我是 OpenAM 的 SSO 和 OpenDJ 的用户目录。我们的应用程序使用生成的开放空间修改用户目录。但是,此用户无法更新ds-pwp-帐户已禁用属性。
我没有在默认全局 acis 中看到任何可以阻止修改此属性的内容
ds-cfg-global-aci: (extop="1.3.6.1.4.1.26027.1.6.1 || 1.3.6.1.4.1.26027.1.6.3 || 1.3.6.1.4.1.4203.1.11.1 || 1.3.6.1.4.1.1466.20037 || 1.3.6.1.4.1.4203.1.11.3") (version 3.0; acl "Anonymous extended operation access"; allow(read) userdn="ldap:///anyone";)
ds-cfg-global-aci: (targetcontrol="2.16.840.1.113730.3.4.2 || 2.16.840.1.113730.3.4.17 || 2.16.840.1.113730.3.4.19 || 1.3.6.1.4.1.4203.1.10.2 || 1.3.6.1.4.1.42.2.27.8.5.1 || 2.16.840.1.113730.3.4.16") (version 3.0; acl "Anonymous control access"; allow(read) userdn="ldap:///anyone";)
ds-cfg-global-aci: (targetcontrol="1.3.6.1.1.12 || 1.3.6.1.1.13.1 || 1.3.6.1.1.13.2 || 1.2.840.113556.1.4.319 || 1.2.826.0.1.3344810.2.3 || 2.16.840.1.113730.3.4.18 || 2.16.840.1.113730.3.4.9 || 1.2.840.113556.1.4.473 || 1.3.6.1.4.1.42.2.27.9.5.9") (version 3.0; acl "Authenticated users control access"; allow(read) userdn="ldap:///all";)
ds-cfg-global-aci: (targetattr!="userPassword||authPassword||changes||changeNumber||changeType||changeTime||targetDN||newRDN||newSuperior||deleteOldRDN||targetEntryUUID||targetUniqueID||changeInitiatorsName||changeLogCookie")(version 3.0; acl "Anonymous read access"; allow (read,search,compare) userdn="ldap:///anyone";)
ds-cfg-global-aci: (targetattr="audio||authPassword||description||displayName||givenName||homePhone||homePostalAddress||initials||jpegPhoto||labeledURI||mobile||pager||postalAddress||postalCode||preferredLanguage||telephoneNumber||userPassword")(version 3.0; acl "Self entry modification"; allow (write) userdn="ldap:///self";)
ds-cfg-global-aci: (targetattr="userPassword||authPassword")(version 3.0; acl "Self entry read"; allow (read,search,compare) userdn="ldap:///self";)
ds-cfg-global-aci: (target="ldap:///cn=schema")(targetscope="base")(targetattr="objectClass||attributeTypes||dITContentRules||dITStructureRules||ldapSyntaxes||matchingRules||matchingRuleUse||nameForms||objectClasses")(version 3.0; acl "User-Visible Schema Operational Attributes"; allow (read,search,compare) userdn="ldap:///anyone";)
ds-cfg-global-aci: (target="ldap:///")(targetscope="base")(targetattr="objectClass||namingContexts||supportedAuthPasswordSchemes||supportedControl||supportedExtension||supportedFeatures||supportedLDAPVersion||supportedSASLMechanisms||vendorName||vendorVersion")(version 3.0; acl "User-Visible Root DSE Operational Attributes"; allow (read,search,compare) userdn="ldap:///anyone";)
ds-cfg-global-aci: (targetattr="createTimestamp||creatorsName||modifiersName||modifyTimestamp||entryDN||entryUUID||subschemaSubentry")(version 3.0; acl "User-Visible Operational Attributes"; allow (read,search,compare) userdn="ldap:///anyone";)
ds-cfg-global-aci: (target="ldap:///dc=replicationchanges")(targetattr="*")(version 3.0; acl "Replication backend access"; deny (all) userdn="ldap:///anyone";)
这些是 OpenAM 安装添加的 acis。
aci: (target="ldap:///dc=testbase")(targetattr="*")(version 3.0; acl "OpenSSO datastore configuration bind user all rights under the root suffix"; allow (all) userdn = "ldap:///cn=openssouser,ou=opensso adminusers,dc=testbase"; )
aci: (target="ldap:///dc=testbase")(targetattr="*")(version 3.0; acl "OpenSSO Authn bind ldap user rights"; allow (read,search) userdn = "ldap:///cn=ldapuser,ou=opensso adminusers,dc=testbase"; )
aci: (targetcontrol = "2.16.840.1.113730.3.4.3")(version 3.0; acl "Allow Persistent Search for the OpenSSO datastore config bind user"; allow (all) userdn = "ldap:///cn=openssouser,ou=opensso adminusers,dc=testbase";)
aci: (targetattr = "objectclass || inetuserstatus || ds-pwp-account-disabled || iplanet-am-user-login-status || iplanet-am-user-account-life || iplanet-am-session-quota-limit || iplanet-am-user-alias-list || iplanet-am-session-max-session-time || iplanet-am-session-max-idle-time || iplanet-am-session-get-valid-sessions || iplanet-am-session-destroy-sessions || iplanet-am-session-add-session-listener-on-all-sessions || iplanet-am-user-admin-start-dn || iplanet-am-auth-post-login-process-class || iplanet-am-user-federation-info || iplanet-am-user-federation-info-key || sun-fm-saml2-nameid-info || sun-fm-saml2-nameid-infokey || sunAMAuthInvalidAttemptsData || memberof || member")(targetfilter="(!(userdn=cn=openssouser,ou=opensso adminusers,dc=testbase))")(version 3.0; acl "OpenSSO User self modification denied for these attributes"; deny (write) userdn ="ldap:///self";)
我尝试添加这个 aci 但没有成功
aci: (targetattr = "ds-pwp-account-disabled")(targetfilter="(&(userdn=cn=openssouser,ou=opensso adminusers,dc=testbase))")(version 3.0; acl "OpenSSO User allow modification of ds-pwp-account-disabled"; allow (read,write) userdn ="ldap:///self";)
如果我添加ds-权限名称:bypass-acl到开放空间,我可以修改该属性。但是,我不太愿意添加此权限,因为我不完全了解潜在的后果。还有其他解决方案吗?
答案1
我的 aci 错了。应该是:
aci: (targetattr = "ds-pwp-account-disabled")(version 3.0; acl "OpenSSO User allow modification of ds-pwp-account-disabled"; allow (read,write) userdn = "ldap:///cn=openssouser,ou=opensso adminusers,dc=testbase";)
仍然不确定哪个 aci 最初阻止了这种修改?