根后缀 (Sun Java System Communications Services 6 2005Q4 Delegated Administrator 指南)

Sun Java System Communications Services 6 2005Q4 Delegated Administrator 指南

根后缀

-------------------------------------------------------------------------------------------------------------

dn: $rootSuffix
#
# consolidate
#
aci:
(targetattr != “nsroledn || aci || nsLookThroughLimit || nsSizeLimit ||
nsTimeLimit || nsIdleTimeout || passwordPolicySubentry
|| passwordExpirationTime
|| passwordExpWarned || passwordRetryCount || retryCountResetTime
|| accountUnlockTime || passwordHistory || passwordAllowChangeTime”)
(version 3.0; acl “Allow self entry modification except for nsroledn, aci,
resource limit attributes, passwordPolicySubentry and password policy state
attributes”;
allow (write)
userdn =”ldap:///self”;)

操作：合并。

无需自访问此后缀。此 ACI 将被复制；它可以合并到根后缀上的 ACI 自身中。

------------------------------------------------------------------------------------------------------------

-------------------------------------------------------------------------------------------------------------

#
# retain
#
aci:
(targetattr = “*”)
(version 3.0; acl “Configuration Administrator”;
allow (all)
userdn = “ldap:///uid=admin, ou=Administrators,
ou=TopologyManagement,o=NetscapeRoot”;)

操作：保留。

此后缀是 "admin" 用户，该用户将通过“通道验证”来验证 slapd-config 实例。如果所有配置是以 Directory Manager 身份使用命令行实用程序执行的，则无需此 ACI。如果某个用户需要以此用户身份验证控制台，则可以将此 ACI 保留在此处。可以删除类似的 ACI。

-------------------------------------------------------------------------------------------------------------

#
# discard
#
aci:
(targetattr =”*”)
(version 3.0;acl “Configuration Administrators Group”;
allow (all)
(groupdn = “ldap:///cn=Configuration Administrators, ou=Groups,
ou=TopologyManagement, o=NetscapeRoot”);)

操作：在所有 DB 后端上执行放弃。

此后缀是“配置管理员”组，当使用控制台来委托服务器管理特权时，该组将具有此权限。

------------------------------------------------------------------------------------------------------------

-------------------------------------------------------------------------------------------------------------

#
# discard
#
aci:
(targetattr =”*”)
(version 3.0;acl “Directory Administrators Group”;
allow (all)
(groupdn = “ldap:///cn=Directory Administrators, $rootSuffix”);)

操作：在所有 DB 后端上执行放弃。

此后缀是常见“目录管理员”组特权定义。

-------------------------------------------------------------------------------------------------------------

#
# discard
#
aci:
(targetattr = “*”)
(version 3.0; acl “SIE Group”;
allow (all)
groupdn = “ldap:///cn=slapd-whater, cn=Sun ONE Directory Server, 
cn=Server Group, cn=whater.red.iplanet.com, ou=red.iplanet.com, 
o=NetscapeRoot”;)

操作：在所有 DB 后端上执行放弃。

此后缀是控制台/管理服务器相关组特权定义。

-------------------------------------------------------------------------------------------------------------

Access Manager

-------------------------------------------------------------------------------------------------------------

# retain
#
aci:
(target=”ldap:///$rootSuffix”)
(targetattr=”*”)
(version 3.0; acl “S1IS Proxy user rights”;
allow (proxy)
userdn = “ldap:///cn=puser,ou=DSAME Users,$rootSuffix”; )

操作：保留。

此 ACI 可授予系统用户访问 Access Manager 的权限。

-------------------------------------------------------------------------------------------------------------

#
# retain
#
aci:
 (target=”ldap:///$rootSuffix”)
(targetattr=”*”)
(version 3.0; acl “S1IS special dsame user rights for all under the
root suffix”;
allow (all)
userdn = “ldap:///cn=dsameuser,ou=DSAME Users,$rootSuffix”; )

操作：保留。

此 ACI 可授予系统用户访问 Access Manager 的权限。

-------------------------------------------------------------------------------------------------------------

