Sun Java System Delegated Administrator 6.4 Administration Guide


When you install Access Manager with Messaging Server and use an LDAP Schema 2 directory, a large number of Access Control Instructions (ACIs) are initially installed in the directory. Many of these default ACIs are not needed or used by Messaging Server.

The need to check these ACIs at runtime can affect the performance of Directory Server, which can, in turn, affect the performance of Messaging Server look-ups and other directory operations.

You can improve the performance of the Directory Server by consolidating and reducing the number of default ACIs in the directory. Consolidating the ACIs also makes them easier to manage.
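To see how many ACIs each entry carries before and after consolidation, you can inventory them from an LDIF export of the directory. The following Python sketch is an added example, not part of the original guide; the function names, the `o=example` suffix, and the sample ACIs are constructed placeholders, and it assumes you already have an export that includes the `aci` attribute.

```python
import base64
import re
from collections import defaultdict

ACL_NAME = re.compile(r'\bacl\s+"([^"]*)"', re.IGNORECASE)

# Constructed sample export; o=example and every ACI below are placeholders.
_B64 = base64.b64encode(
    b'(targetattr="mail")(version 3.0; acl "Constructed b64 rule"; '
    b'allow (read) userdn="ldap:///all";)').decode()
SAMPLE_LDIF = f"""dn: o=example
aci: (targetattr="*")(version 3.0; acl "Constructed admin rule"; allow (all)
  userdn="ldap:///uid=admin,ou=People,o=example";)
aci: (targetattr="userPassword")(version 3.0; acl "Constructed
  self write"; allow (write) userdn="ldap:///self";)
aci:: {_B64}

dn: ou=People,o=example
aci: (targetattr="cn")(version 3.0; acl "Constructed read cn"; allow (read) userdn="ldap:///anyone";)
"""

def unfold(text):
    """Join folded LDIF lines: a line starting with one space continues the previous one."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def aci_inventory(text):
    """Return {entry DN: [ACI names]} so per-entry ACI counts can be compared."""
    inventory, dn = defaultdict(list), None
    for line in unfold(text):
        attr, _, value = line.partition(":")
        if value.startswith(":"):  # "attr:: value" means the value is base64
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            dn = value
        elif attr == "aci" and dn:
            name = ACL_NAME.search(value)
            inventory[dn].append(name.group(1) if name else "<unnamed>")
    return dict(inventory)

if __name__ == "__main__":
    for dn, names in aci_inventory(SAMPLE_LDIF).items():
        print(f"{len(names):3d}  {dn}  {names}")
```

Running the same inventory on exports taken before and after the change shows which entries lost ACIs and which names remain, which makes an unintended removal easy to spot.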

The approach to reducing ACIs is as follows:

This appendix first describes how to use an ldif file (replacement.acis.ldif) to consolidate ACIs at the root suffix and remove unused ACIs from the directory. For details, see Consolidating and Removing ACIs, below.

Next, the appendix analyzes each ACI and recommends a method for handling it: removing it, revising it to make it more efficient, or rewriting it.

Note the following constraints in these recommendations:

Given these constraints, you must determine for yourself (according to the requirements of your installation) whether you can use the ldif file to consolidate and remove ACIs, or whether you need to retain certain ACIs as they now exist in the directory.

For more information, see Analysis of the Existing ACIs, later in this appendix.

Next, this appendix describes the ACIs that are consolidated by the replacement.acis.ldif file. It lists the existing ACIs before they are consolidated and the modified ACIs after they are consolidated. For more information, see Analysis of How ACIs Are Consolidated, later in this appendix.

Finally, the appendix lists the ACIs discarded by the replacement.acis.ldif file. For more information, see List of Unused ACIs to be Discarded, later in this appendix.