Oracle Fusion Middleware Administration Guide for Oracle Unified Directory 11g Release 1 (11.1.1)
Global ACIs control access to the root of the DIT instead of to a particular sub-tree. Global ACIs apply to all entries in the directory. You can set, reset, and delete global ACIs with the dsconfig command and with the ldapmodify command. dsconfig accesses the server configuration over SSL, using the administration connector. For more information about dsconfig, see Managing the Server Configuration With dsconfig.
You cannot use dsconfig to manage ACIs that are applied to entries in sub-trees. To manage non-global ACIs, see Managing ACIs With ldapmodify.
When you install Oracle Unified Directory, a set of default global ACIs is defined. Taken together, the default global ACIs allow the following:
Anyone, including unauthenticated clients, has read access to certain controls and extended operations.
Anyone has access to search, compare, and read user attributes, except for the userPassword and authPassword attributes.
Authenticated users can modify a subset of the attributes in their own entries, including their own userPassword and authPassword. Users cannot delete their own entries.
Anyone has read access to key operational attributes, including many in the root DSE and cn=schema, as well as operational attributes that appear in entries throughout the server (for example createTimestamp, modifiersName, and entryUUID).
The defaults also include two explicit denials: access by any user (ldap:///anyone) to all attributes of the external changelog (cn=changelog) and of the replication backend (dc=replicationchanges) is denied.
The proxy does not evaluate global ACIs. The proxy forwards LDAP requests to the remote LDAP server, and the remote LDAP server evaluates the ACIs. Any change to the defaults that is meant to restrict access to directory data, such as removing anonymous read access, must therefore be made on the remote LDAP servers rather than on the proxy.
The global ACIs are all values of the global-aci property of the access control handler; each value is one complete ACI. You can use dsconfig to display the global ACIs currently configured on the server by viewing the global-aci property. dsconfig wraps long values across several output lines, continuing each with a colon.
$ dsconfig -h localhost -p 4444 -D cn="Directory Manager" -w password -n \
  get-access-control-handler-prop \
  --property global-aci
Property   : Value(s)
-----------:-------------------------------------------------------------------
global-aci : (extop="1.3.6.1.4.1.26027.1.6.1 || 1.3.6.1.4.1.26027.1.6.3 ||
           : 1.3.6.1.4.1.4203.1.11.1 || 1.3.6.1.4.1.1466.20037 ||
           : 1.3.6.1.4.1.4203.1.11.3") (version 3.0; acl "Anonymous extended
           : operation access"; allow(read) userdn="ldap:///anyone";),
           : "(target="ldap:///")(targetscope="base")(targetattr="objectClass||
           : namingContexts||supportedAuthPasswordSchemes||supportedControl||su
           : pportedExtension||supportedFeatures||supportedLDAPVersion||support
           : edSASLMechanisms||vendorName||vendorVersion")(version 3.0; acl
           : "User-Visible Root DSE Operational Attributes"; allow
           : (read,search,compare) userdn="ldap:///anyone";)",
           : (target="ldap:///cn=changelog")(targetattr="*")(version 3.0; acl
           : "External changelog access"; deny (all) userdn="ldap:///anyone";),
           : "(target="ldap:///cn=schema")(targetscope="base")(targetattr="obje
           : ctClass||attributeTypes||dITContentRules||dITStructureRules||ldapS
           : yntaxes||matchingRules||matchingRuleUse||nameForms||objectClasses"
           : )(version 3.0; acl "User-Visible Schema Operational Attributes";
           : allow (read,search,compare) userdn="ldap:///anyone";)",
           : (target="ldap:///dc=replicationchanges")(targetattr="*")(version
           : 3.0; acl "Replication backend access"; deny (all)
           : userdn="ldap:///anyone";),
           : "(targetattr!="userPassword||authPassword")(version 3.0; acl
           : "Anonymous read access"; allow (read,search,compare)
           : userdn="ldap:///anyone";)",
           : (targetattr="audio||authPassword||description||displayName||givenN
           : ame||homePhone||homePostalAddress||initials||jpegPhoto||labeledURI
           : ||mobile||pager||postalAddress||postalCode||preferredLanguage||tel
           : ephoneNumber||userPassword")(version 3.0; acl "Self entry
           : modification"; allow (write) userdn="ldap:///self";),
           : "(targetattr="createTimestamp||creatorsName||modifiersName||modify
           : Timestamp||entryDN||entryUUID||subschemaSubentry")(version 3.0;
           : acl "User-Visible Operational Attributes"; allow
           : (read,search,compare) userdn="ldap:///anyone";)",
           : "(targetattr="userPassword||authPassword")(version 3.0; acl "Self
           : entry read"; allow (read,search,compare) userdn="ldap:///self";)",
           : (targetcontrol="1.3.6.1.1.12 || 1.3.6.1.1.13.1 || 1.3.6.1.1.13.2
           : || 1.2.840.113556.1.4.319 || 1.2.826.0.1.3344810.2.3 ||
           : 2.16.840.1.113730.3.4.18 || 2.16.840.1.113730.3.4.9 ||
           : 1.2.840.113556.1.4.473 || 1.3.6.1.4.1.42.2.27.9.5.9") (version
           : 3.0; acl "Authenticated users control access"; allow(read)
           : userdn="ldap:///all";), (targetcontrol="2.16.840.1.113730.3.4.2 ||
           : 2.16.840.1.113730.3.4.17 || 2.16.840.1.113730.3.4.19 ||
           : 1.3.6.1.4.1.4203.1.10.2 || 1.3.6.1.4.1.42.2.27.8.5.1 ||
           : 2.16.840.1.113730.3.4.16") (version 3.0; acl "Anonymous control
           : access"; allow(read) userdn="ldap:///anyone";)
The easiest way to delete a global ACI is to use dsconfig in interactive mode. Interactive mode walks you through the ACI configuration, and is therefore not documented here. If you delete global ACIs in non-interactive mode, make sure that you escape all special characters in the ACI specification as required by your command line shell.
This example deletes the "Anonymous read access" global ACI, the one that grants unauthenticated clients read, search, and compare rights on user attributes, by using dsconfig in non-interactive mode. The ACI you pass with --remove must match the one stored in the global-aci property. After it is removed, unauthenticated clients can still read the root DSE, the schema, and the operational attributes and controls granted by the remaining defaults, but no longer the user attributes of directory entries.
$ dsconfig -h localhost -p 4444 -D "cn=directory manager" -w password -n \
  set-access-control-handler-prop \
  --remove 'global-aci:(targetattr!="userPassword||authPassword")(version 3.0; acl "Anonymous read access"; allow (read,search,compare) userdn="ldap:///anyone";)'
When you add a global ACI, make sure that you escape all special characters in the ACI specification as required by your command-line shell. In a POSIX shell the simplest way is to enclose the whole global-aci:... argument in single quotes, as in the examples here: the ACI syntax uses parentheses, double quotes, semicolons, and pipes, but never single quotes, so nothing inside needs a backslash. Note that a backslash-newline inside single quotes is taken literally, so keep the quoted ACI on one line.
The following example adds the global ACI that was removed in the previous procedure, using dsconfig in non-interactive mode:
$ dsconfig -h localhost -p 4444 -D cn="Directory Manager" -w password -n \
  set-access-control-handler-prop \
  --add 'global-aci:(targetattr!="userPassword||authPassword")(version 3.0; acl "Anonymous read access"; allow (read,search,compare) userdn="ldap:///anyone";)'
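Both the listing of the default global ACIs and the remove and add procedures above can be handled programmatically. The following Python script is an added example, not code from the Oracle Unified Directory documentation or product. It parses five of the default global ACIs (copied from the listing in this section and embedded as sample input) into their targets, name, effect, rights, and bind rule; lists the ones that grant rights to unauthenticated clients, which is the set to review before exposing a server; and builds the dsconfig removal and re-add command lines with shlex so that the ACI needs no hand escaping. The ACI grammar it recognises (enough for the default ACI forms, not the full syntax), the pw.txt password-file path, and the use of dsconfig's -j bind-password-file option in place of -w are assumptions of the example.

```python
"""Audit OUD default global ACIs and build shell-safe dsconfig arguments.

Added example; not code from the Oracle Unified Directory documentation or
product.  The ACI grammar handled here is an assumption that covers the
forms used by the default global ACIs, not the full ACI syntax.
"""
import re
import shlex

# Sample input: five of the default global ACIs, copied from the global-aci
# listing in this section and embedded here so the example runs offline.
DEFAULT_GLOBAL_ACIS = [
    '(extop="1.3.6.1.4.1.26027.1.6.1 || 1.3.6.1.4.1.26027.1.6.3 || '
    '1.3.6.1.4.1.4203.1.11.1 || 1.3.6.1.4.1.1466.20037 || '
    '1.3.6.1.4.1.4203.1.11.3") (version 3.0; acl "Anonymous extended '
    'operation access"; allow(read) userdn="ldap:///anyone";)',
    '(targetattr!="userPassword||authPassword")(version 3.0; acl '
    '"Anonymous read access"; allow (read,search,compare) '
    'userdn="ldap:///anyone";)',
    '(target="ldap:///cn=changelog")(targetattr="*")(version 3.0; acl '
    '"External changelog access"; deny (all) userdn="ldap:///anyone";)',
    '(targetattr="userPassword||authPassword")(version 3.0; acl '
    '"Self entry read"; allow (read,search,compare) userdn="ldap:///self";)',
    '(targetattr="audio||authPassword||description||displayName||givenName||'
    'homePhone||homePostalAddress||initials||jpegPhoto||labeledURI||mobile||'
    'pager||postalAddress||postalCode||preferredLanguage||telephoneNumber||'
    'userPassword")(version 3.0; acl "Self entry modification"; '
    'allow (write) userdn="ldap:///self";)',
]

# Assumed shape: zero or more (target...) clauses, then
# (version 3.0; acl "name"; allow|deny (rights) bind-rule;)
_ACI_RE = re.compile(
    r'^(?P<targets>(?:\([^()]*\)\s*)*)'
    r'\(version 3\.0;\s*acl\s+"(?P<name>[^"]*)";\s*'
    r'(?P<effect>allow|deny)\s*\((?P<rights>[^)]*)\)\s*'
    r'(?P<bind>.+?);\)$'
)
_TARGET_RE = re.compile(r'\((\w+)(!?=)"([^"]*)"\)')


def parse_aci(aci):
    """Split one global-aci value into targets, name, effect, rights and bind rule."""
    m = _ACI_RE.match(aci.strip())
    if not m:
        raise ValueError("unrecognised ACI syntax: " + aci)
    return {
        "name": m.group("name"),
        "effect": m.group("effect"),
        "rights": [r.strip() for r in m.group("rights").split(",")],
        "bind": m.group("bind").strip(),
        "targets": _TARGET_RE.findall(m.group("targets")),
    }


def subject_class(parsed):
    """Who the bind rule reaches: anonymous, authenticated, self or other."""
    bind = parsed["bind"]
    if 'userdn="ldap:///anyone"' in bind:
        return "anonymous"
    if 'userdn="ldap:///all"' in bind:
        return "authenticated"
    if 'userdn="ldap:///self"' in bind:
        return "self"
    return "other"


def anonymous_allows(acis):
    """Names of ACIs that grant (rather than deny) rights to ldap:///anyone,
    i.e. the ones to review before exposing the server to untrusted clients."""
    return [p["name"] for p in map(parse_aci, acis)
            if p["effect"] == "allow" and subject_class(p) == "anonymous"]


def dsconfig_remove_argv(aci, host="localhost", port=4444,
                         bind_dn="cn=Directory Manager", pw_file="pw.txt"):
    """argv that removes one global ACI.  The whole 'global-aci:<aci>' string is
    a single argument; -j reads the bind password from a file instead of
    putting it on the command line with -w (pw.txt is a placeholder path)."""
    return ["dsconfig", "-h", host, "-p", str(port), "-D", bind_dn,
            "-j", pw_file, "-n", "set-access-control-handler-prop",
            "--remove", "global-aci:" + aci]


def dsconfig_remove_shell(aci, **kw):
    """Same command as one shell line.  shlex.join single-quotes the ACI, so
    its parentheses, double quotes, semicolons and pipes need no backslashes."""
    return shlex.join(dsconfig_remove_argv(aci, **kw))


def dsconfig_add_shell(aci, **kw):
    """Shell line that adds the ACI back (the inverse of the removal)."""
    argv = dsconfig_remove_argv(aci, **kw)
    argv[argv.index("--remove")] = "--add"
    return shlex.join(argv)


def shell_roundtrip_ok(aci):
    """True if a POSIX shell would hand dsconfig the ACI back unchanged."""
    return shlex.split(dsconfig_remove_shell(aci))[-1] == "global-aci:" + aci


if __name__ == "__main__":
    for name in anonymous_allows(DEFAULT_GLOBAL_ACIS):
        print("allows anonymous:", name)
    print(dsconfig_remove_shell(DEFAULT_GLOBAL_ACIS[1]))
```

Run against the five sample ACIs, anonymous_allows reports "Anonymous extended operation access" and "Anonymous read access"; the changelog deny is excluded because it denies rather than grants, and the two self ACIs because they reach only the bound user. shell_roundtrip_ok is the check worth keeping in any wrapper script: it splits the generated line the way the shell would and confirms dsconfig will receive the ACI as one unchanged argument, which is what --remove needs to find the stored value.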