統合した ACI の分析

この項では、置換用 ldif ファイル replacement.acis.ldif で統合された ACI を示します。 このファイルは、ディレクトリで ACI を統合するために使用します。ACI を置き換える方法については、「ACI を置き換える手順」を参照してください。

以下の ACI は、対になっています。分類ごとに、まず元の ACI を、次に統合した ACI を示します。

• 「元の Anonymous Access Rights」

• 「統合した Anonymous Access Rights」

• 「元の自己 ACI」

• 「統合した自己 ACI」

• 「元の Messaging Server ACI」

• 「統合した Messaging Server ACI」

• 「元の Organization Admin ACI」

• 「統合した Organization Admin ACI」

元の Anonymous Access Rights

aci:
(targetattr != “userPassword || passwordHistory || passwordExpirationTime
|| passwordExpWarned || passwordRetryCount || retryCountResetTime ||
accountUnlockTime || passwordAllowChangeTime “)
(version 3.0; acl “Anonymous access”;
allow (read, search, compare)
userdn = “ldap:///anyone”;)

aci:
(target=”ldap:///cn=Top-level Admin Role,$rootSuffix”)
(targetattr=”*”)
version 3.0; acl “S1IS Top-level admin delete right denied”;
deny (delete)
userdn = “ldap:///anyone”; )


aci:
(target=”ldap:///$rootSuffix”)
(targetfilter=(entrydn=$rootSuffix))
(targetattr=”*”)
(version 3.0; acl “S1IS Default Organization delete right denied”;
deny (delete)
userdn = “ldap:///anyone”; )


aci:
(target=”ldap:///ou=services,$rootSuffix”)
(targetfilter=(!(objectclass=sunServiceComponent)))
(targetattr = “*”)
(version 3.0; acl “S1IS Services anonymous access”;
allow (read, search, compare)
userdn = “ldap:///anyone”;)


aci:
(target=”ldap:///ou=iPlanetAMAdminConsoleService,*,$rootSuffix”)
(targetattr = “*”)
(version 3.0; acl “S1IS iPlanetAMAdminConsoleService anonymous access”;
allow (read, search, compare)
userdn = “ldap:///anyone”;)

統合した Anonymous Access Rights

aci:
(target=”ldap:///$rootSuffix”)
(targetfilter=(!(objectclass=sunServiceComponent)))
(targetattr != “userPassword||passwordHistory
||passwordExpirationTime||passwordExpWarned||passwordRetryCount
||retryCountResetTime||accountUnlockTime||passwordAllowChangeTime”)
(version 3.0; acl “anonymous access rights”;
allow (read,search,compare)
userdn = “ldap:///anyone”; )

分析: この ACI はルート上にあり、元の匿名 ACI と同様のアクセスを許可します。これは、除外属性をリストすることで行われます。この置換 ACI により、ターゲットから (*) が削除されるため、パフォーマンスが向上します。

元の自己 ACI

aci:
(targetattr != “nsroledn || aci || nsLookThroughLimit || nsSizeLimit ||
nsTimeLimit || nsIdleTimeout || passwordPolicySubentry ||
passwordExpirationTime
|| passwordExpWarned || passwordRetryCount || retryCountResetTime ||
accountUnlockTime || passwordHistory || passwordAllowChangeTime”)
(version 3.0; acl “Allow self entry modification except for nsroledn, aci,
resource limit attributes, passwordPolicySubentry and password policy
state attributes”;
allow (write)
userdn =”ldap:///self”;) 


aci:
(targetattr = “*”)
(version 3.0; acl “S1IS Deny deleting self”;
deny (delete)
userdn =”ldap:///self”;) 


