimit, nsTimeLimit, nsIdleTimeout) outside the user's reach.

Steps for Replacing ACIs

Before You Begin

Before you begin this procedure, we recommend that you examine the existing ACIs in your directory. You should determine whether you might need to keep any ACIs that would be deleted by the procedure.

This procedure will initially remove all ACIs from the root suffix and then replace them with the set of ACIs listed in replacement.acis.ldif. If the directory contains ACIs generated by applications other than Access Manager and Messaging Server (for example, Portal Server), you should save those ACIs to a file and reapply them to the directory after you apply the replacement.acis.ldif file.

To help you analyze existing ACIs generated by Access Manager and Messaging Server, see the following sections later in this appendix:

Replacing ACIs

The following procedure describes how to consolidate ACIs in the root suffix and remove unused ACIs.

Procedure: To replace ACIs

  1. Save your existing ACIs currently on the root suffix.

    You can use the ldapsearch command, as in the following example:

    ldapsearch -D "cn=Directory Manager" -w <password> -s base -b <$rootSuffix> "aci=*" aci > <filename>

    where

    <password> is the password of the Directory Server administrator.

    <$rootSuffix> is your root suffix, such as o=usergroup.

    <filename> is the name of the file into which the saved ACIs will be written.

    Because the search uses -s base, the file contains only the ACIs stored on the root suffix entry itself, which is the only entry the replacement.acis.ldif file modifies; ACIs on entries below the root suffix (for example, on organization nodes) are neither saved nor removed by this procedure. Keep the saved file: it is your only record of the ACIs that ldapmodify deletes in step 4. Also note that a password given with -w is visible to other users in the process table and is recorded in your shell history.

  2. Copy and rename the replacement.acis.ldif file.

    When you install Delegated Administrator, the replacement.acis.ldif file is installed in the following directory:

    da-base/lib/config-templates

  3. Edit the $rootSuffix entries in your copy of the replacement.acis.ldif file.

    Change the root suffix parameter, $rootSuffix, to your root suffix (such as o=usergroup). The $rootSuffix parameter appears multiple times in the ldif file; each instance must be replaced.

  4. Use the LDAP directory tool ldapmodify to replace the ACIs.

    For example, you could run the following command:

    ldapmodify -D <directory manager> -w <password> -f <replacement.acis.finished.ldif>

    where

    <directory manager> is the name of the Directory Server administrator.

    <password> is the password of the Directory Server administrator.

    <replacement.acis.finished.ldif> is the name of the edited ldif file that consolidates and removes ACIs in the directory.

    After the command completes, run the ldapsearch command from step 1 again and compare its output with the saved file: the root suffix should now carry exactly the ACIs from your edited ldif file, plus any ACIs from other applications that you reapplied from the saved file.
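The following Python script is an added example for this procedure; it is not part of Delegated Administrator and is not the replacement.acis.ldif file. It does the offline part of the steps above: it unfolds an LDIF backup of the kind step 1 produces, lists what every ACI grants and to whom, flags grants that deserve a look before they are deleted or reapplied (write or proxy rights for anyone or for self, a self-write ACI whose exclusion list leaves sensitive attributes writable, and any allow of all or proxy), and performs the $rootSuffix substitution of step 3 with a check that the resulting dn: matches your suffix. The SENSITIVE attribute list, the function names and both sample LDIF strings are constructed for the example; the samples are folded as LDIF (one leading space per continuation line), not pretty-printed as in the listing above. One self ACI in the sample deliberately allows write with too short an exclusion list, which is exactly the mistake the review is meant to catch.

```python
"""Offline ACI review and template rendering for the "Replacing ACIs" steps.

Added example, not Delegated Administrator code. Assumes Directory Server
ACI syntax as shown in this section and LDIF folding per RFC 2849.
"""
import re

PLACEHOLDER = "$rootSuffix"
# Attributes a self-write ACI must exclude (constructed subset of the
# exclusion list in the "Allow self entry modification" ACI).
SENSITIVE = {"aci", "nsroledn", "userpassword", "passwordpolicysubentry",
             "memberof", "mailhost", "inetuserstatus", "mailuserstatus"}

# acl "<name>"; allow|deny (<rights>) userdn|groupdn|roledn = "<subject>"
ACI_RE = re.compile(
    r'acl\s*"(?P<name>[^"]*)"\s*;\s*(?P<effect>allow|deny)\s*'
    r'\((?P<rights>[^)]*)\)\s*(?P<kind>userdn|groupdn|roledn)\s*=\s*"(?P<who>[^"]*)"',
    re.IGNORECASE)
TARGETATTR_RE = re.compile(r'targetattr\s*(?P<op>!?=)\s*"(?P<attrs>[^"]*)"',
                           re.IGNORECASE)


def unfold_ldif(text):
    """Join folded LDIF lines: a line starting with one space continues the
    previous line, and that single space is dropped."""
    out = []
    for raw in text.splitlines():
        if raw.startswith(" ") and out:
            out[-1] += raw[1:]
        else:
            out.append(raw)
    return "\n".join(out)


def render_template(template, root_suffix):
    """Step 3: replace every $rootSuffix; return (ldif, substitution count).
    Refuses a template without the placeholder or whose dn: does not end
    up equal to the suffix the ACIs will be applied to."""
    count = template.count(PLACEHOLDER)
    if count == 0:
        raise ValueError("template contains no " + PLACEHOLDER)
    rendered = template.replace(PLACEHOLDER, root_suffix)
    dn_line = next((l for l in rendered.splitlines() if l.startswith("dn:")), "")
    if dn_line[3:].strip().lower() != root_suffix.lower():
        raise ValueError("dn does not match root suffix: " + repr(dn_line))
    return rendered, count


def parse_acis(ldif_text):
    """Extract name, effect, rights, bind subject and targetattr clause from
    every aci: value in an LDIF file such as the step 1 backup."""
    acis = []
    for line in unfold_ldif(ldif_text).splitlines():
        if not line.lower().startswith("aci:"):
            continue
        value = line[4:].strip()
        m = ACI_RE.search(value)
        if m is None:
            raise ValueError("unparsed ACI: " + value[:60])
        ta = TARGETATTR_RE.search(value)
        attrs = [a.strip().lower() for a in ta.group("attrs").split("||")] if ta else ["*"]
        acis.append({"name": m.group("name"), "effect": m.group("effect").lower(),
                     "rights": {r.strip().lower() for r in m.group("rights").split(",")},
                     "kind": m.group("kind").lower(), "who": m.group("who"),
                     "attr_op": ta.group("op") if ta else "=", "attrs": attrs})
    return acis


def review(acis):
    """Return (acl name, finding) pairs for ACIs to look at before step 4."""
    findings = []
    for a in acis:
        if a["effect"] != "allow":
            continue
        who = a["who"].lower()
        writes = a["rights"] & {"all", "write", "add", "delete", "proxy"}
        if who in ("ldap:///anyone", "ldap:///all") and writes:
            findings.append((a["name"], "any user gets " + ",".join(sorted(writes))))
        if who == "ldap:///self" and writes:
            if a["attr_op"] == "=":   # explicit list of writable attributes
                exposed = SENSITIVE if "*" in a["attrs"] else SENSITIVE & set(a["attrs"])
            else:                     # "!=": everything except the listed ones
                exposed = SENSITIVE - set(a["attrs"])
            if exposed:
                findings.append((a["name"], "self can write " + ",".join(sorted(exposed))))
        broad = {"all", "proxy"} & a["rights"]
        if broad and who != "ldap:///self":
            findings.append((a["name"], "%s %s gets %s" % (a["kind"], a["who"], ",".join(sorted(broad)))))
    return findings


# Constructed sample in the shape of the step 1 backup. The third ACI is
# deliberately wrong: write to self with only aci/limits excluded.
SAMPLE_BACKUP = """dn: o=usergroup
aci: (target="ldap:///o=usergroup")(targetattr != "userPassword||passwordHistory
 ||passwordRetryCount")(version 3.0; acl "anonymous access rights";
  allow (read,search,compare) userdn = "ldap:///anyone"; )
aci: (targetattr != "nsroledn||aci||userPassword||memberOf||mailhost
 ||inetuserstatus||mailuserstatus||passwordPolicySubentry")
 (version 3.0; acl "Allow self entry modification"; allow (write)
  userdn ="ldap:///self";)
aci: (targetattr != "aci || nsLookThroughLimit")(version 3.0;
  acl "Allow self entry read search"; allow(write) userdn ="ldap:///self";)
aci: (target="ldap:///o=usergroup")(targetattr="*")(version 3.0;
  acl "S1IS Proxy user rights"; allow (proxy)
  userdn = "ldap:///cn=puser,ou=DSAME Users,o=usergroup"; )
"""

# Constructed fragment in the shape of replacement.acis.ldif before step 3.
SAMPLE_TEMPLATE = """dn: $rootSuffix
changetype: modify
replace: aci
aci: (target="ldap:///$rootSuffix")(targetattr="*")(version 3.0;
  acl "S1IS Proxy user rights"; allow (proxy)
  userdn = "ldap:///cn=puser,ou=DSAME Users,$rootSuffix"; )
"""
```

Running review(parse_acis(...)) over a real step 1 backup gives the list to work through before ldapmodify: any finding that names an application other than Access Manager or Messaging Server is a candidate for the "save and reapply" file, and a self ACI reported as able to write nsroledn or userPassword should not be reapplied at all. Feed render_template the copied template from step 2 and write its first return value to the file you pass to ldapmodify -f in step 4.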

Eliminating Dynamic Organization ACIs

When you use the Delegated Administrator console to create an organization, a group of ACIs is created on the organization node.

The replacement ACIs installed in the preceding procedure eliminate the need for these per-organization ACIs. You can prevent the creation of the per-organization ACIs by using the Access Manager console. Apply the replacement ACIs first: organizations created after you make this change have no ACIs of their own and rely entirely on the ACIs at the root suffix.

Procedure: To eliminate dynamic organization ACIs

  1. Log in to the AM console as amadmin.

    The AM console is located at the following url:

    http://<machine name>:<port>/amconsole

    where

    <machine name> is the host on which Access Manager is running

    <port> is the port on which Access Manager listens

  2. Select the Service Configuration tab.

    By default, the Administration configuration page is displayed.

  3. In the right side of the console, scroll down to Dynamic Administrative Role ACIs.

  4. Select and delete all ACIs in the text box for Dynamic Administrative Role ACIs.

  5. Save the edited settings.