使用 amadmin 建立策略

1. 根據 amadmin.dtd 建立策略 XML 檔。此檔案位於下列目錄：

   AccessManager-base/SUNWam/dtd。

   下列是策略 XML 檔的範例。此範例包含所有預設的主體及條件值。如需這些值的定義，請參閱策略類型。

   <Policy name="bigpolicy" referralPolicy="false" active="true" >
   <Rule name="rule1">
   <ServiceName name="iPlanetAMWebAgentService" />
   <ResourceName name="http://thehost.thedomain.com:80/*.html" />
   <AttributeValuePair>
   <Attribute name="POST" />
   <Value>allow</Value>
   </AttributeValuePair>
   <AttributeValuePair>
   <Attribute name="GET" />
   <Value>allow</Value>
   </AttributeValuePair>
   </Rule>
   <Subjects name="subjects" description="desccription">
   <Subject name="webservicescleint" type="WebServicesClients" includeType="inclusive">
   <AttributeValuePair><Attribute name="Values"/><Value>CN=sun-unix, 
   OU=SUN Java System Access Manager, O=Sun, C=US</Value>
   </AttributeValuePair>
   </Subject>
   <Subject name="amrole" type="IdentityServerRoles" includeType="inclusive">
   <AttributeValuePair><Attribute name="Values"/><Value>
   cn=organization admin role,o=realm1,dc=red,dc=iplanet,dc=com</Value>
   </AttributeValuePair>
   </Subject>
   <Subject name="au" type="AuthenticatedUsers" includeType="inclusive">
   </Subject>
   <Subject name="ldaporganization" type="Organization" includeType="inclusive">
   <AttributeValuePair><Attribute name="Values"/>
   <Value>dc=red,dc=iplanet,dc=com</Value>
   </AttributeValuePair>
   </Subject>
   <Subject name="ldapuser" type="LDAPUsers" includeType="inclusive">
   <AttributeValuePair><Attribute name="Values"/>
   <Value>uid=amAdmin,ou=People,dc=red,dc=iplanet,dc=com</Value>
   </AttributeValuePair>
   </Subject>
   <Subject name="ldaprole" type="LDAPRoles" includeType="inclusive">
   <AttributeValuePair><Attribute name="Values"/>
   <Value>cn=Organization Admin Role,o=realm1,dc=red,dc=iplanet,dc=com</Value>
   </AttributeValuePair>
   </Subject>
   <Subject name="ldapgroup" type="LDAPGroups" includeType="inclusive">
   <AttributeValuePair><Attribute name="Values"/>
   <Value>cn=g1,ou=Groups,dc=red,dc=iplanet,dc=com</Value>
   </AttributeValuePair>
   </Subject>
   <Subject name="amidentitysubject" type="AMIdentitySubject" includeType="inclusive">
   <AttributeValuePair><Attribute name="Values"/>
   <Value>id=amAdmin,ou=user,dc=red,dc=iplanet,dc=com</Value>
   </AttributeValuePair>
   </Subject>
   </Subjects>
   <Conditions name="conditions" description="description">
   <Condition name="ldapfilter" type="LDAPFilterCondition">
   <AttributeValuePair><Attribute name="ldapFilter"/>
   <Value>dept=finance</Value>
   </AttributeValuePair>
   </Condition>
   <Condition name="authlevelge-nonrealmqualified" type="AuthLevelCondition">
   <AttributeValuePair><Attribute name="AuthLevel"/>
   <Value>1</Value>
   </AttributeValuePair>
   </Condition>
   <Condition name="authlevelle-realmqaulfied" type="LEAuthLevelCondition">
   <AttributeValuePair><Attribute name="AuthLevel"/>
   <Value>/:2</Value>
   </AttributeValuePair>
   </Condition>
   <Condition name="sessionproperties" type="SessionPropertyCondition">
   <AttributeValuePair><Attribute name="valueCaseInsensitive"/>
   <Value>true</Value>
   </AttributeValuePair>
   <AttributeValuePair><Attribute name="a"/><Value>10</Value>
   <Value>20</Value>
   </AttributeValuePair>
   <AttributeValuePair><Attribute name="b"/><Value>15</Value>
   <Value>25</Value>
   </AttributeValuePair>
   </Condition>
   <Condition name="activesessiontime" type="SessionCondition">
   <AttributeValuePair><Attribute name="TerminateSession"/>