#
# retain
#
aci:
(target=”ldap:///$rootSuffix”)(targetattr=”*”)|
(version 3.0;acl “S1IS special ldap auth user rights”;
allow (read,search)
userdn = “ldap:///cn=amldapuser,ou=DSAME Users,$rootSuffix”; )

操作：保留。

此 ACI 可授予系统用户访问 Access Manager 的权限。

-------------------------------------------------------------------------------------------------------------

#
# discard
#
aci:
(target=”ldap:///cn=amldapuser,ou=DSAME Users,$rootSuffix”)
(targetattr = “*”)
(version 3.0;
acl “S1IS special ldap auth user modify right”;
deny (write)
roledn != “ldap:///cn=Top-level Admin Role,$rootSuffix”;)

操作：放弃。

此 ACI 可阻止顶级管理员 ( Top-Level Administrator, TLA) 修改 amldapuser 帐户。

-------------------------------------------------------------------------------------------------------------

#
# retain
#
aci:
(target=”ldap:///$rootSuffix”)
(targetattr=”*”)
(version 3.0; acl “S1IS Top-level admin rights”;
allow (all)
roledn = “ldap:///cn=Top-level Admin Role,$rootSuffix”; )

操作：保留。

此 ACI 可向顶级管理员职责授予访问权限。

-------------------------------------------------------------------------------------------------------------

#
# discard
#
aci:
(targetattr=”iplanet-am-saml-user || iplanet-am-saml-password”)
(targetfilter=”(objectclass=iplanet-am-saml-service)”)
(version 3.0; acl “S1IS Right to modify saml user and password”;
deny (all)
(roledn != “ldap:///cn=Top-level Admin Role,$rootSuffix”)
AND (userdn != “ldap:///cn=dsameuser,ou=DSAME Users,$rootSuffix”)
AND (userdn != “ldap:///cn=puser,ou=DSAME Users,$rootSuffix”); )

操作：放弃。

此 ACI 可保护 SAML 相关属性。

-------------------------------------------------------------------------------------------------------------

顶级帮助桌面管理职责

-------------------------------------------------------------------------------------------------------------

#
# discard
#
aci:
(target=”ldap:///$rootSuffix”)
(targetfilter=(!(nsroledn=cn=Top-level Admin Role,$rootSuffix)))
(targetattr = “*”)
(version 3.0; acl “S1IS Top-level Help Desk Admin Role access allow”;
allow (read,search)
roledn = “ldap:///cn=Top-level Help Desk Admin Role,$rootSuffix”;)

操作：放弃。

-------------------------------------------------------------------------------------------------------------

#
# discard
#
aci:
(target=”ldap:///$rootSuffix”)
(targetfilter=(!(nsroledn=cn=Top-level Admin Role,$rootSuffix)))
(targetattr = “userPassword”)
(version 3.0; acl “S1IS Top-level Help Desk Admin Role access allow”;
allow (write)
roledn = “ldap:///cn=Top-level Help Desk Admin Role,$rootSuffix”;)

操作：放弃。

-------------------------------------------------------------------------------------------------------------

顶级策略管理职责

-------------------------------------------------------------------------------------------------------------

#
# discard
#
aci:
target=”ldap:///$rootSuffix”)
(targetfilter=(!(|(nsroledn=cn=Top-level Admin Role,$rootSuffix))))
(targetattr = “*”)
(version 3.0; acl “S1IS Top-level Policy Admin Role access allow”;
allow (read,search)
roledn = “ldap:///cn=Top-level Policy Admin Role,$rootSuffix”;)

操作：放弃。

此 ACI 属于顶级策略管理职责。

-------------------------------------------------------------------------------------------------------------

#
# discard
#
aci:
(target=”ldap:///ou=iPlanetAMAuthService,ou=services,*$rootSuffix”)
(targetattr = “*”)
(version 3.0; acl “S1IS Top-level Policy Admin Role access Auth Service
deny”;
deny (add,write,delete)
roledn = “ldap:///cn=Top-level Policy Admin Role,$rootSuffix”;)

操作：放弃。

此 ACI 属于顶级策略管理职责。

-------------------------------------------------------------------------------------------------------------

