A.9 Setting up Access Controls for Creation and Search Bases for Users and Groups

You can set up access controls in Oracle Internet Directory for the User Search Base, User Creation Base, Group Search Base, and Group Creation Base.

Note:

If you modify the User Search Base, the User Creation Base, the Group Search Base, or the Group Creation Base, then access controls for the new container need to be set up properly.

This section includes the following topics:

  A.9.1 Setting up Access Controls for the User Search Base and the User Creation Base
  A.9.2 Setting up Access Controls for the Group Search Base and the Group Creation Base

A.9.1 Setting up Access Controls for the User Search Base and the User Creation Base

To set up access controls for the User Search Base and the User Creation Base, you first create an LDIF file that adds the required orclaci and orclentrylevelaci values to the container, then load it with ldapmodify.

Perform the following steps:

  1. Create an LDIF (user_aci.ldif) file with the following entry:
    --- BEGIN LDIF file contents--- 
    dn: %usersearch_or_createbase_dn% 
    changetype: modify 
    add: orclaci 
    orclaci: access to entry by group="cn=oracledascreateuser,
     cn=groups,cn=OracleContext,%subscriberdn%"
     added_object_constraint=(objectclass=orcluser*) (browse,add) by  
     group="cn=Common User Attributes, cn=Groups,
     cn=OracleContext,%subscriberdn%" (browse) by 
     group="cn=PKIAdmins, cn=groups, cn=OracleContext,%subscriberdn%" (browse) 
    orclaci: access to entry filter=(objectclass=inetorgperson) by
     group="cn=oracledascreateuser, cn=groups,cn=OracleContext,%subscriberdn%"
     added_object_constraint=(objectclass=orcluser*) (browse,add) by
     group="cn=oracledasdeleteuser, cn=groups,cn=OracleContext,%subscriberdn%"
     (browse,delete) by group="cn=oracledasedituser,
     cn=groups,cn=OracleContext,%subscriberdn%" (browse) by
     group="cn=UserProxyPrivilege, cn=Groups,cn=OracleContext,%subscriberdn%" 
     (browse,
     proxy) by dn="orclApplicationCommonName=DASApp, cn=DAS,
     cn=Products,cn=oraclecontext" (browse,proxy) by self (browse, nodelete, noadd)
     by
     group="cn=Common User Attributes, cn=Groups,cn=OracleContext,%subscriberdn%"
     (browse) by * (browse, noadd, nodelete) 
    orclaci: access to attr=(*) filter=(objectclass=inetorgperson) by
     group="cn=oracledasedituser, cn=groups,cn=OracleContext, 
     %subscriberdn%" (read,search,write,compare) by self ( 
     read,search,write,selfwrite,compare) by *
     (read, nowrite, nocompare) 
    orclaci: access to attr=(userPassword)   
     filter=(objectclass=inetorgperson) by   
     group="cn=OracleUserSecurityAdmins,cn=Groups, 
     cn=OracleContext, %subscriberdn%" 
     (read,search,write,compare) by group="cn=oracledasedituser,
     cn=groups,cn=OracleContext,%subscriberdn%" 
     (read,search,write,compare) by self
     (read,search,write,selfwrite,compare) by group="cn=authenticationServices,
     cn=Groups,cn=OracleContext,%subscriberdn%" (compare) by * (none) 
    orclaci: access to attr=(authpassword, orclpasswordverifier, orclpassword) by
     group="cn=oracledasedituser,cn=groups,cn=OracleContext,%subscriberdn%"
     (read,search,write,compare) by
     group="cn=verifierServices,cn=Groups,cn=OracleContext,%subscriberdn%" 
     (search, read, compare) by self (search,read,write,compare) by * (none) 
    orclaci: access to attr=(orclpwdaccountunlock) by
     group="cn=oracledasedituser,cn=groups,cn=OracleContext,%subscriberdn%" ( 
     write) by * (none) 
    orclaci: access to attr=(usercertificate, usersmimecertificate) by
     group="cn=PKIAdmins,cn=Groups,cn=OracleContext,%subscriberdn%" 
     (read, search, write, compare) by self (read, search, compare) by * 
     (read, search, compare) 
    orclaci: access to attr=(mail) by
     group="cn=EmailAdminsGroup,cn=EmailServerContainer,cn=Products,
     cn=OracleContext" (write) by group="cn=oracledasedituser,
     cn=groups,cn=OracleContext,%subscriberdn%" (read,search,write,compare) 
    orclaci: access to attr=(orclguid, orclisenabled, modifytimestamp,mail) 
     by group="cn=Common User Attributes, 
     cn=Groups,cn=OracleContext,%subscriberdn%"
     (read, search, compare) by group="cn=oracledasedituser,
     cn=groups,cn=OracleContext,%subscriberdn%" (read,search,write,compare) 
     by * (read, nowrite, nocompare) 
    orclaci: access to attr=(orclpasswordhintanswer) by 
     group="cn=Common User Attributes,
     cn=Groups,cn=OracleContext,%subscriberdn%" (read, search, compare) by self
     (read,search,write,selfwrite,compare) by * (noread, nowrite, nocompare) 
    orclaci: access to attr=(orclpasswordhint) by 
     group="cn=Common User Attributes,
     cn=Groups,cn=OracleContext,%subscriberdn%" (read, search, compare) by self
     (read,search,write,selfwrite,compare) by
     group="cn=OracleUserSecurityAdmins,cn=Groups,cn=OracleContext,
     %subscriberdn%" (read,search,write,compare) by * 
     (noread, nowrite, nocompare) 
    orclaci: access to attr=(displayName, preferredlanguage,
     orcltimezone,orcldateofbirth,orclgender,orclwirelessaccountnumber,cn,
     uid,homephone,telephonenumber) by group="cn=Common User Attributes,
     cn=Groups,cn=OracleContext,%subscriberdn%"
     (read, search, compare) by group="cn=oracledasedituser,
     cn=groups,cn=OracleContext,%subscriberdn%" (read,search,write,compare) 
     by self (read,search,write,selfwrite,compare) by * 
     (read, nowrite, nocompare)
    -
    add: orclentrylevelaci 
    orclentrylevelaci: access to entry by group="cn=oracledascreateuser,
     cn=groups,cn=OracleContext,%subscriberdn%" added_object_constraint=
     (objectclass=orcluser*) (browse, add) by * (browse) 
    ---END LDIF file contents------
    
  2. Replace %subscriberdn% with the DN of the subscriber and %usersearch_or_createbase_dn% with the DN of the container to which the new User Search Base or User Creation Base points.
  3. Run the ldapmodify command as follows:
    ldapmodify -p oidport -h oidhost -D cn=orcladmin -q -v \
               -f  user_aci.ldif

A.9.2 Setting up Access Controls for the Group Search Base and the Group Creation Base

To set up access controls for the Group Search Base and the Group Creation Base, create an LDIF file as the first step.

Perform the following steps:

  1. Create an LDIF (group_aci.ldif) file with the following entry:
    --- BEGIN LDIF file contents--- 
    dn: %groupsearch_or_createbase_dn% 
    changetype: modify 
    add: orclaci 
    orclaci: access to entry by group="cn=IASAdmins,
     cn=groups,cn=OracleContext,%subscriberdn%"
     added_object_constraint=(objectclass=orclcontainer) (browse,add) 
    orclaci: access to entry by group="cn=oracledascreategroup,
     cn=groups,cn=OracleContext,%subscriberdn%"
     added_object_constraint=(objectclass=orclgroup*) (browse,add) by  
     group="cn=Common
     Group Attributes, cn=Groups,cn=OracleContext,%subscriberdn%" (browse) 
    orclaci: access to entry filter=(&(objectclass=orclgroup)(orclisvisible=false))  
     by
     groupattr=(owner) (browse, add, delete) by dnattr=(owner) 
     (browse, add, delete) by
     group="cn=Common Group Attributes, cn=Groups,cn=OracleContext,%subscriberdn%"
     (browse) by * (none) 
    orclaci: access to entry  
     filter=(&(objectclass=orclgroup)(!(orclisvisible=false))) by
     group="cn=oracledascreategroup, cn=groups,cn=OracleContext,%subscriberdn%"
     added_object_constraint=(objectclass=orclgroup) (browse,add) by
     group="cn=oracledasdeletegroup, cn=groups,cn=OracleContext,%subscriberdn%"
     (browse,delete) by group="cn=oracledaseditgroup,
     cn=Groups,cn=OracleContext,%subscriberdn%" (browse) by groupattr=(owner) ( 
     browse,
     add, delete) by dnattr=(owner) (browse, add, delete) by group="cn=Common Group
     Attributes, cn=Groups,cn=OracleContext,%subscriberdn%" (browse) 
    orclaci: access to attr=(*)  
     filter=(&(objectclass=orclgroup)(orclisvisible=false)) by
     groupattr=(owner) (read,search,write,compare) by dnattr=(owner)
     (read,search,write,compare) by * (none) by group="cn=Common Group Attributes,
     cn=Groups,cn=OracleContext,%subscriberdn%" (read, search, compare) 
    orclaci: access to attr=(*)  
     filter=(&(objectclass=orclgroup)(!(orclisvisible=false))) by
     groupattr=(owner) (read,search,write,compare) by dnattr=(owner)
     (read,search,write,compare)  by group="cn=oracledaseditgroup,
     cn=groups,cn=OracleContext,%subscriberdn%" (read,search,write,compare) by
     group="cn=Common Group Attributes, cn=Groups,cn=OracleContext,%subscriberdn%"
     (read, search, compare) 
    -
    add: orclentrylevelaci 
    orclentrylevelaci: access to entry by group="cn=oracledascreategroup,
     cn=groups,cn=OracleContext,%subscriberdn%"
     added_object_constraint=(objectclass=orclgroup) (browse, add) by
     group="cn=IASAdmins, cn=groups,cn=OracleContext,%subscriberdn%"
     added_object_constraint=(objectclass=orclcontainer) (browse,add) by * (browse) 
    ---END LDIF file contents------ 
    
  2. Replace %subscriberdn% with the DN of the subscriber and %groupsearch_or_createbase_dn% with the DN of the container to which the new Group Search Base or Group Creation Base points.
  3. Run the ldapmodify command as follows:
    ldapmodify -p oidport -h oidhost -D cn=orcladmin -q -v -f group_aci.ldif
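Steps 1 and 2 of both A.9.1 and A.9.2 are the same procedure: fill the %subscriberdn% and container-DN placeholders in a template, then review the resulting ACIs before ldapmodify loads them. The following script is an added example, not Oracle's own tooling or part of this appendix. It embeds a constructed, abbreviated excerpt of the user_aci.ldif template (the subscriber DN and container DN used are sample values), substitutes the placeholders and refuses to produce a file that still contains one, unfolds the LDIF continuation lines, and reports what every orclaci grants to "*" (everyone) so that, for example, a userPassword rule that does not end in "by * (none)" is visible before the file is applied. The subject forms it recognises (group=, dn=, self, *, groupattr=, dnattr=) are the ones that appear in the two templates above; the same functions apply unchanged to group_aci.ldif.

```python
# Render and sanity-check the ACI LDIF files of A.9.1 and A.9.2. Added example,
# not Oracle's tooling: it does the placeholder substitution of step 2 (failing
# closed on a leftover %placeholder%), unfolds the LDIF continuation lines and
# reports what each orclaci grants to "*" (everyone) before step 3 loads it.
import re
from typing import Dict, List, Optional, Set, Tuple

PLACEHOLDER = re.compile(r"%[A-Za-z_]+%")
ACI_TARGET = re.compile(r"^access to (entry|attr=\(([^)]*)\))")
ACI_GRANT = re.compile(  # by <subject> [added_object_constraint=(...)] (<rights>)
    r'\bby\s+(\*|self|group="[^"]*"|dn="[^"]*"|groupattr=\([^)]*\)|dnattr=\([^)]*\))'
    r"(?:\s+added_object_constraint=\([^)]*\))?\s*\(([^)]*)\)")

# Constructed, abbreviated excerpt of the user_aci.ldif template (A.9.1, step 1).
# Continuation lines start with two spaces so that RFC 2849 unfolding, which
# drops exactly one leading space, leaves a real space inside the value.
USER_ACI_TEMPLATE = """\
dn: %usersearch_or_createbase_dn%
changetype: modify
add: orclaci
orclaci: access to entry by group="cn=oracledascreateuser,
 cn=groups,cn=OracleContext,%subscriberdn%"
  added_object_constraint=(objectclass=orcluser*) (browse,add) by * (browse)
orclaci: access to attr=(userPassword) filter=(objectclass=inetorgperson) by
  group="cn=OracleUserSecurityAdmins,cn=Groups,cn=OracleContext,%subscriberdn%"
  (read,search,write,compare) by self (read,search,write,selfwrite,compare)
  by * (none)
-
add: orclentrylevelaci
orclentrylevelaci: access to entry by group="cn=oracledascreateuser,
 cn=groups,cn=OracleContext,%subscriberdn%" added_object_constraint=
 (objectclass=orcluser*) (browse, add) by * (browse)
"""

def render(template: str, values: Dict[str, str]) -> str:
    """Step 2: replace every %name% placeholder, failing closed on a leftover."""
    def substitute(match) -> str:
        name = match.group(0)[1:-1]
        if name not in values:
            raise ValueError(f"no value supplied for placeholder {match.group(0)}")
        return values[name]
    return PLACEHOLDER.sub(substitute, template)

def unfold(ldif: str) -> List[str]:
    # Join RFC 2849 continuation lines (leading space) onto their logical line.
    logical: List[str] = []
    for raw in ldif.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]
        elif raw.strip():
            logical.append(raw)
    return logical

def parse_modify(ldif: str) -> Dict:
    # Parse one "changetype: modify" record into its dn and its add blocks.
    record: Dict = {"dn": None, "changetype": None, "mods": []}
    current: Optional[Dict] = None
    for line in unfold(ldif):
        if line == "-":  # separator between two modifications
            current = None
            continue
        key, _, value = line.partition(":")
        key, value = key.lower(), value.strip()
        if key in ("dn", "changetype"):
            record[key] = value
        elif key == "add":
            current = {"attr": value, "values": []}
            record["mods"].append(current)
        elif current is not None and key == current["attr"].lower():
            current["values"].append(value)
        else:
            raise ValueError(f"unexpected LDIF line: {line!r}")
    return record

def parse_aci(aci: str) -> Tuple[Optional[List[str]], List[Tuple[str, Set[str]]]]:
    # Split an orclaci value into target attributes (None = entry) and grants.
    target = ACI_TARGET.match(aci)
    if not target:
        raise ValueError(f"not an orclaci value: {aci!r}")
    attrs = None if target.group(1) == "entry" else [
        a.strip().lower() for a in target.group(2).split(",")]
    return attrs, [(m.group(1), {r.strip().lower() for r in m.group(2).split(",")})
                   for m in ACI_GRANT.finditer(aci)]

def rights_for_everyone(ldif: str) -> Dict[str, Set[str]]:
    # Map each target attribute (or "entry") to the rights its orclaci gives "by *".
    result: Dict[str, Set[str]] = {}
    for mod in parse_modify(ldif)["mods"]:
        if mod["attr"].lower() != "orclaci":
            continue
        for value in mod["values"]:
            attrs, grants = parse_aci(value)
            star = next((r for subj, r in grants if subj == "*"), set())
            for name in attrs or ["entry"]:
                result[name] = star
    return result

if __name__ == "__main__":  # constructed sample values for the step 2 placeholders
    ldif = render(USER_ACI_TEMPLATE, {"subscriberdn": "dc=example,dc=com",
                  "usersearch_or_createbase_dn": "cn=Users,dc=example,dc=com"})
    for name, rights in sorted(rights_for_everyone(ldif).items()):
        print(f"{name:18} by * -> {sorted(rights)}")  # then save as user_aci.ldif
```

Write the rendered text to user_aci.ldif (or group_aci.ldif) and load it with the ldapmodify command of step 3. When copying the templates above, keep the separation between tokens across continuation lines intact: LDIF unfolding removes only the single leading space of each continuation line, so a token that ends one line and the token that starts the next must be separated either by a trailing space on the first line or by a second leading space on the continuation line, otherwise the unfolded orclaci value runs the two together.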