Sun Java System Delegated Administrator 6.4 管理指南

Previous: 附錄 D Delegated Administrator 效能調校

附錄 E 合併 ACI 以提昇 Directory Server 效能

本附錄說明以下主題：

簡介

將 Messaging Server 與 Access Manager 同時安裝，且使用 LDAP Schema 2 目錄時，最初將在該目錄中安裝大量存取控制指令 (ACI)。Messaging Server 並不需要或使用許多預設 ACI。

由於在執行階段需要檢查這些ACI，Directory Server 的效能會受到影響，繼而影響 Messaging Server 查詢以及其他目錄作業的效能。

可以透過合併和減少目錄中的預設 ACI 數來提昇 Directory Server 的效能。合併 ACI 還可以使其更易於管理。

減少 ACI 的方法為︰

合併、最佳化以及簡化備援 ACI
修改 ACI 以使用更簡單、更高效的語法
將 ACI 與其他 ACI 合併 (在根字尾處)
刪除未使用的 ACI
對於包含多個組織的目錄，允許在個別組織節點上移除組織 ACI。

本附錄首先說明如何使用 ldif 檔案 (replacment.acis.ldif ) 在根字尾處合併 ACI 以及從目錄中移除未使用的 ACI。如需詳細資訊，請參閱以下合併和移除 ACI。

然後，附錄會分析每個 ACI，並推薦處理每個 ACI 的方法︰移除 ACI、修改 ACI 使其更高效或重寫 ACI。

請注意，這些推薦方法存在以下限制︰

一般使用者無法存取 Directory 主控台
一般使用者無法存取 Access Manager 主控台。

必須根據這些限制以及您的安裝需求自行決定是否可以使用 ldif 檔案合併和移除 ACI，或者是否需要保留目前存在於目錄中的某些ACI。

如需更多資訊，請參閱本附錄後面部分的分析現有 ACI。

然後，本附錄將說明由 replacement.acis.ldif 檔案合併的 ACI。本附錄列出合併之前的現有 ACI 以及合併之後已修改的 ACI。如需更多資訊，請參閱本附錄後面部分的分析如何合併 ACI。

最後，本附錄將列出 replacement.acis.ldif 捨棄的 ACI。如需更多資訊，請參閱本附錄後面部分的將要捨棄的未使用之 ACI 清單。

合併和移除 ACI

本小節中列出的 ldif 檔案 (replacement.acis.ldif) 在根字尾處安裝合併的 ACI，並從目錄刪除未使用的 ACI。此 ldif 檔案隨附於位於以下目錄中的 Delegated Administrator︰

da-base/lib/config-templates

將 replacement.acis.ldif 檔案套用至目錄 (使用 ldapmodify) 時，ldapmodify 指令將移除根字尾處的 aci 屬性之所有實例，並用 replacement.acis.ldif 檔案中的 ACI 替代這些 ACI。

因此，該程序最初會從根字尾處移除所有 ACI，並用下面列出的 ACI 集替代它們。如果目錄包含由其他應用程式 (例如，Portal Server) 產生的 ACI，應該將這些 ACI 儲存至檔案，並在套用 replacement.acis.ldif 檔案後將其重新套用到該目錄。

如需有關使用此 ldif 檔案清除 ACI 的說明，請參閱替代 ACI 的步驟。

replacement.acis.ldif 檔案

dn: $rootSuffix
changetype: modify
replace: aci
aci: (targetattr = “*”)(version 3.0; acl “Configuration Administrator”;
   allow (all)
   userdn=”ldap:///uid=admin,ou=Administrators,ou=TopologyManagement,
o=NetscapeRoot”;)
aci: (target=”“ldap:///$rootSuffix”)
  (targetfilter=(!(objectclass=sunServiceComponent)))
  (targetattr != “userPassword||passwordHistory
   ||passwordExpirationTime||passwordExpWarned||passwordRetryCount
  ||retryCountResetTime||accountUnlockTime||passwordAllowChangeTime”)
  (version 3.0; acl “anonymous access rights”;
   allow (read,search,compare)
   userdn = “ldap:///anyone”; )
aci: (targetattr != “nsroledn||aci||nsLookThroughLimit||nsSizeLimit
  ||nsTimeLimit||nsIdleTimeout||passwordPolicySubentry||passwordExpiration
    Time
  ||passwordExpWarned||passwordRetryCount||retryCountResetTime
  ||accountUnlockTime||passwordHistory||passwordAllowChangeTime||uid||mem
    berOf
  ||objectclass||inetuserstatus||ou||owner||mail||mailuserstatus
  ||memberOfManagedGroup||mailQuota||mailMsgQuota||mailhost
  ||mailAllowedServiceAccess||inetCOS||mailSMTPSubmitChannel”)
  (version 3.0; acl “Allow self entry modification”;
  allow (write)
  userdn =”ldap:///self”;)
aci: (targetattr != “ aci || nsLookThroughLimit || nsSizeLimit
  || nsTimeLimit|| nsIdleTimeout”)
  (version 3.0; acl “Allow self entry read search”;
  allow(write)
  userdn =”ldap:///self”;)
aci: (target=”ldap:///$rootSuffix”)
  (targetattr=”*”)
  (version 3.0; acl “S1IS Proxy user rights”;
  allow (proxy)
  userdn = “ldap:///cn=puser,ou=DSAME Users,
  $rootSuffix”; )
aci: (target=”ldap:///$rootSuffix”)
  (targetattr=”*”)
  (version 3.0; acl “S1IS special dsame user rights for all under the root
   suffix”;
  allow (all)
  userdn = “ldap:///cn=dsameuser,ou=DSAME Users,
  $rootSuffix”; )
aci: (target=”ldap:///$rootSuffix”)
  (targetattr=”*”)
  (version 3.0; acl “S1IS special ldap auth user rights”;
  allow (read,search)
  userdn = “ldap:///cn=amldapuser,ou=DSAME Users,
  $rootSuffix”; )
aci: (target=”ldap:///$rootSuffix”)
  (targetattr=”*”)
  (version 3.0; acl “S1IS Top-level admin rights”;
  allow (all)
  roledn = “ldap:///cn=Top-level Admin Role,
  $rootSuffix”; )
aci: (targetattr=”*”)
  (version 3.0; acl “Messaging Server End User Administrator Read Only
   Access”;
  allow (read,search)
  groupdn=”ldap:///cn=Messaging End User Administrators Group,ou=Groups,
  $rootSuffix”;)
aci: (targetattr=”objectclass || mailalternateaddress || Mailautoreplymode
   || mailprogramdeliveryinfo || preferredlanguage || maildeliveryoption
   || mailforwardingaddress || mailAutoReplyTimeout
   || mailautoreplytextinternal
   || mailautoreplytext || vacationEndDate || vacationStartDate
   || mailautoreplysubject || maxPabEntries || mailMessageStore
   || mailSieveRuleSource || sunUCDateFormat || sunUCDateDeLimiter
   || sunUCTimeFormat || mailuserstatus || maildomainstatus
   || nswmextendeduserprefs || pabURI”)
  (version 3.0; acl “Messaging Server End User Administrator All Access”;
  allow (all)
  groupdn = “ldap:///cn=Messaging End User Administrators Group,ou=Groups,
  $rootSuffix”;)
aci: (targetattr = “*”)
  (version 3.0;acl “Allow Read-Only Access”;
  allow (read,search,compare)
  groupdn = “ldap:///cn=Read-Only,ou=Groups,
  $rootSuffix”;)
aci: (target=”ldap:///cn=Organization Admin Role,($dn),$rootSuffix”)
  (targetattr=”*”)
  (version 3.0; acl “S1IS Organization Admin Role access deny”;
  deny (write,add,delete,compare,proxy)
  roledn = “ldap:///cn=Organization Admin Role,($dn),
  $rootSuffix”;)
aci: (target=”ldap:///($dn),$rootSuffix”)
  (targetattr=”*”)
  (version 3.0; acl “Organization Admin Role access allow read”;
  allow(read,search)
  roledn = “ldap:///cn=Organization Admin Role,[$dn],
  $rootSuffix” ;)
aci: (target=”ldap:///($dn),$rootSuffix”)
  (targetfilter=(!(|(nsroledn=cn=Top-level Admin Role,$rootSuffix)
  (entrydn=($dn),$rootSuffix))))
  ( targetattr = “*”)
  (version 3.0; acl “S1IS Organization Admin Role access allow”;
  allow (all)
  roledn = “ldap:///cn=Organization Admin Role,[$dn],
  $rootSuffix”;)

