Appendix A
Root and Domain ACI Examples
The ACIs listed in this appendix are the default ACIs installed when a domain or root node is created in the directory information tree. They can be modified to suit your system's requirements, and they can be viewed online by performing an LDAP search on the root and domain entries. Note that the domain organization ACIs must be added with LDAP when a domain organization is created. The examples are LDIF modify records; substitute the placeholders defined below before applying them with ldapmodify. This appendix consists of the following sections:
Note
If you are using a DC tree for the domain, user, and group entries (that is, there is no organization tree), none of the organization tree ACIs described in this appendix are needed. In that case, change the <OrgRoot> shown in the DC tree ACIs to the value of <DCRoot>.
Definitions Used in the ACI Examples
<OrgRoot> - The root of the organization tree, where user and group entries are created in a default installation.
<DCRoot> - The root of the domain component tree, where domain entries are created.
<OrgNodeDN> - The domain node in the organization tree, where the domain's user and group entries are located.
<DCNodeDN> - The domain node in the DC tree, where the domain's user and group entries are located.
<DomainOrgNodeDN> - The root of the domain component tree, where domain entries are created.
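The placeholder substitution described in the note above (including the single-DC-tree variant, where <OrgRoot> takes the <DCRoot> value) is mechanical enough to script. The following Python is an added example, not code from the iPlanet Messaging Server documentation or product: it unfolds an LDIF fragment, fills in the placeholders defined above, parses each aci value into its acl name, allow/deny decision, rights and bind rule, and reports what a reviewer would want to know before loading the rules into a directory (a rule granting all rights, a rule number used twice, and a self-write rule with no deny protecting account-control attributes). SAMPLE_LDIF is a constructed fragment in the style of Code Example A-1, and all function names are this example's own.

```python
"""Render and review ACI templates in the style of this appendix.

Added example; not part of the iPlanet Messaging Server documentation or
product. Assumes only the placeholder names defined above and the aci value
layout used in the code examples: acl "name"; allow|deny (rights) bind-rule;
"""
import re
from dataclasses import dataclass

PLACEHOLDERS = ("OrgRoot", "DCRoot", "OrgNodeDN", "DCNodeDN", "DomainOrgNodeDN")
PLACEHOLDER_RE = re.compile(r"<(%s)>" % "|".join(PLACEHOLDERS))

# Constructed sample fragment (not from a live directory), with LDIF
# continuation lines: a leading space continues the previous line.
SAMPLE_LDIF = """\
dn: <OrgRoot>
changetype: modify
add: aci
aci: (targetattr="*") (version 3.0; acl "SA root node access -
  product=ims5.0,class=nda,num=3,version=1"; allow (all)
  groupdn="ldap:///cn=Service Administrators,ou=Groups,<OrgRoot>";)
aci: (targetattr="*") (version 3.0; acl "Allow self entry modification -
  product=ims5.0,class=nda,num=7,version=1"; allow (write) userdn="ldap:///self";)
aci: (targetattr="uid||mail||memberOf") (targetfilter=(objectClass=nsManagedPerson))
  (version 3.0; acl "User self modification - product=ims5.0,class=nda,num=8,version=1";
  deny (write) userdn="ldap:///self" and
  groupdn != "ldap:///cn=Service Administrators,ou=groups,<OrgRoot>";)
"""


def logical_lines(ldif):
    """Unfold LDIF: a line that starts with a space continues the previous one."""
    lines = []
    for raw in ldif.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def render(ldif, values, single_dc_tree=False):
    """Fill in the placeholders. With single_dc_tree=True, <OrgRoot> takes the
    <DCRoot> value, as the note above prescribes when there is no org tree."""
    values = dict(values)
    if single_dc_tree:
        values["OrgRoot"] = values["DCRoot"]

    def substitute(match):
        name = match.group(1)
        if name not in values:
            raise KeyError("no value supplied for <%s>" % name)
        return values[name]

    return PLACEHOLDER_RE.sub(substitute, ldif)


@dataclass
class Aci:
    name: str
    perm: str      # "allow" or "deny"
    rights: tuple  # e.g. ("read", "search")
    attrs: tuple   # targetattr names; ("*",) = all; () = no targetattr (entry-level rule)
    negated: bool  # True for targetattr!="..." (every attribute except attrs)
    bind: str      # the bind rule, verbatim


ACI_RE = re.compile(
    r'acl\s*"(?P<name>[^"]*)"\s*;\s*(?P<perm>allow|deny)\s*'
    r'\((?P<rights>[^)]*)\)\s*(?P<bind>.*?)\s*;\s*\)\s*$', re.S)
TARGETATTR_RE = re.compile(r'targetattr\s*(?P<op>!=|=)\s*"(?P<attrs>[^"]*)"')


def parse_acis(ldif):
    """Parse every aci: value of the (unfolded) LDIF into Aci records."""
    acis = []
    for line in logical_lines(ldif):
        if not line.lower().startswith("aci:"):
            continue
        value = line[4:].strip()
        m = ACI_RE.search(value)
        if m is None:
            raise ValueError("unparseable aci value: %s" % value[:60])
        ta = TARGETATTR_RE.search(value)
        attrs = tuple(a.strip() for a in ta.group("attrs").split("||")) if ta else ()
        acis.append(Aci(m.group("name"), m.group("perm"),
                        tuple(r.strip() for r in m.group("rights").split(",")),
                        attrs, bool(ta and ta.group("op") == "!="), m.group("bind").strip()))
    return acis


def review(acis):
    """Findings a reviewer would want before loading the rules into a directory."""
    findings = []
    by_num = {}
    self_denies_write = any(
        a.perm == "deny" and "write" in a.rights and "ldap:///self" in a.bind for a in acis)
    for a in acis:
        num = re.search(r"num=\s*(\d+)", a.name)
        if num:
            by_num.setdefault(num.group(1), []).append(a.name)
        if a.perm == "allow" and "all" in a.rights:
            findings.append("broad grant: %r allows (all) to %s" % (a.name, a.bind))
        if (a.perm == "allow" and a.attrs == ("*",) and "write" in a.rights
                and "ldap:///self" in a.bind and not self_denies_write):
            findings.append("%r lets users write every attribute of their own entry "
                            "and no deny rule protects account-control attributes" % a.name)
    for num, names in by_num.items():
        if len(names) > 1:
            findings.append("rule number %s reused by: %s" % (num, ", ".join(names)))
    return findings


if __name__ == "__main__":
    rendered = render(SAMPLE_LDIF, {"OrgRoot": "o=isp", "DCRoot": "o=internet"})
    print(rendered)
    for finding in review(parse_acis(rendered)):
        print("finding:", finding)
```

Run against the sample, the only finding is the deliberately broad Service Administrator grant; removing the num=8 deny adds a second finding, which is the point of keeping the allow-everything self-write rule and its deny together when you edit these files.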
Organization Tree Root Node ACI
The following ACIs grant the required access to top-level administrators, domain administrators, domain organization administrators, family group administrators, mailing list owners, and end users. Where needed, separate ACIs are set further down the tree, at the domain nodes and domain organization nodes. If you are setting up the namespace from scratch (that is, you did not use the iPlanet Message Server installer to create the namespace), you must set these ACIs on the organization tree root node.
Code Example A-1 Organization Tree Root Node ACI
dn: <OrgRoot>
changetype: modify
add: aci
#
#-----------------------------------
# iDA User access control
#
# Allow read and search access to all attributes in all entries
#
aci: (targetattr="*") (version 3.0; acl "NDAUser access -
  product=ims5.0,class=nda,num=1,version=1"; allow (read,search)
  userdn="ldap:///uid=NDAUser,ou=config,<OrgRoot>";)
#
# Allow write access to nsNum* attributes of all domain entries
#
aci: (targetattr="nsNumUsers||nsNumDepts||nsNumMailLists||nsNumDomains")
  (version 3.0; acl "NDAUser access - product=ims5.0,class=nda,num=2,version=1";
  allow (write) userdn="ldap:///uid=NDAUser,ou=config,<OrgRoot>";)
#
#-----------------------------------
# Service Administrator access control
#
# Allow Service Administrators all rights at the root node
#
aci: (targetattr="*") (version 3.0; acl "SA root node access -
  product=ims5.0,class=nda,num=3,version=1"; allow (all)
  groupdn="ldap:///cn=Service Administrators,ou=Groups,<OrgRoot>";)
#
#-----------------------------------
# Domain Administrator control.
#
# Deny write and delete access to any domain container node.
#
aci: (targetfilter="objectclass=nsManagedDomain") (version 3.0; acl
  "Domain Admin domain container access -
  product=ims5.0,class=nda,num=5,version=1"; deny (delete,write)
  userdn="ldap:///<DCRoot>??sub?(memberOf=cn=Domain Administrators*)" or
  userdn="ldap:///<OrgRoot>??sub?(memberOf=cn=Domain Administrators*)";)
#
#-----------------------------------
# User access control
#
# Allow read and search access to self
#
aci: (targetattr="*") (targetfilter=(objectClass=inetOrgPerson))
  (version 3.0; acl "User self search and read - product=ims5.0,class=nda,num=6,version=1";
  allow (read,search) userdn="ldap:///self";)
#
# Allow write access to self
#
aci: (targetattr="*") (version 3.0; acl "Allow self entry modification -
  product=ims5.0,class=nda,num=7,version=1";
  allow (write) userdn="ldap:///self";)
#
# Deny write access to self for uid, ou, owner,
# nsDAModifiableBy, nsDACapability, mail, mailAlternateAddress,
# memberOf, nsDADomain and the other account-control attributes listed
# below, unless the user is a Domain Administrator or Service Administrator
#
aci: (targetattr="uid||ou||owner||nsDAModifiableBy||nsDACapability||
 mail||mailAlternateAddress||memberOf||nsDADomain||inetuserstatus||
 mailuserstatus||memberOfManagedGroup||mailQuota||mailMsgQuota||
 inetSubscriberAccountId||dataSource||mailhost||mailAllowedServiceAccess||
 pabURI||inetCOS") (targetfilter=(objectClass=nsManagedPerson))
  (version 3.0; acl "User self modification - product=ims5.0,class=nda,num=8,version=1";
  deny (write) userdn="ldap:///self" and
  userdn != "ldap:///<OrgRoot>??sub?(memberOf=cn=Domain Administrators*)" and
  userdn != "ldap:///<DCRoot>??sub?(memberOf=cn=Domain Administrators*)" and
  groupdn != "ldap:///cn=Service Administrators,ou=groups,<OrgRoot>";)
#
# Deny delete access to self
#
aci: (targetfilter=(objectClass=inetOrgPerson)) (version 3.0; acl
  "User self deletion - product=ims5.0,class=nda,num=9,version=1";
  deny (delete) userdn="ldap:///self";)
#
#-----------------------------------
# Mail List access control
#
# Allow designated users to create mail lists
#
aci: (targetattr="*") (targetfilter=(objectClass=inetMailGroupManagement))
  (version 3.0; acl "Mail list create access - product=ims5.0,class=nda,num=10,version=1";
  allow (add) userdn="ldap:///<OrgRoot>??sub?(nsDACapability=mailListCreate)";)
#
# Allow maillist owner read, search, write, and delete access
# to the maillists s/he owns except for the nsMaxUsers attr
#
aci: (targetattr="*") (targetfilter=(objectClass=inetMailGroupManagement))
  (version 3.0; acl "Mail list owner access - product=ims5.0,class=nda,num=11,version=1";
  allow (read,search,write,delete) groupdnattr="ldap:///<OrgRoot>?owner";)
#
#-----------------------------------
# Family Group Administrator access control
#
# family group read access
#
aci: (targetattr="*") (targetfilter=(objectClass=inetManagedGroup))
  (version 3.0; acl "Family Group Adm group read & search access -
  product=ims5.0,class=nda,num=1,version=1"; allow (read,search)
  userdn="ldap:///<OrgRoot>??sub?(memberOf=cn=Family Group Administrators*)"
  and groupdnattr="ldap:///<OrgRoot>?nsDAModifiableBy";)
#
# family group write access for 'description' attribute
#
aci: (targetattr="description") (targetfilter=(objectClass=inetManagedGroup))
  (version 3.0; acl "Family Group Adm description write access -
  product=ims5.0,class=nda,num=13,version=1"; allow (write)
  userdn="ldap:///<OrgRoot>??sub?(memberOf=cn=Family Group Administrators*)"
  and groupdnattr="ldap:///<OrgRoot>?nsDAModifiableBy";)
#
# family group write access for 'mnggrpCurrentUsers' attribute
#
aci: (targetattr="mnggrpCurrentUsers") (targetfilter=(objectClass=inetManagedGroup))
  (version 3.0; acl "Family Group Adm description write access -
  product=ims5.0,class=nda,num=14,version=1"; allow (write)
  userdn="ldap:///<OrgRoot>??sub?(memberOf=cn=Family Group Administrators*)"
  and groupdnattr="ldap:///<OrgRoot>?nsDAModifiableBy";)
#
# family member create,delete,modify permissions
#
aci: (targetattr="*") (targetfilter=(objectClass=nsManagedPerson))
  (version 3.0; acl "Family Group Adm member access -
  product=ims5.0,class=nda,num=15,version=1"; allow (add,read,search,write,delete)
  userdn="ldap:///<OrgRoot>??sub?(memberOf=cn=Family Group Administrators*)"
  and groupdnattr="ldap:///<OrgRoot>?nsDAModifiableBy";)
#
# access to add,remove family admins of the same admin group
#
aci: (targetattr="uniquemember")
  (targetfilter=(&(|(objectClass=nsManagedDept)(objectClass=nsManagedDeptAdminGroup))(cn=Family Group Administrators*)))
  (version 3.0; acl "Family Group Adm admin write access -
  product=ims5.0,class=nda,num=16,version=1"; allow (write)
  userdn="ldap:///<OrgRoot>??sub?(memberOf=cn=Family Group Administrators*)"
  and groupdnattr="ldap:///<OrgRoot>?uniquemember";)
#
# access to add,remove memberof attribute
#
aci: (targetattr="memberOf") (targetfilter=(objectClass=nsManagedPerson))
  (version 3.0; acl "Family Adm user access -
  product=ims5.0,class=nda,num=17,version=1"; allow (write)
  userdn="ldap:///<OrgRoot>??sub?(memberOf=cn=Family Group Administrators*)"
  and groupdnattr="ldap:///<OrgRoot>?nsDAModifiableBy";)
#
#-----------------------------------
# Domain Organization Administrator
#
# access to the Domain Organization nodes.
#
aci: (targetattr="*") (targetfilter=(objectClass=inetdomainorg))
  (version 3.0; acl "Domain Organization Administrator - Dom Org node read & search access -
  product=ims5.0,class=nda,num=21,version=1"; allow (read,search)
  groupdnattr="ldap:///<OrgRoot>?nsDAModifiableBy";)
#
# write access for selected attributes
#
aci: (targetattr="description||domOrgMaxUsers") (targetfilter=(objectClass=inetdomainorg))
  (version 3.0; acl "Domain Organization Administrator - Dom Org node write access -
  product=ims5.0,class=nda,num=22,version=1"; allow (write)
  groupdnattr="ldap:///<OrgRoot>?nsDAModifiableBy";)

DC Tree Root Node ACI
The following ACIs grant the required access to top-level administrators, domain administrators, domain organization administrators, family group administrators, mailing list owners, and end users. Where needed, separate ACIs are set further down the tree, at the domain nodes and domain organization nodes. If you are setting up the namespace from scratch (that is, you did not use the iPlanet Message Server installer to create the namespace), you must set these ACIs on the DC tree root node.
Code Example A-2 DC Tree Root Node ACI
dn: <DCRoot>
changetype: modify
add: aci
#-----------------------------------
#
# iDA User access control
#
# Allow read and search access to all attributes in all entries
#
aci: (targetattr="*") (version 3.0; acl "NDAUser access -
  product=ims5.0,class=nda,num=1,version=1"; allow (read,search)
  userdn="ldap:///uid=NDAUser,ou=config,<OrgRoot>";)
#
# Allow write access to nsNum* attributes of all domain entries
#
aci: (targetattr="nsNumUsers||nsNumDepts||nsNumMailLists||nsNumDomains")
  (version 3.0; acl "NDAUser access - product=ims5.0,class=nda,num=2,version=1";
  allow (write) userdn="ldap:///uid=NDAUser,ou=config,<OrgRoot>";)
#
#-----------------------------------
# Service Administrator access control
#
# Allow Service Administrators all rights at the DC tree root node
#
aci: (targetattr="*") (version 3.0; acl "SA root node access -
  product=ims5.0,class=nda,num=3,version=1"; allow (all)
  groupdn="ldap:///cn=Service Administrators,ou=Groups,<OrgRoot>";)
#
#-----------------------------------
# Domain Administrator control.
#
# Access to dcroot to search for domain components
#
aci: (targetattr="*") (version 3.0; acl "Domain Admin dc root access -
  product=ims5.0,class=nda,num=4,version=1"; allow (read,search)
  userdn="ldap:///<DCRoot>??sub?(memberOf=cn=Domain Administrators*)" or
  userdn="ldap:///<OrgRoot>??sub?(memberOf=cn=Domain Administrators*)";)
#
# Deny write and delete access to any domain container node.
#
aci: (targetfilter="objectclass=nsManagedDomain") (version 3.0; acl
  "Domain Admin domain container access -
  product=ims5.0,class=nda,num=5,version=1"; deny (delete,write)
  userdn="ldap:///<DCRoot>??sub?(memberOf=cn=Domain Administrators*)" or
  userdn="ldap:///<OrgRoot>??sub?(memberOf=cn=Domain Administrators*)";)
#
#-----------------------------------
# User access control
#
# Allow read and search access to self
#
aci: (targetattr="*") (targetfilter=(objectClass=inetOrgPerson))
  (version 3.0; acl "User self search and read - product=ims5.0,class=nda,num=6,version=1";
  allow (read,search) userdn="ldap:///self";)
#
# Allow write access to self
#
aci: (targetattr="*") (version 3.0; acl "Allow self entry modification -
  product=ims5.0,class=nda,num=7,version=1";
  allow (write) userdn="ldap:///self";)
#
# Deny write access to self for uid, ou, owner,
# nsDAModifiableBy, nsDACapability, mail, mailAlternateAddress,
# memberOf, nsDADomain and the other account-control attributes listed
# below, unless the user is a Domain Administrator or Service Administrator
#
aci: (targetattr="uid||ou||owner||nsDAModifiableBy||nsDACapability||
 mail||mailAlternateAddress||memberOf||nsDADomain||inetuserstatus||
 mailuserstatus||memberOfManagedGroup||mailQuota||mailMsgQuota||
 inetSubscriberAccountId||dataSource||mailhost||mailAllowedServiceAccess||
 pabURI||inetCOS") (targetfilter=(objectClass=nsManagedPerson))
  (version 3.0; acl "User self modification - product=ims5.0,class=nda,num=8,version=1";
  deny (write) userdn="ldap:///self" and
  userdn != "ldap:///<DCRoot>??sub?(memberOf=cn=Domain Administrators*)" and
  userdn != "ldap:///<OrgRoot>??sub?(memberOf=cn=Domain Administrators*)" and
  groupdn != "ldap:///cn=Service Administrators,ou=groups,<OrgRoot>";)
#
# Deny delete access to self
#
aci: (targetfilter=(objectClass=inetOrgPerson)) (version 3.0; acl
  "User self deletion - product=ims5.0,class=nda,num=9,version=1";
  deny (delete) userdn="ldap:///self";)
#
#-----------------------------------
# Mail List access control
#
# Allow designated users to create mail lists
#
aci: (targetattr="*") (targetfilter=(objectClass=inetMailGroupManagement))
  (version 3.0; acl "Mail list create access - product=ims5.0,class=nda,num=10,version=1";
  allow (add) userdn="ldap:///<DCRoot>??sub?(nsDACapability=mailListCreate)";)
#
# Allow maillist owner read, search, write, and delete access
# to the maillists s/he owns except for the nsMaxUsers attr
#
aci: (targetattr="*") (targetfilter=(objectClass=inetMailGroupManagement))
  (version 3.0; acl "Mail list owner access - product=ims5.0,class=nda,num=11,version=1";
  allow (read,search,write,delete) groupdnattr="ldap:///<DCRoot>?owner";)
#
#-----------------------------------
# Family Group Administrator access control
#
# family group read access
#
aci: (targetattr="*") (targetfilter=(objectClass=inetManagedGroup))
  (version 3.0; acl "Family Group Adm group read & search access -
  product=ims5.0,class=nda,num=12,version=1"; allow (read,search)
  userdn="ldap:///<DCRoot>??sub?(memberOf=cn=Family Group Administrators*)"
  and groupdnattr="ldap:///<DCRoot>?nsDAModifiableBy";)
#
# family group write access for 'description' attribute
#
aci: (targetattr="description") (targetfilter=(objectClass=inetManagedGroup))
  (version 3.0; acl "Family Group Adm description write access -
  product=ims5.0,class=nda,num=13,version=1"; allow (write)
  userdn="ldap:///<DCRoot>??sub?(memberOf=cn=Family Group Administrators*)"
  and groupdnattr="ldap:///<DCRoot>?nsDAModifiableBy";)
#
# family group write access for 'mnggrpCurrentUsers' attribute
#
aci: (targetattr="mnggrpCurrentUsers") (targetfilter=(objectClass=inetManagedGroup))
  (version 3.0; acl "Family Group Adm description write access -
  product=ims5.0,class=nda,num=14,version=1"; allow (write)
  userdn="ldap:///<DCRoot>??sub?(memberOf=cn=Family Group Administrators*)"
  and groupdnattr="ldap:///<DCRoot>?nsDAModifiableBy";)
#
# family member create,delete,modify permissions
#
aci: (targetattr="*") (targetfilter=(objectClass=nsManagedPerson))
  (version 3.0; acl "Family Group Adm member access -
  product=ims5.0,class=nda,num=15,version=1"; allow (add,read,search,write,delete)
  userdn="ldap:///<DCRoot>??sub?(memberOf=cn=Family Group Administrators*)"
  and groupdnattr="ldap:///<DCRoot>?nsDAModifiableBy";)
#
# access to add,remove family admins of the same admin group
#
aci: (targetattr="uniquemember")
  (targetfilter=(&(|(objectClass=nsManagedDept)(objectClass=nsManagedDeptAdminGroup))(cn=Family Group Administrators*)))
  (version 3.0; acl "Family Group Adm admin write access -
  product=ims5.0,class=nda,num=16,version=1"; allow (write)
  userdn="ldap:///<DCRoot>??sub?(memberOf=cn=Family Group Administrators*)"
  and groupdnattr="ldap:///<DCRoot>?uniquemember";)
#
# access to add,remove memberof attribute
#
aci: (targetattr="memberOf") (targetfilter=(objectClass=nsManagedPerson))
  (version 3.0; acl "Family Adm user access -
  product=ims5.0,class=nda,num=17,version=1"; allow (write)
  userdn="ldap:///<DCRoot>??sub?(memberOf=cn=Family Group Administrators*)"
  and groupdnattr="ldap:///<DCRoot>?nsDAModifiableBy";)
#
# Family Admin needs to read domain to get the dn
#
aci: (targetattr="objectclass||preferredmailhost||preferredmailmessagestore")
  (targetfilter=(objectClass=domain))
  (version 3.0; acl "Family Adm domain access -
  product=ims5.0,class=nda,num=18,version=1"; allow (read,search)
  userdn="ldap:///<OrgRoot>??sub?(memberOf=cn=Family Group Administrators*)" or
  userdn="ldap:///<DCRoot>??sub?(memberOf=cn=Family Group Administrators*)";)
#
#-----------------------------------
# Domain Organization Administrator
#
# Allow domain organization administrators to read the
# attributes from the dc tree.
#
aci: (targetattr="objectclass||preferredmailhost||preferredmailmessagestore||dc")
  (targetfilter=(objectClass=domain))
  (version 3.0; acl "Domain Organization Admin domain access -
  product=ims5.0,class=nda,num=20,version=1"; allow (read,search)
  userdn="ldap:///<DCRoot>??sub?(memberOf=cn=Domain Organization Administrators*)" or
  userdn="ldap:///<OrgRoot>??sub?(memberOf=cn=Domain Organization Administrators*)";)
#
# access to the Domain Organization nodes.
#
aci: (targetattr="*") (targetfilter=(objectClass=inetdomainorg))
  (version 3.0; acl "Domain Organization Administrator - Dom Org node read & search access -
  product=ims5.0,class=nda,num=21,version=1"; allow (read,search)
  groupdnattr="ldap:///<DCRoot>?nsDAModifiableBy";)
#
# write access for selected attributes
#
aci: (targetattr="description||domOrgMaxUsers") (targetfilter=(objectClass=inetdomainorg))
  (version 3.0; acl "Domain Organization Administrator - Dom Org node write access -
  product=ims5.0,class=nda,num=22,version=1"; allow (write)
  groupdnattr="ldap:///<DCRoot>?nsDAModifiableBy";)

Hosted Domain ACI
The following ACIs grant the required access to domain administrators, mailing list owners, and end users. The six ACIs below are for the standard dual-tree namespace: five rules go in the organization tree and one in the DC tree. If you are using a namespace with only a DC tree, all six rules are set on the hosted domain node. These ACIs must be set in every domain you provision.
Code Example A-3 Hosted Domain ACI
dn: <OrgNodeDN>
changetype: modify
add: aci
#
#-----------------------------------
# Domain Administrator access control
#
# allow full access to the domain's user/group subtree
#
aci: (targetattr="*") (version 3.0; acl "Domain Admin Domain access -
  product=ims5.0,class=nda,num=18,version=1"; allow (all)
  groupdn="ldap:///cn=Domain Administrators,ou=Groups,<OrgNodeDN>";)
#
#-----------------------------------
# End user access control
#
# allow users to read and search all users in the domain
# (everything except userPassword)
#
aci: (targetattr!="userPassword")
  (targetfilter=(|(objectClass=inetOrgPerson)(objectclass=nsManagedDomain)))
  (version 3.0; acl "User access to all users in domain -
  product=ims5.0,class=nda,num=1,version=1"; allow (read,search)
  userdn="ldap:///<OrgNodeDN>??sub?(objectclass=inetOrgPerson)";)
#
# allow users to add themselves to self-subscribe mail lists
#
aci: (targetattr="uniqueMember")
  (targetfilter=(&(objectClass=nsManagedMailList)(|(mgmanJoinability=anyone)(mgmanJoinability=all))))
  (version 3.0; acl "User mail list self subscribe access -
  product=ims5.0,class=nda,num=20,version=1"; allow (selfwrite)
  userdn="ldap:///<OrgNodeDN>??sub?(objectclass=inetOrgPerson)";)
#
# let users see mail lists that are not marked hidden,
# without their member attributes
#
aci: (targetattr!="uniqueMember||mgrpRfc822MailMember")
  (targetfilter=(&(objectClass=inetMailGroupManagement)(mgmanHidden=false)))
  (version 3.0; acl "User mail list access when visible -
  product=ims5.0,class=nda,num=21,version=1"; allow (read,search)
  userdn="ldap:///<OrgNodeDN>??sub?(objectclass=inetOrgPerson)";)
#
# show the member attributes only when member visibility is anyone or all
#
aci: (targetattr="uniqueMember||mgrpRfc822MailMember")
  (targetfilter=(&(objectClass=inetMailGroupManagement)(|(mgmanMemberVisibility=anyone)(mgmanMemberVisibility=all))))
  (version 3.0; acl "User mail list member access -
  product=ims5.0,class=nda,num=22,version=1"; allow (read,search)
  userdn="ldap:///<OrgNodeDN>??sub?(objectclass=inetOrgPerson)";)

dn: <DCNodeDN>
changetype: modify
add: aci
#
#-----------------------------------
# Domain Administrator access to iCS attributes
#
aci: (targetattr="icsTimeZone||icsMandatorySubscribed||icsMandatoryView||
 icsDefaultAccess||icsRecurrenceBound||icsRecurrenceDate||icsAnonymousLogin||
 icsAnonymousAllowWrite||icsAnonymousCalendar||icsAnonymousSet||
 icsAnonymousDefaultSet||icsSessionTimeout||icsAllowRights||icsExtended||
 icsExtendedDomainPrefs") (targetfilter=(objectClass=icsCalendarDomain))
  (version 3.0; acl "Domain Adm calendar access -
  product=ims5.0,class=nda,num=16,version=1"; allow (all)
  groupdn="ldap:///cn=Domain Administrators,ou=Groups,<OrgNodeDN>";)

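To see how the rules above combine, here is an added example (not from the iPlanet Messaging Server documentation or product) that models Directory Server's ACI decision in Python: a request is denied if any applicable deny rule matches the requester, otherwise allowed if any applicable allow rule matches, otherwise denied because no rule grants access. It transcribes the self-modification rules of Code Examples A-1 and A-2 (num=7 and a subset of the attribute list in num=8) and the mail list visibility rules of Code Example A-3 (num=21 and num=22) into predicates by hand rather than parsing the aci strings; the subtree scoping of the userdn URLs is simplified to "the requester is an inetOrgPerson", and the subjects, entries and the SA_GROUP DN are constructed for the example.

```python
"""Model of how the ACIs above combine for one request.

Added example; not part of the iPlanet Messaging Server documentation or
product. Rules are hand-transcribed predicates, not a parser of aci syntax.
Decision modelled: deny if any applicable deny rule matches the requester,
otherwise allow if any applicable allow rule matches, otherwise deny.
"""
from dataclasses import dataclass
from typing import Callable

# Constructed DN; matches the group named in the num=8 bind rule above.
SA_GROUP = "cn=Service Administrators,ou=groups,<OrgRoot>"


@dataclass
class Rule:
    name: str
    perm: str               # "allow" or "deny"
    rights: frozenset       # rights the rule covers, e.g. {"read", "search"}
    attrs: frozenset        # lower-cased targetattr names; {"*"} = every attribute
    negated: bool           # targetattr!= : every attribute except attrs
    targetfilter: Callable  # predicate over the entry being accessed
    bind: Callable          # predicate over (subject, entry)

    def applies(self, subject, entry, right, attr):
        """True if this rule covers the right and attribute on this entry and
        its bind rule matches the requester."""
        if right not in self.rights or not self.targetfilter(entry):
            return False
        if "*" not in self.attrs:
            listed = attr.lower() in self.attrs
            if listed == self.negated:  # plain list needs a hit, negated list needs a miss
                return False
        return self.bind(subject, entry)


def is_self(subject, entry):
    return subject["dn"] == entry["dn"]


def is_user(subject, entry):
    # Simplification of userdn="ldap:///<OrgNodeDN>??sub?(objectclass=inetOrgPerson)"
    return "inetorgperson" in subject["objectClass"]


def is_list(entry):
    return "inetmailgroupmanagement" in entry["objectClass"]


RULES = [
    # num=7: users may write their own entry ...
    Rule("num=7 self write", "allow", frozenset({"write"}), frozenset({"*"}), False,
         lambda e: True, is_self),
    # num=8 (subset of its attribute list): ... except account-control
    # attributes, unless they are Service Administrators
    Rule("num=8 protect account attrs", "deny", frozenset({"write"}),
         frozenset({"uid", "mail", "memberof", "mailhost", "nsdacapability"}), False,
         lambda e: "nsmanagedperson" in e["objectClass"],
         lambda s, e: is_self(s, e) and SA_GROUP not in s["groups"]),
    # num=21: any user sees lists not marked hidden, minus the member attributes
    Rule("num=21 visible lists", "allow", frozenset({"read", "search"}),
         frozenset({"uniquemember", "mgrprfc822mailmember"}), True,
         lambda e: is_list(e) and e.get("mgmanHidden") == "false", is_user),
    # num=22: member attributes are readable only when visibility is anyone/all
    Rule("num=22 list members", "allow", frozenset({"read", "search"}),
         frozenset({"uniquemember", "mgrprfc822mailmember"}), False,
         lambda e: is_list(e) and e.get("mgmanMemberVisibility") in ("anyone", "all"),
         is_user),
]


def decide(rules, subject, entry, right, attr):
    """Directory Server style decision: an explicit deny wins, then any allow,
    otherwise access is denied by default."""
    hits = [r for r in rules if r.applies(subject, entry, right, attr)]
    if any(r.perm == "deny" for r in hits):
        return "deny"
    if any(r.perm == "allow" for r in hits):
        return "allow"
    return "deny"


# Constructed subjects and entries (objectClass values kept lower-case).
PERSON = {"inetorgperson", "nsmanagedperson"}
ALICE = {"dn": "uid=alice,ou=people,<OrgNodeDN>", "objectClass": PERSON, "groups": set()}
ADMIN = {"dn": "uid=sa1,ou=people,<OrgNodeDN>", "objectClass": PERSON, "groups": {SA_GROUP}}
OPEN_LIST = {"dn": "cn=all-staff,ou=groups,<OrgNodeDN>", "objectClass": {"inetmailgroupmanagement"},
             "mgmanHidden": "false", "mgmanMemberVisibility": "anyone"}
CLOSED_LIST = {"dn": "cn=board,ou=groups,<OrgNodeDN>", "objectClass": {"inetmailgroupmanagement"},
               "mgmanHidden": "false"}  # no member visibility attribute at all
HIDDEN_LIST = {"dn": "cn=audit,ou=groups,<OrgNodeDN>", "objectClass": {"inetmailgroupmanagement"},
               "mgmanHidden": "true"}


def run_scenarios():
    return {
        "alice writes own description": decide(RULES, ALICE, ALICE, "write", "description"),
        "alice writes own mail": decide(RULES, ALICE, ALICE, "write", "mail"),
        "service admin writes own mail": decide(RULES, ADMIN, ADMIN, "write", "mail"),
        "alice reads open list description": decide(RULES, ALICE, OPEN_LIST, "read", "description"),
        "alice reads open list members": decide(RULES, ALICE, OPEN_LIST, "read", "uniqueMember"),
        "alice reads closed list members": decide(RULES, ALICE, CLOSED_LIST, "read", "uniqueMember"),
        "alice reads hidden list description": decide(RULES, ALICE, HIDDEN_LIST, "read", "description"),
    }


if __name__ == "__main__":
    for scenario, outcome in run_scenarios().items():
        print("%-40s %s" % (scenario, outcome))
```

The two results worth noticing are the second and the sixth: a user's write to her own mail attribute is blocked even though num=7 allows writes to every attribute, because the num=8 deny takes precedence; and the members of a list with no mgmanMemberVisibility value are unreadable not because of a deny but because no allow rule reaches them.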
Domain Organization ACI
These ACIs must be added to every domain organization you provision.
Code Example A-4 Domain Organization ACI
dn: <DomainOrgNodeDN>
changetype: modify
add: aci
#
# Rights to modify, add, delete users
#
aci: (target="ldap:///uid=*,ou=people,<DomainOrgNodeDN>") (targetattr="*")
  (targetfilter=(objectclass=organizationalPerson))
  (version 3.0; acl "Domain Organization Admin User add,delete,write -
  product=ims5.0,class=nda,num=201,version=1"; allow (add,write,delete)
  groupdn="ldap:///cn=Domain Organization Administrators,<DomainOrgNodeDN>";)
#
# Rights to modify, add, delete mailing lists.
#
aci: (target="ldap:///cn=*,ou=groups,<DomainOrgNodeDN>") (targetattr="*")
  (targetfilter=(objectclass=inetMailGroup))
  (version 3.0; acl "Domain Organization Admin User add,delete,write -
  product=ims5.0,class=nda,num=202,version=1"; allow (add,write,delete)
  groupdn="ldap:///cn=Domain Organization Administrators,<DomainOrgNodeDN>";)