J ユーザーおよびグループの作成ベースおよび検索ベースに対するアクセス制御の設定

ユーザー検索ベース、ユーザー作成ベース、グループ検索ベース、グループ作成ベースを変更すると、新しいコンテナに対するアクセス制御を適切に設定する必要があります。この付録の項目は次のとおりです。

• ユーザー検索ベースおよびユーザー作成ベースに対するアクセス制御の設定

• グループ検索ベースおよびグループ作成ベースに対するアクセス制御の設定

J.1 ユーザー検索ベースおよびユーザー作成ベースに対するアクセス制御の設定

ユーザー検索ベースおよびユーザー作成ベースに対するアクセス制御を設定するには、次のようにします。

1. 次の内容で、LDIF（user_aci.ldif）ファイルを作成します。

   --- BEGIN LDIF file contents---
   dn: %usersearch_or_createbase_dn%
   changetype: modify
   add: orclaci
   orclaci: access to entry by group="cn=oracledascreateuser,
    cn=groups,cn=OracleContext,%subscriberdn%"
    added_object_constraint=(objectclass=orcluser*) (browse,add) by
    group="cn=Common User Attributes, cn=Groups,
    cn=OracleContext,%subscriberdn%" (browse) by
    group="cn=PKIAdmins, cn=groups, cn=OracleContext,%subscriberdn%" (browse)
   orclaci: access to entry filter=(objectclass=inetorgperson) by
    group="cn=oracledascreateuser, cn=groups,cn=OracleContext,%subscriberdn%"
    added_object_constraint=(objectclass=orcluser*) (browse,add) by
    group="cn=oracledasdeleteuser, cn=groups,cn=OracleContext,%subscriberdn%"
    (browse,delete) by group="cn=oracledasedituser,
    cn=groups,cn=OracleContext,%subscriberdn%" (browse) by
    group="cn=UserProxyPrivilege, cn=Groups,cn=OracleContext,%subscriberdn%"
    (browse,
    proxy) by dn="orclApplicationCommonName=DASApp, cn=DAS,
    cn=Products,cn=oraclecontext" (browse,proxy) by self (browse, nodelete, noadd)
    by
    group="cn=Common User Attributes, cn=Groups,cn=OracleContext,%subscriberdn%"
    (browse) by * (browse, noadd, nodelete)
   orclaci: access to attr=(*) filter=(objectclass=inetorgperson) by
    group="cn=oracledasedituser, cn=groups,cn=OracleContext,
    %subscriberdn%" (read,search,write,compare) by self (
    read,search,write,selfwrite,compare) by *
    (read, nowrite, nocompare)
   orclaci: access to attr=(userPassword)
    filter=(objectclass=inetorgperson) by
    group="cn=OracleUserSecurityAdmins,cn=Groups,
    cn=OracleContext, %subscriberdn%"
    (read,search,write,compare) by group="cn=oracledasedituser,
    cn=groups,cn=OracleContext,%subscriberdn%"
    (read,search,write,compare) by self
    (read,search,write,selfwrite,compare) by group="cn=authenticationServices,
    cn=Groups,cn=OracleContext,%subscriberdn%" (compare) by * (none)
   orclaci: access to attr=(authpassword, orclpasswordverifier, orclpassword) by
    group="cn=oracledasedituser,cn=groups,cn=OracleContext,%subscriberdn%"
    (read,search,write,compare) by
    group="cn=verifierServices,cn=Groups,cn=OracleContext,%subscriberdn%"
    (search, read, compare) by self (search,read,write,compare) by * (none)
   orclaci: access to attr=(orclpwdaccountunlock) by
    group="cn=oracledasedituser,cn=groups,cn=OracleContext,%subscriberdn%" (
    write) by * (none)
   orclaci: access to attr=(usercertificate, usersmimecertificate) by
    group="cn=PKIAdmins,cn=Groups,cn=OracleContext,%subscriberdn%"
    (read, search, write, compare) by self (read, search, compare) by *
    (read, search, compare)
   orclaci: access to attr=(mail) by
    group="cn=EmailAdminsGroup,cn=EmailServerContainer,cn=Products,
    cn=OracleContext" (write) by group="cn=oracledasedituser,
    cn=groups,cn=OracleContext,%subscriberdn%" (read,search,write,compare)
   orclaci: access to attr=(orclguid, orclisenabled, modifytimestamp,mail)
    by group="cn=Common User Attributes,
    cn=Groups,cn=OracleContext,%subscriberdn%"
    (read, search, compare) by group="cn=oracledasedituser,
    cn=groups,cn=OracleContext,%subscriberdn%" (read,search,write,compare)
    by * (read, nowrite, nocompare)
   orclaci: access to attr=(orclpasswordhintanswer) by
    group="cn=Common User Attributes,
    cn=Groups,cn=OracleContext,%subscriberdn%" (read, search, compare) by self
    (read,search,write,selfwrite,compare) by * (noread, nowrite, nocompare)
   orclaci: access to attr=(orclpasswordhint) by
    group="cn=Common User Attributes,
    cn=Groups,cn=OracleContext,%subscriberdn%" (read, search, compare) by self
    (read,search,write,selfwrite,compare) by
    group="cn=OracleUserSecurityAdmins,cn=Groups,cn=OracleContext,
    %subscriberdn%" (read,search,write,compare) by *
    (noread, nowrite, nocompare)
   orclaci: access to attr=(displayName, preferredlanguage,
    orcltimezone,orcldateofbirth,orclgender,orclwirelessaccountnumber,cn,
    uid,homephone,telephonenumber) by group="cn=Common User Attributes,
    cn=Groups,cn=OracleContext,%subscriberdn%"
    (read, search, compare) by group="cn=oracledasedituser,
    cn=groups,cn=OracleContext,%subscriberdn%" (read,search,write,compare)
    by self (read,search,write,selfwrite,compare) by *
    (read, nowrite, nocompare)
           -
   add: orclentrylevelaci
   orclentrylevelaci: access to entry by group="cn=oracledascreateuser,
    cn=groups,cn=OracleContext,%subscriberdn%" added_object_constraint=
    (objectclass=orcluser*) (browse, add) by * (browse)
   ---END LDIF file contents------
   

