Sun Java System Communications Services 6 2005Q1 Delegated Administrator Guide
Appendix D
ACI Consolidation
This appendix contains the following sections.
Introduction
When Access Manager is installed together with Messaging Server and an LDAP Schema 2 directory is used, a large number of ACIs (Access Control Instructions) are initially installed in the directory. Many of these default ACIs are neither needed nor used by Messaging Server.
If these ACIs have to be evaluated at runtime, they affect Directory Server performance, which in turn can affect the performance of Messaging Server lookups and other directory operations.
You can improve Directory Server performance by consolidating the default ACIs in the directory and reducing their number. Consolidating the ACIs also makes them easier to manage.
The ACIs are reduced as follows.
This appendix first describes how to use an ldif file (replacement.acis.ldif) to consolidate the ACIs at the root suffix and remove unused ACIs from the directory. For details, see ACI Consolidation and Removal below.
Next, it analyzes each ACI and suggests how to handle it: remove it, or revise or rewrite it for greater efficiency.
These recommendations come with a few caveats.
Under these caveats, you must decide for yourself (depending on the requirements of your installation) whether to use the ldif file for ACI consolidation and removal, or whether some ACIs must be left as they currently exist in the directory.
For details, see Analysis of Existing ACIs later in this appendix.
Next, it describes the ACIs that the replacement.acis.ldif file consolidates, listing the ACIs that existed before consolidation and the modified ACIs that result from it. For details, see Analysis of How the ACIs Are Consolidated later in this appendix.
Finally, this appendix lists the ACIs that replacement.acis.ldif discards. For details, see List of Unused ACIs to Be Removed later in this appendix.
ACI Consolidation and Removal
The ldif file listed in this section, replacement.acis.ldif, installs the consolidated ACIs at the root suffix and removes the unused ACIs from the directory. This ldif file is provided with Delegated Administrator and is located in the following directory:
da_base/lib/config-templates
When you apply the replacement.acis.ldif file to the directory (with ldapmodify), the ldapmodify command removes every instance of the aci attribute at the root suffix and replaces them with the ACIs contained in the replacement.acis.ldif file.
That is, this procedure first removes all ACIs at the root suffix and then replaces them with the set of ACIs listed below. If the directory contains ACIs created by other applications, such as Portal Server, you must save those ACIs to a file, apply the replacement.acis.ldif file, and then reapply the saved file to the directory.
For instructions on using this ldif file to remove ACIs, see Steps for Replacing the ACIs later in this section.
The replacement.acis.ldif File
dn: $rootSuffix
changetype: modify
replace: aci
aci: (targetattr = "*")(version 3.0; acl "Configuration Administrator";
  allow (all)
  userdn="ldap:///uid=admin,ou=Administrators,ou=TopologyManagement,
  o=NetscapeRoot";)
aci: (target="ldap:///$rootSuffix")
  (targetfilter=(!(objectclass=sunServiceComponent)))
  (targetattr != "userPassword||passwordHistory
  ||passwordExpirationTime||passwordExpWarned||passwordRetryCount
  ||retryCountResetTime||accountUnlockTime||passwordAllowChangeTime")
  (version 3.0; acl "anonymous access rights";
  allow (read,search,compare)
  userdn = "ldap:///anyone"; )
aci: (targetattr != "nsroledn||aci||nsLookThroughLimit||nsSizeLimit
  ||nsTimeLimit||nsIdleTimeout||passwordPolicySubentry||passwordExpirationTime
  ||passwordExpWarned||passwordRetryCount||retryCountResetTime
  ||accountUnlockTime||passwordHistory||passwordAllowChangeTime||uid||memberOf
  ||objectclass||inetuserstatus||ou||owner||mail||mailuserstatus
  ||memberOfManagedGroup||mailQuota||mailMsgQuota||mailhost
  ||mailAllowedServiceAccess||inetCOS||mailSMTPSubmitChannel")
  (version 3.0; acl "Allow self entry modification";
  allow(write)
  userdn ="ldap:///self";)
aci: (targetattr != " aci || nsLookThroughLimit || nsSizeLimit
  || nsTimeLimit|| nsIdleTimeout")
  (version 3.0; acl "Allow self entry read search";
  allow(write)
  userdn ="ldap:///self";)
aci: (target="ldap:///$rootSuffix")
  (targetattr="*")
  (version 3.0; acl "S1IS Proxy user rights";
  allow (proxy)
  userdn = "ldap:///cn=puser,ou=DSAME Users,
  $rootSuffix"; )
aci: (target="ldap:///$rootSuffix")
  (targetattr="*")
  (version 3.0; acl "S1IS special dsame user rights for all under the root suffix";
  allow (all)
  userdn = "ldap:///cn=dsameuser,ou=DSAME Users,
  $rootSuffix"; )
aci: (target="ldap:///$rootSuffix")
  (targetattr="*")
  (version 3.0; acl "S1IS special ldap auth user rights";
  allow (read,search)
  userdn = "ldap:///cn=amldapuser,ou=DSAME Users,
  $rootSuffix"; )
aci: (target="ldap:///$rootSuffix")
  (targetattr="*")
  (version 3.0; acl "S1IS Top-level admin rights";
  allow (all)
  roledn = "ldap:///cn=Top-level Admin Role,
  $rootSuffix"; )
aci: (targetattr="*")
  (version 3.0; acl "Messaging Server End User Administrator Read Only Access";
  allow (read,search)
  groupdn="ldap:///cn=Messaging End User Administrators Group,ou=Groups,
  $rootSuffix";)
aci: (targetattr="objectclass || mailalternateaddress || Mailautoreplymode ||
  mailprogramdeliveryinfo || preferredlanguage || maildeliveryoption
  || mailforwardingaddress || mailAutoReplyTimeout || mailautoreplytextinternal
  || mailautoreplytext || vacationEndDate || vacationStartDate
  || mailautoreplysubject || maxPabEntries || mailMessageStore
  || mailSieveRuleSource || sunUCDateFormat || sunUCDateDeLimiter
  || sunUCTimeFormat || mailuserstatus || maildomainstatus")
  (version 3.0; acl "Messaging Server End User Administrator All Access";
  allow (all)
  groupdn = "ldap:///cn=Messaging End User Administrators Group,ou=Groups,
  $rootSuffix";)
aci: (targetattr = "*")
  (version 3.0;acl "Allow Read-Only Access";
  allow (read,search,compare)
  groupdn = "ldap:///cn=Read-Only,ou=Groups,
  $rootSuffix";)
aci: (target="ldap:///cn=Organization Admin Role,($dn),$rootSuffix")
  (targetattr="*")
  (version 3.0; acl "S1IS Organization Admin Role access deny";
  deny (write,add,delete,compare,proxy)
  roledn = "ldap:///cn=Organization Admin Role,($dn),
  $rootSuffix";)
aci: (target="ldap:///($dn),$rootSuffix")
  (targetattr="*")
  (version 3.0; acl "Organization Admin Role access allow read";
  allow(read,search)
  roledn = "ldap:///cn=Organization Admin Role,[$dn],
  $rootSuffix" ;)
aci: (target="ldap:///($dn),$rootSuffix")
  (targetfilter=(!(|(nsroledn=cn=Top-level Admin Role,$rootSuffix)
  (entrydn=($dn),$rootSuffix))))
  ( targetattr = "*")
  (version 3.0; acl "S1IS Organization Admin Role access allow";
  allow (all)
  roledn = "ldap:///cn=Organization Admin Role,[$dn],
  $rootSuffix";)
Steps for Replacing the ACIs
Before You Begin
Before you start this procedure, examine the existing ACIs in the directory. You must decide whether any of the ACIs that this procedure removes need to be preserved.
This procedure first removes all ACIs at the root suffix and then replaces them with the set of ACIs in replacement.acis.ldif. If the directory contains ACIs created by applications other than Messaging Server, you must save those ACIs to a file, apply the replacement.acis.ldif file, and then reapply the saved file to the directory.
To help you analyze the existing ACIs created by Access Manager and Messaging Server, see the sections later in this appendix.
To Replace the ACIs
To consolidate the ACIs at the root suffix and remove the unused ACIs, perform the following steps.
- Save the existing ACIs currently at the root suffix. You can use the ldapsearch command, as in the following example:
ldapsearch -D "cn=Directory Manager" -w <password> -s base -b <$rootSuffix> aci=* aci > <filename>
where
<password> is the Directory Server administrator's password.
<$rootSuffix> is the root suffix (for example, o=usergroup).
<filename> is the name of the file to which the saved ACIs are written.
- Copy and rename the replacement.acis.ldif file.
When Delegated Administrator is installed, the replacement.acis.ldif file is placed in the following directory:
da_base/lib/config-templates
- Edit the $rootSuffix entries in your copy of the replacement.acis.ldif file.
Change the root suffix parameter $rootSuffix to your root suffix (for example, o=usergroup). The $rootSuffix parameter appears several times in the ldif file, so you must replace each instance.
- Use the LDAP directory tool ldapmodify to replace the ACIs.
For example, you can run the following command:
ldapmodify -D <directory manager> -w <password> -f <replacement.acis.finished.ldif>
where
<directory manager> is the name of the Directory Server administrator.
<password> is the Directory Server administrator's password.
<replacement.acis.finished.ldif> is the name of the ldif file that you edited to consolidate and remove the ACIs in the directory.
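Because step 4 performs a replace of the whole aci attribute, anything not in your edited file is gone, including ACIs other products wrote at the root suffix. The following Python script is an added example (not code from the guide and not part of replacement.acis.ldif) of a pre-flight check: it renders the template for the root suffix, parses the step 1 ldapsearch dump, lists the ACIs that would be removed, and emits the LDIF to add back the ones you decide to keep. The dump, the template subset and the "Portal Server sample" ACI are constructed for the demonstration.

```python
"""Pre-flight check for the "replace: aci" step (added example; not from the
Delegated Administrator guide and not part of replacement.acis.ldif).

`replace: aci` at the root suffix drops every existing aci value, including
any that other products wrote there (the guide names Portal Server). Before
running ldapmodify: render the template for the real root suffix, parse the
ldapsearch dump taken in step 1, and list the ACIs that would disappear so
the ones worth keeping can be re-added afterwards. Standard library only.
"""
import base64
import re

ROOT_SUFFIX = "o=usergroup"   # the example suffix the guide uses

# Constructed stand-in for the step-1 ldapsearch output. Long values are folded
# the way ldapsearch emits them: a continuation line starts with one space.
# The "Portal Server sample" ACI is invented to play the third-party role.
CURRENT_DUMP = """\
dn: o=usergroup
aci: (targetattr = "*")(version 3.0; acl "Configuration Administrator"; allow
  (all) userdn="ldap:///uid=admin,ou=Administrators,ou=TopologyManagement,o=Net
 scapeRoot";)
aci: (targetattr = "*")(version 3.0; acl "S1IS Deny deleting self"; deny (delet
 e) userdn ="ldap:///self";)
aci: (targetattr = "*")(version 3.0; acl "Portal Server sample (constructed)";
  allow (read,search) userdn = "ldap:///anyone";)
"""

# Constructed subset of the replacement template, before $rootSuffix is edited.
TEMPLATE = """\
dn: $rootSuffix
changetype: modify
replace: aci
aci: (targetattr = "*")(version 3.0; acl "Configuration Administrator"; allow
  (all) userdn="ldap:///uid=admin,ou=Administrators,ou=TopologyManagement,
 o=NetscapeRoot";)
aci: (target="ldap:///$rootSuffix")(targetattr="*")(version 3.0; acl "S1IS
  Top-level admin rights"; allow (all) roledn = "ldap:///cn=Top-level Admin
  Role,$rootSuffix";)
"""

ACL_NAME = re.compile(r'\bacl\s*"([^"]*)"')


def unfold_ldif(text):
    """Join LDIF continuation lines (leading single space) onto their line."""
    lines = []
    for raw in text.splitlines():
        if raw[:1] == " " and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def attr_values(text, attr="aci"):
    """All values of `attr` in an LDIF text. An 'attr::' line is base64."""
    values = []
    for line in unfold_ldif(text):
        name, sep, rest = line.partition(":")
        if not sep or name.strip().lower() != attr:
            continue
        if rest.startswith(":"):
            values.append(base64.b64decode(rest[1:].strip()).decode("utf-8"))
        else:
            values.append(rest.strip())
    return values


def acl_name(aci):
    """The acl "..." label; the guide identifies every ACI by it."""
    m = ACL_NAME.search(aci)
    return m.group(1) if m else aci


def render_template(template, root_suffix=ROOT_SUFFIX):
    """Step 3 of the procedure: replace every $rootSuffix occurrence."""
    return template.replace("$rootSuffix", root_suffix)


def acis_lost_by_replace(current_dump, rendered_template):
    """Current ACIs whose acl name is absent from the replacement file; these
    are exactly what `replace: aci` removes without further notice."""
    kept = {acl_name(a) for a in attr_values(rendered_template)}
    return [a for a in attr_values(current_dump) if acl_name(a) not in kept]


def reapply_ldif(acis, root_suffix=ROOT_SUFFIX):
    """LDIF that adds the chosen ACIs back once replacement.acis.ldif is in."""
    if not acis:
        return ""
    body = [f"dn: {root_suffix}", "changetype: modify", "add: aci"]
    body += [f"aci: {a}" for a in acis]
    return "\n".join(body) + "\n"


if __name__ == "__main__":
    rendered = render_template(TEMPLATE)
    lost = acis_lost_by_replace(CURRENT_DUMP, rendered)
    for aci in lost:
        print("would be removed:", acl_name(aci))
    # Re-add only what is not on the guide's discard list: "S1IS Deny deleting
    # self" is discarded on purpose, the Portal Server ACI is not ours to drop.
    print(reapply_ldif([a for a in lost
                        if acl_name(a) != "S1IS Deny deleting self"]), end="")
```

Run it against your real step 1 dump and your edited template, then compare the reported names with the discard list in the analysis sections before writing the re-add LDIF.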
Removing the Dynamic Organization ACIs
When you create an organization with the Delegated Administrator console, a group of ACIs is created at the organization node.
Because of the replacement ACIs installed in the preceding procedure, these per-organization ACIs are no longer needed. You can use the Access Manager console to stop the per-organization ACIs from being created. Perform the following steps.
- Log in to the AM console as amAdmin. The AM console is located at the following URL:
http://<machine name>:<port>/amconsole
where
<machine name> is the system on which Access Manager is running.
<port> is the port.
- Select the Service Configuration tab.
By default, the Administration Configuration page is displayed.
- On the right side of the console, scroll down to Dynamic Administrative Role ACIs.
- In the Dynamic Administrative Role ACIs text box, select all the ACIs and delete them.
- Save the edited configuration.
Analysis of Existing ACIs
The listing in this section shows the ACIs installed in the directory when Access Manager and Messaging Server are installed. It also describes the function of each ACI and suggests whether it should be retained, consolidated, or discarded.
The ACIs fall into the following categories.
Root Suffix
-------------------------------------------------------------------------------------------------------------
dn: $rootSuffix
#
# consolidate
#
aci:
(targetattr != "nsroledn || aci || nsLookThroughLimit || nsSizeLimit ||
nsTimeLimit || nsIdleTimeout || passwordPolicySubentry || passwordExpirationTime
|| passwordExpWarned || passwordRetryCount || retryCountResetTime
|| accountUnlockTime || passwordHistory || passwordAllowChangeTime")
(version 3.0; acl "Allow self entry modification except for nsroledn, aci, resource limit attributes, passwordPolicySubentry and password policy state attributes";
allow(write)
userdn ="ldap:///self";)
Action: consolidate
Self access to this suffix is not needed. This ACI is duplicated. It can be consolidated into the self ACI at the root suffix.
-------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------------
#
# retain
#
aci:
(targetattr = "*")
(version 3.0; acl "Configuration Administrator";
allow (all)
userdn = "ldap:///uid=admin, ou=Administrators, ou=TopologyManagement,o=NetscapeRoot";)
Action: retain
This is the "admin" user, authenticated through Pass-Through Authentication to the slapd-config instance. If all configuration is performed as Directory Manager with the command-line utilities, this ACI is not needed. If you need to authenticate to the console as this user, you can keep this ACI here. Similar ACIs can be removed.
-------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------------
#
# discard
#
aci:
(targetattr ="*")
(version 3.0;acl "Configuration Administrators Group";
allow (all)
(groupdn = "ldap:///cn=Configuration Administrators, ou=Groups, ou=TopologyManagement, o=NetscapeRoot");)
Action: remove from all DB back ends
This is the "Configuration Administrators" group, which has rights when the console is used to delegate server administration.
-------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------------
#
# discard
#
aci:
(targetattr ="*")
(version 3.0;acl "Directory Administrators Group";
allow (all)
(groupdn = "ldap:///cn=Directory Administrators, $rootSuffix");)
Action: remove from all DB back ends
This is the generic "Directory Administrators" group rights definition.
-------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------------
#
# discard
#
aci:
(targetattr = "*")
(version 3.0; acl "SIE Group";
allow (all)
groupdn = "ldap:///cn=slapd-whater, cn=Sun ONE Directory Server, cn=Server Group, cn=whater.red.iplanet.com, ou=red.iplanet.com, o=NetscapeRoot";)
Action: remove from all DB back ends
This is the console/Administration Server related group rights definition.
-------------------------------------------------------------------------------------------------------------
Access Manager
-------------------------------------------------------------------------------------------------------------
#
# retain
#
aci:
(target="ldap:///$rootSuffix")
(targetattr="*")
(version 3.0; acl "S1IS Proxy user rights";
allow (proxy)
userdn = "ldap:///cn=puser,ou=DSAME Users,$rootSuffix"; )
Action: retain
This ACI grants access rights to an Access Manager system user.
-------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------------
#
# retain
#
aci:
(target="ldap:///$rootSuffix")
(targetattr="*")
(version 3.0; acl "S1IS special dsame user rights for all under the root suffix";
allow (all)
userdn = "ldap:///cn=dsameuser,ou=DSAME Users,$rootSuffix"; )
Action: retain
This ACI grants access rights to an Access Manager system user.
-------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------------
#
# retain
#
aci:
(target="ldap:///$rootSuffix")(targetattr="*")
(version 3.0;acl "S1IS special ldap auth user rights";
allow (read,search)
userdn = "ldap:///cn=amldapuser,ou=DSAME Users,$rootSuffix"; )
Action: retain
This ACI grants access rights to an Access Manager system user.
-------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------------
#
# discard
#
aci:
(target="ldap:///cn=amldapuser,ou=DSAME Users,$rootSuffix")
(targetattr = "*")
(version 3.0;
acl "S1IS special ldap auth user modify right";
allow (write)
roledn != "ldap:///cn=Top-level Admin Role,$rootSuffix";)
Action: discard
This ACI prevents the Top-level Administrator (TLA) from modifying the amldapuser account.
-------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------------
#
# retain
#
aci:
(target="ldap:///$rootSuffix")
(targetattr="*")
(version 3.0; acl "S1IS Top-level admin rights";
allow (all)
roledn = "ldap:///cn=Top-level Admin Role,$rootSuffix"; )
Action: retain
This ACI grants access rights to the TLA role.
-------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------------
#
# discard
#
aci:
(targetattr="iplanet-am-saml-user || iplanet-am-saml-password")(targetfilter="(objectclass=iplanet-am-saml-service)")
(version 3.0; acl "S1IS Right to modify saml user and password";
deny (all)
(roledn != "ldap:///cn=Top-level Admin Role,$rootSuffix")
AND (userdn != "ldap:///cn=dsameuser,ou=DSAME Users,$rootSuffix")
AND (userdn != "ldap:///cn=puser,ou=DSAME Users,$rootSuffix"); )
Action: discard
This ACI protects the SAML-related attributes.
-------------------------------------------------------------------------------------------------------------
Top-level Help Desk Admin Role
-------------------------------------------------------------------------------------------------------------
#
# discard
#
aci:
(target="ldap:///$rootSuffix")
(targetfilter=(!(nsroledn=cn=Top-level Admin Role,$rootSuffix)))
(targetattr = "*")
(version 3.0; acl "S1IS Top-level Help Desk Admin Role access allow";
allow (read,search)
roledn = "ldap:///cn=Top-level Help Desk Admin Role,$rootSuffix";)
Action: discard
-------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------------
#
# discard
#
aci:
(target="ldap:///$rootSuffix")
(targetfilter=(!(nsroledn=cn=Top-level Admin Role,$rootSuffix)))
(targetattr = "userPassword")
(version 3.0; acl "S1IS Top-level Help Desk Admin Role access allow";
allow (write)
roledn = "ldap:///cn=Top-level Help Desk Admin Role,$rootSuffix";)
Action: discard
-------------------------------------------------------------------------------------------------------------
Top-level Policy Admin Role
-------------------------------------------------------------------------------------------------------------
#
# discard
#
aci:
(target="ldap:///$rootSuffix")
(targetfilter=(!(|(nsroledn=cn=Top-level Admin Role,$rootSuffix))))
(targetattr = "*")
(version 3.0; acl "S1IS Top-level Policy Admin Role access allow";
allow (read,search)
roledn = "ldap:///cn=Top-level Policy Admin Role,$rootSuffix";)
Action: discard
This ACI relates to the Top-level Policy Admin Role.
-------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------------
#
# discard
#
aci:
(target="ldap:///ou=iPlanetAMAuthService,ou=services,*$rootSuffix")
(targetattr = "*")
(version 3.0; acl "S1IS Top-level Policy Admin Role access Auth Service deny";
deny (add,write,delete)
roledn = "ldap:///cn=Top-level Policy Admin Role,$rootSuffix";)
Action: discard
This ACI relates to the Top-level Policy Admin Role.
-------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------------
#
# discard
#
aci:
(target="ldap:///ou=services,*$rootSuffix")
(targetattr = "*")
(version 3.0; acl "S1IS Top-level Policy Admin Role access allow";
allow (all)
roledn = "ldap:///cn=Top-level Policy Admin Role,$rootSuffix";)
Action: discard
This ACI relates to the Top-level Policy Admin Role.
-------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------------
#
# discard
#
aci:
(target="ldap:///$rootSuffix")
(targetfilter="(objectclass=sunismanagedorganization)")
(targetattr = "sunRegisteredServiceName")
(version 3.0; acl "S1IS Top-level Policy Admin Role access allow";
allow (read,write,search)
roledn = "ldap:///cn=Top-level Policy Admin Role,$rootSuffix";)
Action: discard
This ACI relates to the Top-level Policy Admin Role.
-------------------------------------------------------------------------------------------------------------
AM Self
-------------------------------------------------------------------------------------------------------------
#
# consolidate
#
aci:
(targetattr = "*")
(version 3.0;
acl "S1IS Deny deleting self";
deny (delete)
userdn ="ldap:///self";)
Action: consolidate into a single self-write ACI. End users have no right to delete any entry, including their own, so an explicit deny is not needed.
One of the ACIs that set self rights. The explicit deny prevents any entry from deleting itself.
-------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------------
#
# consolidate
#
aci:
(targetattr = "objectclass || inetuserstatus || iplanet-am-user-login-status
|| iplanet-am-web-agent-access-allow-list || iplanet-am-domain-url-access-allow
|| iplanet-am-web-agent-access-deny-list || iplanet-am-user-account-life
|| iplanet-am-session-max-session-time || iplanet-am-session-max-idle-time
|| iplanet-am-session-get-valid-sessions || iplanet-am-session-destroy-sessions
|| iplanet-am-session-add-session-listener-on-all-sessions || iplanet-am-user-admin-start-dn
|| iplanet-am-auth-post-login-process-class")
(targetfilter=(!(nsroledn=cn=Top-level Admin Role,$rootSuffix)))
(version 3.0; acl "S1IS User status self modification denied";
deny (write)
userdn ="ldap:///self";)
Action: consolidate into a single self-write ACI
One of the ACIs that set self-write rights.
-------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------------
#
# consolidate
#
aci:
(targetattr != "iplanet-am-static-group-dn || uid || nsroledn || aci || nsLookThroughLimit
|| nsSizeLimit || nsTimeLimit || nsIdleTimeout || memberOf || iplanet-am-web-agent-access-allow-list
|| iplanet-am-domain-url-access-allow || iplanet-am-web-agent-access-deny-list")
(version 3.0; acl "S1IS Allow self entry modification except for nsroledn, aci, and resource limit attributes";
allow(write)
userdn ="ldap:///self";)
Action: consolidate into a single self-write ACI
One of the ACIs that set self rights.
-------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------------
#
# consolidate
#
aci:
(targetattr != "aci || nsLookThroughLimit || nsSizeLimit || nsTimeLimit
|| nsIdleTimeout || iplanet-am-domain-url-access-allow")
(version 3.0; acl "S1IS Allow self entry read search except for nsroledn, aci, resource limit and
web agent policy attributes";
allow (read,search)
userdn ="ldap:///self";)
Action: consolidate into a single self-write ACI
One of the ACIs that set self-write rights.
-------------------------------------------------------------------------------------------------------------
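The self-modification rules above (the one at the root suffix and the AM Self rules in this category) are merged into a single allow-except ACI. Because Directory Server grants write on an attribute when any allow rule covers it and no deny rule names it, such a merge can silently loosen self-service if the combined exclusion list misses an attribute. The following Python script is an added example (not from the guide) of checking a merge for that; its ACIs are constructed in the shape of the guide's rules, not the guide's own text.

```python
"""Does consolidating several self-write ACIs into one widen what a user can
change on their own entry? Added example, not from the Delegated Administrator
guide; the rules below are constructed in the shape of the "Allow self entry
modification" ACIs that the guide merges.

Directory Server grants write on an attribute when some allow rule covers it
and no deny rule targets it. So with several `(targetattr != "...")
allow(write)` rules, only attributes excluded by ALL of them stay protected;
deny rules protect whatever they name. The merged rule must exclude at least
that set, or the consolidation quietly loosens self-service.
"""
import re

TARGETATTR = re.compile(r'\(\s*targetattr\s*(!?=)\s*"([^"]*)"\s*\)', re.I)
RIGHTS = re.compile(r'\b(allow|deny)\s*\(([^)]*)\)', re.I)
SELF_BIND = re.compile(r'userdn\s*=\s*"ldap:///self"', re.I)

# Constructed originals: two allow-except rules plus one deny, as AM installs.
ORIGINAL_SELF_ACIS = [
    '(targetattr != "nsroledn || aci || nsLookThroughLimit")'
    '(version 3.0; acl "self mod A (constructed)"; allow(write)'
    ' userdn ="ldap:///self";)',
    '(targetattr = "objectclass || inetuserstatus")'
    '(version 3.0; acl "status self mod denied (constructed)"; deny (write)'
    ' userdn ="ldap:///self";)',
    '(targetattr != "aci || uid || memberOf")'
    '(version 3.0; acl "self mod B (constructed)"; allow(write)'
    ' userdn ="ldap:///self";)',
]

# Constructed merged rule: its author remembered objectclass but not
# inetuserstatus, which is the kind of slip the check below is for.
CONSOLIDATED_SELF_ACI = (
    '(targetattr != "nsroledn || aci || nsLookThroughLimit || uid || memberOf'
    ' || objectclass")(version 3.0; acl "Allow self entry modification'
    ' (constructed)"; allow(write) userdn ="ldap:///self";)'
)


def self_write_rule(aci):
    """(kind, negated, attrs) for a userdn=self rule that affects write
    access, or None when the ACI is not such a rule."""
    if not SELF_BIND.search(aci):
        return None
    target, rights = TARGETATTR.search(aci), RIGHTS.search(aci)
    if not target or not rights:
        return None
    granted = {r.strip().lower() for r in rights.group(2).split(",")}
    if not granted & {"write", "all"}:
        return None
    attrs = {a.strip().lower() for a in target.group(2).split("||") if a.strip()}
    return rights.group(1).lower(), target.group(1) == "!=", attrs


def protected_attrs(acis):
    """Attributes these self rules keep read-only for the user: the ones
    excluded by every allow rule, plus the ones any deny rule names."""
    exclusions, denied = [], set()
    for aci in acis:
        rule = self_write_rule(aci)
        if rule is None:
            continue
        kind, negated, attrs = rule
        if kind == "allow" and negated:
            exclusions.append(attrs)
        elif kind == "allow" and attrs == {"*"}:
            exclusions.append(set())          # allow on every attribute
        elif kind == "deny" and not negated:
            denied |= attrs
        else:
            raise ValueError(f"rule shape not handled here: {aci}")
    if not exclusions:
        raise ValueError("no self allow(write) rule: nothing is writable")
    return set.intersection(*exclusions) | denied


def compare_consolidation(originals, consolidated):
    """Attributes that become writable (a widening, the thing to catch) and
    attributes that become protected (may break legitimate self-service)."""
    before = protected_attrs(originals)
    after = protected_attrs([consolidated])
    return {"newly_writable": before - after, "newly_protected": after - before}


if __name__ == "__main__":
    result = compare_consolidation(ORIGINAL_SELF_ACIS, CONSOLIDATED_SELF_ACI)
    print("became self-writable:", sorted(result["newly_writable"]))
    print("became protected:    ", sorted(result["newly_protected"]))
```

Feed it the self rules from your own step 1 dump and the merged rule from your edited replacement file; an empty newly_writable set is the result you want before running ldapmodify.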
AM Anonymous
-------------------------------------------------------------------------------------------------------------
#
# consolidate
#
aci:
(target="ldap:///ou=services,$rootSuffix")
(targetfilter=(!(objectclass=sunServiceComponent)))
(targetattr = "*")
(version 3.0; acl "S1IS Services anonymous access";
allow (read, search, compare)
userdn = "ldap:///anyone";)
Action: consolidate into a single anonymous ACI
One of the ACIs that grant anonymous rights.
-------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------------
#
# consolidate
#
aci:
(target="ldap:///ou=iPlanetAMAdminConsoleService,*,$rootSuffix")
(targetattr = "*")
(version 3.0; acl "S1IS iPlanetAMAdminConsoleService anonymous access";
allow (read, search, compare)
userdn = "ldap:///anyone";)
Action: consolidate into a single anonymous ACI
One of the ACIs that grant anonymous rights.
-------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------------
#
# discard
#
aci:
(target="ldap:///$rootSuffix")
(targetfilter=(entrydn=$rootSuffix))
(targetattr="*")
(version 3.0; acl "S1IS Default Organization delete right denied";
deny (delete)
userdn = "ldap:///anyone"; )
Action: discard
This ACI prevents any user (other than the rootdn) from deleting the default organization.
-------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------------
#
# discard
#
aci:
(target="ldap:///cn=Top-level Admin Role,$rootSuffix")
(targetattr="*")
(version 3.0; acl "S1IS Top-level admin delete right denied";
deny(delete)
userdn = "ldap:///anyone"; )
Action: discard
This ACI prevents any user (other than the rootdn) from deleting the TLA role.
-------------------------------------------------------------------------------------------------------------
AM Deny Write Access
-------------------------------------------------------------------------------------------------------------
#
# discard
#
aci:
(targetattr = "*")
(version 3.0; acl "S1IS Deny write to anonymous user";
deny (add,write,delete)
roledn ="ldap:///cn=Deny Write Access,$rootSuffix";)
Action: discard
This ACI relates to the Deny Write Access role.
-------------------------------------------------------------------------------------------------------------
AM Container Admin Role
-------------------------------------------------------------------------------------------------------------
#
# discard
#
aci:
(target="ldap:///($dn),$rootSuffix")
(targetfilter=(!(|(nsroledn=cn=Top-level Admin Role,$rootSuffix)
(nsroledn=cn=Top-level Help Desk Admin Role,$rootSuffix)
(nsroledn=cn=Top-level Policy Admin Role,$rootSuffix))))
(targetattr != "nsroledn")
(version 3.0; acl "S1IS Container Admin Role access allow";
allow (all)
roledn = "ldap:///cn=Container Admin Role,[$dn],$rootSuffix";)
Action: discard
This ACI relates to the Container Admin Role.
-------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------------
#
# discard
#
aci:
(target="ldap:///cn=Container Admin Role,($dn),$rootSuffix")
(targetattr="*")
(version 3.0; acl "S1IS Container Admin Role access deny";
deny (write,add,delete,compare,proxy)
roledn = "ldap:///cn=Container Admin Role,($dn),$rootSuffix";)
Action: discard
This ACI relates to the Container Admin Role.
-------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------------
#
# discard
#
aci:
(target="ldap:///ou=People,$rootSuffix")
(targetfilter=(!(|(nsroledn=cn=Top-level Admin Role,$rootSuffix)
(nsroledn=cn=Top-level Help Desk Admin Role,$rootSuffix)
(nsroledn=cn=Top-level Policy Admin Role,$rootSuffix)
(nsroledn=cn=Organization Admin Role,$rootSuffix)
(nsroledn=cn=Container Admin Role,$rootSuffix))))
(targetattr != "iplanet-am-web-agent-access-allow-list || iplanet-am-domain-url-access-allow
|| iplanet-am-web-agent-access-deny-list || nsroledn")
(version 3.0; acl "S1IS Group and people container admin role";
allow (all)
roledn = "ldap:///cn=ou=People_dc=red_dc=iplanet_dc=com,$rootSuffix";)
Action: discard
This ACI relates to the Group and People Container Admin Role.
-------------------------------------------------------------------------------------------------------------
Organization Help Desk
-------------------------------------------------------------------------------------------------------------
#
# discard
#
aci: (extra verses dreambig)
(target="ldap:///$rootSuffix")
(targetfilter=(!(|(nsroledn=cn=Top-level Admin Role,$rootSuffix)
(nsroledn=cn=Top-level Help Desk Admin Role,$rootSuffix)
(nsroledn=cn=Top-level Policy Admin Role,$rootSuffix)
(nsroledn=cn=Organization Admin Role,$rootSuffix))))
(targetattr = "*")
(version 3.0; acl "S1IS Organization Help Desk Admin Role access allow";
allow (read,search)
roledn = "ldap:///cn=Organization Help Desk Admin Role,$rootSuffix";)
Action: discard
This ACI relates to the Organization Help Desk Admin Role.
-------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------------
#
# discard
#
aci:
(target="ldap:///$rootSuffix")
(targetfilter=(!(|(nsroledn=cn=Top-level Admin Role,$rootSuffix)
(nsroledn=cn=Top-level Help Desk Admin Role,$rootSuffix)
(nsroledn=cn=Top-level Policy Admin Role,$rootSuffix)
(nsroledn=cn=Organization Admin Role,$rootSuffix))))
(targetattr = "userPassword")
(version 3.0; acl "S1IS Organization Help Desk Admin Role access allow";
allow(write)
roledn = "ldap:///cn=Organization Help Desk Admin Role,$rootSuffix";)
Action: discard
This ACI relates to the Organization Help Desk Admin Role.
-------------------------------------------------------------------------------------------------------------
AM Organization Admin Role
-------------------------------------------------------------------------------------------------------------
#
# consolidate
#
aci: (different name: "allow all" instead of "allow")
(target="ldap:///($dn),$rootSuffix")
(targetfilter=(!(|(nsroledn=cn=Top-level Admin Role,$rootSuffix)
(nsroledn=cn=Top-level Help Desk Admin Role,$rootSuffix)
(nsroledn=cn=Top-level Policy Admin Role,$rootSuffix))))
(targetattr != "nsroledn")
(version 3.0; acl "S1IS Organization Admin Role access allow all";
allow (all)
roledn ="ldap:///cn=Organization Admin Role,[$dn],$rootSuffix";)
Action: consolidate
-------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------------
#
# consolidate
#
aci:
(target="ldap:///cn=Organization Admin Role,($dn),$rootSuffix")
(targetattr="*")
(version 3.0; acl "S1IS Organization Admin Role access deny";
deny (write,add,delete,compare,proxy)
roledn = "ldap:///cn=Organization Admin Role,($dn),$rootSuffix";)
Action: consolidate
This ACI relates to the Organization Admin Role.
-------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------------
#
# consolidate
#
aci: (missing)
(target="ldap:///($dn),$rootSuffix")
(targetattr="*")
(version 3.0; acl "Organization Admin Role access allow read to org node";
allow (read,search)
roledn = "ldap:///cn=Organization Admin Role,($dn),$rootSuffix" ;)
Action: consolidate
This ACI relates to the Organization Admin Role.
-------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------------
#
# consolidate
#
aci:
(target="ldap:///($dn),$rootSuffix")
(targetfilter=(!(|(nsroledn=cn=Top-level Admin Role,$rootSuffix)
(nsroledn=cn=Top-level Help Desk Admin Role,$rootSuffix))))
(targetattr != "nsroledn")
(version 3.0; acl "Organization Admin Role access allow";
allow (all)
roledn = "ldap:///cn=Organization Admin Role,[$dn],$rootSuffix";)
Action: consolidate
This ACI relates to the Organization Admin Role.
-------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------------
#
# consolidate
#
aci:
(target="ldap:///($dn),$rootSuffix")
(targetattr!="businessCategory || description || facsimileTelephoneNumber
|| postalAddress || preferredLanguage || searchGuide || postOfficeBox || postalCode
|| registeredaddress || street || l || st || telephonenumber || maildomainreportaddress
|| maildomainwelcomemessage || preferredlanguage || sunenablegab")
(version 3.0; acl "Organization Admin Role access deny to org node";
deny (write,add,delete)
roledn = "ldap:///cn=Organization Admin Role,($dn),$rootSuffix" ;)
Action: consolidate
This ACI relates to the Organization Admin Role.
-------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------------
#
# consolidate
#
aci:
(target="ldap:///($dn),$rootSuffix")
(targetfilter=(!(|(nsroledn=cn=Top-level Admin Role,$rootSuffix)
(nsroledn=cn=Top-level Help Desk Admin Role,$rootSuffix))))
(targetattr != "nsroledn")
(version 3.0; acl "S1IS Organization Admin Role access allow all";
allow (all)
roledn = "ldap:///cn=Organization Admin Role,[$dn],$rootSuffix";)
Action: consolidate
-------------------------------------------------------------------------------------------------------------
AM Miscellaneous
-------------------------------------------------------------------------------------------------------------
#
# discard
#
aci:
(target="ldap:///$rootSuffix")
(targetattr!="nsroledn")
(version 3.0; acl "S1IS Group admin's right to the users he creates";
allow (all)
userattr = "iplanet-am-modifiable-by#ROLEDN";)
Action: discard
Removing this ACI disables the rights associated with the iplanet-am-modifiable-by attribute.
-------------------------------------------------------------------------------------------------------------
Messaging Server
-------------------------------------------------------------------------------------------------------------
#
# consolidate
#
aci:
(target="ldap:///$rootSuffix")
(targetattr="*")
(version 3.0; acl "Messaging Server End User Administrator Read Access Rights -
product=SOMS,schema 2 support,class=installer,num=1,version=1";
allow (read,search)
groupdn="ldap:///cn=Messaging End User Administrators Group, ou=Groups,
$rootSuffix";)
Action: Consolidate
This ACI grants rights to the Messaging End User Administrators Group.
-------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------------
#
# consolidate
#
aci:
(target="ldap:///$rootSuffix")
(targetattr="objectclass||mailalternateaddress||mailautoreplymode
||mailprogramdeliveryinfo||nswmextendeduserprefs||preferredlanguage
||maildeliveryoption||mailforwardingaddress
||mailAutoReplyTimeout||mailautoreplytextinternal||mailautoreplytext
||vacationEndDate||vacationStartDate||mailautoreplysubject||pabURI
||maxPabEntries||mailMessageStore||mailSieveRuleSource||sunUCDateFormat
||sunUCDateDeLimiter||sunUCTimeFormat")
(version 3.0; acl "Messaging Server End User Adminstrator Write Access Rights -
product=SOMS,schema 2 support,class=installer,num=2,version=1";
allow (all)
groupdn="ldap:///cn=Messaging End User Administrators Group, ou=Groups,
$rootSuffix";)
Action: Consolidate
This ACI grants rights to the Messaging End User Administrators Group.
-------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------------
#
# consolidate
#
aci:
(targetattr="uid||ou||owner||mail||mailAlternateAddress
||mailEquivalentAddress||memberOf
||inetuserstatus||mailuserstatus||memberOfManagedGroup||mailQuota
||mailMsgQuota||inetSubscriberAccountId||dataSource||mailhost
||mailAllowedServiceAccess||pabURI||inetCOS||mailSMTPSubmitChannel
||aci")
(targetfilter=(&(objectClass=inetMailUser)(!(nsroledn=cn=Organization Admin Role,*))))
(version 3.0; acl "Deny write access to users over Messaging Server protected attributes -
product=SOMS,schema 2 support,class=installer,num=3,version=1 ";
deny (write)
userdn = "ldap:///self";)
Action: Consolidate
This is one of the ACIs that set self rights.
-------------------------------------------------------------------------------------------------------------
Analysis of How the ACIs Are Consolidated
The listing in this section shows the ACIs consolidated in the replacement ldif file, replacement.acis.ldif, which you can use to consolidate the ACIs in the directory. For instructions on replacing the ACIs, see Steps for Replacing ACIs.
The ACIs are shown in pairs. For each category, the original ACIs are listed first, followed by the consolidated ACIs.
Original Anonymous Access Rights
aci:
(targetattr != "userPassword || passwordHistory || passwordExpirationTime
|| passwordExpWarned || passwordRetryCount || retryCountResetTime ||
accountUnlockTime || passwordAllowChangeTime ")
(version 3.0; acl "Anonymous access";
allow (read, search, compare)
userdn = "ldap:///anyone";)
aci:
(target="ldap:///cn=Top-level Admin Role,$rootSuffix")
(targetattr="*")
(version 3.0; acl "S1IS Top-level admin delete right denied";
deny (delete)
userdn = "ldap:///anyone";)
aci:
(target="ldap:///$rootSuffix")
(targetfilter=(entrydn=$rootSuffix))
(targetattr="*")
(version 3.0; acl "S1IS Default Organization delete right denied";
deny (delete)
userdn = "ldap:///anyone";)
aci:
(target="ldap:///ou=services,$rootSuffix")
(targetfilter=(!(objectclass=sunServiceComponent)))
(targetattr = "*")
(version 3.0; acl "S1IS Services anonymous access";
allow (read, search, compare)
userdn = "ldap:///anyone";)
aci:
(target="ldap:///ou=iPlanetAMAdminConsoleService,*,$rootSuffix")
(targetattr = "*")
(version 3.0; acl "S1IS iPlanetAMAdminConsoleService anonymous access";
allow (read, search, compare)
userdn = "ldap:///anyone";)
Consolidated Anonymous Access Rights
aci:
(target="ldap:///$rootSuffix")
(targetfilter=(!(objectclass=sunServiceComponent)))
(targetattr != "userPassword||passwordHistory
||passwordExpirationTime||passwordExpWarned||passwordRetryCount
||retryCountResetTime||accountUnlockTime||passwordAllowChangeTime")
(version 3.0; acl "anonymous access rights";
allow (read,search,compare)
userdn = "ldap:///anyone";)
Analysis: There is already anonymous access at the root that allows the same rights and excludes the aci attribute. The Access Manager replacement does away with the (*) in the target, since the anonymous access it grants to the suffix is costly.
Original Self ACIs
aci:
(targetattr != "nsroledn || aci || nsLookThroughLimit || nsSizeLimit ||
nsTimeLimit || nsIdleTimeout || passwordPolicySubentry || passwordExpirationTime
|| passwordExpWarned || passwordRetryCount || retryCountResetTime ||
accountUnlockTime || passwordHistory || passwordAllowChangeTime")
(version 3.0; acl "Allow self entry modification except for nsroledn, aci, resource
limit attributes, passwordPolicySubentry and password policy state attributes";
allow(write)
userdn ="ldap:///self";)
aci:
(targetattr = "*")
(version 3.0; acl "S1IS Deny deleting self";
deny (delete)
userdn ="ldap:///self";)
aci:
(targetattr = "objectclass || inetuserstatus || iplanet-am-web-agent-access-allow-list
|| iplanet-am-domain-url-access-allow || iplanet-am-web-agent-access-deny-list
|| iplanet-am-user-account-life || iplanet-am-session-max-session-time
|| iplanet-am-session-max-idle-time || iplanet-am-session-get-valid-sessions
|| iplanet-am-session-destroy-sessions || iplanet-am-session-add-session-listener-on-all-sessions
|| iplanet-am-user-admin-start-dn || iplanet-am-auth-post-login-process-class")
(targetfilter=(!(nsroledn=cn=Top-level Admin Role,$rootSuffix)))
(version 3.0; acl "S1IS User status self modification denied";
deny (write)
userdn ="ldap:///self";)
aci:
(targetattr != "iplanet-am-static-group-dn || uid || nsroledn || aci || nsLookThroughLimit
|| nsSizeLimit || nsTimeLimit || nsIdleTimeout || memberOf || iplanet-am-web-agent-access-allow-list
|| iplanet-am-domain-url-access-allow || iplanet-am-web-agent-access-deny-list")
(version 3.0; acl "S1IS Allow self entry modification except for nsroledn, aci,
and resource limit attributes";
allow(write)
userdn ="ldap:///self";)
aci:
(targetattr != "aci || nsLookThroughLimit || nsSizeLimit || nsTimeLimit
|| nsIdleTimeout || iplanet-am-domain-url-access-allow")
(version 3.0; acl "S1IS Allow self entry read search except for nsroledn, aci, resource
limit and web agent policy attributes";
allow (read,search)
userdn ="ldap:///self";)
aci:
(targetattr="uid||ou||owner||mail||mailAlternateAddress||mailEquivalentAddress||memberOf
||inetuserstatus||mailuserstatus||memberOfManagedGroup||mailQuota||mailMsgQuota
||inetSubscriberAccountId||dataSource||mailhost||mailAllowedServiceAccess
||pabURI||inetCOS||mailSMTPSubmitChannel||aci")
(targetfilter=(&(objectClass=inetMailUser)(!(nsroledn=cn=Organization Admin Role,*))))
(version 3.0; acl "Deny write access to users over Messaging Server protected attributes -
product=SOMS,schema 2 support,class=installer,num=3,version=1 ";
deny (write)
userdn ="ldap:///self";)
Consolidated Self ACIs
aci:
(targetattr != "nsroledn || aci || nsLookThroughLimit || nsSizeLimit
|| nsTimeLimit || nsIdleTimeout || passwordPolicySubentry || passwordExpirationTime
|| passwordExpWarned || passwordRetryCount || retryCountResetTime
|| accountUnlockTime || passwordHistory || passwordAllowChangeTime || uid || memberOf
|| objectclass || inetuserstatus || ou || owner || mail || mailuserstatus
|| memberOfManagedGroup || mailQuota || mailMsgQuota || mailhost
|| mailAllowedServiceAccess || inetCOS || mailSMTPSubmitChannel")
(version 3.0; acl "Allow self entry modification";
allow(write)
userdn ="ldap:///self";)
aci:
(targetattr != "aci || nsLookThroughLimit || nsSizeLimit
|| nsTimeLimit || nsIdleTimeout")
(version 3.0; acl "Allow self entry read search";
allow(read,search)
userdn ="ldap:///self";)
Analysis: All iplanet-am-* attributes are dropped. Because deny is the default when no ACI exists, all of the deny ACIs are removed. The ACIs that allow write are consolidated into a single ACI.
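The consolidation above works only if the exclusion list of the single self-write allow covers every attribute that the removed deny ACIs protected, since nothing else denies once those ACIs are gone. The script below is an added example, not part of the Sun documentation or of replacement.acis.ldif: it parses ACIs in the form shown in this appendix and reports each attribute the original self-deny covered that the consolidated allow does not exclude, so the list can be reviewed before the replacement file is applied. The two ACI strings are copied from the listings above (product tag shortened); target and targetfilter scope are assumed equal and are not compared.

```python
"""Added example (not from the Sun documentation): compare an original deny
ACI with the consolidated allow ACI that replaces it.  Directory Server
denies by default, so a self-write deny may only be dropped if the
consolidated allow's targetattr != list excludes every attribute it covered.
Scope (target/targetfilter) is assumed identical and is not compared."""
import re

# ACI text copied from the appendix listings (product tag shortened).
ORIGINAL_SELF_DENY = '''(targetattr="uid||ou||owner||mail||mailAlternateAddress||mailEquivalentAddress
||memberOf||inetuserstatus||mailuserstatus||memberOfManagedGroup||mailQuota
||mailMsgQuota||inetSubscriberAccountId||dataSource||mailhost
||mailAllowedServiceAccess||pabURI||inetCOS||mailSMTPSubmitChannel||aci")
(targetfilter=(&(objectClass=inetMailUser)(!(nsroledn=cn=Organization Admin Role,*))))
(version 3.0; acl "Deny write access to users over Messaging Server protected attributes";
deny (write)
userdn ="ldap:///self";)'''

CONSOLIDATED_SELF_ALLOW = '''(targetattr != "nsroledn || aci || nsLookThroughLimit || nsSizeLimit
|| nsTimeLimit || nsIdleTimeout || passwordPolicySubentry || passwordExpirationTime
|| passwordExpWarned || passwordRetryCount || retryCountResetTime
|| accountUnlockTime || passwordHistory || passwordAllowChangeTime || uid || memberOf
|| objectclass || inetuserstatus || ou || owner || mail || mailuserstatus
|| memberOfManagedGroup ||mailQuota || mailMsgQuota || mailhost
|| mailAllowedServiceAccess || inetCOS || mailSMTPSubmitChannel")
(version 3.0; acl "Allow self entry modification";
allow(write)
userdn ="ldap:///self";)'''

TARGETATTR_RE = re.compile(r'\(\s*targetattr\s*(!=|=)\s*"([^"]*)"\s*\)', re.I)
RULE_RE = re.compile(r'acl\s+"([^"]*)"\s*;\s*(allow|deny)\s*\(([^)]*)\)', re.I)


def parse_aci(text):
    """Pull out the parts this check needs.  Attribute names are lowercased
    because LDAP attribute names are case-insensitive."""
    attr, rule = TARGETATTR_RE.search(text), RULE_RE.search(text)
    if not (attr and rule):
        raise ValueError("ACI lacks a targetattr clause or an allow/deny rule")
    return {
        "name": rule.group(1),
        "effect": rule.group(2).lower(),
        "perms": {p.strip().lower() for p in rule.group(3).split(",")},
        "attr_op": attr.group(1),
        "attrs": {a.strip().lower() for a in attr.group(2).split("||") if a.strip()},
    }


def lost_protection(deny_aci, allow_aci):
    """Attributes the deny ACI covered that the consolidated allow now grants.
    A non-empty result lists what to add to the allow's exclusion list."""
    deny, allow = parse_aci(deny_aci), parse_aci(allow_aci)
    if deny["effect"] != "deny" or allow["effect"] != "allow":
        raise ValueError("expected a deny ACI followed by an allow ACI")
    if allow["attr_op"] != "!=":
        raise ValueError("consolidated allow must use an exclusion (!=) list")
    # Only permissions both rules speak to matter; allow (all) covers everything.
    shared = deny["perms"] if "all" in allow["perms"] else deny["perms"] & allow["perms"]
    return deny["attrs"] - allow["attrs"] if shared else set()


if __name__ == "__main__":
    for name in sorted(lost_protection(ORIGINAL_SELF_DENY, CONSOLIDATED_SELF_ALLOW)):
        print("self write no longer denied on:", name)
```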
Original Messaging Server ACIs
aci:
(target="ldap:///$rootSuffix")
(targetattr="*")
(version 3.0; acl "Messaging Server End User Administrator Read Access Rights -
product=SOMS,schema 2 support,class=installer,num=1,version=1";
allow (read,search)
groupdn="ldap:///cn=Messaging End User Administrators Group, ou=Groups,
$rootSuffix";)
aci:
(target="ldap:///$rootSuffix")
(targetattr="objectclass||mailalternateaddress||mailautoreplymode||mailprogramdeliveryinfo
||nswmextendeduserprefs||preferredlanguage||maildeliveryoption||mailforwardingaddress
||mailAutoReplyTimeout||mailautoreplytextinternal||mailautoreplytext||vacationEndDate
||vacationStartDate||mailautoreplysubject||pabURI||maxPabEntries||mailMessageStore
||mailSieveRuleSource||sunUCDateFormat||sunUCDateDeLimiter||sunUCTimeFormat")
(version 3.0; acl "Messaging Server End User Adminstrator Write Access Rights -
product=SOMS,schema 2 support,class=installer,num=2,version=1";
allow (all)
groupdn="ldap:///cn=Messaging End User Administrators Group, ou=Groups,
$rootSuffix";)
aci:
(targetattr="uid||ou||owner||mail||mailAlternateAddress||mailEquivalentAddress||memberOf
||inetuserstatus||mailuserstatus||memberOfManagedGroup||mailQuota||mailMsgQuota
||inetSubscriberAccountId||dataSource||mailhost||mailAllowedServiceAccess
||pabURI||inetCOS||mailSMTPSubmitChannel||aci")
(targetfilter=(&(objectClass=inetMailUser)(!(nsroledn=cn=Organization Admin Role,*))))
(version 3.0; acl "Deny write access to users over Messaging Server protected
attributes - product=SOMS,schema 2 support,class=installer,num=3,version=1 ";
deny (write)
userdn ="ldap:///self";)
Consolidated Messaging Server ACIs
The self ACI is handled under the self ACIs.
aci:
(targetattr="*")
(version 3.0; acl "Messaging Server End User Administrator Read Only Access";
allow (read,search)
groupdn = "ldap:///cn=Messaging End User Administrators
group,ou=Groups,$rootSuffix"; )
aci:
(targetattr="objectclass || mailalternateaddress || Mailautoreplymode ||
mailprogramdeliveryinfo || preferredlanguage || maildeliveryoption
|| mailforwardingaddress || mailAutoReplyTimeout || mailautoreplytextinternal
|| mailautoreplytext || vacationEndDate || vacationStartDate
|| mailautoreplysubject || maxPabEntries || mailMessageStore
|| mailSieveRuleSource || sunUCDateFormat || sunUCDateDeLimiter
|| sunUCTimeFormat || mailuserstatus || maildomainstatus")
(version 3.0; acl "Messaging Server End User Administrator All Access";
allow (all)
groupdn = "ldap:///cn=Messaging End User Administrators
group,ou=Groups,$rootSuffix";)
Analysis: Same as the original ACIs.
Original Organization Admin ACIs
aci: (different name - "allow all" instead of "allow")
(target="ldap:///($dn),$rootSuffix")
(targetfilter=(!(|(nsroledn=cn=Top-level Admin Role,$rootSuffix)
(nsroledn=cn=Top-level Help Desk Admin Role,$rootSuffix)
(nsroledn=cn=Top-level Policy Admin Role,$rootSuffix))))
(targetattr != "nsroledn")
(version 3.0; acl "S1IS Organization Admin Role access allow all";
allow (all)
roledn ="ldap:///cn=Organization Admin Role,[$dn],$rootSuffix";)
aci: (missing)
(target="ldap:///($dn),$rootSuffix")
(targetattr="*")
(version 3.0; acl "Organization Admin Role access allow read to org node";
allow (read,search)
roledn = "ldap:///cn=Organization Admin Role,($dn),$rootSuffix";)
aci:
(target="ldap:///($dn),$rootSuffix")
(targetfilter=(!(|(nsroledn=cn=Top-level Admin Role,$rootSuffix)
(nsroledn=cn=Top-level Help Desk Admin Role,$rootSuffix))))
(targetattr != "nsroledn")
(version 3.0; acl "Organization Admin Role access allow";
allow (all)
roledn = "ldap:///cn=Organization Admin Role,[$dn],$rootSuffix";)
aci:
(target="ldap:///($dn),$rootSuffix")
(targetattr!="businessCategory || description || facsimileTelephoneNumber
|| postalAddress || preferredLanguage || searchGuide || postOfficeBox || postalCode
|| registeredaddress || street || l || st || telephonenumber || maildomainreportaddress
|| maildomainwelcomemessage || preferredlanguage || sunenablegab")
(version 3.0; acl "Organization Admin Role access deny to org node";
deny (write,add,delete)
roledn = "ldap:///cn=Organization Admin Role,($dn),$rootSuffix";)
aci: (duplicate of per organization aci)
(target="ldap:///cn=Organization Admin Role,($dn),$rootSuffix")
(targetattr="*")
(version 3.0; acl "S1IS Organization Admin Role access deny";
deny (write,add,delete,compare,proxy)
roledn = "ldap:///cn=Organization Admin Role,($dn),$rootSuffix";)
aci:
(target="ldap:///cn=Organization Admin Role,($dn),dc=red,dc=iplanet,dc=com")
(targetattr="*")
(version 3.0; acl "S1IS Organization Admin Role access deny";
deny (write,add,delete,compare,proxy)
roledn = "ldap:///cn=Organization Admin Role,($dn),$rootSuffix";)
aci:
(target="ldap:///o=fullOrg1,o=VIS,o=siroe.com,o=SharedDomainsRoot,
o=Business,$rootSuffix")
(targetfilter=(!(|(nsroledn=cn=Top-level Admin Role,$rootSuffix)
(nsroledn=cn=Top-level Help Desk Admin Role,dc=red,dc=iplanet,dc=com))))
(targetattr = "nsroledn")
(targattrfilters="add=nsroledn:(nsroledn=*,o=fullOrg1,o=VIS,o=siroe.com,
o=SharedDomainsRoot,o=Business,$rootSuffix),
del=nsroledn:(nsroledn=*,o=fullOrg1,o=VIS,o=siroe.com,o=SharedDomainsRoot,
o=Business,$rootSuffix)")
(version 3.0;
acl "S1IS Organization Admin Role access allow";
allow (all)
roledn = "ldap:///cn=Organization Admin
Role,o=fullOrg1,o=VIS,o=siroe.com,o=SharedDomainsRoot,o=Business,
$rootSuffix";)
aci:
(target="ldap:///($dn),$rootSuffix")
(targetfilter=(!(|(nsroledn=cn=Top-level Admin Role,$rootSuffix)
(nsroledn=cn=Top-level Help Desk Admin Role,$rootSuffix))))
(targetattr != "nsroledn")
(version 3.0; acl "S1IS Organization Admin Role access allow all";
allow (all)
roledn = "ldap:///cn=Organization Admin Role,[$dn],dc=red,dc=iplanet,dc=com";)
Consolidated Organization Admin ACIs
aci:
(target="ldap:///cn=Organization Admin Role,($dn),$rootSuffix")
(targetattr="*")
(version 3.0; acl "S1IS Organization Admin Role access deny";
deny (write,add,delete,compare,proxy)
roledn = "ldap:///cn=Organization Admin Role,($dn),$rootSuffix";)
aci:
(target="ldap:///($dn),$rootSuffix")
(targetattr="*")
(version 3.0; acl "Organization Admin Role access allow read";
allow(read,search)
roledn = "ldap:///cn=Organization Admin Role,[$dn],$rootSuffix";)
aci:
(target="ldap:///($dn),$rootSuffix")
(targetfilter=(!(|(nsroledn=cn=Top-level Admin Role,$rootSuffix)
(entrydn=($dn),$rootSuffix))))
(targetattr = "*")
(version 3.0; acl "S1IS Organization Admin Role access allow";
allow (all)
roledn = "ldap:///cn=Organization Admin Role,[$dn],$rootSuffix";)
Unused ACIs to Be Deleted
The listing in this section shows the default ACIs that are deleted from the directory when the replacement.acis.ldif file is applied, because they are not used.
The ACIs to be removed fall into the following categories.
Suffix
#
# discard
#
aci:
(targetattr ="*")
(version 3.0;acl "Configuration Administrators Group";
allow (all)
(groupdn = "ldap:///cn=Configuration Administrators, ou=Groups,
ou=TopologyManagement, o=NetscapeRoot");)
#
# discard
#
aci:
(targetattr ="*")
(version 3.0;acl "Directory Administrators Group";
allow (all)
(groupdn = "ldap:///cn=Directory Administrators, $rootSuffix");)
#
# discard
#
aci:
(targetattr = "*")
(version 3.0;
acl "SIE Group";
allow (all)
groupdn = "ldap:///cn=slapd-whater, cn=Sun ONE Directory Server, cn=Server
Group, cn=whater.red.iplanet.com, ou=red.iplanet.com, o=NetscapeRoot";)
#
# discard - prevents TLA from modifying the amldapuser account
#
aci:
(target="ldap:///cn=amldapuser,ou=DSAME Users,$rootSuffix")
(targetattr = "*")
(version 3.0;
acl "S1IS special ldap auth user modify right";
deny (write)
roledn != "ldap:///cn=Top-level Admin Role,$rootSuffix";)
#
# discard - protects SAML related attributes
#
aci:
(targetattr="iplanet-am-saml-user || iplanet-am-saml-password")
(targetfilter="(objectclass=iplanet-am-saml-service)")
(version 3.0; acl "S1IS Right to modify saml user and password";
deny (all)
(roledn != "ldap:///cn=Top-level Admin Role,$rootSuffix")
AND (userdn != "ldap:///cn=dsameuser,ou=DSAME Users,$rootSuffix")
AND (userdn != "ldap:///cn=puser,ou=DSAME Users,$rootSuffix"); )
Top-level Help Desk Admin Role
#
# discard
#
aci:
(target="ldap:///$rootSuffix")
(targetfilter=(!(nsroledn=cn=Top-level Admin Role,$rootSuffix)))
(targetattr = "*")
(version 3.0; acl "S1IS Top-level Help Desk Admin Role access allow";
allow (read,search)
roledn = "ldap:///cn=Top-level Help Desk Admin Role,$rootSuffix";)
#
# discard
#
aci:
(target="ldap:///$rootSuffix")
(targetfilter=(!(nsroledn=cn=Top-level Admin Role,$rootSuffix)))
(targetattr = "userPassword")
(version 3.0; acl "S1IS Top-level Help Desk Admin Role access allow";
allow(write)
roledn = "ldap:///cn=Top-level Help Desk Admin Role,$rootSuffix";)
Top-level Policy Admin Role
#
# discard
#
aci:
(target="ldap:///$rootSuffix")
(targetfilter=(!(|(nsroledn=cn=Top-level Admin Role,$rootSuffix))))
(targetattr = "*")
(version 3.0; acl "S1IS Top-level Policy Admin Role access allow";
allow (read,search)
roledn = "ldap:///cn=Top-level Policy Admin Role,$rootSuffix";)
#
# discard
#
aci:
(target="ldap:///ou=iPlanetAMAuthService,ou=services,*$rootSuffix")
(targetattr = "*")
(version 3.0; acl "S1IS Top-level Policy Admin Role access Auth Service deny";
deny (add,write,delete)
roledn = "ldap:///cn=Top-level Policy Admin Role,$rootSuffix";)
#
# discard
#
aci:
(target="ldap:///ou=services,*$rootSuffix")
(targetattr = "*")
(version 3.0; acl "S1IS Top-level Policy Admin Role access allow";
allow (all)
roledn = "ldap:///cn=Top-level Policy Admin Role,$rootSuffix";)
#
# discard
#
aci:
(target="ldap:///$rootSuffix")
(targetfilter="(objectclass=sunismanagedorganization)")
(targetattr = "sunRegisteredServiceName")
(version 3.0; acl "S1IS Top-level Policy Admin Role access allow";
allow (read,write,search)
roledn = "ldap:///cn=Top-level Policy Admin Role,$rootSuffix";)
Access Manager Anonymous
#
# discard - prevents anyone other than rootdn from deleting default
#
aci:
(target="ldap:///$rootSuffix")
(targetfilter=(entrydn=$rootSuffix))
(targetattr="*")
(version 3.0; acl "S1IS Default Organization delete right denied";
deny (delete)
userdn = "ldap:///anyone";)
#
# discard - prevents any user other than rootdn from deleting the TLA admin role
#
aci:
(target="ldap:///cn=Top-level Admin Role,$rootSuffix")
(targetattr="*")
(version 3.0; acl "S1IS Top-level admin delete right denied";
deny(delete)
userdn = "ldap:///anyone";)
Access Manager Deny Write Access
#
# discard
#
aci:
(targetattr = "*")
(version 3.0; acl "S1IS Deny write to anonymous user";
deny (add,write,delete)
roledn ="ldap:///cn=Deny Write Access,$rootSuffix";)
Access Manager Container Admin Role
#
# discard
#
aci:
(target="ldap:///($dn),$rootSuffix")
(targetfilter=(!(|(nsroledn=cn=Top-level Admin Role,$rootSuffix)
(nsroledn=cn=Top-level Help Desk Admin Role,$rootSuffix)
(nsroledn=cn=Top-level Policy Admin Role,$rootSuffix))))
(targetattr != "nsroledn")
(version 3.0; acl "S1IS Container Admin Role access allow";
allow (all)
roledn = "ldap:///cn=Container Admin Role,[$dn],$rootSuffix";)
#
# discard
#
aci:
(target="ldap:///cn=Container Admin Role,($dn),$rootSuffix")
(targetattr="*")
(version 3.0; acl "S1IS Container Admin Role access deny";
deny (write,add,delete,compare,proxy)
roledn = "ldap:///cn=Container Admin Role,($dn),$rootSuffix";)
#
# discard
#
aci:
(target="ldap:///ou=People,$rootSuffix")
(targetfilter=(!(|(nsroledn=cn=Top-level Admin Role,$rootSuffix)
(nsroledn=cn=Top-level Help Desk Admin Role,$rootSuffix)
(nsroledn=cn=Top-level Policy Admin Role,$rootSuffix)
(nsroledn=cn=Organization Admin Role,$rootSuffix)
(nsroledn=cn=Container Admin Role,$rootSuffix))))
(targetattr != "iplanet-am-web-agent-access-allow-list || iplanet-am-domain-url-access-allow
|| iplanet-am-web-agent-access-deny-list || nsroledn")
(version 3.0; acl "S1IS Group and people container admin role";
allow (all)
roledn = "ldap:///cn=ou=People_dc=red_dc=iplanet_dc=com,$rootSuffix";)
Organization Help Desk
#
# discard
#
aci: (extra versus dreambig)
(target="ldap:///$rootSuffix")
(targetfilter=(!(|(nsroledn=cn=Top-level Admin Role,$rootSuffix)
(nsroledn=cn=Top-level Help Desk Admin Role,$rootSuffix)
(nsroledn=cn=Top-level Policy Admin Role,$rootSuffix)
(nsroledn=cn=Organization Admin Role,$rootSuffix))))
(targetattr = "*")
(version 3.0; acl "S1IS Organization Help Desk Admin Role access allow";
allow (read,search)
roledn = "ldap:///cn=Organization Help Desk Admin Role,$rootSuffix";)
#
# discard
#
aci:
(target="ldap:///$rootSuffix")
(targetfilter=(!(|(nsroledn=cn=Top-level Admin Role,$rootSuffix)
(nsroledn=cn=Top-level Help Desk Admin Role,$rootSuffix)
(nsroledn=cn=Top-level Policy Admin Role,$rootSuffix)
(nsroledn=cn=Organization Admin Role,$rootSuffix))))
(targetattr = "userPassword")
(version 3.0; acl "S1IS Organization Help Desk Admin Role access allow";
allow(write)
roledn = "ldap:///cn=Organization Help Desk Admin Role,$rootSuffix";)
Access Manager Miscellaneous
#
# discard - removal disables the privileges associated with the attribute
# iplanet-am-modifiable-by
#
aci:
(target="ldap:///$rootSuffix")
(targetattr!="nsroledn")
(version 3.0; acl "S1IS Group admin's right to the users he creates";
allow (all)
userattr = "iplanet-am-modifiable-by#ROLEDN";)