#
# discard
#
aci:
(target=”ldap:///ou=services,*$rootSuffix”)
(targetattr = “*”)
(version 3.0; acl “S1IS Top-level Policy Admin Role access allow”;
allow (all)
roledn = “ldap:///cn=Top-level Policy Admin Role,$rootSuffix”;)

操作：放弃。

此 ACI 属于顶级策略管理职责。

-------------------------------------------------------------------------------------------------------------

#
# discard
#
aci:
(target=”ldap:///$rootSuffix”)
(targetfilter=”(objectclass=sunismanagedorganization)”)
(targetattr = “sunRegisteredServiceName”)
(version 3.0; acl “S1IS Top-level Policy Admin Role access allow”;
allow (read,write,search)
roledn = “ldap:///cn=Top-level Policy Admin Role,$rootSuffix”;)

操作：放弃。

此 ACI 属于顶级策略管理职责。

-------------------------------------------------------------------------------------------------------------

AM 自身

-------------------------------------------------------------------------------------------------------------

#
# consolidate
#
aci:
(targetattr = “*”)
(version 3.0;
acl “S1IS Deny deleting self”;
deny (delete)
userdn =”ldap:///self”;)

操作：合并为单个自写 ACI。由于最终用户不具有删除任何条目（包括其自身）的权限，因此无需显式拒绝。

这是若干用于设置自身权限的 ACI 之一。显式拒绝可阻止任何条目删除其自身。

-------------------------------------------------------------------------------------------------------------

#
# consolidate
#
aci:
(targetattr = “objectclass || inetuserstatus 
|| iplanet-am-user-login-status
|| iplanet-am-web-agent-access-allow-list 
|| iplanet-am-domain-url-access-allow
|| iplanet-am-web-agent-access-deny-list || iplanet-am-user-account-life
|| iplanet-am-session-max-session-time || iplanet-am-session-max-idle-time
|| iplanet-am-session-get-valid-sessions 
|| iplanet-am-session-destroy-sessions
|| iplanet-am-session-add-session-listener-on-all-sessions 
|| iplanet-am-user-admin-start-dn
|| iplanet-am-auth-post-login-process-class”)
(targetfilter=(!(nsroledn=cn=Top-level Admin Role,$rootSuffix)))
(version 3.0; acl “S1IS User status self modification denied”;
deny (write)
userdn =”ldap:///self”;)

操作：合并为单个自写 ACI。

这是若干用于设置自写权限的 ACI 之一。

-------------------------------------------------------------------------------------------------------------

#
# consolidate
#
aci:
(targetattr != “iplanet-am-static-group-dn || uid || nsroledn || aci 
|| nsLookThroughLimit || nsSizeLimit || nsTimeLimit || nsIdleTimeout 
|| memberOf || iplanet-am-web-agent-access-allow-list
|| iplanet-am-domain-url-access-allow 
|| iplanet-am-web-agent-access-deny-list”)
(version 3.0; acl “S1IS Allow self entry modification except for nsroledn,
aci, and resource limit attributes”;
allow (write)
userdn =”ldap:///self”;)

操作：合并为单个自写 ACI。

这是若干用于设置权限的 ACI 之一。

-------------------------------------------------------------------------------------------------------------

#
# consolidate
#
aci:
(targetattr != “aci || nsLookThroughLimit || nsSizeLimit || nsTimeLimit
|| nsIdleTimeout || iplanet-am-domain-url-access-allow”)
(version 3.0; acl “S1IS Allow self entry read search except for nsroledn,
aci, resource limit and web agent policy attributes”;
allow (read,search)
userdn =”ldap:///self”;)

操作：合并为单个自写 ACI。

这是若干用于设置自写权限的 ACI 之一。

-------------------------------------------------------------------------------------------------------------

AM 匿名

-------------------------------------------------------------------------------------------------------------

#
# consolidate
#
aci:
(target=”ldap:///ou=services,$rootSuffix”)
(targetfilter=(!(objectclass=sunServiceComponent)))
(targetattr = “*”)
(version 3.0; acl “S1IS Services anonymous access”;
allow (read, search, compare)
userdn = “ldap:///anyone”;)

