Oracle® Fusion Middleware Administrator's Guide for Oracle Internet Directory
11g Release 1 (11.1.1)

Part Number E10029-03

H The Access Control Directive Format

This appendix describes the format (syntax) of an access control item (ACI). It contains these topics:

H.1 Schema for orclACI
H.2 Schema for orclEntryLevelACI

H.1 Schema for orclACI

The access control directive defined by the user attribute orclACI has the following schema:

OrclACI: { object_identifier NAME 'orclACI' DESC 'Stores an inheritable ACI'
           EQUALITY accessDirectiveMatch SYNTAX 'accessDirectiveDescription'
           USAGE 'directoryOperation' }

accessDirectiveDescription has the following BNF:

<accessDirectiveDescription> ::= access to <object> [by <subject> ( <accessList> )]+

<object> ::= [attr <EQ-OR-NEQ> ( * | (<attrList>) ) | entry]
             [filter=(<ldapFilter>)] [DenyGroupOverride] [AppendToAll]

<subject> ::= <entity> [<BindMode>] [<BindIPFilter>] [Added_object_constraint=(<ldapFilter>)]

<entity> ::= * | self | dn="<regex>" | dnAttr=(<dn_attribute>) | group="<dn>" |
             guidattr=(<guid_attribute>) | groupattr=(<group_attribute>) | [SuperUser]

BindMode=(LDAP_authentication_choice|LDAP_security_choice)
LDAP_authentication_choice ::= proxy | simple | MD5Digest | PKCS12
LDAP_security_choice ::= SSLNoAuth | SSLOneWay | SASL

BindIPFilter=(<ldapFilter for orclipaddress>)
  Examples: (|(orclipaddress=1.2.3.*)(orclipaddress=1.2.4.*))
            (&(orclipaddress!=1.2.*)(orclipaddress!=3.4.*))

<accessList> ::= <access> | <access>, <accessList>

<access> ::= none | compare | search | browse | proxy | read | selfwrite | write |
             add | delete | nocompare | nosearch | nobrowse | noproxy | noread | noselfwrite |
             nowrite | noadd | nodelete

<attrList> ::= <attribute name> | <attribute name>,<attrList>

<EQ-OR-NEQ> ::= = | !=

<regex> ::= <dn> | *,<dn_of_any_subtree_root>

Note:

The <regex> defined above is not a general regular expression and does not match arbitrary patterns. The syntax allows only a plain DN, or a wildcard followed by a comma and a valid DN. The DN denoted by <dn_of_any_subtree_root> specifies the root of a subtree, so the wildcard form applies to entries under that root.
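As an added example (not Oracle's code and not part of this appendix), the following Python module parses a directive according to the BNF above and adds the two checks the grammar implies but does not spell out: the wildcard DN rule from the Note, and evaluation of a BindIPFilter against the address a client bound from. The class and function names (AciObject, AciSubject, parse_aci, dn_pattern_matches, ip_filter_matches) and the sample directive are this example's own. It also accepts the parenthesised form attr=(*) in addition to the bare * the BNF shows, and it rejects unknown access rights, unknown BindMode values and unbalanced parentheses rather than silently accepting them.

```python
# Added example (not Oracle's code): a parser for the accessDirectiveDescription BNF above.
from __future__ import annotations
import re
from dataclasses import dataclass, field
ACCESS_RIGHTS = set("none compare search browse proxy read selfwrite write add delete nocompare "
                    "nosearch nobrowse noproxy noread noselfwrite nowrite noadd nodelete".split())
BIND_MODES = {"proxy", "simple", "MD5Digest", "PKCS12", "SSLNoAuth", "SSLOneWay", "SASL"}
ENTITY_RE = re.compile(r'\*|self|SuperUser|dn="[^"]*"|group="[^"]*"|(?:dnAttr|guidattr|groupattr)=\([^)]*\)')

@dataclass
class AciObject:
    target: str                      # "entry" or "attr"
    attr_op: str | None = None       # "=" or "!=" for attr targets
    attrs: list[str] | None = None   # None stands for "*" (all attributes)
    filter: str | None = None        # raw LDAP filter, parentheses included
    flags: set[str] = field(default_factory=set)  # DenyGroupOverride / AppendToAll as written

@dataclass
class AciSubject:
    entity: str                      # e.g. '*', 'self', 'dn="*,dc=example,dc=com"'
    bind_mode: str | None = None
    bind_ip_filter: str | None = None
    added_object_constraint: str | None = None
    access: list[str] = field(default_factory=list)

def _take_group(s):
    """Split the leading '( ... )' group (nesting allowed) off s; return (group, rest)."""
    s = s.lstrip()
    if not s.startswith("("):
        raise ValueError("expected '(' at: " + s[:40])
    depth = 0
    for i, ch in enumerate(s):
        depth += {"(": 1, ")": -1}.get(ch, 0)
        if depth == 0:
            return s[:i + 1], s[i + 1:]
    raise ValueError("unbalanced parentheses at: " + s[:40])

def parse_aci(text):
    """Parse one directive into (AciObject, [AciSubject, ...]); raise ValueError on bad syntax."""
    m = re.match(r"\s*access\s+to\s+(entry|attr\s*(!?=)\s*)", text)
    if not m:
        raise ValueError("ACI must start with 'access to entry|attr': " + text)
    s, obj = text[m.end():], AciObject("entry")
    if m.group(2):  # attr target: a bare *, the parenthesised (*), or (<attrList>)
        grp, s = ("*", s[1:]) if s.startswith("*") else _take_group(s)
        body = grp.strip("()").strip()
        obj = AciObject("attr", m.group(2), None if body == "*" else [a.strip() for a in body.split(",")])
    while m := re.match(r"\s*(filter\s*=|DenyGroupOverride|AppendToAll)", s):
        s = s[m.end():]
        if m.group(1).startswith("filter"):
            obj.filter, s = _take_group(s)
        else:
            obj.flags.add(m.group(1))
    subjects = []
    while s.strip():  # one "by <subject> (<accessList>)" clause per iteration
        m = re.match(r"\s*by\s+", s)
        if not m or not (e := ENTITY_RE.match(s, m.end())):
            raise ValueError("expected 'by <entity>' at: " + s[:40])
        subj, s = AciSubject(e.group(0)), s[e.end():]
        while m := re.match(r"\s*(BindMode|BindIPFilter|Added_object_constraint)\s*=", s):
            grp, s = _take_group(s[m.end():])
            if m.group(1) == "BindMode":
                subj.bind_mode = grp.strip("()").strip()
            elif m.group(1) == "BindIPFilter":
                subj.bind_ip_filter = grp
            else:
                subj.added_object_constraint = grp
        grp, s = _take_group(s)  # the mandatory ( <accessList> )
        subj.access = [r.strip() for r in grp.strip("()").split(",")]
        if not set(subj.access) <= ACCESS_RIGHTS or subj.bind_mode not in BIND_MODES | {None}:
            raise ValueError("unknown access right or BindMode in clause: by " + subj.entity)
        subjects.append(subj)
    if not subjects:
        raise ValueError("at least one 'by' clause is required: " + text)
    return obj, subjects

def dn_pattern_matches(pattern, bind_dn):
    """Apply the <regex> rule from the Note: '*,<subtree root>' matches any DN under that root, else exact DN."""
    pattern, bind_dn = pattern.lower(), bind_dn.lower()
    return bind_dn.endswith(pattern[1:]) if pattern.startswith("*,") else bind_dn == pattern

def ip_filter_matches(filt, ip):
    """Evaluate a BindIPFilter (orclipaddress with =, !=, '*' wildcards, & and |) for a bind IP."""
    inner = filt.strip()[1:-1].strip()
    if inner[:1] in ("&", "|"):
        results, rest = [], inner[1:]
        while rest.strip():
            grp, rest = _take_group(rest)
            results.append(ip_filter_matches(grp, ip))
        return all(results) if inner[0] == "&" else any(results)
    m = re.fullmatch(r"orclipaddress\s*(!?=)\s*([0-9.*]+)", inner)
    if not m:
        raise ValueError("unsupported orclipaddress filter: " + filt)
    hit = re.fullmatch(re.escape(m.group(2)).replace(r"\*", ".*"), ip) is not None
    return hit if m.group(1) == "=" else not hit

SAMPLE_ACI = (  # constructed sample directive (not from the page) exercising most of the grammar
    'access to attr!=(userPassword) filter=(objectclass=person) DenyGroupOverride '
    'by group="cn=admins,dc=example,dc=com" BindMode=(SSLOneWay) BindIPFilter=(|(orclipaddress=1.2.3.*)(orclipaddress=1.2.4.*)) '
    '(read,search,write) by dn="*,ou=people,dc=example,dc=com" (read,search,compare) by * (none)')
```

parse_aci(SAMPLE_ACI) returns the object part (attr target with operator "!=", the filter string and the DenyGroupOverride flag) and three subjects in the order written, each carrying its access list; ip_filter_matches and dn_pattern_matches answer whether a given bind address or bind DN falls under a subject. The parser checks grammar only: it does not model how the server combines several matching clauses, so it is a linting step for directives before they are loaded, not a substitute for the server's access decision.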

H.2 Schema for orclEntryLevelACI

The BER format for orclEntryLevelACI is the same as the format for orclACI.

The entry level access control directive defined by the user attribute orclEntryLevelACI has the following schema:

orclEntryLevelACI: { object_identifier NAME 'orclEntryLevelACI' DESC 'Stores entry level ACL Directive'
                     EQUALITY accessDirectiveMatch SYNTAX 'orclEntryLevelACIDescription'
                     USAGE 'directoryOperation' }

<orclEntryLevelACIDescription> ::= access to <object> [by <subject> ( <accessList> )]+