If you are using an LDAP directory in Schema 2 compatibility mode, you must manually add ACIs to the directory to enable Delegated Administrator to provision in your directory. Take the following steps:
Add the following two ACIs to the OSI root. You can find the following two ACIs in the usergroup.ldif file, located in the /opt/SUNWcomm/config directory.
Be sure to replace ugldapbasedn with your usergroup suffix. Add the edited usergroup.ldif into the LDAP directory.
#
# acis to limit Org Admin Role
#
########################################
# dn: <local.ugldapbasedn>
########################################
dn: <ugldapbasedn>
changetype: modify
add: aci
aci: (target="ldap:///($dn),<ugldapbasedn>")(targetattr="*") (version 3.0; acl "Organization Admin Role access deny to org node"; deny (write,add,delete) roledn = "ldap:///cn=Organization Admin Role,($dn),<ugldapbasedn>";)

dn: <ugldapbasedn>
changetype: modify
add: aci
aci: (target="ldap:///($dn),<ugldapbasedn>")(targetattr="*") (version 3.0; acl "Organization Admin Role access allow read to org node"; allow (read,search) roledn = "ldap:///cn=Organization Admin Role,($dn),<ugldapbasedn>";)
Add the following two ACIs to the DC Tree root suffix. You can find the following two ACIs in the dctree.ldif file, located in the /opt/SUNWcomm/config directory.
Be sure to replace dctreebasedn with your DC Tree root suffix and ugldapbasedn with your usergroup suffix. Add the edited dctree.ldif into the LDAP directory.
#
# acis to limit Org Admin Role
#
########################################
# dn: <dctreebasedn>
########################################
dn: <dctreebasedn>
changetype: modify
add: aci
aci: (target="ldap:///($dn),<dctreebasedn>")(targetattr="*") (version 3.0; acl "Organization Admin Role access deny to dc node"; deny (write,add,delete) roledn = "ldap:///cn=Organization Admin Role,($dn),<ugldapbasedn>";)

dn: <dctreebasedn>
changetype: modify
add: aci
aci: (target="ldap:///($dn),<dctreebasedn>")(targetattr="*") (version 3.0; acl "Organization Admin Role access allow read to dc node"; allow (read,search) roledn = "ldap:///cn=Organization Admin Role,($dn),<ugldapbasedn>";)
Add the following additional ACIs to the DC Tree root suffix. (These ACIs are not in the dctree.ldif file.)
dn: <dctreebasedn>
changetype: modify
add: aci
aci: (target="ldap:///<dctreebasedn>")(targetattr="*") (version 3.0; acl "S1IS Proxy user rights"; allow (proxy) userdn = "ldap:///cn=puser,ou=DSAME Users,<ugldapbasedn>";)

dn: <dctreebasedn>
changetype: modify
add: aci
aci: (target="ldap:///<dctreebasedn>")(targetattr="*") (version 3.0; acl "S1IS special dsame user rights for all under the root suffix"; allow (all) userdn = "ldap:///cn=dsameuser,ou=DSAME Users,<ugldapbasedn>";)

dn: <dctreebasedn>
changetype: modify
add: aci
aci: (target="ldap:///<dctreebasedn>")(targetattr="*") (version 3.0; acl "S1IS Top-level admin rights"; allow (all) roledn = "ldap:///cn=Top-level Admin Role,<ugldapbasedn>";)
Set the com.iplanet.am.domaincomponent property in the AMConfig.properties file to your DC Tree root suffix.
For example, modify the following lines in the <AM_base_directory>/lib/AMConfig.properties file:
from
com.iplanet.am.domaincomponent=o=isp
to
com.iplanet.am.domaincomponent=o=internet
Enable Access Manager (formerly called Identity Server) to use compatibility mode.
In the Access Manager Console, in the Administration Console Service page, check (enable) the Domain Component Tree Enabled check box.
Add the inetdomain object class to all the DC Tree nodes (such as dc=com,o=internet), as in the following example:
/var/mps/serverroot/shared/bin 298% ./ldapmodify -D "cn=Directory Manager" -w password
dn: dc=com,o=internet
changetype: modify
add: objectclass
objectclass: inetdomain
Restart the Web container.
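As an added example that is not part of the original documentation, the following Python renders the four Organization Admin Role ACIs from the steps above for real suffixes, emits them as ldapmodify input, and reports which of them are missing from a suffix's aci attribute; the function names, the o=usergroup and o=internet suffixes, and the sample aci values are constructed for this example.

```python
"""Added example (constructed): render the Org Admin Role ACIs above, then check a suffix's aci values for them."""
import re

def org_admin_acis(ugldapbasedn, dctreebasedn):
    """Return {suffix: [deny_aci, allow_aci]} for the usergroup and DC Tree suffixes."""
    role = f'ldap:///cn=Organization Admin Role,($dn),{ugldapbasedn}'
    acis = {}
    for suffix, node in ((ugldapbasedn, "org"), (dctreebasedn, "dc")):
        target = f'(target="ldap:///($dn),{suffix}")(targetattr="*")'
        acis[suffix] = [
            f'{target} (version 3.0; acl "Organization Admin Role access deny to {node} node"; '
            f'deny (write,add,delete) roledn = "{role}";)',
            f'{target} (version 3.0; acl "Organization Admin Role access allow read to {node} node"; '
            f'allow (read,search) roledn = "{role}";)',
        ]
    return acis

def to_ldif(acis):
    """ldapmodify input: one modify entry per ACI, as in usergroup.ldif and dctree.ldif."""
    return "\n".join(f"dn: {dn}\nchangetype: modify\nadd: aci\naci: {aci}\n"
                     for dn, values in acis.items() for aci in values)

ACI_HEAD = re.compile(r'acl\s+"([^"]*)"\s*;\s*(allow|deny)\s*\(([^)]*)\)')

def summarise(aci_values):
    """Map acl name -> (allow|deny, rights) so a reviewer can see what a suffix grants."""
    out = {}
    for v in aci_values:
        if m := ACI_HEAD.search(v):
            out[m.group(1)] = (m.group(2), tuple(r.strip() for r in m.group(3).split(",")))
    return out

def missing_acis(existing_values, required_values):
    """Required ACIs absent from the attribute (whitespace-insensitive comparison)."""
    norm = lambda s: re.sub(r"\s+", " ", s).strip()
    have = {norm(v) for v in existing_values}
    return [r for r in required_values if norm(r) not in have]

# Constructed sample: aci values on o=internet where the "deny" ACI was forgotten.
SAMPLE_DC_TREE_ACIS = [
    '(target="ldap:///($dn),o=internet")(targetattr="*") (version 3.0; acl "Organization Admin Role '
    'access allow read to dc node"; allow (read,search) roledn = "ldap:///cn=Organization Admin Role,($dn),o=usergroup";)',
    '(target="ldap:///o=internet")(targetattr="*") (version 3.0; acl "S1IS Top-level admin rights"; '
    'allow (all) roledn = "ldap:///cn=Top-level Admin Role,o=usergroup";)',
]

if __name__ == "__main__":
    required = org_admin_acis("o=usergroup", "o=internet")
    for aci in missing_acis(SAMPLE_DC_TREE_ACIS, required["o=internet"]):
        print("MISSING on o=internet:", ACI_HEAD.search(aci).group(1))
```

Feed the output of to_ldif to ldapmodify as in the steps above, and run missing_acis against the aci values an ldapsearch on each suffix returns to confirm that the deny ACI, which keeps an Organization Admin from modifying its own org or dc node, is actually in place.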