操作：合并为单个匿名 ACI。

这是若干用于授予匿名特权的 ACI 之一。

-------------------------------------------------------------------------------------------------------------

#
# consolidate
#
aci:
(target=”ldap:///ou=iPlanetAMAdminConsoleService,*,$rootSuffix”)
(targetattr = “*”)
(version 3.0; acl “S1IS iPlanetAMAdminConsoleService anonymous access”;
allow (read, search, compare)
userdn = “ldap:///anyone”;)

操作：合并为单个匿名 ACI。

这是若干用于授予匿名特权的 ACI 之一。

-------------------------------------------------------------------------------------------------------------

#
# discard
#
aci:
(target=”ldap:///$rootSuffix”)
(targetfilter=(entrydn=$rootSuffix))
(targetattr=”*”)
(version 3.0; acl “S1IS Default Organization delete right denied”;
deny (delete)
userdn = “ldap:///anyone”; )

操作：放弃。

此 ACI 可阻止任何用户（rootdn 除外）删除默认组织。

-------------------------------------------------------------------------------------------------------------

#
# discard
#
aci:
(target=”ldap:///cn=Top-level Admin Role,$rootSuffix”)
(targetattr=”*”)
(version 3.0; acl “S1IS Top-level admin delete right denied”;
deny(delete)
userdn = “ldap:///anyone”; )

操作：放弃。

此 ACI 可阻止任何用户（rootdn 除外）删除顶级管理员职责。

-------------------------------------------------------------------------------------------------------------

AM 拒绝写访问

-------------------------------------------------------------------------------------------------------------

#
# discard
#
aci: (targetattr = “*”)
(version 3.0; acl “S1IS Deny write to anonymous user”;
deny (add,write,delete)
roledn =”ldap:///cn=Deny Write Access,$rootSuffix”;)

操作：放弃。

此 ACI 属于拒绝写访问职责。

-------------------------------------------------------------------------------------------------------------

AM 容器管理职责

-------------------------------------------------------------------------------------------------------------

#
# discard
#
aci:
(target=”ldap:///($dn),$rootSuffix”)
(targetfilter=(!(|(nsroledn=cn=Top-level Admin Role,$rootSuffix)
(nsroledn=cn=Top-level Help Desk Admin Role,$rootSuffix)
(nsroledn=cn=Top-level Policy Admin Role,$rootSuffix))))
(targetattr != “nsroledn”)
(version 3.0; acl “S1IS Container Admin Role access allow”;
allow (all)
roledn = “ldap:///cn=Container Admin Role,[$dn],$rootSuffix”;)

操作：放弃。

此 ACI 属于容器管理职责。

-------------------------------------------------------------------------------------------------------------

#
# discard
#
aci:
(target=”ldap:///cn=Container Admin Role,($dn),$rootSuffix”)
(targetattr=”*”)
(version 3.0; acl “S1IS Container Admin Role access deny”;
deny (write,add,delete,compare,proxy)
roledn = “ldap:///cn=Container Admin Role,($dn),$rootSuffix”;)

操作：放弃。

此 ACI 属于容器管理职责。

-------------------------------------------------------------------------------------------------------------

#
# discard
#
aci:
 (target=”ldap:///ou=People,$rootSuffix”)
(targetfilter=(!(|(nsroledn=cn=Top-level Admin Role,$rootSuffix)
(nsroledn=cn=Top-level Help Desk Admin Role,$rootSuffix)
(nsroledn=cn=Top-level Policy Admin Role,$rootSuffix)
(nsroledn=cn=Organization Admin Role,$rootSuffix)
(nsroledn=cn=Container Admin Role,$rootSuffix))))
(targetattr != “iplanet-am-web-agent-access-allow-list 
|| iplanet-am-domain-url-access-allow
|| iplanet-am-web-agent-access-deny-list || nsroledn”)
(version 3.0; acl “S1IS Group and people container admin role”;
allow (all)
roledn = “ldap:///cn=ou=People_dc=red_dc=iplanet_dc=com,$rootSuffix”;)

操作：放弃。

此 ACI 属于组和人员容器管理职责。

-------------------------------------------------------------------------------------------------------------