aci:
(targetattr = “objectclass || inetuserstatus ||
planet-am-web-agent-access-allow-list
|| iplanet-am-domain-url-access-allow 
|| iplanet-am-web-agent-access-deny-list
|| iplanet-am-user-account-life || iplanet-am-session-max-session-time
|| iplanet-am-session-max-idle-time 
|| iplanet-am-session-get-valid-sessions
|| iplanet-am-session-destroy-sessions 
|| iplanet-am-session-add-session-listener-on-all-sessions
|| iplanet-am-user-admin-start-dn 
|| iplanet-am-auth-post-login-process-class”)
(targetfilter=(!(nsroledn=cn=Top-levelAdmin Role,$rootSuffix)))
(version 3.0; acl “S1IS User status self modification denied”;
deny (write)
userdn =”ldap:///self”;) 


aci:
(targetattr != “iplanet-am-static-group-dn || uid || nsroledn || aci 
|| LookThroughLimit
|| nsSizeLimit || nsTimeLimit || nsIdleTimeout || memberOf ||
planet-am-web-agent-access-allow-list
|| iplanet-am-domain-url-access-allow ||
planet-am-web-agent-access-deny-list”)
(version 3.0; acl “S1IS Allow self entry modification except 
for nsroledn, aci, and resource limit attributes”;
allow (write)
userdn =”ldap:///self”;) 


aci:
(targetattr != “aci || nsLookThroughLimit || nsSizeLimit || nsTimeLimit
|| nsIdleTimeout || iplanet-am-domain-url-access-allow”)
(version 3.0; acl “S1IS Allow self entry read search except for 
nsroledn, aci, resource limit and web agent policy attributes”;
allow (read,search)
userdn =”ldap:///self”;) 


aci:
(targetattr=”uid||ou||owner||mail||mailAlternateAddress
||mailEquivalentaddress||memberOf
||inetuserstatus||mailuserstatus||memberOfManagedGroup||mailQuota
||mailMsgQuota
||inetSubscriberAccountId||dataSource||mailhost||mailAllowedServiceAccess
||pabURI||inetCOS||mailSMTPSubmitChannel||aci”)
(targetfilter=(&(objectClass=inetMailUser)(!(nsroledn=cn=Organization Admin
role,*))))
(version 3.0; acl “Deny write access to users over Messaging Server 
protected attributes -
product=SOMS,schema 2 support,class=installer,num=3,version=1 “;
deny (write)
userdn = “ldap:///self”;)

統合した自己 ACI

aci:
(targetattr != “nsroledn || aci || nsLookThroughLimit || nsSizeLimit
|| nsTimeLimit || nsIdleTimeout || passwordPolicySubentry ||
asswordExpirationTime
|| passwordExpWarned || passwordRetryCount || retryCountResetTime
|| accountUnlockTime || passwordHistory || passwordAllowChangeTime ||
id || memberOf
|| objectclass || inetuserstatus || ou || owner || mail || mailuserstatus
|| memberOfManagedGroup ||mailQuota || mailMsgQuota || mailhost
|| mailAllowedServiceAccess || inetCOS || mailSMTPSubmitChannel”)
(version 3.0; acl “Allow self entry modification”;
allow (write)
userdn =”ldap:///self”;) 


aci:
(targetattr != “ aci || nsLookThroughLimit || nsSizeLimit
|| nsTimeLimit|| nsIdleTimeout”)
(version 3.0; acl “Allow self entry read search”;
allow(read,search)
userdn =”ldap:///self”;)

分析: すべての iplanet-am-* 属性が削除されています。ACI が存在しない場合は deny がデフォルトとなるので、すべての deny ACI が削除されています。write を許可するものは、1 つの ACI に統合されています。

元の Messaging Server ACI

aci:
(target=”ldap:///$rootSuffix”)
(targetattr=”*”)
(version 3.0; acl “Messaging Server End User Administrator Read 
Access Rights -
product=SOMS,schema 2 support,class=installer,num=1,version=1”;
allow (read,search)
groupdn=”ldap:///cn=Messaging End User Administrators Group, ou=Groups,
rootSuffix”;) 


