Defining Access Control on Virtual Data Views

ACIs on virtual data views can be stored in an LDAP directory or in an LDIF file. For information about how virtual ACIs work, see Access Control On Virtual Data Views in Oracle Directory Server Enterprise Edition Reference.

When you create a Directory Proxy Server instance, the following default configuration for virtual access controls is defined:

An LDIF file in which ACIs are stored by default (instance-path/config/access_controls.ldif)
An LDIF data view named virtual access controls

This data view enables Directory Proxy Server to access the ACIs stored in the LDIF file.

To Define a New ACI Storage Repository

If you do not want to use the default ACI configuration described previously, you can define a different storage repository.

You cannot use DSCC to perform this task. Use the command line, as described in this procedure.

Create a data view for the repository in which the virtual ACIs will be stored.
- If the ACIs will be stored in an LDAP directory, create an LDAP data source, an LDAP data source pool, and an LDAP data view, as described in Chapter 18, LDAP Data Views.
- If the ACIs will be stored in an LDIF file, create an LDIF data view, as described in Creating and Configuring LDIF Data Views.
Specify the name of the data view created in the previous step as the ACI data view.
```
$ dpconf set-virtual-aci-prop -h host -p port aci-data-view:data-view-name
```

If the ACI repository is an LDAP directory, define the credentials required to access the ACI data view.

$ dpconf set-virtual-aci-prop -h host -p port aci-manager-bind-dn:bind-dn
$ dpconf set-virtual-aci-prop -h host -p port aci-manager-bind-pwd-file:filename

To Configure Virtual Access Controls

Regardless of the ACI repository that you use, you must configure the virtual access controls.

Note - Only the Proxy Manager can create a pool of ACIs and manage ACIs directly through the ACI data view. If the ACI repository is an LDAP directory, you must modify the schema of that directory to include the aciSource object class and the dpsaci attribute. For more information about customizing the schema, see Extending Directory Server Schema.

You cannot use DSCC to perform this task. Use the command line, as described in this procedure.

Create a pool of ACIs in the ACI repository, and set up global ACIs.

For information about global ACIs, see Global ACIs in Oracle Directory Server Enterprise Edition Reference. To set up global ACIs, add an aciSource entry under the view base of the ACI data view. For example:

% ldapmodify -p port -D "cn=proxy manager" -w -
dn: cn=aci-source-name,cn=virtual access controls
changetype: add
objectclass: aciSource
dpsaci: (targetattr="*") (target="ldap:///ou=people,o=virtual") (version 3.0; 
 acl "perm1"; allow(all) groupdn="ldap:///cn=virtualGroup1,o=groups,o=virtual";)
cn: aci-source-name

Configure one or more connection handlers to use this pool of ACIs.

% dpconf set-connection-handler-prop -h host -p port connection-handler \
aci-source:aci-source-name

Add the required ACIs to the data.

To do this, create a virtual entry that contains the ACIs. For example:

% ldapmodify -p port -D "cn=virtual application,ou=application users,dc=com" -w -
dn: ou=people,o=virtual
changetype: modify
add: dpsaci
dpsaci: (targetattr="*")(version 3.0; acl "perm1"; allow(all) userdn="ldap:///self";)
dpsaci: (targetattr="*")(version 3.0; acl "perm1"; allow(search, read, compare) 
 userdn ="ldap:///anyone";)

Note - Any user with the appropriate access rights can add and retrieve virtual ACIs through the data view.

Skip Navigation Links
Exit Print View
	Oracle Directory Server Enterprise Edition Administration Guide 11g Release 1 (11.1.1.5.0)