组织帮助台

-------------------------------------------------------------------------------------------------------------

#
# discard
#
aci: (extra verses dreambig)
(target=”ldap:///$rootSuffix”)
(targetfilter=(!(|(nsroledn=cn=Top-level Admin Role,$rootSuffix)
(nsroledn=cn=Top-level Help Desk Admin Role,$rootSuffix)
(nsroledn=cn=Top-level Policy Admin Role,$rootSuffix)
(nsroledn=cn=Organization Admin Role,$rootSuffix))))
(targetattr = “*”)
(version 3.0; acl “S1IS Organization Help Desk Admin Role access allow”;
allow (read,search)
roledn = “ldap:///cn=Organization Help Desk Admin Role,$rootSuffix”;)

操作：放弃。

此 ACI 属于组织帮助台管理职责。

-------------------------------------------------------------------------------------------------------------

#
# discard
#
aci:
(target=”ldap:///$rootSuffix”)
(targetfilter=(!(|(nsroledn=cn=Top-level Admin Role,$rootSuffix)
(nsroledn=cn=Top-level Help Desk Admin Role,$rootSuffix)
(nsroledn=cn=Top-level Policy Admin Role,$rootSuffix)
(nsroledn=cn=Organization Admin Role,$rootSuffix))))
(targetattr = “userPassword”)
(version 3.0; acl “S1IS Organization Help Desk Admin Role access allow”;
allow (write)
roledn = “ldap:///cn=Organization Help Desk Admin Role,$rootSuffix”;)

操作：放弃。

此 ACI 属于组织帮助台管理职责。

-------------------------------------------------------------------------------------------------------------

AM 组织管理职责

-------------------------------------------------------------------------------------------------------------

#
# consolidate
#
aci: (different name - “allow all” instead of “allow”)
(target=”ldap:///($dn),$rootSuffix”)
(targetfilter=(!(|(nsroledn=cn=Top-level Admin Role,$rootSuffix)
(nsroledn=cn=Top-level Help Desk Admin Role,$rootSuffix)
(nsroledn=cn=Top-level Policy Admin Role,$rootSuffix))))
(targetattr != “nsroledn”)
(version 3.0; acl “S1IS Organization Admin Role access allow all”;
allow (all)
roledn =”ldap:///cn=Organization Admin Role,[$dn],$rootSuffix”;)

操作：合并。

-------------------------------------------------------------------------------------------------------------

#
# consolidate
#
aci:
(target=”ldap:///cn=Organization Admin Role,($dn),$rootSuffix”)
(targetattr=”*”)
(version 3.0; acl “S1IS Organization Admin Role access deny”;
deny (write,add,delete,compare,proxy)
roledn = “ldap:///cn=Organization Admin Role,($dn),$rootSuffix”;)

操作：合并。

此 ACI 属于组织管理职责。

-------------------------------------------------------------------------------------------------------------

#
# consolidate
#
aci: (missing)
(target=”ldap:///($dn),$rootSuffix”)
(targetattr=”*”)
(version 3.0; acl “Organization Admin Role access allow read to org node”;
allow (read,search)
roledn = “ldap:///cn=Organization Admin Role,($dn),$rootSuffix” ;)

操作：合并。

此 ACI 属于组织管理职责。

-------------------------------------------------------------------------------------------------------------

#
# consolidate
#
aci:
(target=”ldap:///($dn),$rootSuffix”)
(targetfilter=(!(|(nsroledn=cn=Top-level Admin Role,$rootSuffix)
(nsroledn=cn=Top-level Help Desk Admin Role,$rootSuffix))))
(targetattr != “nsroledn”)
(version 3.0; acl “Organization Admin Role access allow”;
allow (all)
roledn = “ldap:///cn=Organization Admin Role,[$dn],$rootSuffix”;)

操作：合并。

此 ACI 属于组织管理职责。

-------------------------------------------------------------------------------------------------------------

