The listing in this section shows the consolidated ACIs contained in the replacement LDIF file, replacement.acis.ldif, which can be used to merge the ACIs into the directory. For instructions on replacing the ACIs, see the steps for replacing the ACIs.
The ACIs are grouped in pairs. For each category, the original ACIs are listed first, followed by the consolidated ACI:
Original ACIs:
aci: (targetattr != "userPassword || passwordHistory || passwordExpirationTime || passwordExpWarned || passwordRetryCount || retryCountResetTime || accountUnlockTime || passwordAllowChangeTime") (version 3.0; acl "Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";)
aci: (target="ldap:///cn=Top-level Admin Role,$rootSuffix") (targetattr="*") (version 3.0; acl "S1IS Top-level admin delete right denied"; deny (delete) userdn = "ldap:///anyone";)
aci: (target="ldap:///$rootSuffix") (targetfilter=(entrydn=$rootSuffix)) (targetattr="*") (version 3.0; acl "S1IS Default Organization delete right denied"; deny (delete) userdn = "ldap:///anyone";)
aci: (target="ldap:///ou=services,$rootSuffix") (targetfilter=(!(objectclass=sunServiceComponent))) (targetattr = "*") (version 3.0; acl "S1IS Services anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";)
aci: (target="ldap:///ou=iPlanetAMAdminConsoleService,*,$rootSuffix") (targetattr = "*") (version 3.0; acl "S1IS iPlanetAMAdminConsoleService anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";)

Consolidated ACI:
aci: (target="ldap:///$rootSuffix") (targetfilter=(!(objectclass=sunServiceComponent))) (targetattr != "userPassword || passwordHistory || passwordExpirationTime || passwordExpWarned || passwordRetryCount || retryCountResetTime || accountUnlockTime || passwordAllowChangeTime") (version 3.0; acl "anonymous access rights"; allow (read,search,compare) userdn = "ldap:///anyone";)
Analysis: This ACI, placed at the root, allows the same access as the original set of anonymous ACIs. It does so by listing a set of excluded attributes. This replacement ACI can improve performance by removing the (*) from the target.
Original ACIs:
aci: (targetattr != "nsroledn || aci || nsLookThroughLimit || nsSizeLimit || nsTimeLimit || nsIdleTimeout || passwordPolicySubentry || passwordExpirationTime || passwordExpWarned || passwordRetryCount || retryCountResetTime || accountUnlockTime || passwordHistory || passwordAllowChangeTime") (version 3.0; acl "Allow self entry modification except for nsroledn, aci, resource limit attributes, passwordPolicySubentry and password policy state attributes"; allow (write) userdn = "ldap:///self";)
aci: (targetattr = "*") (version 3.0; acl "S1IS Deny deleting self"; deny (delete) userdn = "ldap:///self";)
aci: (targetattr = "objectclass || inetuserstatus || iplanet-am-web-agent-access-allow-list || iplanet-am-domain-url-access-allow || iplanet-am-web-agent-access-deny-list || iplanet-am-user-account-life || iplanet-am-session-max-session-time || iplanet-am-session-max-idle-time || iplanet-am-session-get-valid-sessions || iplanet-am-session-destroy-sessions || iplanet-am-session-add-session-listener-on-all-sessions || iplanet-am-user-admin-start-dn || iplanet-am-auth-post-login-process-class") (targetfilter=(!(nsroledn=cn=Top-level Admin Role,$rootSuffix))) (version 3.0; acl "S1IS User status self modification denied"; deny (write) userdn = "ldap:///self";)
aci: (targetattr != "iplanet-am-static-group-dn || uid || nsroledn || aci || nsLookThroughLimit || nsSizeLimit || nsTimeLimit || nsIdleTimeout || memberOf || iplanet-am-web-agent-access-allow-list || iplanet-am-domain-url-access-allow || iplanet-am-web-agent-access-deny-list") (version 3.0; acl "S1IS Allow self entry modification except for nsroledn, aci, and resource limit attributes"; allow (write) userdn = "ldap:///self";)
aci: (targetattr != "aci || nsLookThroughLimit || nsSizeLimit || nsTimeLimit || nsIdleTimeout || iplanet-am-domain-url-access-allow") (version 3.0; acl "S1IS Allow self entry read search except for nsroledn, aci, resource limit and web agent policy attributes"; allow (read,search) userdn = "ldap:///self";)
aci: (targetattr="uid||ou||owner||mail||mailAlternateAddress||mailEquivalentAddress||memberOf||inetuserstatus||mailuserstatus||memberOfManagedGroup||mailQuota||mailMsgQuota||inetSubscriberAccountId||dataSource||mailhost||mailAllowedServiceAccess||pabURI||inetCOS||mailSMTPSubmitChannel||aci") (targetfilter=(&(objectClass=inetMailUser)(!(nsroledn=cn=Organization Admin Role,*)))) (version 3.0; acl "Deny write access to users over Messaging Server protected attributes - product=SOMS,schema 2 support,class=installer,num=3,version=1"; deny (write) userdn = "ldap:///self";)

Consolidated ACIs:
aci: (targetattr != "nsroledn || aci || nsLookThroughLimit || nsSizeLimit || nsTimeLimit || nsIdleTimeout || passwordPolicySubentry || passwordExpirationTime || passwordExpWarned || passwordRetryCount || retryCountResetTime || accountUnlockTime || passwordHistory || passwordAllowChangeTime || uid || memberOf || objectclass || inetuserstatus || ou || owner || mail || mailuserstatus || memberOfManagedGroup || mailQuota || mailMsgQuota || mailhost || mailAllowedServiceAccess || inetCOS || mailSMTPSubmitChannel") (version 3.0; acl "Allow self entry modification"; allow (write) userdn = "ldap:///self";)
aci: (targetattr != "aci || nsLookThroughLimit || nsSizeLimit || nsTimeLimit || nsIdleTimeout") (version 3.0; acl "Allow self entry read search"; allow (read,search) userdn = "ldap:///self";)
Analysis: All the iplanet-am-* attributes are omitted. Because deny is the default (when no ACI applies), all the deny ACIs are removed, and all the ACIs that allow write are merged into a single ACI.
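A check a practitioner wants before loading replacement.acis.ldif is evidence that a consolidated ACI grants exactly what the original set granted. The following Python example is added here and is not part of the original document or of the product. It implements a simplified Directory Server ACI model (only targetattr, the permission list and the bind rule are read; target and targetfilter are ignored; a matching deny wins and deny is the default) and reports every subject/operation/attribute combination whose outcome differs between the two sets. The ACI strings are constructed, shortened versions of the self-access ACIs analyzed above, plus a deliberately broken consolidation that forgets one protected attribute; the same check applies to the anonymous-access pair earlier in this section.

```python
"""Compare the effective access granted by two sets of Directory Server ACIs.

Simplified model (an assumption of this example, not a full ACI evaluator): only
targetattr, the allow/deny permission list and one bind rule are read; target and
targetfilter are ignored, so every ACI is taken to apply to the entry under test
(a plain inetMailUser entry holding no admin role). Directory Server semantics:
a matching deny always wins; otherwise access exists only if some ACI allows it.
"""
import itertools
import re
from dataclasses import dataclass
from typing import FrozenSet, Optional, Sequence

_TARGETATTR = re.compile(r'\(\s*targetattr\s*(!=|=)\s*"([^"]*)"\s*\)')
_ACL_NAME = re.compile(r'acl\s*"([^"]*)"\s*;')
_PERMISSION = re.compile(r'(allow|deny)\s*\(([^)]*)\)')
_BINDRULE = re.compile(r'\b(userdn|groupdn|roledn)\s*=\s*"([^"]*)"')


@dataclass(frozen=True)
class Aci:
    attrs: Optional[FrozenSet[str]]  # None stands for targetattr="*" (every attribute)
    negated: bool                     # True for targetattr != "..."
    effect: str                       # "allow" or "deny"
    ops: FrozenSet[str]               # e.g. {"read", "search"}
    subject: str                      # bind rule, e.g. 'userdn=ldap:///self'


def parse_aci(text: str) -> Aci:
    """Extract the fields the model needs from one 'aci: (...)' value."""
    ta, name, bind = _TARGETATTR.search(text), _ACL_NAME.search(text), _BINDRULE.search(text)
    perm = _PERMISSION.search(text, name.end() if name else 0)  # look past the acl name
    if not (ta and perm and bind):
        raise ValueError("unsupported ACI syntax: " + text)
    raw = ta.group(2).strip()
    return Aci(
        attrs=None if raw == "*" else frozenset(a.strip().lower() for a in raw.split("||")),
        negated=ta.group(1) == "!=",
        effect=perm.group(1),
        ops=frozenset(o.strip().lower() for o in perm.group(2).split(",")),
        subject=f"{bind.group(1)}={bind.group(2)}",
    )


def permitted(acis: Sequence[Aci], subject: str, op: str, attr: str) -> bool:
    """Deny wins over allow; with no matching allow the default is deny."""
    allowed = False
    for aci in acis:
        targets = aci.attrs is None or (attr.lower() in aci.attrs) != aci.negated
        if aci.subject != subject or op not in aci.ops or not targets:
            continue
        if aci.effect == "deny":
            return False
        allowed = True
    return allowed


def attribute_universe(*aci_sets: Sequence[Aci]) -> list:
    """Every attribute named in any ACI plus one named nowhere ('description'),
    so the 'everything else' branch of a targetattr != list is exercised too."""
    names = {"description"}
    for aci in itertools.chain(*aci_sets):
        names |= aci.attrs or set()
    return sorted(names)


def access_differences(original: Sequence[str], consolidated: Sequence[str],
                       ops=("read", "search", "compare", "write", "delete")) -> list:
    """Return (subject, op, attr, before, after) for every outcome that changed."""
    orig = [parse_aci(a) for a in original]
    cons = [parse_aci(a) for a in consolidated]
    subjects = sorted({a.subject for a in orig} | {a.subject for a in cons})
    diffs = []
    for subject, op, attr in itertools.product(subjects, ops, attribute_universe(orig, cons)):
        before, after = permitted(orig, subject, op, attr), permitted(cons, subject, op, attr)
        if before != after:
            diffs.append((subject, op, attr, before, after))
    return diffs


# Constructed, shortened versions of this section's self-access ACIs (attribute
# lists cut down so the outcome can be followed by hand); not the shipped ACIs.
ORIGINAL_SELF = [
    'aci: (targetattr != "nsroledn || aci || passwordHistory") (version 3.0; acl "Allow self entry modification except protected attributes"; allow (write) userdn = "ldap:///self";)',
    'aci: (targetattr = "*") (version 3.0; acl "S1IS Deny deleting self"; deny (delete) userdn = "ldap:///self";)',
    'aci: (targetattr = "objectclass || inetuserstatus") (version 3.0; acl "S1IS User status self modification denied"; deny (write) userdn = "ldap:///self";)',
    'aci: (targetattr = "uid || mail || mailQuota || aci") (version 3.0; acl "Deny write access over Messaging Server protected attributes"; deny (write) userdn = "ldap:///self";)',
    'aci: (targetattr != "aci") (version 3.0; acl "S1IS Allow self entry read search"; allow (read,search) userdn = "ldap:///self";)',
]
CONSOLIDATED_SELF = [
    'aci: (targetattr != "nsroledn || aci || passwordHistory || objectclass || inetuserstatus || uid || mail || mailQuota") (version 3.0; acl "Allow self entry modification"; allow (write) userdn = "ldap:///self";)',
    'aci: (targetattr != "aci") (version 3.0; acl "Allow self entry read search"; allow(read,search) userdn = "ldap:///self";)',
]
# A deliberately wrong consolidation that forgets to exclude mailQuota from the write ACI.
BROKEN_SELF = [CONSOLIDATED_SELF[0].replace(" || mailQuota", ""), CONSOLIDATED_SELF[1]]

if __name__ == "__main__":
    print("correct consolidation:", access_differences(ORIGINAL_SELF, CONSOLIDATED_SELF))
    print("broken consolidation: ", access_differences(ORIGINAL_SELF, BROKEN_SELF))
```

Running the script prints an empty list for the correct consolidation and a single entry for the broken one: self is granted write on mailQuota, which the original deny ACI withheld. Because target and targetfilter are ignored, the model only confirms the attribute-level reasoning of the analysis; that the consolidated ACI applies to the same subtree as the originals is a separate check.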
Original ACIs:
aci: (target="ldap:///$rootSuffix") (targetattr="*") (version 3.0; acl "Messaging Server End User Administrator Read Access Rights - product=SOMS,schema 2 support,class=installer,num=1,version=1"; allow (read,search) groupdn="ldap:///cn=Messaging End User Administrators Group, ou=Groups, $rootSuffix";)
aci: (target="ldap:///$rootSuffix") (targetattr="objectclass||mailalternateaddress||mailautoreplymode||mailprogramdeliveryinfo||nswmextendeduserprefs||preferredlanguage||maildeliveryoption||mailforwardingaddress||mailAutoReplyTimeout||mailautoreplytextinternal||mailautoreplytext||vacationEndDate||vacationStartDate||mailautoreplysubject||pabURI||maxPabEntries||mailMessageStore||mailSieveRuleSource||sunUCDateFormat||sunUCDateDeLimiter||sunUCTimeFormat") (version 3.0; acl "Messaging Server End User Adminstrator Write Access Rights - product=SOMS,schema 2 support,class=installer,num=2,version=1"; allow (all) groupdn="ldap:///cn=Messaging End User Administrators Group, ou=Groups, $rootSuffix";)
aci: (targetattr="uid||ou||owner||mail||mailAlternateAddress||mailEquivalentAddress||memberOf||inetuserstatus||mailuserstatus||memberOfManagedGroup||mailQuota||mailMsgQuota||inetSubscriberAccountId||dataSource||mailhost||mailAllowedServiceAccess||pabURI||inetCOS||mailSMTPSubmitChannel||aci") (targetfilter=(&(objectClass=inetMailUser)(!(nsroledn=cn=Organization Admin Role,*)))) (version 3.0; acl "Deny write access to users over Messaging Server protected attributes - product=SOMS,schema 2 support,class=installer,num=3,version=1"; deny (write) userdn = "ldap:///self";)

The self ACI in this set is handled together with the self ACIs.

Consolidated ACIs:
aci: (targetattr="*") (version 3.0; acl "Messaging Server End User Administrator Read Only Access"; allow (read,search) groupdn = "ldap:///cn=Messaging End User Administrators group,ou=Groups,$rootSuffix";)
aci: (targetattr="objectclass || mailalternateaddress || mailautoreplymode || mailprogramdeliveryinfo || preferredlanguage || maildeliveryoption || mailforwardingaddress || mailAutoReplyTimeout || mailautoreplytextinternal || mailautoreplytext || vacationEndDate || vacationStartDate || mailautoreplysubject || maxPabEntries || mailMessageStore || mailSieveRuleSource || sunUCDateFormat || sunUCDateDeLimiter || sunUCTimeFormat || mailuserstatus || maildomainstatus") (version 3.0; acl "Messaging Server End User Administrator All Access"; allow (all) groupdn = "ldap:///cn=Messaging End User Administrators group,ou=Groups,$rootSuffix";)
Analysis: Same as the original ACIs.
Original ACIs:
# Note: different name - "allow all" instead of "allow"
aci: (target="ldap:///($dn),$rootSuffix") (targetfilter=(!(|(nsroledn=cn=Top-level Admin Role,$rootSuffix)(nsroledn=cn=Top-level Help Desk Admin Role,$rootSuffix)(nsroledn=cn=Top-level Policy Admin Role,$rootSuffix)))) (targetattr != "nsroledn") (version 3.0; acl "S1IS Organization Admin Role access allow all"; allow (all) roledn = "ldap:///cn=Organization Admin Role,[$dn],$rootSuffix";)
# Note: missing
aci: (target="ldap:///($dn),$rootSuffix") (targetattr="*") (version 3.0; acl "Organization Admin Role access allow read to org node"; allow (read,search) roledn = "ldap:///cn=Organization Admin Role,($dn),$rootSuffix";)
aci: (target="ldap:///($dn),$rootSuffix") (targetfilter=(!(|(nsroledn=cn=Top-level Admin Role,$rootSuffix)(nsroledn=cn=Top-level Help Desk Admin Role,$rootSuffix)))) (targetattr != "nsroledn") (version 3.0; acl "Organization Admin Role access allow"; allow (all) roledn = "ldap:///cn=Organization Admin Role,[$dn],$rootSuffix";)
aci: (target="ldap:///($dn),$rootSuffix") (targetattr != "businessCategory || description || facsimileTelephoneNumber || postalAddress || preferredLanguage || searchGuide || postOfficeBox || postalCode || registeredaddress || street || l || st || telephonenumber || maildomainreportaddress || maildomainwelcomemessage || preferredlanguage || sunenablegab") (version 3.0; acl "Organization Admin Role access deny to org node"; deny (write,add,delete) roledn = "ldap:///cn=Organization Admin Role,($dn),$rootSuffix";)
# Note: duplicate of the per-organization ACI
aci: (target="ldap:///cn=Organization Admin Role,($dn),$rootSuffix") (targetattr="*") (version 3.0; acl "S1IS Organization Admin Role access deny"; deny (write,add,delete,compare,proxy) roledn = "ldap:///cn=Organization Admin Role,($dn),$rootSuffix";)
aci: (target="ldap:///cn=Organization Admin Role,($dn),dc=red,dc=iplanet,dc=com") (targetattr="*") (version 3.0; acl "S1IS Organization Admin Role access deny"; deny (write,add,delete,compare,proxy) roledn = "ldap:///cn=Organization Admin Role,($dn),$rootSuffix";)
aci: (target="ldap:///o=fullOrg1,o=VIS,o=siroe.com,o=SharedDomainsRoot,o=Business,$rootSuffix") (targetfilter=(!(|(nsroledn=cn=Top-level Admin Role,$rootSuffix)(nsroledn=cn=Top-level Help Desk Admin Role,dc=red,dc=iplanet,dc=com)))) (targetattr = "nsroledn") (targattrfilters="add=nsroledn:(nsroledn=*,o=fullOrg1,o=VIS,o=siroe.com,o=SharedDomainsRoot,o=Business,$rootSuffix), del=nsroledn:(nsroledn=*,o=fullOrg1,o=VIS,o=siroe.com,o=SharedDomainsRoot,o=Business,$rootSuffix)") (version 3.0; acl "S1IS Organization Admin Role access allow"; allow (all) roledn = "ldap:///cn=Organization Admin Role,o=fullOrg1,o=VIS,o=siroe.com,o=SharedDomainsRoot,o=Business,$rootSuffix";)
aci: (target="ldap:///($dn),$rootSuffix") (targetfilter=(!(|(nsroledn=cn=Top-level Admin Role,$rootSuffix)(nsroledn=cn=Top-level Help Desk Admin Role,$rootSuffix)))) (targetattr != "nsroledn") (version 3.0; acl "S1IS Organization Admin Role access allow all"; allow (all) roledn = "ldap:///cn=Organization Admin Role,[$dn],dc=red,dc=iplanet,dc=com";)

Consolidated ACIs:
aci: (target="ldap:///cn=Organization Admin Role,($dn),$rootSuffix") (targetattr="*") (version 3.0; acl "S1IS Organization Admin Role access deny"; deny (write,add,delete,compare,proxy) roledn = "ldap:///cn=Organization Admin Role,($dn),$rootSuffix";)
aci: (target="ldap:///($dn),$rootSuffix") (targetattr="*") (version 3.0; acl "Organization Admin Role access allow read"; allow (read,search) roledn = "ldap:///cn=Organization Admin Role,[$dn],$rootSuffix";)
aci: (target="ldap:///($dn),$rootSuffix") (targetfilter=(!(|(nsroledn=cn=Top-level Admin Role,$rootSuffix)(entrydn=($dn),$rootSuffix)))) (targetattr = "*") (version 3.0; acl "S1IS Organization Admin Role access allow"; allow (all) roledn = "ldap:///cn=Organization Admin Role,[$dn],$rootSuffix";)