Oracle® Internet Directory Administrator's Guide, 10g Release 2 (10.1.2) B14082-02
If you modify the User Search Base, the User Creation Base, the Group Search Base, or the Group Creation Base, then access controls for the new container need to be set up properly. This appendix contains these topics:
Setting up Access Controls for the User Search Base and the User Creation Base
Setting up Access Controls for the Group Search Base and the Group Creation Base
To set up access controls for the User Search Base and the User Creation Base:
Create an LDIF (user_aci.ldif) file with the following entry:
--- BEGIN LDIF file contents ---
dn: %usersearch_or_createbase_dn%
changetype: modify
add: orclaci
orclaci: access to entry by group="cn=oracledascreateuser,cn=groups,cn=OracleContext,%subscriberdn%" added_object_constraint=(objectclass=orcluser*) (browse,add) by group="cn=Common User Attributes,cn=Groups,cn=OracleContext,%subscriberdn%" (browse) by group="cn=PKIAdmins,cn=groups,cn=OracleContext,%subscriberdn%" (browse)
orclaci: access to entry filter=(objectclass=inetorgperson) by group="cn=oracledascreateuser,cn=groups,cn=OracleContext,%subscriberdn%" added_object_constraint=(objectclass=orcluser*) (browse,add) by group="cn=oracledasdeleteuser,cn=groups,cn=OracleContext,%subscriberdn%" (browse,delete) by group="cn=oracledasedituser,cn=groups,cn=OracleContext,%subscriberdn%" (browse) by group="cn=UserProxyPrivilege,cn=Groups,cn=OracleContext,%subscriberdn%" (browse,proxy) by dn="orclApplicationCommonName=DASApp,cn=DAS,cn=Products,cn=oraclecontext" (browse,proxy) by self (browse,nodelete,noadd) by group="cn=Common User Attributes,cn=Groups,cn=OracleContext,%subscriberdn%" (browse) by * (browse,noadd,nodelete)
orclaci: access to attr=(*) filter=(objectclass=inetorgperson) by group="cn=oracledasedituser,cn=groups,cn=OracleContext,%subscriberdn%" (read,search,write,compare) by self (read,search,write,selfwrite,compare) by * (read,nowrite,nocompare)
orclaci: access to attr=(userPassword) filter=(objectclass=inetorgperson) by group="cn=OracleUserSecurityAdmins,cn=Groups,cn=OracleContext,%subscriberdn%" (read,search,write,compare) by group="cn=oracledasedituser,cn=groups,cn=OracleContext,%subscriberdn%" (read,search,write,compare) by self (read,search,write,selfwrite,compare) by group="cn=authenticationServices,cn=Groups,cn=OracleContext,%subscriberdn%" (compare) by * (none)
orclaci: access to attr=(authpassword,orclpasswordverifier,orclpassword) by group="cn=oracledasedituser,cn=groups,cn=OracleContext,%subscriberdn%" (read,search,write,compare) by group="cn=verifierServices,cn=Groups,cn=OracleContext,%subscriberdn%" (search,read,compare) by self (search,read,write,compare) by * (none)
orclaci: access to attr=(orclpwdaccountunlock) by group="cn=oracledasedituser,cn=groups,cn=OracleContext,%subscriberdn%" (write) by * (none)
orclaci: access to attr=(usercertificate,usersmimecertificate) by group="cn=PKIAdmins,cn=Groups,cn=OracleContext,%subscriberdn%" (read,search,write,compare) by self (read,search,compare) by * (read,search,compare)
orclaci: access to attr=(mail) by group="cn=EmailAdminsGroup,cn=EmailServerContainer,cn=Products,cn=OracleContext" (write) by group="cn=oracledasedituser,cn=groups,cn=OracleContext,%subscriberdn%" (read,search,write,compare)
orclaci: access to attr=(orclguid,orclisenabled,modifytimestamp,mail) by group="cn=Common User Attributes,cn=Groups,cn=OracleContext,%subscriberdn%" (read,search,compare) by group="cn=oracledasedituser,cn=groups,cn=OracleContext,%subscriberdn%" (read,search,write,compare) by * (read,nowrite,nocompare)
orclaci: access to attr=(orclpasswordhintanswer) by group="cn=Common User Attributes,cn=Groups,cn=OracleContext,%subscriberdn%" (read,search,compare) by self (read,search,write,selfwrite,compare) by * (noread,nowrite,nocompare)
orclaci: access to attr=(orclpasswordhint) by group="cn=Common User Attributes,cn=Groups,cn=OracleContext,%subscriberdn%" (read,search,compare) by self (read,search,write,selfwrite,compare) by group="cn=OracleUserSecurityAdmins,cn=Groups,cn=OracleContext,%subscriberdn%" (read,search,write,compare) by * (noread,nowrite,nocompare)
orclaci: access to attr=(displayName,preferredlanguage,orcltimezone,orcldateofbirth,orclgender,orclwirelessaccountnumber,cn,uid,homephone,telephonenumber) by group="cn=Common User Attributes,cn=Groups,cn=OracleContext,%subscriberdn%" (read,search,compare) by group="cn=oracledasedituser,cn=groups,cn=OracleContext,%subscriberdn%" (read,search,write,compare) by self (read,search,write,selfwrite,compare) by * (read,nowrite,nocompare)
-
add: orclentrylevelaci
orclentrylevelaci: access to entry by group="cn=oracledascreateuser,cn=groups,cn=OracleContext,%subscriberdn%" added_object_constraint=(objectclass=orcluser*) (browse,add) by * (browse)
--- END LDIF file contents ---
Replace %subscriberdn% with the DN of the subscriber, and replace %usersearch_or_createbase_dn% with the DN of the container to which the new User Search Base or User Creation Base points.
Run the ldapmodify command as follows:
ldapmodify -p oidport -h oidhost -D cn=orcladmin -w instance_password -v -f user_aci.ldif
To set up access controls for the Group Search Base and the Group Creation Base:
Create an LDIF (group_aci.ldif) file with the following entry:
--- BEGIN LDIF file contents ---
dn: %groupsearch_or_createbase_dn%
changetype: modify
add: orclaci
orclaci: access to entry by group="cn=IASAdmins,cn=groups,cn=OracleContext,%subscriberdn%" added_object_constraint=(objectclass=orclcontainer) (browse,add)
orclaci: access to entry by group="cn=oracledascreategroup,cn=groups,cn=OracleContext,%subscriberdn%" added_object_constraint=(objectclass=orclgroup*) (browse,add) by group="cn=Common Group Attributes,cn=Groups,cn=OracleContext,%subscriberdn%" (browse)
orclaci: access to entry filter=(&(objectclass=orclgroup)(orclisvisible=false)) by groupattr=(owner) (browse,add,delete) by dnattr=(owner) (browse,add,delete) by group="cn=Common Group Attributes,cn=Groups,cn=OracleContext,%subscriberdn%" (browse) by * (none)
orclaci: access to entry filter=(&(objectclass=orclgroup)(!(orclisvisible=false))) by group="cn=oracledascreategroup,cn=groups,cn=OracleContext,%subscriberdn%" added_object_constraint=(objectclass=orclgroup) (browse,add) by group="cn=oracledasdeletegroup,cn=groups,cn=OracleContext,%subscriberdn%" (browse,delete) by group="cn=oracledaseditgroup,cn=Groups,cn=OracleContext,%subscriberdn%" (browse) by groupattr=(owner) (browse,add,delete) by dnattr=(owner) (browse,add,delete) by group="cn=Common Group Attributes,cn=Groups,cn=OracleContext,%subscriberdn%" (browse)
orclaci: access to attr=(*) filter=(&(objectclass=orclgroup)(orclisvisible=false)) by groupattr=(owner) (read,search,write,compare) by dnattr=(owner) (read,search,write,compare) by * (none) by group="cn=Common Group Attributes,cn=Groups,cn=OracleContext,%subscriberdn%" (read,search,compare)
orclaci: access to attr=(*) filter=(&(objectclass=orclgroup)(!(orclisvisible=false))) by groupattr=(owner) (read,search,write,compare) by dnattr=(owner) (read,search,write,compare) by group="cn=oracledaseditgroup,cn=groups,cn=OracleContext,%subscriberdn%" (read,search,write,compare) by group="cn=Common Group Attributes,cn=Groups,cn=OracleContext,%subscriberdn%" (read,search,compare)
-
add: orclentrylevelaci
orclentrylevelaci: access to entry by group="cn=oracledascreategroup,cn=groups,cn=OracleContext,%subscriberdn%" added_object_constraint=(objectclass=orclgroup) (browse,add) by group="cn=IASAdmins,cn=groups,cn=OracleContext,%subscriberdn%" added_object_constraint=(objectclass=orclcontainer) (browse,add) by * (browse)
--- END LDIF file contents ---
Replace %subscriberdn% with the DN of the subscriber, and replace %groupsearch_or_createbase_dn% with the DN of the container to which the new Group Search Base or Group Creation Base points.
Run the ldapmodify command as follows:
ldapmodify -p oidport -h oidhost -D cn=orcladmin -w instance_password -v -f group_aci.ldif
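Both procedures above follow the same pattern: fill the %subscriberdn% and container-DN placeholders in a template, then hand the file to ldapmodify. The script below is an added example, not part of the Oracle guide, that does the substitution for the user-base file, refuses to write a file that still carries an unfilled placeholder, and then parses the orclaci values so an administrator can confirm what the file grants before loading it (for instance, that no "by *" clause hands out a write-type right and which subjects may write userPassword). The excerpt of the template, the subscriber DN dc=example,dc=com and the base cn=Users,dc=example,dc=com are constructed for the example; the same code serves group_aci.ldif by swapping in the group template and %groupsearch_or_createbase_dn%. The parser reports what each ACI states and does not model how OID resolves overlapping ACIs.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterator, List, Optional, Set, Tuple

# Constructed excerpt of the page's user_aci.ldif template (three of its ACIs).
# %subscriberdn% and %usersearch_or_createbase_dn% are the page's own placeholders.
USER_ACI_TEMPLATE = """\
dn: %usersearch_or_createbase_dn%
changetype: modify
add: orclaci
orclaci: access to attr=(*) filter=(objectclass=inetorgperson) by group="cn=oracledasedituser,cn=groups,cn=OracleContext,%subscriberdn%" (read,search,write,compare) by self (read,search,write,selfwrite,compare) by * (read,nowrite,nocompare)
orclaci: access to attr=(userPassword) filter=(objectclass=inetorgperson) by group="cn=OracleUserSecurityAdmins,cn=Groups,cn=OracleContext,%subscriberdn%" (read,search,write,compare) by group="cn=oracledasedituser,cn=groups,cn=OracleContext,%subscriberdn%" (read,search,write,compare) by self (read,search,write,selfwrite,compare) by group="cn=authenticationServices,cn=Groups,cn=OracleContext,%subscriberdn%" (compare) by * (none)
-
add: orclentrylevelaci
orclentrylevelaci: access to entry by group="cn=oracledascreateuser,cn=groups,cn=OracleContext,%subscriberdn%" added_object_constraint=(objectclass=orcluser*) (browse,add) by * (browse)
"""

PLACEHOLDER = re.compile(r"%[A-Za-z_]+%")


def placeholders_left(text: str) -> List[str]:
    """Sorted list of %name% tokens still present in the text."""
    return sorted(set(PLACEHOLDER.findall(text)))


def render_ldif(template: str, values: Dict[str, str]) -> str:
    """Fill the placeholders; refuse to emit a file that still contains one,
    since ldapmodify would otherwise target an entry literally named %...%."""
    out = template
    for name, value in values.items():
        out = out.replace(f"%{name}%", value)
    left = placeholders_left(out)
    if left:
        raise ValueError("unreplaced placeholders: " + ", ".join(left))
    return out


@dataclass
class Aci:
    target: str                         # "entry" or "attr=(a,b,...)"
    filter: Optional[str]               # LDAP filter text, if present
    grants: List[Tuple[str, Set[str]]]  # (subject, rights) in file order


BY_SPLIT = re.compile(r"\s+by\s+")
TARGET = re.compile(r"access to (entry|attr=\([^)]*\))(?:\s+filter=(\(.*\)))?$")
RIGHTS_AT_END = re.compile(r"\(([^()]*)\)\s*$")
CONSTRAINT = re.compile(r"\s*added_object_constraint=\([^)]*\)")


def parse_aci(value: str) -> Aci:
    """Parse one orclaci/orclentrylevelaci value in the page's form:
    access to <target> [filter=(...)] by <subject> [added_object_constraint=(...)] (rights) ..."""
    head, *clauses = BY_SPLIT.split(value.strip())
    m = TARGET.match(head)
    if not m:
        raise ValueError(f"unrecognised ACI target: {head!r}")
    grants: List[Tuple[str, Set[str]]] = []
    for clause in clauses:
        rm = RIGHTS_AT_END.search(clause)          # rights are the last (...) group
        if not rm:
            raise ValueError(f"clause without a rights list: {clause!r}")
        rights = {r.strip().lower() for r in rm.group(1).split(",") if r.strip()}
        subject = CONSTRAINT.sub("", clause[: rm.start()]).strip()
        grants.append((subject, rights))
    return Aci(m.group(1), m.group(2), grants)


def iter_acis(ldif_text: str) -> Iterator[Aci]:
    for line in ldif_text.splitlines():
        attr, sep, value = line.partition(":")
        if sep and attr in ("orclaci", "orclentrylevelaci"):
            yield parse_aci(value)


def covered_attrs(target: str) -> Optional[Set[str]]:
    """Lower-cased attribute names an attr=(...) target covers; None for 'entry'."""
    if target == "entry":
        return None
    return {a.strip().lower() for a in target[len("attr=("):-1].split(",")}


WRITE_LIKE = {"write", "selfwrite", "add", "delete", "proxy"}


def anonymous_write_grants(ldif_text: str) -> List[str]:
    """Targets whose catch-all 'by *' clause grants a write-type right.
    The page's templates never do this; a non-empty result means the file was mis-edited."""
    return [aci.target for aci in iter_acis(ldif_text)
            for subject, rights in aci.grants
            if subject == "*" and rights & WRITE_LIKE]


def who_can(ldif_text: str, right: str, attribute: str) -> List[str]:
    """Subjects explicitly granted `right` by any ACI naming `attribute` or attr=(*)."""
    attribute = attribute.lower()
    subjects: Set[str] = set()
    for aci in iter_acis(ldif_text):
        attrs = covered_attrs(aci.target)
        if attrs is None or not ({attribute, "*"} & attrs):
            continue
        subjects.update(s for s, rights in aci.grants if right in rights)
    return sorted(subjects)


if __name__ == "__main__":
    # Assumed subscriber DN and new user search base (constructed, not from the page).
    rendered = render_ldif(USER_ACI_TEMPLATE, {
        "subscriberdn": "dc=example,dc=com",
        "usersearch_or_createbase_dn": "cn=Users,dc=example,dc=com",
    })
    with open("user_aci.ldif", "w") as fh:   # then load it with the ldapmodify command above
        fh.write(rendered)
    print("anonymous write grants:", anonymous_write_grants(rendered))
    print("can write userPassword:", who_can(rendered, "write", "userPassword"))
```

Run it once before ldapmodify: an empty "anonymous write grants" list and a short, expected "can write userPassword" list are the checks worth seeing on the rendered file; a ValueError means a placeholder was left unfilled.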