替代 ACI 的步驟

開始使用之前

開始使用此程序之前，建議您先檢查目錄中的現有 ACI。應確定是否需要保留將被此程序刪除的任何 ACI。

該程序最初會從根字尾處移除所有 ACI，並用下面列出的 ACI 集替代它們。如果目錄包含由 Messaging Server 以外的應用程式產生的 ACI，應將這些 ACI 儲存至檔案，並在套用 replacement.acis.ldif 檔案後將其重新套用到該目錄。

為協助您分析由 Access Manager 和 Messaging Server 產生的現有 ACI，請參閱本指南後面部分的以下小節︰

替代 ACI

以下程序說明如何在根字尾處合併 ACI 以及移除未使用的 ACI。

替代 ACI

儲存目前在根字尾處的現有 ACI。

可以使用 ldapsearch 指令，如以下範例所示︰

ldapsearch -D “cn=Directory Manager” -w <password> -s base -b <$rootSuffix> aci=* aci ><filename>

其中，

<password> 為 Directory Server 管理員密碼。

<$rootSuffix> 為根字尾，例如 o=usergroup。

<filename> 是儲存的 ACI 將要寫入的檔案之名稱。

複製並重新命名 replacement.acis.ldif 檔案。

安裝 Delegated Administrator 時，replacement.acis.ldif 檔案將安裝在以下目錄中︰

da-base /lib/config-templates

在 replacement.acis.ldif 檔案副本中編輯 $rootSuffix 項目。

將根字尾參數 $rootSuffix 變更為您的根字尾 (例如 o=usergroup)。$rootSuffix 參數在 ldif 檔案中多次顯示；必須替代每個實例。

使用 LDAP 目錄工具 ldapmodify 替代 ACI。

例如，您可以執行以下指令：

ldapmodify -D <directory manager> -w <password> -f <replacement.acis.finished.ldif>

其中，

<directory manager> 是 Directory Server 管理員的名稱。

<password> 是 Directory Service 管理員的密碼。

<replacement.acis.finished.ldif> 是在目錄中合併和移除 ACI 之已編輯的 ldif 檔案的名稱。

刪除動態組織 ACI

使用 Delegated Administrator 主控台建立組織時，將在組織節點上建立一組 ACI。

在前面程序中安裝的替代 ACI 不需要這些針對組織的 ACI。可以透過使用 Access Manager 主控台阻止建立針對組織的 ACI。

刪除動態組織 ACI

做為 amadmin 登入 AM 主控台。

AM 主控台位於以下 URL 中︰

http://< machine name>:<port >/amconsole

其中，

<machine name> 是執行 Access Manager 的機器

<port> 是連接埠

選取 [服務配置] 標籤。

依預設，[管理配置] 頁面會顯示。

在主控台右側，向下捲動至 [動態管理角色 ACI]。

在 [動態管理角色 ACI] 文字方塊中，選取並刪除所有 ACI。

儲存已編輯的設定。

分析現有 ACI

本小節中的清單顯示安裝 Access Manager 和 Messaging Server 時安裝在目錄中的 ACI。本小節還說明每個 ACI 的功能，並建議是否保留、合併或捨棄某一 ACI。

ACI 分為以下種類︰

根字尾

-------------------------------------------------------------------------------------------------------------

dn: $rootSuffix
#
# consolidate
#
aci:
(targetattr != “nsroledn || aci || nsLookThroughLimit || nsSizeLimit ||
nsTimeLimit || nsIdleTimeout || passwordPolicySubentry
|| passwordExpirationTime
|| passwordExpWarned || passwordRetryCount || retryCountResetTime
|| accountUnlockTime || passwordHistory || passwordAllowChangeTime”)
(version 3.0; acl “Allow self entry modification except for nsroledn, aci,
resource limit attributes, passwordPolicySubentry and password policy state
attributes”;
allow (write)
userdn =”ldap:///self”;)

動作︰合併。

無需此字尾的自我存取權限。此 ACI 是重複的；可以在根字尾處將其併入自我 ACI。

------------------------------------------------------------------------------------------------------------

-------------------------------------------------------------------------------------------------------------

#
# retain
#
aci:
(targetattr = “*”)
(version 3.0; acl “Configuration Administrator”;
allow (all)
userdn = “ldap:///uid=admin, ou=Administrators,
ou=TopologyManagement,o=NetscapeRoot”;)

動作︰保留。

這是「管理」使用者，該使用者將經由通過認證對 slapd-config 實例進行認證。如果使用 comm 和 line 公用程式，所有配置都將做為 Directory Manager 執行，則不需要此 ACI。如果某人需要做為此使用者對主控台進行認證，則可以在此處保留該 ACI。可以移除類似的 ACI。

-------------------------------------------------------------------------------------------------------------

#
# discard
#
aci:
(targetattr =”*”)
(version 3.0;acl “Configuration Administrators Group”;
allow (all)
(groupdn = “ldap:///cn=Configuration Administrators, ou=Groups,
ou=TopologyManagement, o=NetscapeRoot”);)

動作︰在所有 DB 後端捨棄。

這是「配置管理員」群組，如果主控台用於委派伺服器管理權限，則該群組將具有權限。

------------------------------------------------------------------------------------------------------------

-------------------------------------------------------------------------------------------------------------

#
# discard
#
aci:
(targetattr =”*”)
(version 3.0;acl “Directory Administrators Group”;
allow (all)
(groupdn = “ldap:///cn=Directory Administrators, $rootSuffix”);)

動作︰在所有 DB 後端捨棄。

這是一般「目錄管理員」群組權限定義。

-------------------------------------------------------------------------------------------------------------

#
# discard
#
aci:
(targetattr = “*”)
(version 3.0; acl “SIE Group”;
allow (all)
groupdn = “ldap:///cn=slapd-whater, cn=Sun ONE Directory Server, 
cn=Server Group, cn=whater.red.iplanet.com, ou=red.iplanet.com, 
o=NetscapeRoot”;)

動作︰在所有 DB 後端捨棄。

這是主控台/管理伺服器相關群組權限定義。

-------------------------------------------------------------------------------------------------------------

Access Manager

-------------------------------------------------------------------------------------------------------------

# retain
#
aci:
(target=”ldap:///$rootSuffix”)
(targetattr=”*”)
(version 3.0; acl “S1IS Proxy user rights”;
allow (proxy)
userdn = “ldap:///cn=puser,ou=DSAME Users,$rootSuffix”; )

動作︰保留。

此 ACI 可以為 Access Manager 系統使用者授予存取權限。

-------------------------------------------------------------------------------------------------------------

