J Setting up Access Controls for Creation and Search Bases for Users and Groups

If you modify the User Search Base, the User Creation Base, the Group Search Base, or the Group Creation Base, the access controls that let the Oracle Delegated Administration Services (DAS) privilege groups and the other Oracle components create, modify, delete and look up entries must be set up on the new container; without them those components have no rights there, and the access control items (orclaci and orclentrylevelaci values) that were added to the original container are not carried over. This appendix contains these topics:

  J.1 Setting up Access Controls for the User Search Base and the User Creation Base
  J.2 Setting up Access Controls for the Group Search Base and the Group Creation Base

J.1 Setting up Access Controls for the User Search Base and the User Creation Base

To set up access controls for the User Search Base and the User Creation Base:

  1. Create an LDIF file (user_aci.ldif) with the following entry. Lines that begin with a space are LDIF continuation lines: ldapmodify removes the first space and joins the line to the one above it, so every continuation line below starts with two spaces to keep one space as the separator. If you re-wrap the file, break only at a space and keep the two-space indent; otherwise a DN or a permission list is silently corrupted when the lines are joined.

    --- BEGIN LDIF file contents ---
    dn: %usersearch_or_createbase_dn%
    changetype: modify
    add: orclaci
    orclaci: access to entry
      by group="cn=oracledascreateuser,cn=groups,cn=OracleContext,%subscriberdn%"
      added_object_constraint=(objectclass=orcluser*) (browse,add)
      by group="cn=Common User Attributes,cn=Groups,cn=OracleContext,%subscriberdn%" (browse)
      by group="cn=PKIAdmins,cn=groups,cn=OracleContext,%subscriberdn%" (browse)
    orclaci: access to entry filter=(objectclass=inetorgperson)
      by group="cn=oracledascreateuser,cn=groups,cn=OracleContext,%subscriberdn%"
      added_object_constraint=(objectclass=orcluser*) (browse,add)
      by group="cn=oracledasdeleteuser,cn=groups,cn=OracleContext,%subscriberdn%" (browse,delete)
      by group="cn=oracledasedituser,cn=groups,cn=OracleContext,%subscriberdn%" (browse)
      by group="cn=UserProxyPrivilege,cn=Groups,cn=OracleContext,%subscriberdn%" (browse,proxy)
      by dn="orclApplicationCommonName=DASApp,cn=DAS,cn=Products,cn=oraclecontext" (browse,proxy)
      by self (browse,nodelete,noadd)
      by group="cn=Common User Attributes,cn=Groups,cn=OracleContext,%subscriberdn%" (browse)
      by * (browse,noadd,nodelete)
    orclaci: access to attr=(*) filter=(objectclass=inetorgperson)
      by group="cn=oracledasedituser,cn=groups,cn=OracleContext,%subscriberdn%"
      (read,search,write,compare)
      by self (read,search,write,selfwrite,compare)
      by * (read,nowrite,nocompare)
    orclaci: access to attr=(userPassword) filter=(objectclass=inetorgperson)
      by group="cn=OracleUserSecurityAdmins,cn=Groups,cn=OracleContext,%subscriberdn%"
      (read,search,write,compare)
      by group="cn=oracledasedituser,cn=groups,cn=OracleContext,%subscriberdn%"
      (read,search,write,compare)
      by self (read,search,write,selfwrite,compare)
      by group="cn=authenticationServices,cn=Groups,cn=OracleContext,%subscriberdn%" (compare)
      by * (none)
    orclaci: access to attr=(authpassword,orclpasswordverifier,orclpassword)
      by group="cn=oracledasedituser,cn=groups,cn=OracleContext,%subscriberdn%"
      (read,search,write,compare)
      by group="cn=verifierServices,cn=Groups,cn=OracleContext,%subscriberdn%" (search,read,compare)
      by self (search,read,write,compare)
      by * (none)
    orclaci: access to attr=(orclpwdaccountunlock)
      by group="cn=oracledasedituser,cn=groups,cn=OracleContext,%subscriberdn%" (write)
      by * (none)
    orclaci: access to attr=(usercertificate,usersmimecertificate)
      by group="cn=PKIAdmins,cn=Groups,cn=OracleContext,%subscriberdn%" (read,search,write,compare)
      by self (read,search,compare)
      by * (read,search,compare)
    orclaci: access to attr=(mail)
      by group="cn=EmailAdminsGroup,cn=EmailServerContainer,cn=Products,cn=OracleContext" (write)
      by group="cn=oracledasedituser,cn=groups,cn=OracleContext,%subscriberdn%"
      (read,search,write,compare)
    orclaci: access to attr=(orclguid,orclisenabled,modifytimestamp,mail)
      by group="cn=Common User Attributes,cn=Groups,cn=OracleContext,%subscriberdn%"
      (read,search,compare)
      by group="cn=oracledasedituser,cn=groups,cn=OracleContext,%subscriberdn%"
      (read,search,write,compare)
      by * (read,nowrite,nocompare)
    orclaci: access to attr=(orclpasswordhintanswer)
      by group="cn=Common User Attributes,cn=Groups,cn=OracleContext,%subscriberdn%"
      (read,search,compare)
      by self (read,search,write,selfwrite,compare)
      by * (noread,nowrite,nocompare)
    orclaci: access to attr=(orclpasswordhint)
      by group="cn=Common User Attributes,cn=Groups,cn=OracleContext,%subscriberdn%"
      (read,search,compare)
      by self (read,search,write,selfwrite,compare)
      by group="cn=OracleUserSecurityAdmins,cn=Groups,cn=OracleContext,%subscriberdn%"
      (read,search,write,compare)
      by * (noread,nowrite,nocompare)
    orclaci: access to attr=(displayName,preferredlanguage,orcltimezone,orcldateofbirth,
      orclgender,orclwirelessaccountnumber,cn,uid,homephone,telephonenumber)
      by group="cn=Common User Attributes,cn=Groups,cn=OracleContext,%subscriberdn%"
      (read,search,compare)
      by group="cn=oracledasedituser,cn=groups,cn=OracleContext,%subscriberdn%"
      (read,search,write,compare)
      by self (read,search,write,selfwrite,compare)
      by * (read,nowrite,nocompare)
    -
    add: orclentrylevelaci
    orclentrylevelaci: access to entry
      by group="cn=oracledascreateuser,cn=groups,cn=OracleContext,%subscriberdn%"
      added_object_constraint=(objectclass=orcluser*) (browse,add)
      by * (browse)
    --- END LDIF file contents ---
    
  2. Replace every occurrence of %subscriberdn% with the DN of the subscriber (realm), and %usersearch_or_createbase_dn% with the DN of the container that the new User Search Base or User Creation Base points to. Check that no placeholder is left in the file: a DN that still contains "%subscriberdn%" names a group that does not exist, and the grant for it applies to nobody.

  3. Run the ldapmodify command as follows and enter the password of cn=orcladmin at the prompt:

    ldapmodify -p oidport -h oidhost -D cn=orcladmin -q -v \
               -f user_aci.ldif

    The -q option prompts for the bind password instead of taking it on the command line with -w, which keeps the password out of the shell history and the process list. The two add operations append these values to whatever orclaci and orclentrylevelaci values the container already has; they do not replace them. Afterwards, read the container entry back with ldapsearch, requesting the orclaci and orclentrylevelaci attributes, and confirm that every value in the file was stored.
    

J.2 Setting up Access Controls for the Group Search Base and the Group Creation Base

To set up access controls for the Group Search Base and the Group Creation Base:

  1. Create an LDIF file (group_aci.ldif) with the following entry. Continuation lines start with two spaces because ldapmodify removes the first space when it joins each one to the line above; if you re-wrap the file, break only at a space and keep that indent.

    --- BEGIN LDIF file contents ---
    dn: %groupsearch_or_createbase_dn%
    changetype: modify
    add: orclaci
    orclaci: access to entry
      by group="cn=IASAdmins,cn=groups,cn=OracleContext,%subscriberdn%"
      added_object_constraint=(objectclass=orclcontainer) (browse,add)
    orclaci: access to entry
      by group="cn=oracledascreategroup,cn=groups,cn=OracleContext,%subscriberdn%"
      added_object_constraint=(objectclass=orclgroup*) (browse,add)
      by group="cn=Common Group Attributes,cn=Groups,cn=OracleContext,%subscriberdn%" (browse)
    orclaci: access to entry filter=(&(objectclass=orclgroup)(orclisvisible=false))
      by groupattr=(owner) (browse,add,delete)
      by dnattr=(owner) (browse,add,delete)
      by group="cn=Common Group Attributes,cn=Groups,cn=OracleContext,%subscriberdn%" (browse)
      by * (none)
    orclaci: access to entry filter=(&(objectclass=orclgroup)(!(orclisvisible=false)))
      by group="cn=oracledascreategroup,cn=groups,cn=OracleContext,%subscriberdn%"
      added_object_constraint=(objectclass=orclgroup) (browse,add)
      by group="cn=oracledasdeletegroup,cn=groups,cn=OracleContext,%subscriberdn%" (browse,delete)
      by group="cn=oracledaseditgroup,cn=Groups,cn=OracleContext,%subscriberdn%" (browse)
      by groupattr=(owner) (browse,add,delete)
      by dnattr=(owner) (browse,add,delete)
      by group="cn=Common Group Attributes,cn=Groups,cn=OracleContext,%subscriberdn%" (browse)
    orclaci: access to attr=(*) filter=(&(objectclass=orclgroup)(orclisvisible=false))
      by groupattr=(owner) (read,search,write,compare)
      by dnattr=(owner) (read,search,write,compare)
      by * (none)
      by group="cn=Common Group Attributes,cn=Groups,cn=OracleContext,%subscriberdn%"
      (read,search,compare)
    orclaci: access to attr=(*) filter=(&(objectclass=orclgroup)(!(orclisvisible=false)))
      by groupattr=(owner) (read,search,write,compare)
      by dnattr=(owner) (read,search,write,compare)
      by group="cn=oracledaseditgroup,cn=groups,cn=OracleContext,%subscriberdn%"
      (read,search,write,compare)
      by group="cn=Common Group Attributes,cn=Groups,cn=OracleContext,%subscriberdn%"
      (read,search,compare)
    -
    add: orclentrylevelaci
    orclentrylevelaci: access to entry
      by group="cn=oracledascreategroup,cn=groups,cn=OracleContext,%subscriberdn%"
      added_object_constraint=(objectclass=orclgroup) (browse,add)
      by group="cn=IASAdmins,cn=groups,cn=OracleContext,%subscriberdn%"
      added_object_constraint=(objectclass=orclcontainer) (browse,add)
      by * (browse)
    --- END LDIF file contents ---
    
  2. Replace every occurrence of %subscriberdn% with the DN of the subscriber (realm), and %groupsearch_or_createbase_dn% with the DN of the container that the new Group Search Base or Group Creation Base points to. Check that no placeholder is left in the file.

  3. Run the ldapmodify command as follows and enter the password of cn=orcladmin at the prompt (-q prompts for it rather than reading it from the command line):

    ldapmodify -p oidport -h oidhost -D cn=orcladmin -q -v -f group_aci.ldif

    The values are appended to any orclaci and orclentrylevelaci values already present on the container. Read the container entry back with ldapsearch, requesting those two attributes, to confirm that every value was stored.
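The procedures in J.1 and J.2 both come down to hand-editing a template and feeding it to ldapmodify, and the two mistakes that are easy to make there (a placeholder left in a DN, or a continuation line whose leading space was lost so that two tokens run together) produce an ACI that grants nothing to the intended group. The script below is an added example and is not part of the Oracle documentation or of the OID tools: it folds continuation lines the way ldapmodify does (RFC 2849), substitutes the placeholders, parses each orclaci and orclentrylevelaci value into its target and its "by" grants, and reports unreplaced placeholders, mis-folded lines and any write-class permission handed to the anonymous subject; it can also list which subjects end up with a given permission on a given target. TEMPLATE is a constructed excerpt of the user LDIF in J.1, and the subscriber and container DNs are made-up values.

```python
"""Render and sanity-check an orclaci LDIF template before handing it to ldapmodify.
Added example, not from the Oracle documentation: TEMPLATE is a constructed excerpt
of the user ACI LDIF above and the DNs assigned below are made-up values."""
import re

TEMPLATE = """\
dn: %usersearch_or_createbase_dn%
changetype: modify
add: orclaci
orclaci: access to entry
  by group="cn=oracledascreateuser,cn=groups,cn=OracleContext,%subscriberdn%"
  added_object_constraint=(objectclass=orcluser*) (browse,add)
  by * (browse,noadd,nodelete)
orclaci: access to attr=(userPassword) filter=(objectclass=inetorgperson)
  by group="cn=OracleUserSecurityAdmins,cn=Groups,cn=OracleContext,%subscriberdn%"
  (read,search,write,compare)
  by self (read,search,write,selfwrite,compare)
  by * (none)
-
add: orclentrylevelaci
orclentrylevelaci: access to entry
  by group="cn=oracledascreateuser,cn=groups,cn=OracleContext,%subscriberdn%"
  added_object_constraint=(objectclass=orcluser*) (browse,add)
  by * (browse)
"""

ACI_ATTRS = ("orclaci", "orclentrylevelaci")
PLACEHOLDER_RE = re.compile(r"%[a-z_]+%")
TARGET_RE = re.compile(r"^access to (?:entry|attr=\([^)]*\))(?:\s+filter=\S+)?$")
GRANT_RE = re.compile(
    r'\bby\s+(?P<subject>\*|self|group="[^"]*"|dn="[^"]*"|groupattr=\([^)]*\)|dnattr=\([^)]*\))'
    r"(?:\s+added_object_constraint=\([^)]*\))?\s*\((?P<perms>[^)]*)\)")
RISKY_FOR_ANON = {"write", "selfwrite", "add", "delete", "proxy"}  # never for subject "*"


def unfold(text):
    """RFC 2849 folding as ldapmodify applies it: a line starting with a space continues
    the previous line and exactly that one space is dropped (hence the two-space indent)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def render(template, subscriber_dn, base_dn):
    """Step 2 of the procedure: substitute the placeholders with real DNs."""
    return (template.replace("%subscriberdn%", subscriber_dn)
            .replace("%usersearch_or_createbase_dn%", base_dn)
            .replace("%groupsearch_or_createbase_dn%", base_dn))


def parse_aci(value):
    """Split one ACI value into (target, [(subject, perms)], text the grammar did not consume)."""
    matches = list(GRANT_RE.finditer(value))
    if not matches:
        return value.strip(), [], ""
    gaps = [value[a.end():b.start()] for a, b in zip(matches, matches[1:])]
    leftover = "".join(gaps) + value[matches[-1].end():]
    grants = [(m["subject"], frozenset(p.strip().lower() for p in m["perms"].split(",")))
              for m in matches]
    return value[:matches[0].start()].strip(), grants, leftover.strip()


def aci_values(ldif_text):
    """Yield (logical line number, attribute name, value) for every ACI in the LDIF."""
    for n, line in enumerate(unfold(ldif_text), 1):
        attr, sep, value = line.partition(":")
        if sep and attr in ACI_ATTRS:
            yield n, attr, value.strip()


def lint(ldif_text):
    """Problems found in the LDIF; an empty list means it is ready for ldapmodify."""
    problems = [f"line {n}: unreplaced placeholder {ph}"
                for n, line in enumerate(unfold(ldif_text), 1)
                for ph in PLACEHOLDER_RE.findall(line)]
    for n, attr, value in aci_values(ldif_text):
        target, grants, leftover = parse_aci(value)
        if not TARGET_RE.match(target):
            problems.append(f"line {n}: unparsable target {target!r} (mis-folded line?)")
        if not grants:
            problems.append(f"line {n}: {attr} has no 'by' grant")
        if leftover:
            problems.append(f"line {n}: unparsed text {leftover!r} between grants")
        for subject, perms in grants:
            if subject == "*" and perms & RISKY_FOR_ANON:
                problems.append(f"line {n}: anonymous subject gets {sorted(perms & RISKY_FOR_ANON)}")
    return problems


def who_can(ldif_text, perm, target_substring):
    """Subjects granted `perm` by the ACIs whose target mentions `target_substring`."""
    subjects = set()
    for _, _, value in aci_values(ldif_text):
        target, grants, _ = parse_aci(value)
        if target_substring.lower() in target.lower():
            subjects.update(s for s, perms in grants if perm in perms)
    return sorted(subjects)


# Assumed realm and new container (not taken from the documentation).
EXAMPLE_SUBSCRIBER_DN = "dc=example,dc=com"
EXAMPLE_BASE_DN = "cn=Users,dc=example,dc=com"
RENDERED = render(TEMPLATE, EXAMPLE_SUBSCRIBER_DN, EXAMPLE_BASE_DN)
# Constructed mistake: one continuation line indented by a single space. Folding turns
# it into "access to entryby group=...", so the create-user grant is silently lost.
MISFOLDED = RENDERED.replace('\n  by group="cn=oracledascreateuser',
                             '\n by group="cn=oracledascreateuser', 1)

if __name__ == "__main__":
    print(lint(MISFOLDED), who_can(RENDERED, "write", "userPassword"))
```

Run it against the real user_aci.ldif or group_aci.ldif after step 2 by reading the file into `lint()`; an empty result means the placeholders are gone and every ACI parsed cleanly, and `who_can(text, "write", "userPassword")` is a quick way to review who will be able to set passwords under the new container before the change is applied.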