Analysis of How ACIs Are Consolidated
The listing in this section shows the ACIs that have been consolidated in the replacement ldif file, replacement.acis.ldif, which you can use to consolidate ACIs in the directory. For instructions in how to replace ACIs, see Steps for Replacing ACIs.
The ACIs are divided into pairs. For each category, first the original ACIs and then the consolidated ACIs are listed:
Original Anonymous Access Rights
aci: (targetattr != “userPassword || passwordHistory || passwordExpirationTime || passwordExpWarned || passwordRetryCount || retryCountResetTime || accountUnlockTime || passwordAllowChangeTime “) (version 3.0; acl “Anonymous access”; allow (read, search, compare) userdn = “ldap:///anyone”;)
aci: (target=”ldap:///cn=Top-level Admin Role,$rootSuffix”) (targetattr=”*”) version 3.0; acl “S1IS Top-level admin delete right denied”; deny (delete) userdn = “ldap:///anyone”; ) aci: (target=”ldap:///$rootSuffix”) (targetfilter=(entrydn=$rootSuffix)) (targetattr=”*”) (version 3.0; acl “S1IS Default Organization delete right denied”; deny (delete) userdn = “ldap:///anyone”; ) aci: (target=”ldap:///ou=services,$rootSuffix”) (targetfilter=(!(objectclass=sunServiceComponent))) (targetattr = “*”) (version 3.0; acl “S1IS Services anonymous access”; allow (read, search, compare) userdn = “ldap:///anyone”;) aci: (target=”ldap:///ou=iPlanetAMAdminConsoleService,*,$rootSuffix”) (targetattr = “*”) (version 3.0; acl “S1IS iPlanetAMAdminConsoleService anonymous access”; allow (read, search, compare) userdn = “ldap:///anyone”;)
Consolidated Anonymous Access Rights
aci: (target=”ldap:///$rootSuffix”) (targetfilter=(!(objectclass=sunServiceComponent))) (targetattr != “userPassword||passwordHistory ||passwordExpirationTime||passwordExpWarned||passwordRetryCount ||retryCountResetTime||accountUnlockTime||passwordAllowChangeTime”) (version 3.0; acl “anonymous access rights”; allow (read,search,compare) userdn = “ldap:///anyone”; )
Analysis: This ACI, which is on the root, allows the same access as the original collection of anonymous ACIs. It does this by listing a set of excluded attributes. This replacement ACI improves performance by eliminating the (*) in the target.
Original Self Acis
aci: (targetattr != “nsroledn || aci || nsLookThroughLimit || nsSizeLimit || nsTimeLimit || nsIdleTimeout || passwordPolicySubentry || passwordExpirationTime || passwordExpWarned || passwordRetryCount || retryCountResetTime || accountUnlockTime || passwordHistory || passwordAllowChangeTime”) (version 3.0; acl “Allow self entry modification except for nsroledn, aci, resource limit attributes, passwordPolicySubentry and password policy state attributes”; allow (write) userdn =”ldap:///self”;) aci: (targetattr = “*”) (version 3.0; acl “S1IS Deny deleting self”; deny (delete) userdn =”ldap:///self”;) aci: (targetattr = “objectclass || inetuserstatus || planet-am-web-agent-access-allow-list || iplanet-am-domain-url-access-allow || iplanet-am-web-agent-access-deny-list || iplanet-am-user-account-life || iplanet-am-session-max-session-time || iplanet-am-session-max-idle-time || iplanet-am-session-get-valid-sessions || iplanet-am-session-destroy-sessions || iplanet-am-session-add-session-listener-on-all-sessions || iplanet-am-user-admin-start-dn || iplanet-am-auth-post-login-process-class”) (targetfilter=(!(nsroledn=cn=Top-levelAdmin Role,$rootSuffix))) (version 3.0; acl “S1IS User status self modification denied”; deny (write) userdn =”ldap:///self”;) aci: (targetattr != “iplanet-am-static-group-dn || uid || nsroledn || aci || LookThroughLimit || nsSizeLimit || nsTimeLimit || nsIdleTimeout || memberOf || planet-am-web-agent-access-allow-list || iplanet-am-domain-url-access-allow || planet-am-web-agent-access-deny-list”) (version 3.0; acl “S1IS Allow self entry modification except for nsroledn, aci, and resource limit attributes”; allow (write) userdn =”ldap:///self”;) aci: (targetattr != “aci || nsLookThroughLimit || nsSizeLimit || nsTimeLimit || nsIdleTimeout || iplanet-am-domain-url-access-allow”) (version 3.0; acl “S1IS Allow self entry read search except for nsroledn, aci, resource limit and web agent policy attributes”; allow (read,search) userdn =”ldap:///self”;) aci: (targetattr=”uid||ou||owner||mail||mailAlternateAddress ||mailEquivalentaddress||memberOf ||inetuserstatus||mailuserstatus||memberOfManagedGroup||mailQuota ||mailMsgQuota ||inetSubscriberAccountId||dataSource||mailhost||mailAllowedServiceAccess ||pabURI||inetCOS||mailSMTPSubmitChannel||aci”) (targetfilter=(&(objectClass=inetMailUser)(!(nsroledn=cn=Organization Admin role,*)))) (version 3.0; acl “Deny write access to users over Messaging Server protected attributes - product=SOMS,schema 2 support,class=installer,num=3,version=1 “; deny (write) userdn = “ldap:///self”;)