#
# retain
#
aci:
 (target=”ldap:///$rootSuffix”)
(targetattr=”*”)
(version 3.0; acl “S1IS special dsame user rights for all under the
root suffix”;
allow (all)
userdn = “ldap:///cn=dsameuser,ou=DSAME Users,$rootSuffix”; )

動作︰保留。

此 ACI 可以為 Access Manager 系統使用者授予存取權限。

-------------------------------------------------------------------------------------------------------------

#
# retain
#
aci:
(target=”ldap:///$rootSuffix”)(targetattr=”*”)|
(version 3.0;acl “S1IS special ldap auth user rights”;
allow (read,search)
userdn = “ldap:///cn=amldapuser,ou=DSAME Users,$rootSuffix”; )

動作︰保留。

此 ACI 可以為 Access Manager 系統使用者授予存取權限。

-------------------------------------------------------------------------------------------------------------

#
# discard
#
aci:
(target=”ldap:///cn=amldapuser,ou=DSAME Users,$rootSuffix”)
(targetattr = “*”)
(version 3.0;
acl “S1IS special ldap auth user modify right”;
deny (write)
roledn != “ldap:///cn=Top-level Admin Role,$rootSuffix”;)

動作︰捨棄。

此 ACI 可以阻止頂層管理員 (TLA) 修改 amldapuser 帳號。

-------------------------------------------------------------------------------------------------------------

#
# retain
#
aci:
(target=”ldap:///$rootSuffix”)
(targetattr=”*”)
(version 3.0; acl “S1IS Top-level admin rights”;
allow (all)
roledn = “ldap:///cn=Top-level Admin Role,$rootSuffix”; )

動作︰保留。

此 ACI 可以為頂層管理員角色授予存取權限。

-------------------------------------------------------------------------------------------------------------

#
# discard
#
aci:
(targetattr=”iplanet-am-saml-user || iplanet-am-saml-password”)
(targetfilter=”(objectclass=iplanet-am-saml-service)”)
(version 3.0; acl “S1IS Right to modify saml user and password”;
deny (all)
(roledn != “ldap:///cn=Top-level Admin Role,$rootSuffix”)
AND (userdn != “ldap:///cn=dsameuser,ou=DSAME Users,$rootSuffix”)
AND (userdn != “ldap:///cn=puser,ou=DSAME Users,$rootSuffix”); )

動作︰捨棄。

此 ACI 可以保護 SAML 相關屬性。

-------------------------------------------------------------------------------------------------------------

頂層用戶服務管理角色

-------------------------------------------------------------------------------------------------------------

#
# discard
#
aci:
(target=”ldap:///$rootSuffix”)
(targetfilter=(!(nsroledn=cn=Top-level Admin Role,$rootSuffix)))
(targetattr = “*”)
(version 3.0; acl “S1IS Top-level Help Desk Admin Role access allow”;
allow (read,search)
roledn = “ldap:///cn=Top-level Help Desk Admin Role,$rootSuffix”;)

動作︰捨棄。

-------------------------------------------------------------------------------------------------------------

#
# discard
#
aci:
(target=”ldap:///$rootSuffix”)
(targetfilter=(!(nsroledn=cn=Top-level Admin Role,$rootSuffix)))
(targetattr = “userPassword”)
(version 3.0; acl “S1IS Top-level Help Desk Admin Role access allow”;
allow (write)
roledn = “ldap:///cn=Top-level Help Desk Admin Role,$rootSuffix”;)

動作︰捨棄。

-------------------------------------------------------------------------------------------------------------

頂層策略管理角色

-------------------------------------------------------------------------------------------------------------

#
# discard
#
aci:
target=”ldap:///$rootSuffix”)
(targetfilter=(!(|(nsroledn=cn=Top-level Admin Role,$rootSuffix))))
(targetattr = “*”)
(version 3.0; acl “S1IS Top-level Policy Admin Role access allow”;
allow (read,search)
roledn = “ldap:///cn=Top-level Policy Admin Role,$rootSuffix”;)

動作︰捨棄。

此 ACI 適用於頂層策略管理角色。

-------------------------------------------------------------------------------------------------------------

#
# discard
#
aci:
(target=”ldap:///ou=iPlanetAMAuthService,ou=services,*$rootSuffix”)
(targetattr = “*”)
(version 3.0; acl “S1IS Top-level Policy Admin Role access Auth Service
deny”;
deny (add,write,delete)
roledn = “ldap:///cn=Top-level Policy Admin Role,$rootSuffix”;)

動作︰捨棄。

此 ACI 適用於頂層策略管理角色。

-------------------------------------------------------------------------------------------------------------

#
# discard
#
aci:
(target=”ldap:///ou=services,*$rootSuffix”)
(targetattr = “*”)
(version 3.0; acl “S1IS Top-level Policy Admin Role access allow”;
allow (all)
roledn = “ldap:///cn=Top-level Policy Admin Role,$rootSuffix”;)

動作︰捨棄。

此 ACI 適用於頂層策略管理角色。

-------------------------------------------------------------------------------------------------------------

#
# discard
#
aci:
(target=”ldap:///$rootSuffix”)
(targetfilter=”(objectclass=sunismanagedorganization)”)
(targetattr = “sunRegisteredServiceName”)
(version 3.0; acl “S1IS Top-level Policy Admin Role access allow”;
allow (read,write,search)
roledn = “ldap:///cn=Top-level Policy Admin Role,$rootSuffix”;)

動作︰捨棄。

此 ACI 適用於頂層策略管理角色。

-------------------------------------------------------------------------------------------------------------

AM 自身

-------------------------------------------------------------------------------------------------------------

#
# consolidate
#
aci:
(targetattr = “*”)
(version 3.0;
acl “S1IS Deny deleting self”;
deny (delete)
userdn =”ldap:///self”;)

動作︰合併為單一自我寫入 ACI。由於一般使用者沒有權限刪除任何項目 (包括其自身)，因此不需要明確拒絕。

這是可以設定自身權限的 ACI 之一。明確拒絕將阻止所有項目刪除自身。

-------------------------------------------------------------------------------------------------------------

#
# consolidate
#
aci:
(targetattr = “objectclass || inetuserstatus 
|| iplanet-am-user-login-status
|| iplanet-am-web-agent-access-allow-list 
|| iplanet-am-domain-url-access-allow
|| iplanet-am-web-agent-access-deny-list || iplanet-am-user-account-life
|| iplanet-am-session-max-session-time || iplanet-am-session-max-idle-time
|| iplanet-am-session-get-valid-sessions 
|| iplanet-am-session-destroy-sessions
|| iplanet-am-session-add-session-listener-on-all-sessions 
|| iplanet-am-user-admin-start-dn
|| iplanet-am-auth-post-login-process-class”)
(targetfilter=(!(nsroledn=cn=Top-level Admin Role,$rootSuffix)))
(version 3.0; acl “S1IS User status self modification denied”;
deny (write)
userdn =”ldap:///self”;)

動作︰合併為單一自我寫入 ACI。

這是可以設定自我寫入權限的 ACI 之一。

-------------------------------------------------------------------------------------------------------------

#
# consolidate
#
aci:
(targetattr != “iplanet-am-static-group-dn || uid || nsroledn || aci 
|| nsLookThroughLimit || nsSizeLimit || nsTimeLimit || nsIdleTimeout 
|| memberOf || iplanet-am-web-agent-access-allow-list
|| iplanet-am-domain-url-access-allow 
|| iplanet-am-web-agent-access-deny-list”)
(version 3.0; acl “S1IS Allow self entry modification except for nsroledn,
aci, and resource limit attributes”;
allow (write)
userdn =”ldap:///self”;)