2. %subscriberdn%をサブスクライバのDNに置き換え、%usersearch_or_createbase_dn%を、新しいユーザー検索/作成ベースが示すコンテナの新しいDN値に置き換えます。

3. 次のように、ldapmodifyコマンドを入力します。

   ldapmodify -p oidport -h oidhost -D cn=orcladmin -q -v \
              -f  user_aci.ldif
   

J.2 グループ検索ベースおよびグループ作成ベースに対するアクセス制御の設定

グループ検索ベースおよびグループ作成ベースに対するアクセス制御を設定するには、次のようにします。

1. 次の内容で、ldif（group_aci.ldif）ファイルを作成します。

   --- BEGIN LDIF file contents---
   dn: %groupsearch_or_createbase_dn%
   changetype: modify
   add: orclaci
   orclaci: access to entry by group="cn=IASAdmins,
    cn=groups,cn=OracleContext,%subscriberdn%"
    added_object_constraint=(objectclass=orclcontainer) (browse,add)
   orclaci: access to entry by group="cn=oracledascreategroup,
    cn=groups,cn=OracleContext,%subscriberdn%"
    added_object_constraint=(objectclass=orclgroup*) (browse,add) by
    group="cn=Common
    Group Attributes, cn=Groups,cn=OracleContext,%subscriberdn%" (browse)
   orclaci: access to entry filter=(&(objectclass=orclgroup)(orclisvisible=false))
    by
    groupattr=(owner) (browse, add, delete) by dnattr=(owner)
    (browse, add, delete) by
    group="cn=Common Group Attributes, cn=Groups,cn=OracleContext,%subscriberdn%"
    (browse) by * (none)
   orclaci: access to entry
    filter=(&(objectclass=orclgroup)(!(orclisvisible=false))) by
    group="cn=oracledascreategroup, cn=groups,cn=OracleContext,%subscriberdn%"
    added_object_constraint=(objectclass=orclgroup) (browse,add) by
    group="cn=oracledasdeletegroup, cn=groups,cn=OracleContext,%subscriberdn%"
    (browse,delete) by group="cn=oracledaseditgroup,
    cn=Groups,cn=OracleContext,%subscriberdn%" (browse) by groupattr=(owner) (
    browse,
    add, delete) by dnattr=(owner) (browse, add, delete) by group="cn=Common Group
    Attributes, cn=Groups,cn=OracleContext,%subscriberdn%" (browse)
   orclaci: access to attr=(*)
    filter=(&(objectclass=orclgroup)(orclisvisible=false)) by
    groupattr=(owner) (read,search,write,compare) by dnattr=(owner)
    (read,search,write,compare) by * (none) by group="cn=Common Group Attributes,
    cn=Groups,cn=OracleContext,%subscriberdn%" (read, search, compare)
   orclaci: access to attr=(*)
    filter=(&(objectclass=orclgroup)(!(orclisvisible=false))) by
    groupattr=(owner) (read,search,write,compare) by dnattr=(owner)
    (read,search,write,compare)  by group="cn=oracledaseditgroup,
    cn=groups,cn=OracleContext,%subscriberdn%" (read,search,write,compare) by
    group="cn=Common Group Attributes, cn=Groups,cn=OracleContext,%subscriberdn%"
    (read, search, compare)
         -
   add: orclentrylevelaci
   orclentrylevelaci: access to entry by group="cn=oracledascreategroup,
    cn=groups,cn=OracleContext,%subscriberdn%"
    added_object_constraint=(objectclass=orclgroup) (browse, add) by
    group="cn=IASAdmins, cn=groups,cn=OracleContext,%subscriberdn%"
    added_object_constraint=(objectclass=orclcontainer) (browse,add) by * (browse)
   ---END LDIF file contents------
   

2. %subscriberdn%をサブスクライバのDNに置き換え、%groupsearch_or_createbase_dn%を、新しいグループ検索/作成ベースが示すコンテナの新しいDN値に置き換えます。

3. 次のように、ldapmodifyコマンドを入力します。

   ldapmodify -p oidport -h oidhost -D cn=orcladmin -q -v -f group_aci.ldif