Consolidated Self Acis
aci: (targetattr != “nsroledn || aci || nsLookThroughLimit || nsSizeLimit || nsTimeLimit || nsIdleTimeout || passwordPolicySubentry || asswordExpirationTime || passwordExpWarned || passwordRetryCount || retryCountResetTime || accountUnlockTime || passwordHistory || passwordAllowChangeTime || id || memberOf || objectclass || inetuserstatus || ou || owner || mail || mailuserstatus || memberOfManagedGroup ||mailQuota || mailMsgQuota || mailhost || mailAllowedServiceAccess || inetCOS || mailSMTPSubmitChannel”) (version 3.0; acl “Allow self entry modification”; allow (write) userdn =”ldap:///self”;) aci: (targetattr != “ aci || nsLookThroughLimit || nsSizeLimit || nsTimeLimit|| nsIdleTimeout”) (version 3.0; acl “Allow self entry read search”; allow(read,search) userdn =”ldap:///self”;)
Analysis: Missing all the iplanet-am-* attributes. Since deny is the default if an ACI is not present, all deny ACIs are removed. The ones that allow write are consolidated into a single ACI.
Original Messaging Server ACIs
aci: (target=”ldap:///$rootSuffix”) (targetattr=”*”) (version 3.0; acl “Messaging Server End User Administrator Read Access Rights - product=SOMS,schema 2 support,class=installer,num=1,version=1”; allow (read,search) groupdn=”ldap:///cn=Messaging End User Administrators Group, ou=Groups, rootSuffix”;) aci: (target=”ldap:///$rootSuffix”) (targetattr=”objectclass||mailalternateaddress||mailautoreplymode|| mailprogramdeliveryinfo ||nswmextendeduserprefs||preferredlanguage||maildeliveryoption|| mailforwardingaddress ||mailAutoReplyTimeout||mailautoreplytextinternal||mailautoreplytext|| vacationEndDate ||vacationStartDate||mailautoreplysubject||pabURI||maxPabEntries|| mailMessageStore ||mailSieveRuleSource||sunUCDateFormat||sunUCDateDeLimiter|| sunUCTimeFormat”) (version 3.0; acl “Messaging Server End User Adminstrator Write Access Rights - product=SOMS,schema 2 support,class=installer,num=2,version=1”; allow (all) groupdn=”ldap:///cn=Messaging End User Administrators Group, ou=Groups, rootSuffix”;) aci: (targetattr=”uid||ou||owner||mail||mailAlternateAddress|| mailEquivalentAddress||memberOf ||inetuserstatus||mailuserstatus||memberOfManagedGroup||mailQuota|| mailMsgQuota ||inetSubscriberAccountId||dataSource||mailhost||mailAllowedServiceAccess ||pabURI||inetCOS||mailSMTPSubmitChannel||aci”) (targetfilter=(&(objectClass=inetMailUser)(!(nsroledn=cn=Organization Admin Role,*)))) (version 3.0; acl “Deny write access to users over Messaging Server protected attributes - product=SOMS,schema 2 support,class=installer,num=3,version=1 “; deny (write) userdn = “ldap:///self”;)
Consolidated Messaging Server ACIs
The self ACI is handled in the self ACIs.
aci: (targetattr=”*”) (version 3.0; acl “Messaging Server End User Administrator Read Only Access”; allow (read,search) groupdn = “ldap:///cn=Messaging End User Administrators group,ou=Groups,$rootSuffix”; ) aci: (targetattr=”objectclass || mailalternateaddress || Mailautoreplymode || mailprogramdeliveryinfo || preferredlanguage || maildeliveryoption || mailforwardingaddress || mailAutoReplyTimeout || mailautoreplytextinternal || mailautoreplytext || vacationEndDate || vacationStartDate || mailautoreplysubject || maxPabEntries || mailMessageStore || mailSieveRuleSource || sunUCDateFormat || sunUCDateDeLimiter || sunUCTimeFormat || mailuserstatus || maildomainstatus”) (version 3.0; acl “Messaging Server End User Administrator All Access”; allow (all) groupdn = “ldap:///cn=Messaging End User Administrators group,ou=Groups,$rootSuffix”;)
Analysis: Same as the original ACIs.