aci:
(target=”ldap:///$rootSuffix”)
(targetattr=”objectclass||mailalternateaddress||mailautoreplymode||
mailprogramdeliveryinfo
||nswmextendeduserprefs||preferredlanguage||maildeliveryoption||
mailforwardingaddress
||mailAutoReplyTimeout||mailautoreplytextinternal||mailautoreplytext||
vacationEndDate
||vacationStartDate||mailautoreplysubject||pabURI||maxPabEntries||
mailMessageStore
||mailSieveRuleSource||sunUCDateFormat||sunUCDateDeLimiter||
sunUCTimeFormat”)
(version 3.0; acl “Messaging Server End User Adminstrator Write 
Access Rights -
product=SOMS,schema 2 support,class=installer,num=2,version=1”;
allow (all)
groupdn=”ldap:///cn=Messaging End User Administrators Group, ou=Groups,
rootSuffix”;) 


aci:
(targetattr=”uid||ou||owner||mail||mailAlternateAddress||
mailEquivalentAddress||memberOf
||inetuserstatus||mailuserstatus||memberOfManagedGroup||mailQuota||
mailMsgQuota
||inetSubscriberAccountId||dataSource||mailhost||mailAllowedServiceAccess
||pabURI||inetCOS||mailSMTPSubmitChannel||aci”)
(targetfilter=(&(objectClass=inetMailUser)(!(nsroledn=cn=Organization Admin
Role,*))))
(version 3.0; acl “Deny write access to users over Messaging Server
protected attributes - 
product=SOMS,schema 2 support,class=installer,num=3,version=1 “;
deny (write)
userdn = “ldap:///self”;)

統合した Messaging Server ACI

自己 ACI は、自己 ACI の中で取り扱われます。

aci:
(targetattr=”*”)
(version 3.0; acl “Messaging Server End User Administrator 
Read Only Access”;
allow (read,search)
groupdn = “ldap:///cn=Messaging End User Administrators
group,ou=Groups,$rootSuffix”; ) 


aci:
(targetattr=”objectclass || mailalternateaddress || Mailautoreplymode 
|| mailprogramdeliveryinfo || preferredlanguage || maildeliveryoption
|| mailforwardingaddress || mailAutoReplyTimeout 
|| mailautoreplytextinternal
|| mailautoreplytext || vacationEndDate || vacationStartDate
|| mailautoreplysubject || maxPabEntries || mailMessageStore
|| mailSieveRuleSource || sunUCDateFormat || sunUCDateDeLimiter
|| sunUCTimeFormat || mailuserstatus || maildomainstatus”)
(version 3.0; acl “Messaging Server End User Administrator All Access”;
allow (all)
groupdn = “ldap:///cn=Messaging End User Administrators
group,ou=Groups,$rootSuffix”;)

分析: 元の ACI と同じです。

元の Organization Admin ACI

aci: (different name - “allow all” instead of “allow”)
(target=”ldap:///($dn),$rootSuffix”)
(targetfilter=(!(|(nsroledn=cn=Top-level Admin Role,$rootSuffix)
(nsroledn=cn=Top-level Help Desk Admin Role,$rootSuffix)
(nsroledn=cn=Top-level Policy Admin Role,$rootSuffix))))
(targetattr != “nsroledn”)
(version 3.0; acl “S1IS Organization Admin Role access allow all”;
allow (all)
roledn =”ldap:///cn=Organization Admin Role,[$dn],$rootSuffix”;) 


aci: (missing)
(target=”ldap:///($dn),$rootSuffix”)
(targetattr=”*”)
(version 3.0; acl “Organization Admin Role access allow read to org node”;
allow (read,search)
roledn = “ldap:///cn=Organization Admin Role,($dn),$rootSuffix” ;) 


aci:
(target=”ldap:///($dn),$rootSuffix”)
(targetfilter=(!(|(nsroledn=cn=Top-level Admin Role,$rootSuffix)
(nsroledn=cn=Top-level Help Desk Admin Role,$rootSuffix))))
(targetattr != “nsroledn”)
(version 3.0; acl “Organization Admin Role access allow”;
allow (all)
roledn = “ldap:///cn=Organization Admin Role,[$dn],$rootSuffix”;) 