動作︰合併為單一自我寫入 ACI。

這是可以設定權限的 ACI 之一。

-------------------------------------------------------------------------------------------------------------

#
# consolidate
#
aci:
(targetattr != “aci || nsLookThroughLimit || nsSizeLimit || nsTimeLimit
|| nsIdleTimeout || iplanet-am-domain-url-access-allow”)
(version 3.0; acl “S1IS Allow self entry read search except for nsroledn,
aci, resource limit and web agent policy attributes”;
allow (read,search)
userdn =”ldap:///self”;)

動作︰合併為單一自我寫入 ACI。

這是可以設定自我寫入權限的 ACI 之一。

-------------------------------------------------------------------------------------------------------------

AM 匿名

-------------------------------------------------------------------------------------------------------------

#
# consolidate
#
aci:
(target=”ldap:///ou=services,$rootSuffix”)
(targetfilter=(!(objectclass=sunServiceComponent)))
(targetattr = “*”)
(version 3.0; acl “S1IS Services anonymous access”;
allow (read, search, compare)
userdn = “ldap:///anyone”;)

動作︰合併為單一匿名 ACI。

這是可以授予匿名權限的 ACI 之一。

-------------------------------------------------------------------------------------------------------------

#
# consolidate
#
aci:
(target=”ldap:///ou=iPlanetAMAdminConsoleService,*,$rootSuffix”)
(targetattr = “*”)
(version 3.0; acl “S1IS iPlanetAMAdminConsoleService anonymous access”;
allow (read, search, compare)
userdn = “ldap:///anyone”;)

動作︰合併為單一匿名 ACI。

這是可以授予匿名權限的 ACI 之一。

-------------------------------------------------------------------------------------------------------------

#
# discard
#
aci:
(target=”ldap:///$rootSuffix”)
(targetfilter=(entrydn=$rootSuffix))
(targetattr=”*”)
(version 3.0; acl “S1IS Default Organization delete right denied”;
deny (delete)
userdn = “ldap:///anyone”; )

動作︰捨棄。

此 ACI 可以阻止任何使用者 (rootdn 之外) 刪除預設組織。

-------------------------------------------------------------------------------------------------------------

#
# discard
#
aci:
(target=”ldap:///cn=Top-level Admin Role,$rootSuffix”)
(targetattr=”*”)
(version 3.0; acl “S1IS Top-level admin delete right denied”;
deny(delete)
userdn = “ldap:///anyone”; )

動作︰捨棄。

此 ACI 可阻止任何使用者 (rootdn 之外) 刪除頂層管理員角色。

-------------------------------------------------------------------------------------------------------------

AM 拒絕寫入存取權限

-------------------------------------------------------------------------------------------------------------

#
# discard
#
aci: (targetattr = “*”)
(version 3.0; acl “S1IS Deny write to anonymous user”;
deny (add,write,delete)
roledn =”ldap:///cn=Deny Write Access,$rootSuffix”;)

動作︰捨棄。

此 ACI 適用於拒絕寫入存取權限角色。

-------------------------------------------------------------------------------------------------------------

AM 容器管理角色

-------------------------------------------------------------------------------------------------------------

#
# discard
#
aci:
(target=”ldap:///($dn),$rootSuffix”)
(targetfilter=(!(|(nsroledn=cn=Top-level Admin Role,$rootSuffix)
(nsroledn=cn=Top-level Help Desk Admin Role,$rootSuffix)
(nsroledn=cn=Top-level Policy Admin Role,$rootSuffix))))
(targetattr != “nsroledn”)
(version 3.0; acl “S1IS Container Admin Role access allow”;
allow (all)
roledn = “ldap:///cn=Container Admin Role,[$dn],$rootSuffix”;)

動作︰捨棄。

此 ACI 適用於容器管理角色。

-------------------------------------------------------------------------------------------------------------

#
# discard
#
aci:
(target=”ldap:///cn=Container Admin Role,($dn),$rootSuffix”)
(targetattr=”*”)
(version 3.0; acl “S1IS Container Admin Role access deny”;
deny (write,add,delete,compare,proxy)
roledn = “ldap:///cn=Container Admin Role,($dn),$rootSuffix”;)

動作︰捨棄。

此 ACI 適用於容器管理角色。

-------------------------------------------------------------------------------------------------------------

#
# discard
#
aci:
 (target=”ldap:///ou=People,$rootSuffix”)
(targetfilter=(!(|(nsroledn=cn=Top-level Admin Role,$rootSuffix)
(nsroledn=cn=Top-level Help Desk Admin Role,$rootSuffix)
(nsroledn=cn=Top-level Policy Admin Role,$rootSuffix)
(nsroledn=cn=Organization Admin Role,$rootSuffix)
(nsroledn=cn=Container Admin Role,$rootSuffix))))
(targetattr != “iplanet-am-web-agent-access-allow-list 
|| iplanet-am-domain-url-access-allow
|| iplanet-am-web-agent-access-deny-list || nsroledn”)
(version 3.0; acl “S1IS Group and people container admin role”;
allow (all)
roledn = “ldap:///cn=ou=People_dc=red_dc=iplanet_dc=com,$rootSuffix”;)

動作︰捨棄。

此 ACI 適用於群組和使用者容器管理角色。

-------------------------------------------------------------------------------------------------------------

組織用戶服務

-------------------------------------------------------------------------------------------------------------

#
# discard
#
aci: (extra verses dreambig)
(target=”ldap:///$rootSuffix”)
(targetfilter=(!(|(nsroledn=cn=Top-level Admin Role,$rootSuffix)
(nsroledn=cn=Top-level Help Desk Admin Role,$rootSuffix)
(nsroledn=cn=Top-level Policy Admin Role,$rootSuffix)
(nsroledn=cn=Organization Admin Role,$rootSuffix))))
(targetattr = “*”)
(version 3.0; acl “S1IS Organization Help Desk Admin Role access allow”;
allow (read,search)
roledn = “ldap:///cn=Organization Help Desk Admin Role,$rootSuffix”;)

動作︰捨棄。

此 ACI 適用於組織用戶服務管理角色。

-------------------------------------------------------------------------------------------------------------

#
# discard
#
aci:
(target=”ldap:///$rootSuffix”)
(targetfilter=(!(|(nsroledn=cn=Top-level Admin Role,$rootSuffix)
(nsroledn=cn=Top-level Help Desk Admin Role,$rootSuffix)
(nsroledn=cn=Top-level Policy Admin Role,$rootSuffix)
(nsroledn=cn=Organization Admin Role,$rootSuffix))))
(targetattr = “userPassword”)
(version 3.0; acl “S1IS Organization Help Desk Admin Role access allow”;
allow (write)
roledn = “ldap:///cn=Organization Help Desk Admin Role,$rootSuffix”;)

動作︰捨棄。

此 ACI 適用於組織用戶服務管理角色。

-------------------------------------------------------------------------------------------------------------

AM 組織管理角色

-------------------------------------------------------------------------------------------------------------

#
# consolidate
#
aci: (different name - “allow all” instead of “allow”)
(target=”ldap:///($dn),$rootSuffix”)
(targetfilter=(!(|(nsroledn=cn=Top-level Admin Role,$rootSuffix)
(nsroledn=cn=Top-level Help Desk Admin Role,$rootSuffix)
(nsroledn=cn=Top-level Policy Admin Role,$rootSuffix))))
(targetattr != “nsroledn”)
(version 3.0; acl “S1IS Organization Admin Role access allow all”;
allow (all)
roledn =”ldap:///cn=Organization Admin Role,[$dn],$rootSuffix”;)

