Using [This] to replace ACL Template on User object

  • 7008292
  • 05-Apr-2011
  • 26-Apr-2012

Environment

Novell eDirectory 8.8 for All Platforms
Novell eDirectory 8.7.3 for All Platforms

Situation

Reduce the number of ACLs created in tree for every user object.

Fix missing ACLs when ACL Template values are missing.


How to use Inherited ACLs to replace or suppress specific ACL values on a User added from the ACL Template definition in Schema

Resolution

The default User Class Definition includes the following ACL definitions. The special thing about the ACL Template is that during the object creation, these rights are evaluated, and if the designated Right is already present, then an additional ACL to grant that right is not added to the object.


ACL

Count: 5

Privileges

Attribute

Trustee

Supervisor, Inherit(implied)

[Entry Rights]

.admin.novell.TEST-TREE.

Browse, Inherit(implied)

[Entry Rights]

.[Public].

Write, Self, Inherit

nsimHint

.[This].

Write, Self, Inherit

nsimPasswordReminder

.[This].

Read

sssActiveServerList

.[Public].

Screen capture from iMonitor of the Tree root object

In a default installation, the Tree root object will have the ACLs shown above. The first grants the Admin object Supervisor rights for the whole tree. The second grants [Public] (any non-authenticated connection, such as an LDAP anonymous bind) the right to browse entries, or in other words, see the names of the objects in the tree. This only allows the such a client to see the names of objects, and also the ability to read any attributes flagged in schema as “Public Read”. The other three ACLs are feature specific ACLs. The third and fourth ACLs here use a special trustee target of [This]. Like [Public], [This] is not a real object. What it refers to is the specific object where rights are being evaluated. So these next two ACLs grant Write rights (Self is not meaningful here) to the nsimHint and nsimPasswordReminder attributes for individual objects. This means that every user (or other object) can modify their own nsimHint attribute, but not see or modify any other user's nsimHint attribute, for example. The last ACL grants [Public] the right to read the sssActiveServerList attribute, which allows unauthenticated connections the ability to find a Server running SecretStore to finish the login process.

The original ACL Template on a User Object contains the following:

Default ACLs

Privileges

Attribute

Trustee

Read, Inherit(implied)

[All Attributes Rights]

.[Self].

Read, Write

Login Script

.[Self].

Browse, Inherit(implied)

[Entry Rights]

.[Root Template].

Read

Message Server

.[Public].

Read

Group Membership

.[Root Template].

Read, Write

Print Job Configuration

.[Self].

Read

Network Address

.[Root Template].

Screen capture from iMonitor of the ACL Template section of the User class definition

Some of these rights are generic, thus the rights for [Root Template], which will translate to the Tree root object, are the same on every object. But the rights for [Self] which is a special target meaning the object itself, end up creating an ACL with the object itself as the trustee for its own attribute.


Creating a new user One.test.novell with default ACL templates as above will generate the following set of ACLs:

ACL 

Count: 6

Privileges

Attribute

Trustee

Read, Inherit(implied)

[All Attributes Rights]

.One.test.novell.TEST-TREE.

Read, Write

Login Script

.One.test.novell.TEST-TREE.

Read

Message Server

.[Public].

Read

Group Membership

.TEST-TREE.

Read, Write

Print Job Configuration

.One.test.novell.TEST-TREE.

Read

Network Address

.TEST-TREE.

Screen capture of ACLs section of the One.test.novell object

Note that there is a specific ACL created for each of the values from the ACL Template, except for the third value, which grants [Entry] Browse rights to [Root]. This ACL is suppressed, because of the already existing ACL on the tree root granting [Entry] Browse rights to [Public]. Thus an additional ACL is not needed for any object to receive that particular right.

With that knowledge, we can grant new inheritable ACLs at the Tree root, and suppress all the initial ACLs, or replace the rights granted individually on each object with inheritable rights for all objects, which cuts down dramatically on the number of ACLs present in the tree, and the number needed to be evaluated to determine appropriate rights for any given operation.

We can use the special ACL target [This] in place of the ACL template target [Self]. Thus if we add new ACLS to the Tree root object to make it look as follows (new ACLs from the Message Server down):

ACL 

Count: 12

Privileges

Attribute

Trustee

Supervisor, Inherit(implied)

[Entry Rights]

.admin.novell.TEST-TREE.

Browse, Inherit(implied)

[Entry Rights]

.[Public].

Write, Self, Inherit

nsimHint

.[This].

Write, Self, Inherit

nsimPasswordReminder

.[This].

Read

sssActiveServerList

.[Public].

Read, Inherit

Message Server

.[Public].

Read, Inherit(implied)

[All Attributes Rights]

.[This].

Read, Write, Inherit

Login Script

.[This].

Read, Write, Inherit

Print Job Configuration

.[This].

Browse, Inherit(implied)

[Entry Rights]

.TEST-TREE.

Read, Inherit

Group Membership

.TEST-TREE.

Read, Inherit

Network Address

.TEST-TREE.

Screen capture from iMonitor of newly added inheritable ACLs

Note that this shows a line for Browse [Entry Rights] for [Public] and a line for Browse [Entry Rights] for the Tree Root object. Rights for the Tree Root object mean that any logged in connection will have those rights, whereas [Public] rights are given even to not logged in connections. In this case, the rights for the Tree Root object are extraneous, since the [Public] rights are greater. That particular ACL was added just to show how to match the original rights from the ACL template.  Also, unless you are still using the now ancient queue based NetWare printing, you likely don't need the ACL for "Print Job Configuration".

Now creating a new user Two.test.novell generates no ACLs on the user object, but yet Two still has the exact same rights as the One user created earlier. Note that if you change your mind, and decide to go back to using the ACL template and having specific ACLs on the user objects (which means removing the ACLs just added on the Tree Root object) that any object created while those ACLs were in effect will now not have the desired rights. You will have to go and manually add the necessary rights to restore the missing rights.