
Removal of the o=netscapeRoot Suffix

In previous versions of Directory Server, centralized administration information was kept in
o=netscapeRoot. In the new administration model, the concept of a configuration directory
server no longer exists. The o=netscapeRoot suffix is no longer required, and the netscapeRoot
database files are therefore not migrated. The configuration data for this suffix can be migrated,
if it is specifically required.

Changes to ACIs

The following changes have been made to ACIs in Directory Server 6.0.

Changes in the ACI Scope

In Directory Server 5.2 ACIs on the root DSE had base scope. In Directory Server 6.0, ACIs on
the root DSE have global scope by default, equivalent to targetscope="subtree".

To reproduce the same behavior as Directory Server 5.2, add targetscope="base" to ACIs on
the root DSE. If you use dsmig to migrate the configuration, this is done automatically.

Changes in Suffix-Level ACIs

In Directory Server 5.2, the following ACI was provided, at the suffix level:

aci: (targetattr != "nsroledn || aci || nsLookThroughLimit ||
 nsSizeLimit || nsTimeLimit || nsIdleTimeout || passwordPolicySubentry ||
 passwordExpirationTime || passwordExpWarned || passwordRetryCount ||
 retryCountResetTime || accountUnlockTime || passwordHistory ||
 passwordAllowChangeTime")(version 3.0; acl "Allow self entry modification
 except for nsroledn, aci, resource limit attributes, passwordPolicySubentry
 and password policy state attributes"; allow (write)userdn ="ldap:///self";)

This ACI allowed self-modification of user passwords, among other things. This ACI is no
longer provided in Directory Server 6.0. Instead, the following global ACIs are provided by
default:

aci: (targetattr != "aci") (targetscope = "base") (version 3.0;
 acl "Enable read access to rootdse for anonymous users";
 allow(read,search,compare) userdn="ldap:///anyone"; )

aci: (targetattr = "*") (version 3.0; acl "Enable full access
 for Administrators group";
 allow (all)(groupdn =
 "ldap:///cn=Administrators,cn=config"); )
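The two behavioural changes on this page (root DSE ACIs widening from base to subtree scope, and the self-modification ACI that granted users write access to their own userPassword no longer being shipped) are easy to miss in a migrated configuration. The following script is an added example, not part of the Sun guide and not the dsmig tool: it parses the three ACIs quoted above (copied here as constructed strings, all written with the `acl` keyword), reports which root DSE ACIs reach further on 6.0 than they did on 5.2, shows the `targetscope = "base"` insertion the text says dsmig performs, and checks whether any ACI still lets a user write their own password. The parser handles only the ACI syntax shown on this page; the function and class names are the example's own.

```python
"""Parse Directory Server ACIs and audit the 5.2 -> 6.0 scope and self-write changes.
Added example, not code from the Sun migration guide; covers only the syntax shown above."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Target clauses come before the "(version 3.0; ...)" body, e.g. (targetattr != "a || b") (targetscope = "base")
TARGET_RE = re.compile(r'\(\s*(targetattr|targetscope|target)\s*(!?=)\s*"([^"]*)"\s*\)')
# Body: (version 3.0; acl "name"; allow (rights) bindrule; ...)
BODY_RE = re.compile(r'\(\s*version\s+3\.0\s*;\s*acl\s+"([^"]*)"\s*;(.*)\)\s*$', re.S)
RULE_RE = re.compile(r'(allow|deny)\s*\(([^)]*)\)\s*([^;]*);')
BIND_RE = re.compile(r'(\w+)\s*(!?=)\s*"([^"]*)"')

# Sample ACIs copied from the text above (constructed strings, whitespace normalized).
SUFFIX_ACI_52 = '''aci: (targetattr != "nsroledn || aci || nsLookThroughLimit ||
 nsSizeLimit || nsTimeLimit || nsIdleTimeout || passwordPolicySubentry ||
 passwordExpirationTime || passwordExpWarned || passwordRetryCount ||
 retryCountResetTime || accountUnlockTime || passwordHistory ||
 passwordAllowChangeTime")(version 3.0; acl "Allow self entry modification
 except for nsroledn, aci, resource limit attributes, passwordPolicySubentry
 and password policy state attributes"; allow (write)userdn ="ldap:///self";)'''
ROOTDSE_ANON_60 = '''aci: (targetattr != "aci") (targetscope = "base") (version 3.0;
 acl "Enable read access to rootdse for anonymous users";
 allow(read,search,compare) userdn="ldap:///anyone"; )'''
ADMIN_60 = '''aci: (targetattr = "*") (version 3.0; acl "Enable full access
 for Administrators group"; allow (all)(groupdn =
 "ldap:///cn=Administrators,cn=config"); )'''


@dataclass
class Rule:
    verb: str             # allow / deny
    rights: frozenset     # e.g. {"read", "search", "compare"} or {"all"}
    bind_key: str         # userdn / groupdn
    bind_value: str       # e.g. ldap:///self


@dataclass
class Aci:
    name: str
    attrs: frozenset            # attributes named in targetattr ("*" = every attribute)
    attrs_negated: bool         # True for targetattr != "..."
    targetscope: Optional[str]  # None when the ACI does not set one
    rules: list = field(default_factory=list)

    def covers_attr(self, attr: str) -> bool:
        """Does the targetattr clause match this attribute?"""
        names = {a.lower() for a in self.attrs}
        if "*" in names and not self.attrs_negated:
            return True
        hit = attr.lower() in names
        return (not hit) if self.attrs_negated else hit


def parse_aci(text: str) -> Aci:
    text = text.strip()
    if text.lower().startswith("aci:"):
        text = text[4:].strip()
    body = BODY_RE.search(text)
    if not body:
        raise ValueError("not a version 3.0 ACI: " + text[:40])
    attrs, negated, scope = frozenset({"*"}), False, None
    for key, op, val in TARGET_RE.findall(text[:body.start()]):
        if key == "targetattr":
            attrs = frozenset(a.strip() for a in val.split("||") if a.strip())
            negated = op == "!="
        elif key == "targetscope":
            scope = val.lower()
    rules = []
    for verb, rights, bind in RULE_RE.findall(body.group(2)):
        m = BIND_RE.search(bind)
        if not m:
            raise ValueError("unparsed bind rule: " + bind)
        rules.append(Rule(verb, frozenset(r.strip() for r in rights.split(",")), m.group(1), m.group(3)))
    return Aci(" ".join(body.group(1).split()), attrs, negated, scope, rules)


def effective_scope(aci: Aci, server_version: str, on_root_dse: bool = True) -> str:
    """5.2 applied base scope to root DSE ACIs; 6.0 uses the explicit targetscope, else subtree."""
    if aci.targetscope:
        return aci.targetscope
    if server_version.startswith("5.2") and on_root_dse:
        return "base"
    return "subtree"


def widened_by_migration(acis) -> list:
    """Names of root DSE ACIs whose reach grows on 6.0 unless pinned with targetscope="base"."""
    return [a.name for a in acis if effective_scope(a, "5.2") != effective_scope(a, "6.0")]


def pin_to_base(aci_text: str) -> str:
    """Insert (targetscope = "base") before the version clause, the fix the text describes."""
    if re.search(r'\(\s*targetscope', aci_text):
        return aci_text
    return re.sub(r'\(\s*version\s+3\.0', '(targetscope = "base") (version 3.0', aci_text, count=1)


def grants_self_password_write(acis) -> bool:
    """True if some ACI lets a bound user write their own userPassword (the 5.2 suffix ACI did)."""
    return any(r.verb == "allow" and ({"write", "all"} & r.rights)
               and r.bind_key == "userdn" and r.bind_value == "ldap:///self"
               and a.covers_attr("userPassword")
               for a in acis for r in a.rules)


if __name__ == "__main__":
    defaults = [parse_aci(ROOTDSE_ANON_60), parse_aci(ADMIN_60)]
    print("root DSE ACIs widened on 6.0:", widened_by_migration(defaults))
    print("self password write, 5.2 suffix ACI:", grants_self_password_write([parse_aci(SUFFIX_ACI_52)]))
    print("self password write, 6.0 defaults:  ", grants_self_password_write(defaults))
    print(pin_to_base(ADMIN_60))
```

Run against an exported LDIF, the two audit functions answer the questions this page raises after a migration: which root DSE ACIs now apply to the whole tree, and whether users can still change their own passwords (if they cannot, an equivalent of the 5.2 suffix ACI has to be added deliberately, since 6.0 no longer provides it).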

Sun Java System Directory Server Enterprise Edition 6.0 Migration Guide • March 2007

70

Sun Confidential: Registered