Oracle Directory Server Enterprise Edition Upgrade and Migration Guide 11 g Release 1 (11.1.1.5.0) |
8. Architectural Changes in Directory Server Since Version 5.2
The following changes have been made to ACIs in Directory Server 11g Release 1 (11.1.1.5.0).
In Directory Server 5.2, ACIs on the root DSE had base scope: they applied to the root DSE entry only. In Directory Server 11g Release 1 (11.1.1.5.0), ACIs on the root DSE have global scope by default, equivalent to targetscope="subtree", so an ACI that was written for the root DSE alone (for example, one granting anonymous read access) applies to every entry in the directory after migration unless it is scoped explicitly.
To reproduce the same behavior as Directory Server 5.2, add targetscope="base" to ACIs on the root DSE. If you use dsmig to migrate the configuration, this is done automatically. If you migrate manually, check each root DSE ACI for an explicit targetscope before putting the server into service.
In Directory Server 5.2, the following ACI was provided, at the suffix level:
aci: (targetattr != "nsroledn || aci || nsLookThroughLimit || nsSizeLimit || nsTimeLimit || nsIdleTimeout || passwordPolicySubentry || passwordExpirationTime || passwordExpWarned || passwordRetryCount || retryCountResetTime || accountUnlockTime || passwordHistory || passwordAllowChangeTime")(version 3.0; acl "Allow self entry modification except for nsroledn, aci, resource limit attributes, passwordPolicySubentry and password policy state attributes"; allow (write) userdn = "ldap:///self";)
This ACI allowed a user to modify any attribute of their own entry, including userPassword, except the attributes named in the targetattr exclusion list. This ACI is no longer provided in Directory Server 11g Release 1 (11.1.1.5.0). Instead, the following global ACIs are provided by default:
aci: (targetattr != "aci") (targetscope = "base") (version 3.0; acl "Enable read access to rootdse for anonymous users"; allow (read,search,compare) userdn = "ldap:///anyone"; )
aci: (targetattr = "*") (version 3.0; acl "Enable full access for Administrators group"; allow (all)(groupdn = "ldap:///cn=Administrators,cn=config"); )
aci: (targetattr = "userPassword") ( version 3.0; acl "allow userpassword self modification"; allow (write) userdn = "ldap:///self";)
In Directory Server 11g Release 1 (11.1.1.5.0), the default userPassword ACI at root DSE level gives users the same ability to change their own password as the legacy suffix-level ACI did, but it grants self-write on userPassword only, not on the other attributes of the user's entry. If you want to reproduce exactly the same access control as in the legacy version, add the following ACI to your suffix. This ACI is the legacy ACI, with the new password policy operational attributes for Directory Server 11g Release 1 (11.1.1.5.0) added to the exclusion list.
aci: (targetattr != "nsroledn || aci || nsLookThroughLimit || nsSizeLimit || nsTimeLimit || nsIdleTimeout || passwordPolicySubentry || passwordExpirationTime || passwordExpWarned || passwordRetryCount || retryCountResetTime || accountUnlockTime || passwordHistory || passwordAllowChangeTime || pwdAccountLockedTime || pwdChangedTime || pwdFailureTime || pwdGraceUseTime || pwdHistory || pwdLastAuthTime || pwdPolicySubentry || pwdReset")(version 3.0; acl "Allow self entry modification except for nsroledn, aci, resource limit attributes, passwordPolicySubentry and password policy state attributes"; allow (write)userdn ="ldap:///self";)
Tip - Do not allow users write access to everything and then deny write access to specific attributes. An exclusion list silently grants write access to any attribute it does not name, including operational attributes introduced by a later release, which is why the legacy ACI above had to be extended with the pwd* attributes. Instead, explicitly list the attributes to which you allow write access, as the default userPassword ACI does.
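The two conditions described on this page, a root DSE ACI that has lost its base scope and a self-write ACI built on an exclusion list, can be found mechanically in an LDIF export of the migrated ACIs. The following Python script is an added example, not part of the Oracle guide and not the dsmig tool: it parses the constructed LDIF sample embedded in the script, lists root DSE ACIs that carry no explicit targetscope and produces the ldapmodify input that re-adds targetscope="base" to them, and flags any ACI that grants write or all through a negated targetattr. The regular expressions cover only the ACI syntax used on this page; the suffix dc=example,dc=com, the ACI names and the first root DSE ACI in the sample are assumptions.

```python
"""ACI migration linter for a Directory Server ACI export (added example; not Oracle's code)."""
import re

# Clauses of the ACI syntax this linter understands (enough for the ACIs on this page).
TARGETATTR_RE = re.compile(r'\(\s*targetattr\s*(!=|=)\s*"([^"]*)"\s*\)', re.I)
TARGETSCOPE_RE = re.compile(r'\(\s*targetscope\s*=\s*"([^"]*)"\s*\)', re.I)
ACL_NAME_RE = re.compile(r'\bacl\s+"([^"]*)"', re.I)
PERMISSION_RE = re.compile(r'\b(allow|deny)\s*\(([^)]*)\)', re.I)

# Constructed sample of an ACI export after migration (not data from a real server).
# The first root DSE ACI stands for a 5.2 ACI migrated by hand without a targetscope;
# the second is the 11g default shown on this page. dc=example,dc=com is an assumed suffix.
SAMPLE_LDIF = """\
dn:
aci: (targetattr = "supportedExtension || supportedControl")(version 3.0; acl "migrated 5.2 rootdse read"; allow (read,search,compare) userdn="ldap:///anyone";)
aci: (targetattr != "aci") (targetscope = "base") (version 3.0; acl "Enable read access to rootdse for anonymous users"; allow(read,search,compare) userdn="ldap:///anyone"; )

dn: dc=example,dc=com
aci: (targetattr != "nsroledn || aci || passwordHistory")(version 3.0; acl "Allow self entry modification"; allow (write) userdn = "ldap:///self";)
aci: (targetattr = "mail || telephoneNumber")(version 3.0; acl "Self write of contact attributes"; allow (write) userdn = "ldap:///self";)
aci: (targetattr = "*")(version 3.0; acl "Enable full access for Administrators group"; allow (all)(groupdn = "ldap:///cn=Administrators,cn=config");)
"""


def parse_ldif_acis(text):
    """Return (dn, aci) pairs; an empty dn is the root DSE. Folds LDIF continuation lines."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]              # continuation line: joined to the previous one
        else:
            lines.append(raw)
    pairs, dn = [], None
    for line in lines:
        if not line.strip():                  # blank line ends the current entry
            dn = None
            continue
        attr, _, value = line.partition(":")  # first colon only; ACI values contain "ldap:///"
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            dn = value
        elif attr == "aci" and dn is not None and not value.startswith(":"):
            pairs.append((dn, value))         # base64 ("aci::") values are not handled here
    return pairs


def parse_aci(aci):
    """Extract the clauses the checks below need from one ACI value."""
    ta, ts, name = TARGETATTR_RE.search(aci), TARGETSCOPE_RE.search(aci), ACL_NAME_RE.search(aci)
    kind, rights = None, set()
    for k, r in PERMISSION_RE.findall(aci):
        kind = k.lower()
        rights |= {x.strip().lower() for x in r.split(",") if x.strip()}
    return {
        "name": name.group(1) if name else "",
        "targetattr_op": ta.group(1) if ta else None,
        "targetattrs": [a.strip() for a in ta.group(2).split("||")] if ta else [],
        "targetscope": ts.group(1).lower() if ts else None,
        "kind": kind,
        "rights": rights,
    }


def root_dse_acis_without_scope(pairs):
    """Root DSE ACIs with no explicit targetscope: base scope in 5.2, global in 11g."""
    return [aci for dn, aci in pairs if dn == "" and parse_aci(aci)["targetscope"] is None]


def add_base_scope(aci):
    """Insert (targetscope = "base") before the version clause, as the guide recommends."""
    if TARGETSCOPE_RE.search(aci):
        return aci                            # already scoped explicitly; leave it alone
    idx = aci.lower().find("(version")
    if idx < 0:
        raise ValueError("not an ACI value: no (version ...) clause")
    return aci[:idx] + '(targetscope = "base")' + aci[idx:]


def write_by_exclusion(pairs):
    """ACIs granting write (or all) on every attribute except a deny-list: the tip's anti-pattern."""
    hits = []
    for dn, aci in pairs:
        p = parse_aci(aci)
        if p["kind"] == "allow" and p["targetattr_op"] == "!=" and p["rights"] & {"write", "all"}:
            hits.append((dn, p["name"]))
    return hits


def ldif_fix_root_dse_scope(pairs):
    """ldapmodify input that swaps each unscoped root DSE ACI for its base-scoped form."""
    out = ["dn:", "changetype: modify"]
    for aci in root_dse_acis_without_scope(pairs):
        out += ["delete: aci", "aci: " + aci, "-", "add: aci", "aci: " + add_base_scope(aci), "-"]
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    acis = parse_ldif_acis(SAMPLE_LDIF)
    for dn, name in write_by_exclusion(acis):
        print(f'write-by-exclusion ACI "{name}" on dn "{dn}": list the writable attributes instead')
    print(ldif_fix_root_dse_scope(acis))
```

Run it against a real export by replacing SAMPLE_LDIF with the output of an ldapsearch for the aci attribute on the root DSE and on each suffix. The script only reports unscoped root DSE ACIs; the 11g defaults that are meant to be global must be left as they are, so review the generated LDIF before feeding it to ldapmodify.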