The following procedure describes how to consolidate ACIS in the root suffix and remove unused ACIs.
Save your existing ACIs currently on the root suffix.
You can use the ldapsearch command, as in the following example:
ldapsearch -D “cn=Directory Manager” -w <password> -s base -b <$rootSuffix> aci=* aci ><filename>
<password> is the password of the Directory Server administrator.
<$rootSuffix> is your root suffix, such as o=usergroup.
<filename> is the name of the file into which the saved ACIs will be written.
Copy and rename the replacement.acis.ldif file.
When you install Delegated Administrator, the replacement.acis.ldif file is installed in the following directory:
Edit the $rootSuffix entries in your copy of the replacement.acis.ldif file.
Change the root suffix parameter, $rootSuffix, to your root suffix (such as o=usergroup). The $rootSuffix parameter appears multiple times in the ldif file; each instance must be replaced.
Use the LDAP directory tool ldapmodify to replace the ACIs.
For example, you could run the following command:
ldapmodify -D <directory manager> -w <password> -f <replacement.acis.finished.ldif>
<directory manager> is the name of the Directory Server administrator.
<password> is the password of the Directory Service administrator.
<replacement.acis.finished.ldif> is the name of the edited ldif file that consolidates and removes ACIs in the directory.