ACI 合并方式分析
本节中的列表显示了在替换 ldif 文件 replacement.acis.ldif(此文件可用于合并目录中的 ACI)中已被合并的 ACI。有关如何替换 ACI 的说明,请参见替换 ACI 的步骤。
ACI 分为若干对。对于每种类别,均先列出原始 ACI,再列出合并后的 ACI:
原始匿名访问权限
aci: (targetattr != “userPassword || passwordHistory || passwordExpirationTime || passwordExpWarned || passwordRetryCount || retryCountResetTime || accountUnlockTime || passwordAllowChangeTime “) (version 3.0; acl “Anonymous access”; allow (read, search, compare) userdn = “ldap:///anyone”;)
aci: (target=”ldap:///cn=Top-level Admin Role,$rootSuffix”) (targetattr=”*”) version 3.0; acl “S1IS Top-level admin delete right denied”; deny (delete) userdn = “ldap:///anyone”; ) aci: (target=”ldap:///$rootSuffix”) (targetfilter=(entrydn=$rootSuffix)) (targetattr=”*”) (version 3.0; acl “S1IS Default Organization delete right denied”; deny (delete) userdn = “ldap:///anyone”; ) aci: (target=”ldap:///ou=services,$rootSuffix”) (targetfilter=(!(objectclass=sunServiceComponent))) (targetattr = “*”) (version 3.0; acl “S1IS Services anonymous access”; allow (read, search, compare) userdn = “ldap:///anyone”;) aci: (target=”ldap:///ou=iPlanetAMAdminConsoleService,*,$rootSuffix”) (targetattr = “*”) (version 3.0; acl “S1IS iPlanetAMAdminConsoleService anonymous access”; allow (read, search, compare) userdn = “ldap:///anyone”;)
合并后的匿名访问权限
aci: (target=”ldap:///$rootSuffix”) (targetfilter=(!(objectclass=sunServiceComponent))) (targetattr != “userPassword||passwordHistory ||passwordExpirationTime||passwordExpWarned||passwordRetryCount ||retryCountResetTime||accountUnlockTime||passwordAllowChangeTime”) (version 3.0; acl “anonymous access rights”; allow (read,search,compare) userdn = “ldap:///anyone”; )
分析:此 ACI 位于根上,它可与原始匿名 ACI 集合授予相同的访问权限。它通过列出一组排除的属性来执行此操作。由于此替换 ACI 清除了目标中的 (*),因此可提高性能。
原始 ACI 自身
aci: (targetattr != “nsroledn || aci || nsLookThroughLimit || nsSizeLimit || nsTimeLimit || nsIdleTimeout || passwordPolicySubentry || passwordExpirationTime || passwordExpWarned || passwordRetryCount || retryCountResetTime || accountUnlockTime || passwordHistory || passwordAllowChangeTime”) (version 3.0; acl “Allow self entry modification except for nsroledn, aci, resource limit attributes, passwordPolicySubentry and password policy state attributes”; allow (write) userdn =”ldap:///self”;) aci: (targetattr = “*”) (version 3.0; acl “S1IS Deny deleting self”; deny (delete) userdn =”ldap:///self”;) aci: (targetattr = “objectclass || inetuserstatus || planet-am-web-agent-access-allow-list || iplanet-am-domain-url-access-allow || iplanet-am-web-agent-access-deny-list || iplanet-am-user-account-life || iplanet-am-session-max-session-time || iplanet-am-session-max-idle-time || iplanet-am-session-get-valid-sessions || iplanet-am-session-destroy-sessions || iplanet-am-session-add-session-listener-on-all-sessions || iplanet-am-user-admin-start-dn || iplanet-am-auth-post-login-process-class”) (targetfilter=(!(nsroledn=cn=Top-levelAdmin Role,$rootSuffix))) (version 3.0; acl “S1IS User status self modification denied”; deny (write) userdn =”ldap:///self”;) aci: (targetattr != “iplanet-am-static-group-dn || uid || nsroledn || aci || LookThroughLimit || nsSizeLimit || nsTimeLimit || nsIdleTimeout || memberOf || planet-am-web-agent-access-allow-list || iplanet-am-domain-url-access-allow || planet-am-web-agent-access-deny-list”) (version 3.0; acl “S1IS Allow self entry modification except for nsroledn, aci, and resource limit attributes”; allow (write) userdn =”ldap:///self”;) aci: (targetattr != “aci || nsLookThroughLimit || nsSizeLimit || nsTimeLimit || nsIdleTimeout || iplanet-am-domain-url-access-allow”) (version 3.0; acl “S1IS Allow self entry read search except for nsroledn, aci, resource limit and web agent policy attributes”; allow (read,search) userdn =”ldap:///self”;) aci: (targetattr=”uid||ou||owner||mail||mailAlternateAddress ||mailEquivalentaddress||memberOf ||inetuserstatus||mailuserstatus||memberOfManagedGroup||mailQuota ||mailMsgQuota ||inetSubscriberAccountId||dataSource||mailhost||mailAllowedServiceAccess ||pabURI||inetCOS||mailSMTPSubmitChannel||aci”) (targetfilter=(&(objectClass=inetMailUser)(!(nsroledn=cn=Organization Admin role,*)))) (version 3.0; acl “Deny write access to users over Messaging Server protected attributes - product=SOMS,schema 2 support,class=installer,num=3,version=1 “; deny (write) userdn = “ldap:///self”;)
