Tambahkan izin untuk mengubah atribut yang dinonaktifkan oleh ds-pwp-akun


0

Saya OpenAM untuk SSO dan OpenDJ sebagai direktori pengguna. Aplikasi kami menggunakan openssouser yang dihasilkan untuk memodifikasi direktori pengguna. Namun, pengguna ini tidak dapat memperbarui atribut ds-pwp-account-disabled .

Saya tidak melihat apa pun di global acis default yang akan mencegah modifikasi atribut ini

ds-cfg-global-aci: (extop="1.3.6.1.4.1.26027.1.6.1 || 1.3.6.1.4.1.26027.1.6.3 || 1.3.6.1.4.1.4203.1.11.1 || 1.3.6.1.4.1.1466.20037 || 1.3.6.1.4.1.4203.1.11.3") (version 3.0; acl "Anonymous extended operation access"; allow(read) userdn="ldap:///anyone";)
ds-cfg-global-aci: (targetcontrol="2.16.840.1.113730.3.4.2 || 2.16.840.1.113730.3.4.17 || 2.16.840.1.113730.3.4.19 || 1.3.6.1.4.1.4203.1.10.2 || 1.3.6.1.4.1.42.2.27.8.5.1 || 2.16.840.1.113730.3.4.16") (version 3.0; acl "Anonymous control access"; allow(read) userdn="ldap:///anyone";)
ds-cfg-global-aci: (targetcontrol="1.3.6.1.1.12 || 1.3.6.1.1.13.1 || 1.3.6.1.1.13.2 || 1.2.840.113556.1.4.319 || 1.2.826.0.1.3344810.2.3 || 2.16.840.1.113730.3.4.18 || 2.16.840.1.113730.3.4.9 || 1.2.840.113556.1.4.473 || 1.3.6.1.4.1.42.2.27.9.5.9") (version 3.0; acl "Authenticated users control access"; allow(read) userdn="ldap:///all";)
ds-cfg-global-aci: (targetattr!="userPassword||authPassword||changes||changeNumber||changeType||changeTime||targetDN||newRDN||newSuperior||deleteOldRDN||targetEntryUUID||targetUniqueID||changeInitiatorsName||changeLogCookie")(version 3.0; acl "Anonymous read access"; allow (read,search,compare) userdn="ldap:///anyone";)
ds-cfg-global-aci: (targetattr="audio||authPassword||description||displayName||givenName||homePhone||homePostalAddress||initials||jpegPhoto||labeledURI||mobile||pager||postalAddress||postalCode||preferredLanguage||telephoneNumber||userPassword")(version 3.0; acl "Self entry modification"; allow (write) userdn="ldap:///self";)
ds-cfg-global-aci: (targetattr="userPassword||authPassword")(version 3.0; acl "Self entry read"; allow (read,search,compare) userdn="ldap:///self";)
ds-cfg-global-aci: (target="ldap:///cn=schema")(targetscope="base")(targetattr="objectClass||attributeTypes||dITContentRules||dITStructureRules||ldapSyntaxes||matchingRules||matchingRuleUse||nameForms||objectClasses")(version 3.0; acl "User-Visible Schema Operational Attributes"; allow (read,search,compare) userdn="ldap:///anyone";)
ds-cfg-global-aci: (target="ldap:///")(targetscope="base")(targetattr="objectClass||namingContexts||supportedAuthPasswordSchemes||supportedControl||supportedExtension||supportedFeatures||supportedLDAPVersion||supportedSASLMechanisms||vendorName||vendorVersion")(version 3.0; acl "User-Visible Root DSE Operational Attributes"; allow (read,search,compare) userdn="ldap:///anyone";)
ds-cfg-global-aci: (targetattr="createTimestamp||creatorsName||modifiersName||modifyTimestamp||entryDN||entryUUID||subschemaSubentry")(version 3.0; acl "User-Visible Operational Attributes"; allow (read,search,compare) userdn="ldap:///anyone";)
ds-cfg-global-aci: (target="ldap:///dc=replicationchanges")(targetattr="*")(version 3.0; acl "Replication backend access"; deny (all) userdn="ldap:///anyone";)

Ini adalah acis yang ditambahkan oleh instalasi OpenAM.

aci: (target="ldap:///dc=testbase")(targetattr="*")(version 3.0; acl "OpenSSO datastore configuration bind  user all rights under the root suffix"; allow (all) userdn = "ldap:///cn=openssouser,ou=opensso adminusers,dc=testbase"; )
aci: (target="ldap:///dc=testbase")(targetattr="*")(version 3.0; acl "OpenSSO Authn bind ldap user rights"; allow (read,search) userdn = "ldap:///cn=ldapuser,ou=opensso adminusers,dc=testbase"; )
aci: (targetcontrol = "2.16.840.1.113730.3.4.3")(version 3.0; acl "Allow Persistent Search for the OpenSSO datastore config bind user"; allow (all) userdn = "ldap:///cn=openssouser,ou=opensso adminusers,dc=testbase";)
aci: (targetattr = "objectclass || inetuserstatus || ds-pwp-account-disabled || iplanet-am-user-login-status || iplanet-am-user-account-life || iplanet-am-session-quota-limit || iplanet-am-user-alias-list ||  iplanet-am-session-max-session-time || iplanet-am-session-max-idle-time || iplanet-am-session-get-valid-sessions || iplanet-am-session-destroy-sessions || iplanet-am-session-add-session-listener-on-all-sessions || iplanet-am-user-admin-start-dn || iplanet-am-auth-post-login-process-class || iplanet-am-user-federation-info || iplanet-am-user-federation-info-key || sun-fm-saml2-nameid-info || sun-fm-saml2-nameid-infokey || sunAMAuthInvalidAttemptsData || memberof || member")(targetfilter="(!(userdn=cn=openssouser,ou=opensso adminusers,dc=testbase))")(version 3.0; acl "OpenSSO User self modification denied for these attributes"; deny (write) userdn ="ldap:///self";)

Saya mencoba menambahkan aci ini tanpa hasil

aci: (targetattr = "ds-pwp-account-disabled")(targetfilter="(&(userdn=cn=openssouser,ou=opensso adminusers,dc=testbase))")(version 3.0; acl "OpenSSO User allow modification of ds-pwp-account-disabled"; allow (read,write) userdn ="ldap:///self";)

Jika saya menambahkan ds-privilege-name: bypass-acl ke openssouser , saya dapat memodifikasi atribut itu. Namun, saya enggan menambahkan hak istimewa ini karena saya tidak sepenuhnya menyadari konsekuensi potensial. Ada solusi lain?

Jawaban:


0

Apakah aci saya salah. Seharusnya:

aci: (targetattr = "ds-pwp-account-disabled")(version 3.0; acl "OpenSSO User allow modification of ds-pwp-account-disabled"; allow (read,write) userdn = "ldap:///cn=openssouser,ou=opensso adminusers,dc=testbase";)

Masih tidak yakin aci mana yang mencegah modifikasi ini pada awalnya?


dapatkah Anda menyarankan cara memperbarui ACI ini di OPenDJ
Gautam
Dengan menggunakan situs kami, Anda mengakui telah membaca dan memahami Kebijakan Cookie dan Kebijakan Privasi kami.
Licensed under cc by-sa 3.0 with attribution required.