動作︰合併。

-------------------------------------------------------------------------------------------------------------

#
# consolidate
#
aci:
(target=”ldap:///cn=Organization Admin Role,($dn),$rootSuffix”)
(targetattr=”*”)
(version 3.0; acl “S1IS Organization Admin Role access deny”;
deny (write,add,delete,compare,proxy)
roledn = “ldap:///cn=Organization Admin Role,($dn),$rootSuffix”;)

動作︰合併。

此 ACI 適用於組織管理角色。

-------------------------------------------------------------------------------------------------------------

#
# consolidate
#
aci: (missing)
(target=”ldap:///($dn),$rootSuffix”)
(targetattr=”*”)
(version 3.0; acl “Organization Admin Role access allow read to org node”;
allow (read,search)
roledn = “ldap:///cn=Organization Admin Role,($dn),$rootSuffix” ;)

動作︰合併。

此 ACI 適用於組織管理角色。

-------------------------------------------------------------------------------------------------------------

#
# consolidate
#
aci:
(target=”ldap:///($dn),$rootSuffix”)
(targetfilter=(!(|(nsroledn=cn=Top-level Admin Role,$rootSuffix)
(nsroledn=cn=Top-level Help Desk Admin Role,$rootSuffix))))
(targetattr != “nsroledn”)
(version 3.0; acl “Organization Admin Role access allow”;
allow (all)
roledn = “ldap:///cn=Organization Admin Role,[$dn],$rootSuffix”;)

動作︰合併。

此 ACI 適用於組織管理角色。

-------------------------------------------------------------------------------------------------------------

#
# consolidate
#
aci:
(target=”ldap:///($dn),$rootSuffix”)
(targetattr!=”businessCategory || description || facsimileTelephoneNumber
|| postalAddress || preferredLanguage || searchGuide || postOfficeBox ||
postalCode
|| registeredaddress || street || l || st || telephonenumber
||maildomainreportaddress
|| maildomainwelcomemessage || preferredlanguage || sunenablegab”)
(version 3.0; acl “Organization Admin Role access deny to org node”;
deny (write,add,delete)
roledn = “ldap:///cn=Organization Admin Role,($dn),$rootSuffix” ;)

動作︰合併。

此 ACI 適用於組織管理角色。

-------------------------------------------------------------------------------------------------------------

#
# consolidate
#
aci:
(target=”ldap:///($dn),$rootSuffix”)
(targetfilter=(!(|(nsroledn=cn=Top-level Admin Role,$rootSuffix)
(nsroledn=cn=Top-level Help Desk Admin Role,$rootSuffix))))
(targetattr != “nsroledn”)
(version 3.0; acl “S1IS Organization Admin Role access allow all”;
allow (all)
roledn = “ldap:///cn=Organization Admin Role,[$dn],$rootSuffix”;)

動作︰合併。

-------------------------------------------------------------------------------------------------------------

AM 其他

-------------------------------------------------------------------------------------------------------------

#
#
# discard
#
aci:
(target=”ldap:///$rootSuffix”)
(targetattr!=”nsroledn”)
(version 3.0; acl “S1IS Group admin’s right to the users he creates”;
allow (all)
userattr = “iplanet-am-modifiable-by#ROLEDN”;)

動作︰捨棄。

捨棄此 ACI 將停用與 iplanet-am-modifiable-by 屬性關聯的權限。

-------------------------------------------------------------------------------------------------------------

Messaging Server

-------------------------------------------------------------------------------------------------------------

#
# consolidate
#
aci:
(target=”ldap:///$rootSuffix”)
(targetattr=”*”)
(version 3.0; acl “Messaging Server End User Administrator Read
Access Rights -
product=SOMS,schema 2 support,class=installer,num=1,version=1”;
allow (read,search)
groupdn=”ldap:///cn=Messaging End User Administrators Group, ou=Groups,
$rootSuffix”;)

動作︰合併。

此 ACI 可以授予郵件傳送一般使用者管理員群組權限。

-------------------------------------------------------------------------------------------------------------

#
# consolidate
#
aci:
(target=”ldap:///$rootSuffix”)
(targetattr=”objectclass||mailalternateaddress||mailautoreplymode
||mailprogramdeliveryinfo||nswmextendeduserprefs||preferredlanguage
||maildeliveryoption||mailforwardingaddress
||mailAutoReplyTimeout||mailautoreplytextinternal||mailautoreplytext
||vacationEndDate||vacationStartDate||mailautoreplysubject||pabURI
||maxPabEntries||mailMessageStore||mailSieveRuleSource||sunUCDateFormat
||sunUCDateDeLimiter||sunUCTimeFormat”)
(version 3.0; acl “Messaging Server End User Adminstrator Write
Access Rights -
product=SOMS,schema 2 support,class=installer,num=2,version=1”;
allow (all)
groupdn=”ldap:///cn=Messaging End User Administrators Group, ou=Groups,
$rootSuffix”;)

動作︰合併。

此 ACI 可以授予郵件傳送一般使用者管理員群組權限。

-------------------------------------------------------------------------------------------------------------

#
# consolidate
#
aci:
(targetattr=”uid||ou||owner||mail||mailAlternateAddress
||mailEquivalentAddress||memberOf
||inetuserstatus||mailuserstatus||memberOfManagedGroup||mailQuota
||mailMsgQuota||inetSubscriberAccountId||dataSource||mailhost
||mailAllowedServiceAcces||pabURI||inetCOS||mailSMTPSubmitChannel
||aci”)
(targetfilter=(&(objectClass=inetMailUser)(!(nsroledn=cn=Organization
Admin Role,*))))
(version 3.0; acl “Deny write access to users over Messaging Server
protected attributes -
product=SOMS,schema 2 support,class=installer,num=3,version=1 “;
deny (write)
userdn = “ldap:///self”;)

動作︰合併。

這是可以設定自身權限的 ACI 之一。

-------------------------------------------------------------------------------------------------------------

分析如何合併 ACI

本小節中的清單顯示在替代 ldif 檔案 replacement.acis.ldif (可以使用該檔案在目錄中合併 ACI) 中已合併的 ACI。如需有關如何替代 ACI 的說明，請參閱替代 ACI 的步驟。

ACI 分為幾對。對於每一種類，將先列出原始 ACI，然後列出合併後的 ACI︰

原始匿名存取權限

aci:
(targetattr != “userPassword || passwordHistory || passwordExpirationTime
|| passwordExpWarned || passwordRetryCount || retryCountResetTime ||
accountUnlockTime || passwordAllowChangeTime “)
(version 3.0; acl “Anonymous access”;
allow (read, search, compare)
userdn = “ldap:///anyone”;)

aci:
(target=”ldap:///cn=Top-level Admin Role,$rootSuffix”)
(targetattr=”*”)
version 3.0; acl “S1IS Top-level admin delete right denied”;
deny (delete)
userdn = “ldap:///anyone”; )


aci:
(target=”ldap:///$rootSuffix”)
(targetfilter=(entrydn=$rootSuffix))
(targetattr=”*”)
(version 3.0; acl “S1IS Default Organization delete right denied”;
deny (delete)
userdn = “ldap:///anyone”; )


aci:
(target=”ldap:///ou=services,$rootSuffix”)
(targetfilter=(!(objectclass=sunServiceComponent)))
(targetattr = “*”)
(version 3.0; acl “S1IS Services anonymous access”;
allow (read, search, compare)
userdn = “ldap:///anyone”;)


aci:
(target=”ldap:///ou=iPlanetAMAdminConsoleService,*,$rootSuffix”)
(targetattr = “*”)
(version 3.0; acl “S1IS iPlanetAMAdminConsoleService anonymous access”;
allow (read, search, compare)
userdn = “ldap:///anyone”;)