#
# consolidate
#
aci:
(target=”ldap:///($dn),$rootSuffix”)
(targetattr!=”businessCategory || description || facsimileTelephoneNumber
|| postalAddress || preferredLanguage || searchGuide || postOfficeBox ||
postalCode
|| registeredaddress || street || l || st || telephonenumber
||maildomainreportaddress
|| maildomainwelcomemessage || preferredlanguage || sunenablegab”)
(version 3.0; acl “Organization Admin Role access deny to org node”;
deny (write,add,delete)
roledn = “ldap:///cn=Organization Admin Role,($dn),$rootSuffix” ;)

操作：合并。

此 ACI 属于组织管理职责。

-------------------------------------------------------------------------------------------------------------

#
# consolidate
#
aci:
(target=”ldap:///($dn),$rootSuffix”)
(targetfilter=(!(|(nsroledn=cn=Top-level Admin Role,$rootSuffix)
(nsroledn=cn=Top-level Help Desk Admin Role,$rootSuffix))))
(targetattr != “nsroledn”)
(version 3.0; acl “S1IS Organization Admin Role access allow all”;
allow (all)
roledn = “ldap:///cn=Organization Admin Role,[$dn],$rootSuffix”;)

操作：合并。

-------------------------------------------------------------------------------------------------------------

AM 杂项

-------------------------------------------------------------------------------------------------------------

#
#
# discard
#
aci:
(target=”ldap:///$rootSuffix”)
(targetattr!=”nsroledn”)
(version 3.0; acl “S1IS Group admin’s right to the users he creates”;
allow (all)
userattr = “iplanet-am-modifiable-by#ROLEDN”;)

操作：放弃。

放弃此 ACI 将会禁用与属性 iplanet-am-modifiable-by 关联的特权。

-------------------------------------------------------------------------------------------------------------

Messaging Server

-------------------------------------------------------------------------------------------------------------

#
# consolidate
#
aci:
(target=”ldap:///$rootSuffix”)
(targetattr=”*”)
(version 3.0; acl “Messaging Server End User Administrator Read
Access Rights -
product=SOMS,schema 2 support,class=installer,num=1,version=1”;
allow (read,search)
groupdn=”ldap:///cn=Messaging End User Administrators Group, ou=Groups,
$rootSuffix”;)

操作：合并。

此 ACI 可向通讯最终用户管理员组授予权限。

-------------------------------------------------------------------------------------------------------------

#
# consolidate
#
aci:
(target=”ldap:///$rootSuffix”)
(targetattr=”objectclass||mailalternateaddress||mailautoreplymode
||mailprogramdeliveryinfo||nswmextendeduserprefs||preferredlanguage
||maildeliveryoption||mailforwardingaddress
||mailAutoReplyTimeout||mailautoreplytextinternal||mailautoreplytext
||vacationEndDate||vacationStartDate||mailautoreplysubject||pabURI
||maxPabEntries||mailMessageStore||mailSieveRuleSource||sunUCDateFormat
||sunUCDateDeLimiter||sunUCTimeFormat”)
(version 3.0; acl “Messaging Server End User Adminstrator Write
Access Rights -
product=SOMS,schema 2 support,class=installer,num=2,version=1”;
allow (all)
groupdn=”ldap:///cn=Messaging End User Administrators Group, ou=Groups,
$rootSuffix”;)

操作：合并。

此 ACI 可向通讯最终用户管理员组授予权限。

-------------------------------------------------------------------------------------------------------------

#
# consolidate
#
aci:
(targetattr=”uid||ou||owner||mail||mailAlternateAddress
||mailEquivalentAddress||memberOf
||inetuserstatus||mailuserstatus||memberOfManagedGroup||mailQuota
||mailMsgQuota||inetSubscriberAccountId||dataSource||mailhost
||mailAllowedServiceAcces||pabURI||inetCOS||mailSMTPSubmitChannel
||aci”)
(targetfilter=(&(objectClass=inetMailUser)(!(nsroledn=cn=Organization
Admin Role,*))))
(version 3.0; acl “Deny write access to users over Messaging Server
protected attributes -
product=SOMS,schema 2 support,class=installer,num=3,version=1 “;
deny (write)
userdn = “ldap:///self”;)

操作：合并。

这是若干用于设置自身权限的 ACI 之一。

-------------------------------------------------------------------------------------------------------------