If you change the user search base, user create base, group search base, or group create base, you must set up access control appropriately for the new containers. The topics in this appendix are as follows:
To set access control on the user search base and user create base, do the following:
Create an LDIF file (user_aci.ldif) with the following contents:
--- BEGIN LDIF file contents--- 
dn: %usersearch_or_createbase_dn% 
changetype: modify 
add: orclaci 
orclaci: access to entry by group="cn=oracledascreateuser,
 cn=groups,cn=OracleContext,%subscriberdn%"
 added_object_constraint=(objectclass=orcluser*) (browse,add) by  
 group="cn=Common User Attributes, cn=Groups,
 cn=OracleContext,%subscriberdn%" (browse) by 
 group="cn=PKIAdmins, cn=groups, cn=OracleContext,%subscriberdn%" (browse) 
orclaci: access to entry filter=(objectclass=inetorgperson) by
 group="cn=oracledascreateuser, cn=groups,cn=OracleContext,%subscriberdn%"
 added_object_constraint=(objectclass=orcluser*) (browse,add) by
 group="cn=oracledasdeleteuser, cn=groups,cn=OracleContext,%subscriberdn%"
 (browse,delete) by group="cn=oracledasedituser,
 cn=groups,cn=OracleContext,%subscriberdn%" (browse) by
 group="cn=UserProxyPrivilege, cn=Groups,cn=OracleContext,%subscriberdn%" 
 (browse,
 proxy) by dn="orclApplicationCommonName=DASApp, cn=DAS,
 cn=Products,cn=oraclecontext" (browse,proxy) by self (browse, nodelete, noadd)
 by
 group="cn=Common User Attributes, cn=Groups,cn=OracleContext,%subscriberdn%"
 (browse) by * (browse, noadd, nodelete) 
orclaci: access to attr=(*) filter=(objectclass=inetorgperson) by
 group="cn=oracledasedituser, cn=groups,cn=OracleContext, 
 %subscriberdn%" (read,search,write,compare) by self ( 
 read,search,write,selfwrite,compare) by *
 (read, nowrite, nocompare) 
orclaci: access to attr=(userPassword)   
 filter=(objectclass=inetorgperson) by   
 group="cn=OracleUserSecurityAdmins,cn=Groups, 
 cn=OracleContext, %subscriberdn%" 
 (read,search,write,compare) by group="cn=oracledasedituser,
 cn=groups,cn=OracleContext,%subscriberdn%" 
 (read,search,write,compare) by self
 (read,search,write,selfwrite,compare) by group="cn=authenticationServices,
 cn=Groups,cn=OracleContext,%subscriberdn%" (compare) by * (none) 
orclaci: access to attr=(authpassword, orclpasswordverifier, orclpassword) by
 group="cn=oracledasedituser,cn=groups,cn=OracleContext,%subscriberdn%"
 (read,search,write,compare) by
 group="cn=verifierServices,cn=Groups,cn=OracleContext,%subscriberdn%" 
 (search, read, compare) by self (search,read,write,compare) by * (none) 
orclaci: access to attr=(orclpwdaccountunlock) by
 group="cn=oracledasedituser,cn=groups,cn=OracleContext,%subscriberdn%" ( 
 write) by * (none) 
orclaci: access to attr=(usercertificate, usersmimecertificate) by
 group="cn=PKIAdmins,cn=Groups,cn=OracleContext,%subscriberdn%" 
 (read, search, write, compare) by self (read, search, compare) by * 
 (read, search, compare) 
orclaci: access to attr=(mail) by
 group="cn=EmailAdminsGroup,cn=EmailServerContainer,cn=Products,
 cn=OracleContext" (write) by group="cn=oracledasedituser,
 cn=groups,cn=OracleContext,%subscriberdn%" (read,search,write,compare) 
orclaci: access to attr=(orclguid, orclisenabled, modifytimestamp,mail) 
 by group="cn=Common User Attributes, 
 cn=Groups,cn=OracleContext,%subscriberdn%"
 (read, search, compare) by group="cn=oracledasedituser,
 cn=groups,cn=OracleContext,%subscriberdn%" (read,search,write,compare) 
 by * (read, nowrite, nocompare) 
orclaci: access to attr=(orclpasswordhintanswer) by 
 group="cn=Common User Attributes,
 cn=Groups,cn=OracleContext,%subscriberdn%" (read, search, compare) by self
 (read,search,write,selfwrite,compare) by * (noread, nowrite, nocompare) 
orclaci: access to attr=(orclpasswordhint) by 
 group="cn=Common User Attributes,
 cn=Groups,cn=OracleContext,%subscriberdn%" (read, search, compare) by self
 (read,search,write,selfwrite,compare) by
 group="cn=OracleUserSecurityAdmins,cn=Groups,cn=OracleContext,
 %subscriberdn%" (read,search,write,compare) by * 
 (noread, nowrite, nocompare) 
orclaci: access to attr=(displayName, preferredlanguage,
 orcltimezone,orcldateofbirth,orclgender,orclwirelessaccountnumber,cn,
 uid,homephone,telephonenumber) by group="cn=Common User Attributes,
 cn=Groups,cn=OracleContext,%subscriberdn%"
 (read, search, compare) by group="cn=oracledasedituser,
 cn=groups,cn=OracleContext,%subscriberdn%" (read,search,write,compare) 
 by self (read,search,write,selfwrite,compare) by * 
 (read, nowrite, nocompare)
-
add: orclentrylevelaci 
orclentrylevelaci: access to entry by group="cn=oracledascreateuser,
 cn=groups,cn=OracleContext,%subscriberdn%" added_object_constraint=
 (objectclass=orcluser*) (browse, add) by * (browse) 
--- END LDIF file contents ---
Replace %subscriberdn% with the DN of the subscriber, and %usersearch_or_createbase_dn% with the new DN value of the container that the new user search/create base points to.
Enter the ldapmodify command as follows:
ldapmodify -p oidport -h oidhost -D cn=orcladmin -q -v -f user_aci.ldif
To set access control on the group search base and group create base, do the following:
Create an LDIF file (group_aci.ldif) with the following contents:
--- BEGIN LDIF file contents--- 
dn: %groupsearch_or_createbase_dn% 
changetype: modify 
add: orclaci 
orclaci: access to entry by group="cn=IASAdmins,
 cn=groups,cn=OracleContext,%subscriberdn%"
 added_object_constraint=(objectclass=orclcontainer) (browse,add) 
orclaci: access to entry by group="cn=oracledascreategroup,
 cn=groups,cn=OracleContext,%subscriberdn%"
 added_object_constraint=(objectclass=orclgroup*) (browse,add) by  
 group="cn=Common
 Group Attributes, cn=Groups,cn=OracleContext,%subscriberdn%" (browse) 
orclaci: access to entry filter=(&(objectclass=orclgroup)(orclisvisible=false))  
 by
 groupattr=(owner) (browse, add, delete) by dnattr=(owner) 
 (browse, add, delete) by
 group="cn=Common Group Attributes, cn=Groups,cn=OracleContext,%subscriberdn%"
 (browse) by * (none) 
orclaci: access to entry  
 filter=(&(objectclass=orclgroup)(!(orclisvisible=false))) by
 group="cn=oracledascreategroup, cn=groups,cn=OracleContext,%subscriberdn%"
 added_object_constraint=(objectclass=orclgroup) (browse,add) by
 group="cn=oracledasdeletegroup, cn=groups,cn=OracleContext,%subscriberdn%"
 (browse,delete) by group="cn=oracledaseditgroup,
 cn=Groups,cn=OracleContext,%subscriberdn%" (browse) by groupattr=(owner) ( 
 browse,
 add, delete) by dnattr=(owner) (browse, add, delete) by group="cn=Common Group
 Attributes, cn=Groups,cn=OracleContext,%subscriberdn%" (browse) 
orclaci: access to attr=(*)  
 filter=(&(objectclass=orclgroup)(orclisvisible=false)) by
 groupattr=(owner) (read,search,write,compare) by dnattr=(owner)
 (read,search,write,compare) by * (none) by group="cn=Common Group Attributes,
 cn=Groups,cn=OracleContext,%subscriberdn%" (read, search, compare) 
orclaci: access to attr=(*)  
 filter=(&(objectclass=orclgroup)(!(orclisvisible=false))) by
 groupattr=(owner) (read,search,write,compare) by dnattr=(owner)
 (read,search,write,compare)  by group="cn=oracledaseditgroup,
 cn=groups,cn=OracleContext,%subscriberdn%" (read,search,write,compare) by
 group="cn=Common Group Attributes, cn=Groups,cn=OracleContext,%subscriberdn%"
 (read, search, compare) 
-
add: orclentrylevelaci 
orclentrylevelaci: access to entry by group="cn=oracledascreategroup,
 cn=groups,cn=OracleContext,%subscriberdn%"
 added_object_constraint=(objectclass=orclgroup) (browse, add) by
 group="cn=IASAdmins, cn=groups,cn=OracleContext,%subscriberdn%"
 added_object_constraint=(objectclass=orclcontainer) (browse,add) by * (browse) 
--- END LDIF file contents ---
Replace %subscriberdn% with the DN of the subscriber, and %groupsearch_or_createbase_dn% with the new DN value of the container that the new group search/create base points to.
Enter the ldapmodify command as follows:
ldapmodify -p oidport -h oidhost -D cn=orcladmin -q -v -f group_aci.ldif
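Before running either ldapmodify command, a reviewer will want to confirm that every %placeholder% was replaced and to see which subjects end up with write access to password attributes once the ACIs are applied. The Python below is an added example, not part of this Oracle documentation or of any Oracle tool: the template excerpt and the DN values are constructed, and it assumes the orclaci values are folded per RFC 2849 (exactly one leading space is stripped from each continuation line, so a fold at a word boundary needs a second space or a trailing space on the line above).

```python
import re
# Constructed excerpt shaped like the page's user_aci.ldif, folded RFC 2849 style:
# one leading space is stripped per continuation line, so word-boundary folds use TWO.
TEMPLATE = """\
dn: %usersearch_or_createbase_dn%
changetype: modify
add: orclaci
orclaci: access to attr=(userPassword) filter=(objectclass=inetorgperson) by
  group="cn=OracleUserSecurityAdmins,cn=Groups,
 cn=OracleContext, %subscriberdn%"
  (read,search,write,compare) by self
  (read,search,write,selfwrite,compare) by * (none)
-
add: orclentrylevelaci
orclentrylevelaci: access to entry by group="cn=oracledascreateuser,
 cn=groups,cn=OracleContext,%subscriberdn%"
  added_object_constraint=(objectclass=orcluser*) (browse, add) by * (browse)
"""
PLACEHOLDER = re.compile(r"%[A-Za-z_]+%")
TARGET = re.compile(r"access to (?:entry|attr=\(([^)]*)\))")
BY_CLAUSE = re.compile(  # subject, optional added_object_constraint, permissions
    r'\bby\s+(self|\*|(?:group|dn|groupattr|dnattr)=(?:"[^"]*"|\([^)]*\)))'
    r"(?:\s+added_object_constraint=\([^)]*\))?\s*\(([^)]*)\)")

def render(template, values):
    """Substitute the %placeholders%; refuse to emit an LDIF that still has one."""
    missing = sorted(set(PLACEHOLDER.findall(template)) - set(values))
    if missing:
        raise ValueError("unresolved placeholders: " + ", ".join(missing))
    return PLACEHOLDER.sub(lambda m: values[m.group(0)], template)

def unfold(ldif):
    """Join continuation lines (leading space) back onto their attribute line."""
    lines = []
    for raw in ldif.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def grants(ldif):
    """(target, subject, permissions) for every orclaci / orclentrylevelaci value."""
    out = []
    for line in unfold(ldif):
        if line.lower().startswith(("orclaci:", "orclentrylevelaci:")):
            m = TARGET.search(line)
            target = m.group(1) if m and m.group(1) else "entry"
            out += [(target, s, tuple(p.strip() for p in perms.split(",")))
                    for s, perms in BY_CLAUSE.findall(line)]
    return out

def write_grants(ldif, attr):
    """Subjects granted 'write' on attr: who may set userPassword once this is applied."""
    return [s for t, s, p in grants(ldif)
            if attr.lower() in [a.strip().lower() for a in t.split(",")] and "write" in p]
```

Run write_grants over the rendered user_aci.ldif or group_aci.ldif for any attribute you care about (userPassword, orclpasswordverifier, mail) and compare the subject list against what the subscriber actually intends before applying it with ldapmodify.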