合併後的匿名存取權限

aci:
(target=”ldap:///$rootSuffix”)
(targetfilter=(!(objectclass=sunServiceComponent)))
(targetattr != “userPassword||passwordHistory
||passwordExpirationTime||passwordExpWarned||passwordRetryCount
||retryCountResetTime||accountUnlockTime||passwordAllowChangeTime”)
(version 3.0; acl “anonymous access rights”;
allow (read,search,compare)
userdn = “ldap:///anyone”; )

分析︰此 ACI (位於根中) 允許與原始匿名 ACI 集合相同的存取權限。此 ACI 透過列出一組排除的屬性清單來執行此作業。此替代 ACI 可以透過在目標中刪除 (*) 來提昇效能。

原始自我 ACI

aci:
(targetattr != “nsroledn || aci || nsLookThroughLimit || nsSizeLimit ||
nsTimeLimit || nsIdleTimeout || passwordPolicySubentry ||
passwordExpirationTime
|| passwordExpWarned || passwordRetryCount || retryCountResetTime ||
accountUnlockTime || passwordHistory || passwordAllowChangeTime”)
(version 3.0; acl “Allow self entry modification except for nsroledn, aci,
resource limit attributes, passwordPolicySubentry and password policy
state attributes”;
allow (write)
userdn =”ldap:///self”;) 


aci:
(targetattr = “*”)
(version 3.0; acl “S1IS Deny deleting self”;
deny (delete)
userdn =”ldap:///self”;) 


aci:
(targetattr = “objectclass || inetuserstatus ||
planet-am-web-agent-access-allow-list
|| iplanet-am-domain-url-access-allow 
|| iplanet-am-web-agent-access-deny-list
|| iplanet-am-user-account-life || iplanet-am-session-max-session-time
|| iplanet-am-session-max-idle-time 
|| iplanet-am-session-get-valid-sessions
|| iplanet-am-session-destroy-sessions 
|| iplanet-am-session-add-session-listener-on-all-sessions
|| iplanet-am-user-admin-start-dn 
|| iplanet-am-auth-post-login-process-class”)
(targetfilter=(!(nsroledn=cn=Top-levelAdmin Role,$rootSuffix)))
(version 3.0; acl “S1IS User status self modification denied”;
deny (write)
userdn =”ldap:///self”;) 


aci:
(targetattr != “iplanet-am-static-group-dn || uid || nsroledn || aci 
|| LookThroughLimit
|| nsSizeLimit || nsTimeLimit || nsIdleTimeout || memberOf ||
planet-am-web-agent-access-allow-list
|| iplanet-am-domain-url-access-allow ||
planet-am-web-agent-access-deny-list”)
(version 3.0; acl “S1IS Allow self entry modification except 
for nsroledn, aci, and resource limit attributes”;
allow (write)
userdn =”ldap:///self”;) 


aci:
(targetattr != “aci || nsLookThroughLimit || nsSizeLimit || nsTimeLimit
|| nsIdleTimeout || iplanet-am-domain-url-access-allow”)
(version 3.0; acl “S1IS Allow self entry read search except for 
nsroledn, aci, resource limit and web agent policy attributes”;
allow (read,search)
userdn =”ldap:///self”;) 


aci:
(targetattr=”uid||ou||owner||mail||mailAlternateAddress
||mailEquivalentaddress||memberOf
||inetuserstatus||mailuserstatus||memberOfManagedGroup||mailQuota
||mailMsgQuota
||inetSubscriberAccountId||dataSource||mailhost||mailAllowedServiceAccess
||pabURI||inetCOS||mailSMTPSubmitChannel||aci”)
(targetfilter=(&(objectClass=inetMailUser)(!(nsroledn=cn=Organization Admin
role,*))))
(version 3.0; acl “Deny write access to users over Messaging Server 
protected attributes -
product=SOMS,schema 2 support,class=installer,num=3,version=1 “;
deny (write)
userdn = “ldap:///self”;)

合併後的自我 ACI

aci:
(targetattr != “nsroledn || aci || nsLookThroughLimit || nsSizeLimit
|| nsTimeLimit || nsIdleTimeout || passwordPolicySubentry ||
asswordExpirationTime
|| passwordExpWarned || passwordRetryCount || retryCountResetTime
|| accountUnlockTime || passwordHistory || passwordAllowChangeTime ||
id || memberOf
|| objectclass || inetuserstatus || ou || owner || mail || mailuserstatus
|| memberOfManagedGroup ||mailQuota || mailMsgQuota || mailhost
|| mailAllowedServiceAccess || inetCOS || mailSMTPSubmitChannel”)
(version 3.0; acl “Allow self entry modification”;
allow (write)
userdn =”ldap:///self”;) 


aci:
(targetattr != “ aci || nsLookThroughLimit || nsSizeLimit
|| nsTimeLimit|| nsIdleTimeout”)
(version 3.0; acl “Allow self entry read search”;
allow(read,search)
userdn =”ldap:///self”;)

分析︰缺少所有 iplanet-am-* 屬性。由於 deny 是預設值 (如果 ACI 不存在)，因此將移除所有 deny ACI。允許 write 的所有 ACI 將被合併為單一 ACI。

原始 Messaging Server ACI

aci:
(target=”ldap:///$rootSuffix”)
(targetattr=”*”)
(version 3.0; acl “Messaging Server End User Administrator Read 
Access Rights -
product=SOMS,schema 2 support,class=installer,num=1,version=1”;
allow (read,search)
groupdn=”ldap:///cn=Messaging End User Administrators Group, ou=Groups,
rootSuffix”;) 


aci:
(target=”ldap:///$rootSuffix”)
(targetattr=”objectclass||mailalternateaddress||mailautoreplymode||
mailprogramdeliveryinfo
||nswmextendeduserprefs||preferredlanguage||maildeliveryoption||
mailforwardingaddress
||mailAutoReplyTimeout||mailautoreplytextinternal||mailautoreplytext||
vacationEndDate
||vacationStartDate||mailautoreplysubject||pabURI||maxPabEntries||
mailMessageStore
||mailSieveRuleSource||sunUCDateFormat||sunUCDateDeLimiter||
sunUCTimeFormat”)
(version 3.0; acl “Messaging Server End User Adminstrator Write 
Access Rights -
product=SOMS,schema 2 support,class=installer,num=2,version=1”;
allow (all)
groupdn=”ldap:///cn=Messaging End User Administrators Group, ou=Groups,
rootSuffix”;) 


aci:
(targetattr=”uid||ou||owner||mail||mailAlternateAddress||
mailEquivalentAddress||memberOf
||inetuserstatus||mailuserstatus||memberOfManagedGroup||mailQuota||
mailMsgQuota
||inetSubscriberAccountId||dataSource||mailhost||mailAllowedServiceAccess
||pabURI||inetCOS||mailSMTPSubmitChannel||aci”)
(targetfilter=(&(objectClass=inetMailUser)(!(nsroledn=cn=Organization Admin
Role,*))))
(version 3.0; acl “Deny write access to users over Messaging Server
protected attributes - 
product=SOMS,schema 2 support,class=installer,num=3,version=1 “;
deny (write)
userdn = “ldap:///self”;)

