How to Modify the default ACL Templates in Schema

  • 7006754
  • 30-Aug-2010
  • 26-Apr-2012

Environment

Novell eDirectory 8.7 for All Platforms
Novell eDirectory 8.7.1 for All Platforms
Novell eDirectory 8.7.3 for All Platforms
Novell eDirectory 8.8 for All Platforms

Situation

Beginning with eDirectory 8.7, it is possible to modify the default ACL Templates for existing class definitions.  This is not an officially supported feature, because it is possible to remove rights that are critical for the proper operation of applications by doing this.  For some installations, they may not need or want some specific default ACLs to be created when objects are created.  In this case, it is possible to modify a class definition to remove some of the default ACL Templates and change the rights a new object will be created with.  It is also possible to add new ACL templates and grant additional rights, if desired.

How to Modify the default ACL Templates in Schema

Objects created with more default rights than desired

Resolution

It is not possible to give an specific mechanism that will work on any generic tree, because every tree has different schema installed.  This is an example of how to create the necessary LDIF file that can be used to modify the ACL Templates for an object.  This example shows how to delete two ACL templates from the user class definition in a sample eDirectory tree with minimal extra schema installed. To delete one or more ACL Template values from the User class definition using ICE, do the following steps.

1. Export the user class definition using ICE from iManager:

        a. On the first screen in ICE, select the export data radio button
        b. On the second screen, fill in the server IP address, leave all other defaults as is
        c. On the third screen, set Base DN box value to "cn=schema", click the "Base" radio button,set the Search Filter box to "objectclasses=inetOrgPerson", leave all user attributes radio button selected.
        d. On the fourth screen, leave file type as LDIF
        e. On the fifth screen, click finish


When complete, a file named export.ldf will be created in sys:tomcat\4\webapps\nps\WEB_INF\temp\<random ice directory>\.  With iManager 2.7, you should see a download export file link to you can click to get the output file, rather than having to get it from the tomcat subdirectory.  The file should look something like this (Note that the list of attributes following MAY will likely be somewhat different, and could be much different depending on the products that have been installed in your tree. This example is from a tree with only NetWare 6.5 installed and no additional products):


#This LDIF file was generated by Novell's ICE and the LDIF destination handler. version: 1

dn: cn=schema
changetype: add
objectClasses: ( 2.16.840.1.113730.3.2.2 NAME 'inetOrgPerson' SUP ( organizati
 onalPerson $ ndsLoginProperties ) STRUCTURAL MAY ( groupMembership $ ndsHome
 Directory $ loginAllowedTimeMap $ loginDisabled $ loginExpirationTime $ logi
 nGraceLimit $ loginGraceRemaining $ loginIntruderAddress $ loginIntruderAtte
 
mpts $ loginIntruderResetTime $ loginMaximumSimultaneous $ loginScript $ log
 
inTime $ networkAddressRestriction $ networkAddress $ passwordsUsed $ passwo
 rdAllowChange $ passwordExpirationInterval $ passwordExpirationTime $ passwo
 rdMinimumLength $ passwordRequired $ passwordUniqueRequired $ printJobConfig
 uration $ privateKey $ Profile $ publicKey $ securityEquals $ accountBalance
 $ allowUnlimitedCredit $ minimumAccountBalance $ messageServer $ Language $
 
lockedByIntruder $ serverHolds $ lastLoginTime $ typeCreatorMap $ higherPri
 vileges $ printerControl $ securityFlags $ profileMembership $ Timezone $ sA
 SServiceDN $ sASSecretStore $ sASSecretStoreKey $ sASSecretStoreData $ sASPK
 IStoreKeys $ userCertificate $ nDSPKIUserCertificateInfo $ nDSPKIKeystore $
 
rADIUSActiveConnections $ rADIUSAttributeLists $ rADIUSConcurrentLimit $ rAD
 IUSConnectionHistory $ rADIUSDefaultProfile $ rADIUSDialAccessGroup $ rADIUS
 EnableDialAccess $ rADIUSPassword $ rADIUSServiceList $ audio $ businessCate
 gory $ carLicense $ departmentNumber $ employeeNumber $ employeeType $ displ
 ayName $ givenName $ homePhone $ homePostalAddress $ initials $ jpegPhoto $
 
labeledUri $ mail $ manager $ mobile $ o $ pager $ ldapPhoto $ preferredLang
 uage $ roomNumber $ secretary $ uid $ userSMIMECertificate $ x500UniqueIdent
 ifier $ userPKCS12 $ nRDRegistryData $ nRDRegistryIndex $ nDPSControlFlags $
 
nDPSDefaultPrinter $ nDPSDefaultPublicPrinter $ nDPSPrinterInstallList $ nD
 PSPublicPrinterInstallList $ nDPSPrinterInstallTimestamp $ nDPSReplaceAllCli
 entPrinters $ nrmGroupMonitorData $ nisUserGroupDomain $ userPassword ) X-ND
 S_NAME 'User' X-NDS_NOT_CONTAINER '1' X-NDS_NONREMOVABLE '1' X-NDS_
ACL_TEMPL
 ATES ( '2#subtree#[Self]#[All Attributes Rights]' '6#entry#[Self]#loginScrip
 t' '1#subtree#[Root Template]#[Entry Rights]' '2#entry#[Public]#messageServe
 r' '2#entry#[Root Template]#groupMembership''6#entry#[Self]#printJobConfigur
 ation' '2#entry#[Root Template]#networkAddress') )