Original Organization Admin ACIs
aci: (different name - “allow all” instead of “allow”) (target=”ldap:///($dn),$rootSuffix”) (targetfilter=(!(|(nsroledn=cn=Top-level Admin Role,$rootSuffix) (nsroledn=cn=Top-level Help Desk Admin Role,$rootSuffix) (nsroledn=cn=Top-level Policy Admin Role,$rootSuffix)))) (targetattr != “nsroledn”) (version 3.0; acl “S1IS Organization Admin Role access allow all”; allow (all) roledn =”ldap:///cn=Organization Admin Role,[$dn],$rootSuffix”;) aci: (missing) (target=”ldap:///($dn),$rootSuffix”) (targetattr=”*”) (version 3.0; acl “Organization Admin Role access allow read to org node”; allow (read,search) roledn = “ldap:///cn=Organization Admin Role,($dn),$rootSuffix” ;) aci: (target=”ldap:///($dn),$rootSuffix”) (targetfilter=(!(|(nsroledn=cn=Top-level Admin Role,$rootSuffix) (nsroledn=cn=Top-level Help Desk Admin Role,$rootSuffix)))) (targetattr != “nsroledn”) (version 3.0; acl “Organization Admin Role access allow”; allow (all) roledn = “ldap:///cn=Organization Admin Role,[$dn],$rootSuffix”;) aci: (target=”ldap:///($dn),$rootSuffix”) (targetattr!=”businessCategory || description || facsimileTelephoneNumber || postalAddress || preferredLanguage || searchGuide || postOfficeBox || postalCode || registeredaddress || street || l || st || telephonenumber || maildomainreportaddress || maildomainwelcomemessage || preferredlanguage || sunenablegab”) (version 3.0; acl “Organization Admin Role access deny to org node”; deny (write,add,delete) roledn = “ldap:///cn=Organization Admin Role,($dn),$rootSuffix” ;) aci: (duplicate of per organization aci) (target=”ldap:///cn=Organization Admin Role,($dn),$rootSuffix”) (targetattr=”*”) (version 3.0; acl “S1IS Organization Admin Role access deny”; deny (write,add,delete,compare,proxy) roledn = “ldap:///cn=Organization Admin Role,($dn),$rootSuffix”;) aci: (target=”ldap:///cn=Organization Admin Role,($dn),dc=red,dc=iplanet,dc=com”) (targetattr=”*”) (version 3.0; acl “S1IS Organization Admin Role access deny”; deny (write,add,delete,compare,proxy) roledn = “ldap:///cn=Organization Admin Role,($dn),$rootSuffix”;) aci: (target=”ldap:///o=fullOrg1,o=VIS,o=siroe.com,o=SharedDomainsRoot, o=Business,rootSuffix”) (targetfilter=(!(|(nsroledn=cn=Top-level Admin Role,$rootSuffix) (nsroledn=cn=Top-level Help Desk Admin Role,dc=red,dc=iplanet,dc=com)))) (targetattr = “nsroledn”) (targattrfilters=”add=nsroledn:(nsroledn=*,o=fullOrg1,o=VIS,o=siroe.com, o=SharedDomainsRoot,o=Business,$rootSuffix), del=nsroledn:(nsroledn=*,o=fullOrg1,o=VIS,o=siroe.com,o=SharedDomainsRoot, o=Business,$rootSuffix)”) (version 3.0; acl “S1IS Organization Admin Role access allow”; allow (all) roledn = “ldap:///cn=Organization Admin Role,o=fullOrg1,o=VIS,o=siroe.com,o=SharedDomainsRoot,o=Business, $rootSuffix”;) aci: (target=”ldap:///($dn),$rootSuffix”) (targetfilter=(!(|(nsroledn=cn=Top-level Admin Role,$rootSuffix) (nsroledn=cn=Top-level Help Desk Admin Role,$rootSuffix)))) (targetattr != “nsroledn”) (version 3.0; acl “S1IS Organization Admin Role access allow all”; allow (all) roledn = “ldap:///cn=Organization Admin Role,[$dn],dc=red,dc=iplanet,dc=com”;)
Consolidated Organization Admin ACIs
aci: (target=”ldap:///cn=Organization Admin Role,($dn),$rootSuffix”) (targetattr=”*”) (version 3.0; acl “S1IS Organization Admin Role access deny”; deny (write,add,delete,compare,proxy) roledn = “ldap:///cn=Organization Admin Role,($dn),$rootSuffix”;) aci: (target=”ldap:///($dn),$rootSuffix”) (targetattr=”*”) (version 3.0; acl “Organization Admin Role access allow read”; allow(read,search) roledn = “ldap:///cn=Organization Admin Role,[$dn],$rootSuffix” ;) aci: (target=”ldap:///($dn),$rootSuffix”) (targetfilter=(!(|(nsroledn=cn=Top-level Admin Role,$rootSuffix) (entrydn=($dn),$rootSuffix)))) ( targetattr = “*”) (version 3.0; acl “S1IS Organization Admin Role access allow”; allow (all) roledn = “ldap:///cn=Organization Admin Role,[$dn],$rootSuffix”;)
- © 2010, Oracle Corporation and/or its affiliates