合併後的 Messaging Server ACI

將在自我 ACI 中處理自我 ACI。

aci:
(targetattr=”*”)
(version 3.0; acl “Messaging Server End User Administrator 
Read Only Access”;
allow (read,search)
groupdn = “ldap:///cn=Messaging End User Administrators
group,ou=Groups,$rootSuffix”; ) 


aci:
(targetattr=”objectclass || mailalternateaddress || Mailautoreplymode 
|| mailprogramdeliveryinfo || preferredlanguage || maildeliveryoption
|| mailforwardingaddress || mailAutoReplyTimeout 
|| mailautoreplytextinternal
|| mailautoreplytext || vacationEndDate || vacationStartDate
|| mailautoreplysubject || maxPabEntries || mailMessageStore
|| mailSieveRuleSource || sunUCDateFormat || sunUCDateDeLimiter
|| sunUCTimeFormat || mailuserstatus || maildomainstatus
|| nswmextendeduserprefs || pabURI”)
(version 3.0; acl “Messaging Server End User Administrator All Access”;
allow (all)
groupdn = “ldap:///cn=Messaging End User Administrators
group,ou=Groups,$rootSuffix”;)

分析︰與原始 ACI 相同。

原始組織管理 ACI

aci: (different name - “allow all” instead of “allow”)
(target=”ldap:///($dn),$rootSuffix”)
(targetfilter=(!(|(nsroledn=cn=Top-level Admin Role,$rootSuffix)
(nsroledn=cn=Top-level Help Desk Admin Role,$rootSuffix)
(nsroledn=cn=Top-level Policy Admin Role,$rootSuffix))))
(targetattr != “nsroledn”)
(version 3.0; acl “S1IS Organization Admin Role access allow all”;
allow (all)
roledn =”ldap:///cn=Organization Admin Role,[$dn],$rootSuffix”;) 


aci: (missing)
(target=”ldap:///($dn),$rootSuffix”)
(targetattr=”*”)
(version 3.0; acl “Organization Admin Role access allow read to org node”;
allow (read,search)
roledn = “ldap:///cn=Organization Admin Role,($dn),$rootSuffix” ;) 


aci:
(target=”ldap:///($dn),$rootSuffix”)
(targetfilter=(!(|(nsroledn=cn=Top-level Admin Role,$rootSuffix)
(nsroledn=cn=Top-level Help Desk Admin Role,$rootSuffix))))
(targetattr != “nsroledn”)
(version 3.0; acl “Organization Admin Role access allow”;
allow (all)
roledn = “ldap:///cn=Organization Admin Role,[$dn],$rootSuffix”;) 


aci:
(target=”ldap:///($dn),$rootSuffix”)
(targetattr!=”businessCategory || description || facsimileTelephoneNumber
|| postalAddress || preferredLanguage || searchGuide || postOfficeBox 
|| postalCode
|| registeredaddress || street || l || st || telephonenumber 
|| maildomainreportaddress
|| maildomainwelcomemessage || preferredlanguage || sunenablegab”)
(version 3.0; acl “Organization Admin Role access deny to org node”;
deny (write,add,delete)
roledn = “ldap:///cn=Organization Admin Role,($dn),$rootSuffix” ;) 


aci: (duplicate of per organization aci)
(target=”ldap:///cn=Organization Admin Role,($dn),$rootSuffix”)
(targetattr=”*”)
(version 3.0; acl “S1IS Organization Admin Role access deny”;
deny (write,add,delete,compare,proxy)
roledn = “ldap:///cn=Organization Admin Role,($dn),$rootSuffix”;)


aci:
(target=”ldap:///cn=Organization Admin
Role,($dn),dc=red,dc=iplanet,dc=com”)
(targetattr=”*”)
(version 3.0; acl “S1IS Organization Admin Role access deny”;
deny (write,add,delete,compare,proxy)
roledn = “ldap:///cn=Organization Admin Role,($dn),$rootSuffix”;)


aci:
(target=”ldap:///o=fullOrg1,o=VIS,o=siroe.com,o=SharedDomainsRoot,
o=Business,rootSuffix”)
(targetfilter=(!(|(nsroledn=cn=Top-level Admin Role,$rootSuffix)
(nsroledn=cn=Top-level Help Desk Admin Role,dc=red,dc=iplanet,dc=com))))
(targetattr = “nsroledn”)
(targattrfilters=”add=nsroledn:(nsroledn=*,o=fullOrg1,o=VIS,o=siroe.com,
o=SharedDomainsRoot,o=Business,$rootSuffix),
del=nsroledn:(nsroledn=*,o=fullOrg1,o=VIS,o=siroe.com,o=SharedDomainsRoot,
o=Business,$rootSuffix)”)
(version 3.0;
acl “S1IS Organization Admin Role access allow”;
allow (all)
roledn = “ldap:///cn=Organization Admin
Role,o=fullOrg1,o=VIS,o=siroe.com,o=SharedDomainsRoot,o=Business,
$rootSuffix”;)


aci:
(target=”ldap:///($dn),$rootSuffix”)
(targetfilter=(!(|(nsroledn=cn=Top-level Admin Role,$rootSuffix)
(nsroledn=cn=Top-level Help Desk Admin Role,$rootSuffix))))
(targetattr != “nsroledn”)
(version 3.0; acl “S1IS Organization Admin Role access allow all”;
allow (all)
roledn = “ldap:///cn=Organization Admin
Role,[$dn],dc=red,dc=iplanet,dc=com”;)

合併後的組織管理 ACI

aci:
(target=”ldap:///cn=Organization Admin Role,($dn),$rootSuffix”)
(targetattr=”*”)
(version 3.0; acl “S1IS Organization Admin Role access deny”;
deny (write,add,delete,compare,proxy)
roledn = “ldap:///cn=Organization Admin Role,($dn),$rootSuffix”;)


aci:
(target=”ldap:///($dn),$rootSuffix”)
(targetattr=”*”)
(version 3.0; acl “Organization Admin Role access allow read”;
allow(read,search)
roledn = “ldap:///cn=Organization Admin Role,[$dn],$rootSuffix” ;)


aci:
(target=”ldap:///($dn),$rootSuffix”)
(targetfilter=(!(|(nsroledn=cn=Top-level Admin Role,$rootSuffix)
(entrydn=($dn),$rootSuffix))))
( targetattr = “*”)
(version 3.0; acl “S1IS Organization Admin Role access allow”;
allow (all)
roledn = “ldap:///cn=Organization Admin Role,[$dn],$rootSuffix”;)

將要捨棄的未使用之 ACI 清單

本小節中的清單顯示在將 replacement.acis.ldif 檔案套用至目錄時要捨棄的未使用之預設 ACI。

要捨棄的 ACI 分為以下種類︰

字尾

# discard
#
aci:
(targetattr =”*”)
(version 3.0;acl “Configuration Administrators Group”;
allow (all)
(groupdn = “ldap:///cn=Configuration Administrators, ou=Groups,
ou=TopologyManagement, o=NetscapeRoot”);)


#
# discard
#
aci:
(targetattr =”*”)
(version 3.0;acl “Directory Administrators Group”;
allow (all)
(groupdn = “ldap:///cn=Directory Administrators, $rootSuffix”);)


#
# discard
#
aci:
(targetattr = “*”)
(version 3.0;
acl “SIE Group”;
allow (all)
groupdn = “ldap:///cn=slapd-whater, cn=Sun ONE Directory Server, cn=Server
Group, cn=whater.red.iplanet.com, ou=red.iplanet.com, o=NetscapeRoot”;)


#
# discard - prevents TLA from modifying the amldapuser account.
#
aci:
(target=”ldap:///cn=amldapuser,ou=DSAME Users,$rootSuffix”)
(targetattr = “*”)
(version 3.0;
acl “S1IS special ldap auth user modify right”;
deny (write)
roledn != “ldap:///cn=Top-level Admin Role,$rootSuffix”;)