   <Value>session_condition_false_value</Value>
   </AttributeValuePair>
   <AttributeValuePair><Attribute name="MaxSessionTime"/>
   <Value>30</Value>
   </AttributeValuePair>
   </Condition>
   <Condition name="authelevelle-nonrealmqualfied" 
              type="LEAuthLevelCondition">
   <AttributeValuePair><Attribute name="AuthLevel"/>
   <Value>2</Value>
   </AttributeValuePair>
   </Condition>
   <Condition name="ipcondition" type="IPCondition">
   <AttributeValuePair><Attribute name="DnsName"/>
   <Value>*.iplanet.com</Value>
   </AttributeValuePair>
   <AttributeValuePair><Attribute name="EndIp"/>
   <Value>145.15.15.15</Value>
   </AttributeValuePair>
   <AttributeValuePair><Attribute name="StartIp"/>
   <Value>120.10.10.10</Value>
   </AttributeValuePair>
   </Condition>
   <Condition name="authchain-realmqualfied"
             type="AuthenticateToServiceCondition">
   <AttributeValuePair><Attribute name="AuthenticateToService"/>
   <Value>/:ldapService</Value>
   </AttributeValuePair>
   </Condition>
   <Condition name="auth to realm" 
         type="AuthenticateToRealmCondition">
   <AttributeValuePair><Attribute name="AuthenticateToRealm"/>
   <Value>/</Value>
   </AttributeValuePair>
   </Condition>
   <Condition name="authlevelge-realmqualified"
         type="AuthLevelCondition">
   <AttributeValuePair><Attribute name="AuthLevel"/>
   <Value>/:2</Value>
   </AttributeValuePair>
   </Condition>
   <Condition name="authchain-nonrealmqualfied" 
        type="AuthenticateToServiceCondition">
   <AttributeValuePair><Attribute name="AuthenticateToService"/>
   <Value>ldapService</Value>
   </AttributeValuePair>
   </Condition>
   <Condition name="timecondition" type="SimpleTimeCondition">
   <AttributeValuePair><Attribute name="EndTime"/>
   <Value>17:00</Value>
   </AttributeValuePair>
   <AttributeValuePair><Attribute name="StartTime"/>
   <Value>08:00</Value>
   </AttributeValuePair>
   <AttributeValuePair><Attribute name="EndDate"/>
   <Value>2006:07:28</Value>
   </AttributeValuePair>
   <AttributeValuePair><Attribute name="EnforcementTimeZone"/>
   <Value>America/Los_Angeles</Value>
   </AttributeValuePair>
   <AttributeValuePair><Attribute name="StartDay"/>
   <Value>mon</Value>
   </AttributeValuePair>
   <AttributeValuePair><Attribute name="StartDate"/>
   <Value>2006:01:02</Value>
   </AttributeValuePair>
   <AttributeValuePair><Attribute name="EndDay"/>
   <Value>fri</Value>
   </AttributeValuePair>
   </Condition>
   </Conditions>
   <ResponseProviders name="responseproviders"
          description="description">
   <ResponseProvider name="idresponseprovidere" 
        type="IDRepoResponseProvider">
   <AttributeValuePair>
   <Attribute name="DynamicAttribute"/>
   </AttributeValuePair>
   <AttributeValuePair>
   <Attribute name="StaticAttribute"/>
   <Value>m=10</Value>
   <Value>n=30</Value>
   </AttributeValuePair>
   </ResponseProvider>
   </ResponseProviders>
   </Policy>

2. 策略 XML 檔案開發完成後，您可使用下列指令加以載入：

   AccessManager-base/SUNWam/bin/amadmin --runasdn "uid=amAdmin,ou=People,default_org, root_suffix" --password password --data policy.xml

   若要同時加入多重策略，請將這些策略放在一個 XML 檔案中，這一點與在每個 XML 檔案中放一個策略相反。如果使用多重 XML 檔案連續快速載入策略，則內部策略索引可能會損毀，而且某些策略可能不參與策略評估。

   透過 amadmin 建立策略時請確定：當建立認證方案條件時認證模組是以範圍註冊；當建立範圍、LDAP 群組、LDAP 角色和 LDAP 使用者時對應的 LDAP 物件範圍、群組、角色和使用者存在；當建立 IdentityServerRoles 主體時 Access Manager 角色存在；當建立子範圍或同級範圍參照時相關範圍存在。

   請注意，在 SubrealmReferral、PeerRealmReferral 的 Value 元素之內容中，Realm 主體、IdentityServerRoles 主體、LDAPGroups 主體、LDAPRoles 主體和 LDAPUsers 主體必須為完整的 DN。