2. Modify the output file to delete the desired ACL templates (the highlighted values in this case). In this case, we are deleting [Root]'s rights (essentially, anyone logged into the tree) to read the 'groupMembership' attribute and the 'networkAddress' Edit the file to look something like this:

version: 1

dn: cn=schema
changetype: modify
delete:
objectClasses
objectClasses: ( 2.16.840.1.113730.3.2.2 )
-
add:
objectClasses
objectClasses: ( 2.16.840.1.113730.3.2.2 NAME 'inetOrgPerson' SUP organization
 
alPerson STRUCTURAL MAY ( groupMembership $ ndsHomeDirectory $ loginAllowedT
 imeMap $ loginDisabled $ loginExpirationTime $ loginGraceLimit $ loginGraceR
 emaining $ loginIntruderAddress $ loginIntruderAttempts $ loginIntruderReset
 Time $ loginMaximumSimultaneous $ loginScript $ loginTime $ networkAddressRe
 striction $ networkAddress $ passwordsUsed $ passwordAllowChange $ passwordE
 xpirationInterval $ passwordExpirationTime $ passwordMinimumLength $ passwor
 dRequired $ passwordUniqueRequired $ printJobConfiguration $ privateKey $ Pr
 
ofile $ publicKey $ securityEquals $ accountBalance $ allowUnlimitedCredit $
 
minimumAccountBalance $ messageServer $ Language $ UID $ lockedByIntruder $
 
serverHolds $ lastLoginTime $ typeCreatorMap $ higherPrivileges $ printerCo
 ntrol $ securityFlags $ profileMembership $ Timezone $ sASServiceDN $ sASSec
 retStore $ sASSecretStoreKey $ sASSecretStoreData $ sASPKIStoreKeys $ userCe
 rtificate $ nDSPKIUserCertificateInfo $ nDSPKIKeystore $ rADIUSActiveConnect
 ions $ rADIUSAttributeLists $ rADIUSConcurrentLimit $ rADIUSConnectionHistor
 y $ rADIUSDefaultProfile $ rADIUSDialAccessGroup $ rADIUSEnableDialAccess $
 
rADIUSPassword $ rADIUSServiceList $ audio $ businessCategory $ carLicense $
 
departmentNumber $ employeeNumber $ employeeType $ displayName $ givenName
 $
homePhone $ homePostalAddress $ initials $ jpegPhoto $ labeledUri $ mail $
 manager $ mobile $
o $ pager $ ldapPhoto $ preferredLanguage $ roomNumber $
 secretary $
uid $ userSMIMECertificate $ x500UniqueIdentifier $ userPKCS12
 $
nRDRegistryData $ nRDRegistryIndex $ nDPSControlFlags $ nDPSDefaultPrinter
 $ nDPSDefaultPublicPrinter $ nDPSPrinterInstallList $ nDPSPublicPrinterInst
 allList $ nDPSPrinterInstallTimestamp $ nDPSReplaceAllClientPrinters $ nrmGr
 oupMonitorData $ userPassword $ nisUserGroupDomain ) X-NDS_NAME 'User' X-NDS
 _NOT_CONTAINER '1' X-NDS_NONREMOVABLE '1' X-NDS_
ACL_TEMPLATES ( '2#subtree#[
 Self]#[All Attributes Rights]' '6#entry#[Self]#
loginScript' '1#subtree#[Root
 Template]#[Entry Rights]' '2#entry#[Public]#
messageServer'
 '6#entry#[Self]#
printJobConfiguration' ) )

Note that the differences here is that a delete operation was inserted before the add operation, and that the highlighted values were removed. This file can now be used as input to ICE to remove the two desired ACL templates from the User class definition.

3. Delete the ACL Templates using ICE from iManager:

a. On the first screen in ICE, select the import data radio button

b. On the second screen, browse to and select the file you just created above.

c. On the third screen, enter the IP address of the server to make the change on. Note that this server must hold a replica of the Root partition. You can read the schema without being authenticated, but you can not modify it unless you are a Tree Admin. Select the authenticated login radio button, then fill in the dn of the admin, e.g. “cn=admin,o=novell”. Then enter the password, and deselect the LBURP checkbox.

d. On the fourth screen, click finish. This will execute the LDIF command, and remove the two ACL templates from the User class definition.

 

If you go through the first step again to read the user class definition, you will see that the two ACL templates have been removed..

Additional Information

WARNING:  Changing the Default ACL Templates is a potentially very serious operation.  If not done properly, either too many rights or insufficient rights can be granted to all new objects created after the corresponding ACL Template has been changed.   There may be applications that depend on the rights that are already present, if you choose to remove any of the existing ACL Templates.  Given this information, if you don't know exactly what you are trying to accomplish, and what the actual effects of modifying/adding/removing any ACL Templates, then you should not attempt to make any changes.
Note that this will only succeed on a server running eDirectory 8.7 or later.  The changes will synchronize throughout the tree, including to any older versions of eDirectory.  If you run DSRepair, and select the Rebuild Operational Schema option on 8.7 or later server, it will not modify the changes you make.  However, if you run that option on any earlier version, the original default ACL templates will be restored to any modified base schema elements, such as the User class definition modified in this example.
Formerly known as TID# 10092621

Feedback service temporarily unavailable. For content questions or problems, please contact Support.