#
# discard - protects SAML related attributes
#
aci:
(targetattr=”iplanet-am-saml-user || iplanet-am-saml-password”)
(targetfilter=”(objectclass=iplanet-am-saml-service)”)
(version 3.0; acl “S1IS Right to modify saml user and password”;
deny (all)
(roledn != “ldap:///cn=Top-level Admin Role,$rootSuffix”)
AND (userdn != “ldap:///cn=dsameuser,ou=DSAME Users,$rootSuffix”)
AND (userdn != “ldap:///cn=puser,ou=DSAME Users,$rootSuffix”); )

頂層用戶服務管理角色

#
# discard
 #
aci:
(target=”ldap:///$rootSuffix”)
(targetfilter=(!(nsroledn=cn=Top-level Admin Role,$rootSuffix)))
(targetattr = “*”)
(version 3.0; acl “S1IS Top-level Help Desk Admin Role access allow”;
allow (read,search)
roledn = “ldap:///cn=Top-level Help Desk Admin Role,$rootSuffix”;)


#
# discard
#
aci:
(target=”ldap:///$rootSuffix”)
(targetfilter=(!(nsroledn=cn=Top-level Admin Role,$rootSuffix)))
(targetattr = “userPassword”)
(version 3.0; acl “S1IS Top-level Help Desk Admin Role access allow”;
allow (write)
roledn = “ldap:///cn=Top-level Help Desk Admin Role,$rootSuffix”;)

頂層策略管理角色

#
# discard
#
aci:
(target=”ldap:///$rootSuffix”)
(targetfilter=(!(|(nsroledn=cn=Top-level Admin Role,$rootSuffix))))
(targetattr = “*”)
(version 3.0; acl “S1IS Top-level Policy Admin Role access allow”;
allow (read,search)
roledn = “ldap:///cn=Top-level Policy Admin Role,$rootSuffix”;)


#
# discard
#
aci:
(target=”ldap:///ou=iPlanetAMAuthService,ou=services,*$rootSuffix”)
(targetattr = “*”)
(version 3.0; acl “S1IS Top-level Policy Admin Role access
Auth Service deny”;
deny (add,write,delete)
roledn = “ldap:///cn=Top-level Policy Admin Role,$rootSuffix”;)


#
# discard
#
aci:
(target=”ldap:///ou=services,*$rootSuffix”)
(targetattr = “*”)
(version 3.0; acl “S1IS Top-level Policy Admin Role access allow”;
allow (all)
roledn = “ldap:///cn=Top-level Policy Admin Role,$rootSuffix”;)


#
# discard
#
aci:
(target=”ldap:///$rootSuffix”)
(targetfilter=”(objectclass=sunismanagedorganization)”)
(targetattr = “sunRegisteredServiceName”)
(version 3.0; acl “S1IS Top-level Policy Admin Role access allow”;
allow (read,write,search)
roledn = “ldap:///cn=Top-level Policy Admin Role,$rootSuffix”;)

Access Manager 匿名

#
# discard - prevents anyone other than rootdn from deleting
# default organization.
#
aci:
(target=”ldap:///$rootSuffix”)
(targetfilter=(entrydn=$rootSuffix))
(targetattr=”*”)
(version 3.0; acl “S1IS Default Organization delete right denied”;
deny (delete)
userdn = “ldap:///anyone”; )


#
# discard - prevents any user other than rootdn from deleting the
# TLA admin role.
#
aci:
(target=”ldap:///cn=Top-level Admin Role,$rootSuffix”)
(targetattr=”*”)
version 3.0; acl “S1IS Top-level admin delete right denied”;
deny(delete)
userdn = “ldap:///anyone”; )

Access Manager 拒絕寫入存取權限

#
# discard
#
aci:
(targetattr = “*”)
(version 3.0; acl “S1IS Deny write to anonymous user”;
deny (add,write,delete)
roledn =”ldap:///cn=Deny Write Access,$rootSuffix”;)

Access Manager 容器管理角色

#
# discard
#
aci:
(target=”ldap:///($dn),$rootSuffix”)
(targetfilter=(!(|(nsroledn=cn=Top-level Admin Role,$rootSuffix)
(nsroledn=cn=Top-level Help Desk Admin Role,$rootSuffix)
(nsroledn=cn=Top-level Policy Admin Role,$rootSuffix))))
(targetattr != “nsroledn”)
(version 3.0; acl “S1IS Container Admin Role access allow”;
allow (all)
roledn = “ldap:///cn=Container Admin Role,[$dn],$rootSuffix”;)


#
# discard
#
aci:
(target=”ldap:///cn=Container Admin Role,($dn),$rootSuffix”)
(targetattr=”*”)
(version 3.0; acl “S1IS Container Admin Role access deny”;
deny (write,add,delete,compare,proxy)
roledn = “ldap:///cn=Container Admin Role,($dn),$rootSuffix”;)


#
# discard
#
aci:
(target=”ldap:///ou=People,$rootSuffix”)
(targetfilter=(!(|(nsroledn=cn=Top-level Admin Role,$rootSuffix)
(nsroledn=cn=Top-level Help Desk Admin Role,$rootSuffix)
(nsroledn=cn=Top-level Policy Admin Role,$rootSuffix)
(nsroledn=cn=Organization Admin Role,$rootSuffix)
(nsroledn=cn=Container Admin Role,$rootSuffix))))
(targetattr != “iplanet-am-web-agent-access-allow-list 
|| iplanet-am-domain-url-access-allow
|| iplanet-am-web-agent-access-deny-list || nsroledn”)
(version 3.0; acl “S1IS Group and people container admin role”;
allow (all)
roledn = “ldap:///cn=ou=People_dc=red_dc=iplanet_dc=com,$rootSuffix”;)

組織用戶服務

#
# discard
#
aci: (extra verses dreambig)
(target=”ldap:///$rootSuffix”)
(targetfilter=(!(|(nsroledn=cn=Top-level Admin Role,$rootSuffix)
(nsroledn=cn=Top-level Help Desk Admin Role,$rootSuffix)
(nsroledn=cn=Top-level Policy Admin Role,$rootSuffix)
(nsroledn=cn=Organization Admin Role,$rootSuffix))))
(targetattr = “*”)
(version 3.0; acl “S1IS Organization Help Desk Admin Role access allow”;
allow (read,search)
roledn = “ldap:///cn=Organization Help Desk Admin Role,$rootSuffix”;)


#
# discard
#
aci:
(target=”ldap:///$rootSuffix”)
(targetfilter=(!(|(nsroledn=cn=Top-level Admin Role,$rootSuffix)
(nsroledn=cn=Top-level Help Desk Admin Role,$rootSuffix)
(nsroledn=cn=Top-level Policy Admin Role,$rootSuffix)
(nsroledn=cn=Organization Admin Role,$rootSuffix))))
(targetattr = “userPassword”)
(version 3.0; acl “S1IS Organization Help Desk Admin Role access allow”;
allow (write)
roledn = “ldap:///cn=Organization Help Desk Admin Role,$rootSuffix”;)

Access Manager 其他

#
# discard - Removal disables the associated privileges to the attribute
# iplanetam-modifiable-by
#
aci:
(target=”ldap:///$rootSuffix”)
(targetattr!=”nsroledn”)
(version 3.0; acl “S1IS Group admin’s right to the users he creates”;
allow (all)
userattr = “iplanet-am-modifiable-by#ROLEDN”;)

Previous: 附錄 D Delegated Administrator 效能調校