合并后的 ACI 自身
aci: (targetattr != “nsroledn || aci || nsLookThroughLimit || nsSizeLimit || nsTimeLimit || nsIdleTimeout || passwordPolicySubentry || asswordExpirationTime || passwordExpWarned || passwordRetryCount || retryCountResetTime || accountUnlockTime || passwordHistory || passwordAllowChangeTime || id || memberOf || objectclass || inetuserstatus || ou || owner || mail || mailuserstatus || memberOfManagedGroup ||mailQuota || mailMsgQuota || mailhost || mailAllowedServiceAccess || inetCOS || mailSMTPSubmitChannel”) (version 3.0; acl “Allow self entry modification”; allow (write) userdn =”ldap:///self”;) aci: (targetattr != “ aci || nsLookThroughLimit || nsSizeLimit || nsTimeLimit|| nsIdleTimeout”) (version 3.0; acl “Allow self entry read search”; allow(read,search) userdn =”ldap:///self”;)
分析:不具有全部 iplanet-am-* 属性。由于在 ACI 不存在的情况下默认值为 deny,因此所有 deny ACI 都被删除。允许 write 的各个 ACI 将被合并为单个 ACI。
原始 Messaging Server ACI
aci: (target=”ldap:///$rootSuffix”) (targetattr=”*”) (version 3.0; acl “Messaging Server End User Administrator Read Access Rights - product=SOMS,schema 2 support,class=installer,num=1,version=1”; allow (read,search) groupdn=”ldap:///cn=Messaging End User Administrators Group, ou=Groups, rootSuffix”;) aci: (target=”ldap:///$rootSuffix”) (targetattr=”objectclass||mailalternateaddress||mailautoreplymode|| mailprogramdeliveryinfo ||nswmextendeduserprefs||preferredlanguage||maildeliveryoption|| mailforwardingaddress ||mailAutoReplyTimeout||mailautoreplytextinternal||mailautoreplytext|| vacationEndDate ||vacationStartDate||mailautoreplysubject||pabURI||maxPabEntries|| mailMessageStore ||mailSieveRuleSource||sunUCDateFormat||sunUCDateDeLimiter|| sunUCTimeFormat”) (version 3.0; acl “Messaging Server End User Adminstrator Write Access Rights - product=SOMS,schema 2 support,class=installer,num=2,version=1”; allow (all) groupdn=”ldap:///cn=Messaging End User Administrators Group, ou=Groups, rootSuffix”;) aci: (targetattr=”uid||ou||owner||mail||mailAlternateAddress|| mailEquivalentAddress||memberOf ||inetuserstatus||mailuserstatus||memberOfManagedGroup||mailQuota|| mailMsgQuota ||inetSubscriberAccountId||dataSource||mailhost||mailAllowedServiceAccess ||pabURI||inetCOS||mailSMTPSubmitChannel||aci”) (targetfilter=(&(objectClass=inetMailUser)(!(nsroledn=cn=Organization Admin Role,*)))) (version 3.0; acl “Deny write access to users over Messaging Server protected attributes - product=SOMS,schema 2 support,class=installer,num=3,version=1 “; deny (write) userdn = “ldap:///self”;)
合并后的 Messaging Server ACI
ACI 自身在多个 ACI 自身中处理。
aci: (targetattr=”*”) (version 3.0; acl “Messaging Server End User Administrator Read Only Access”; allow (read,search) groupdn = “ldap:///cn=Messaging End User Administrators group,ou=Groups,$rootSuffix”; ) aci: (targetattr=”objectclass || mailalternateaddress || Mailautoreplymode || mailprogramdeliveryinfo || preferredlanguage || maildeliveryoption || mailforwardingaddress || mailAutoReplyTimeout || mailautoreplytextinternal || mailautoreplytext || vacationEndDate || vacationStartDate || mailautoreplysubject || maxPabEntries || mailMessageStore || mailSieveRuleSource || sunUCDateFormat || sunUCDateDeLimiter || sunUCTimeFormat || mailuserstatus || maildomainstatus”) (version 3.0; acl “Messaging Server End User Administrator All Access”; allow (all) groupdn = “ldap:///cn=Messaging End User Administrators group,ou=Groups,$rootSuffix”;)
分析:与原始 ACI 相同。
原始组织管理 ACI