aci:
(target=”ldap:///($dn),$rootSuffix”)
(targetattr!=”businessCategory || description || facsimileTelephoneNumber
|| postalAddress || preferredLanguage || searchGuide || postOfficeBox 
|| postalCode
|| registeredaddress || street || l || st || telephonenumber 
|| maildomainreportaddress
|| maildomainwelcomemessage || preferredlanguage || sunenablegab”)
(version 3.0; acl “Organization Admin Role access deny to org node”;
deny (write,add,delete)
roledn = “ldap:///cn=Organization Admin Role,($dn),$rootSuffix” ;) 


aci: (duplicate of per organization aci)
(target=”ldap:///cn=Organization Admin Role,($dn),$rootSuffix”)
(targetattr=”*”)
(version 3.0; acl “S1IS Organization Admin Role access deny”;
deny (write,add,delete,compare,proxy)
roledn = “ldap:///cn=Organization Admin Role,($dn),$rootSuffix”;)


aci:
(target=”ldap:///cn=Organization Admin
Role,($dn),dc=red,dc=iplanet,dc=com”)
(targetattr=”*”)
(version 3.0; acl “S1IS Organization Admin Role access deny”;
deny (write,add,delete,compare,proxy)
roledn = “ldap:///cn=Organization Admin Role,($dn),$rootSuffix”;)


aci:
(target=”ldap:///o=fullOrg1,o=VIS,o=siroe.com,o=SharedDomainsRoot,
o=Business,rootSuffix”)
(targetfilter=(!(|(nsroledn=cn=Top-level Admin Role,$rootSuffix)
(nsroledn=cn=Top-level Help Desk Admin Role,dc=red,dc=iplanet,dc=com))))
(targetattr = “nsroledn”)
(targattrfilters=”add=nsroledn:(nsroledn=*,o=fullOrg1,o=VIS,o=siroe.com,
o=SharedDomainsRoot,o=Business,$rootSuffix),
del=nsroledn:(nsroledn=*,o=fullOrg1,o=VIS,o=siroe.com,o=SharedDomainsRoot,
o=Business,$rootSuffix)”)
(version 3.0;
acl “S1IS Organization Admin Role access allow”;
allow (all)
roledn = “ldap:///cn=Organization Admin
Role,o=fullOrg1,o=VIS,o=siroe.com,o=SharedDomainsRoot,o=Business,
$rootSuffix”;)


aci:
(target=”ldap:///($dn),$rootSuffix”)
(targetfilter=(!(|(nsroledn=cn=Top-level Admin Role,$rootSuffix)
(nsroledn=cn=Top-level Help Desk Admin Role,$rootSuffix))))
(targetattr != “nsroledn”)
(version 3.0; acl “S1IS Organization Admin Role access allow all”;
allow (all)
roledn = “ldap:///cn=Organization Admin
Role,[$dn],dc=red,dc=iplanet,dc=com”;)

統合した Organization Admin ACI

aci:
(target=”ldap:///cn=Organization Admin Role,($dn),$rootSuffix”)
(targetattr=”*”)
(version 3.0; acl “S1IS Organization Admin Role access deny”;
deny (write,add,delete,compare,proxy)
roledn = “ldap:///cn=Organization Admin Role,($dn),$rootSuffix”;)


aci:
(target=”ldap:///($dn),$rootSuffix”)
(targetattr=”*”)
(version 3.0; acl “Organization Admin Role access allow read”;
allow(read,search)
roledn = “ldap:///cn=Organization Admin Role,[$dn],$rootSuffix” ;)


aci:
(target=”ldap:///($dn),$rootSuffix”)
(targetfilter=(!(|(nsroledn=cn=Top-level Admin Role,$rootSuffix)
(entrydn=($dn),$rootSuffix))))
( targetattr = “*”)
(version 3.0; acl “S1IS Organization Admin Role access allow”;
allow (all)
roledn = “ldap:///cn=Organization Admin Role,[$dn],$rootSuffix”;)