aci: (different name - “allow all” instead of “allow”) (target=”ldap:///($dn),$rootSuffix”) (targetfilter=(!(|(nsroledn=cn=Top-level Admin Role,$rootSuffix) (nsroledn=cn=Top-level Help Desk Admin Role,$rootSuffix) (nsroledn=cn=Top-level Policy Admin Role,$rootSuffix)))) (targetattr != “nsroledn”) (version 3.0; acl “S1IS Organization Admin Role access allow all”; allow (all) roledn =”ldap:///cn=Organization Admin Role,[$dn],$rootSuffix”;) aci: (missing) (target=”ldap:///($dn),$rootSuffix”) (targetattr=”*”) (version 3.0; acl “Organization Admin Role access allow read to org node”; allow (read,search) roledn = “ldap:///cn=Organization Admin Role,($dn),$rootSuffix” ;) aci: (target=”ldap:///($dn),$rootSuffix”) (targetfilter=(!(|(nsroledn=cn=Top-level Admin Role,$rootSuffix) (nsroledn=cn=Top-level Help Desk Admin Role,$rootSuffix)))) (targetattr != “nsroledn”) (version 3.0; acl “Organization Admin Role access allow”; allow (all) roledn = “ldap:///cn=Organization Admin Role,[$dn],$rootSuffix”;) aci: (target=”ldap:///($dn),$rootSuffix”) (targetattr!=”businessCategory || description || facsimileTelephoneNumber || postalAddress || preferredLanguage || searchGuide || postOfficeBox || postalCode || registeredaddress || street || l || st || telephonenumber || maildomainreportaddress || maildomainwelcomemessage || preferredlanguage || sunenablegab”) (version 3.0; acl “Organization Admin Role access deny to org node”; deny (write,add,delete) roledn = “ldap:///cn=Organization Admin Role,($dn),$rootSuffix” ;) aci: (duplicate of per organization aci) (target=”ldap:///cn=Organization Admin Role,($dn),$rootSuffix”) (targetattr=”*”) (version 3.0; acl “S1IS Organization Admin Role access deny”; deny (write,add,delete,compare,proxy) roledn = “ldap:///cn=Organization Admin Role,($dn),$rootSuffix”;) aci: (target=”ldap:///cn=Organization Admin Role,($dn),dc=red,dc=iplanet,dc=com”) (targetattr=”*”) (version 3.0; acl “S1IS Organization Admin Role access deny”; deny (write,add,delete,compare,proxy) roledn = “ldap:///cn=Organization Admin Role,($dn),$rootSuffix”;) aci: (target=”ldap:///o=fullOrg1,o=VIS,o=siroe.com,o=SharedDomainsRoot, o=Business,rootSuffix”) (targetfilter=(!(|(nsroledn=cn=Top-level Admin Role,$rootSuffix) (nsroledn=cn=Top-level Help Desk Admin Role,dc=red,dc=iplanet,dc=com)))) (targetattr = “nsroledn”) (targattrfilters=”add=nsroledn:(nsroledn=*,o=fullOrg1,o=VIS,o=siroe.com, o=SharedDomainsRoot,o=Business,$rootSuffix), del=nsroledn:(nsroledn=*,o=fullOrg1,o=VIS,o=siroe.com,o=SharedDomainsRoot, o=Business,$rootSuffix)”) (version 3.0; acl “S1IS Organization Admin Role access allow”; allow (all) roledn = “ldap:///cn=Organization Admin Role,o=fullOrg1,o=VIS,o=siroe.com,o=SharedDomainsRoot,o=Business, $rootSuffix”;) aci: (target=”ldap:///($dn),$rootSuffix”) (targetfilter=(!(|(nsroledn=cn=Top-level Admin Role,$rootSuffix) (nsroledn=cn=Top-level Help Desk Admin Role,$rootSuffix)))) (targetattr != “nsroledn”) (version 3.0; acl “S1IS Organization Admin Role access allow all”; allow (all) roledn = “ldap:///cn=Organization Admin Role,[$dn],dc=red,dc=iplanet,dc=com”;)
合并后的组织管理 ACI
aci: (target=”ldap:///cn=Organization Admin Role,($dn),$rootSuffix”) (targetattr=”*”) (version 3.0; acl “S1IS Organization Admin Role access deny”; deny (write,add,delete,compare,proxy) roledn = “ldap:///cn=Organization Admin Role,($dn),$rootSuffix”;) aci: (target=”ldap:///($dn),$rootSuffix”) (targetattr=”*”) (version 3.0; acl “Organization Admin Role access allow read”; allow(read,search) roledn = “ldap:///cn=Organization Admin Role,[$dn],$rootSuffix” ;) aci: (target=”ldap:///($dn),$rootSuffix”) (targetfilter=(!(|(nsroledn=cn=Top-level Admin Role,$rootSuffix) (entrydn=($dn),$rootSuffix)))) ( targetattr = “*”) (version 3.0; acl “S1IS Organization Admin Role access allow”; allow (all) roledn = “ldap:///cn=Organization Admin Role,[$dn],$rootSuffix”;)
- © 2010, Oracle Corporation and/or its affiliates