156 lines
7.6 KiB
HTML
156 lines
7.6 KiB
HTML
|
<?xml version="1.0" encoding="utf-8"?>
|
||
|
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
|
||
|
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
|
||
|
<html xmlns="http://www.w3.org/1999/xhtml" lang="en-US" xml:lang="en-us">
|
||
|
<head>
|
||
|
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
|
||
|
<meta name="dc.language" scheme="rfc1766" content="en-us" />
|
||
|
<!-- All rights reserved. Licensed Materials Property of IBM -->
|
||
|
<!-- US Government Users Restricted Rights -->
|
||
|
<!-- Use, duplication or disclosure restricted by -->
|
||
|
<!-- GSA ADP Schedule Contract with IBM Corp. -->
|
||
|
<meta name="dc.date" scheme="iso8601" content="2005-09-06" />
|
||
|
<meta name="copyright" content="(C) Copyright IBM Corporation 1998, 2006" />
|
||
|
<meta name="security" content="public" />
|
||
|
<meta name="Robots" content="index,follow"/>
|
||
|
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
|
||
|
<title>Directory Server (LDAP) - Change the ACI and entry owner values</title>
|
||
|
<link rel="stylesheet" type="text/css" href="ibmidwb.css" />
|
||
|
<link rel="stylesheet" type="text/css" href="ic.css" />
|
||
|
</head>
|
||
|
<body>
|
||
|
<a id="Top_Of_Page" name="Top_Of_Page"></a><!-- Java sync-link -->
|
||
|
<script language = "Javascript" src = "../rzahg/synch.js" type="text/javascript"></script>
|
||
|
|
||
|
|
||
|
<a name="rzahymodaci"></a>
|
||
|
<h4 id="rzahymodaci">Change the ACI and entry owner values</h4>
|
||
|
<dl>
|
||
|
<dt class="bold">Modify-replace</dt>
|
||
|
<dd>Modify-replace works the same way as all other attributes. If the attribute
|
||
|
value does not exist, create the value. If the attribute value exists, replace
|
||
|
the value.
|
||
|
<p>Given the following ACIs for an entry: </p>
|
||
|
<pre class="xmp">aclEntry: group:cn=Dept ABC,o=IBM:normal:grant:rsc
|
||
|
aclPropagate: true </pre><p class="indatacontent">perform the following change: </p>
|
||
|
<pre class="xmp">dn: cn=some entry
|
||
|
changetype: modify
|
||
|
replace: aclEntry
|
||
|
aclEntry: group:cn=Dept XYZ,o=IBM:normal:grant:rsc
|
||
|
</pre><p class="indatacontent">The resulting ACI is: </p>
|
||
|
<pre class="xmp">aclEntry: group:cn=Dept XYZ,o=IBM:normal:grant:rsc
|
||
|
aclPropagate: true </pre><p class="indatacontent">ACI values for Dept ABC are lost through the replace.</p>
|
||
|
<p>Given the following ACIs for an entry: </p>
|
||
|
<pre class="xmp">ibm-filterAclEntry: group:cn=Dept ABC,o=IBM:(cn=Manager ABC):normal
|
||
|
:grant:rsc
|
||
|
ibm-filterAclInherit: true </pre><p class="indatacontent">perform the following changes: </p>
|
||
|
<pre class="xmp">dn: cn=some entry
|
||
|
changetype: modify
|
||
|
replace: ibm-filterAclEntry
|
||
|
ibm-filterAclEntry: group:cn=Dept XYZ,o=IBM:(cn=Manager XYZ):normal
|
||
|
:grant:rsc
|
||
|
|
||
|
dn: cn=some entry
|
||
|
changetype: modify
|
||
|
replace: ibm-filterAclInherit
|
||
|
ibm-filterAclInherit: false </pre><p class="indatacontent">The resulting ACI is: </p>
|
||
|
<pre class="xmp">ibm-filterAclEntry: group:cn=Dept XYZ,o=IBM:(cn=Manager XYZ):normal
|
||
|
:grant:rsc
|
||
|
ibm-filterAclInherit: false </pre><p class="indatacontent">ACI values for Dept ABC are lost through
|
||
|
the replace.</p>
|
||
|
</dd>
|
||
|
<dt class="bold">Modify-add</dt>
|
||
|
<dd>During an ldapmodify-add, if the ACI or entryOwner does not exist, the
|
||
|
ACI or entryOwner with the specific values is created. If the ACI or entryOwner
|
||
|
exists, then add the specified values to the given ACI or entryOwner. For
|
||
|
example, given the ACI:
|
||
|
<pre class="xmp"> aclEntry: group:cn=Dept XYZ,o=IBM:normal:grant:rsc</pre>with a modification:
|
||
|
<pre class="xmp">dn: cn=some entry
|
||
|
changetype: modify
|
||
|
add: aclEntry
|
||
|
aclEntry: group:cn=Dept ABC,o=IBM:at.attribute1:grant:rsc </pre>would yield
|
||
|
an multi-valued aclEntry of:
|
||
|
<pre class="xmp">aclEntry: group:cn=Dept XYZ,o=IBM:normal:grant:rsc
|
||
|
aclEntry: group:cn=Dept ABC,o=IBM:at.attribute1:grant:rsc </pre>
|
||
|
<p>For example,
|
||
|
given the ACI: </p>
|
||
|
<pre class="xmp">Ibm-filterAclEntry: group:cn=Dept XYZ,o=IBM:(cn=Manager XYZ):normal
|
||
|
:grant:rsc </pre><p class="indatacontent">with a modification: </p>
|
||
|
<pre class="xmp">dn: cn=some entry
|
||
|
changetype: modify
|
||
|
add: ibm-filterAclEntry
|
||
|
ibm-filterAclEntry: group:cn=Dept ABC,o=IBM:(cn=Manager ABC)
|
||
|
:at.attribute1:grant:rsc </pre><p class="indatacontent">would yield an multi-valued
|
||
|
aclEntry of: </p>
|
||
|
<pre class="xmp">Ibm-filterAclEntry: group:cn=Dept XYZ,o=IBM:(cn=Manager XYZ):normal
|
||
|
:grant:rsc
|
||
|
ibm-filterAclEntry: group:cn=Dept ABC,o=IBM:(cn=Manager ABC):at.attribute1
|
||
|
:grant:rsc</pre>
|
||
|
<p>The permissions under the same attribute
|
||
|
or attribute class are considered as the basic building blocks and the actions
|
||
|
are considered as the qualifiers. If the same permission value is being added
|
||
|
more than once, only one value is stored. If the same permission value is
|
||
|
being added more than once with different action values, the last action value
|
||
|
is used. If the resulting permission field is empty (""), this permission
|
||
|
value is set to null and the action value is set to <span class="bold">grant</span></p>.
|
||
|
<p>For example, given the following ACI: </p>
|
||
|
<pre class="xmp"> aclEntry: group:cn=Dept XYZ,O=IBM:normal:grant:rsc
|
||
|
</pre><p class="indatacontent">with a modification: </p>
|
||
|
<pre class="xmp">dn: cn=some entry
|
||
|
changetype: modify
|
||
|
add: aclEntry
|
||
|
aclEntry: group:cn=Dept XYZ,o=IBM:normal:deny:r:critical:deny::sensitive
|
||
|
:grant:r
|
||
|
</pre><p class="indatacontent">yields an aclEntry of: </p>
|
||
|
<pre class="xmp">aclEntry: group:cn=Dept XYZ,O=IBM:normal:grant:sc:normal:deny:r:critical
|
||
|
:grant::sensitive:grant:r
|
||
|
</pre>
|
||
|
<p>For example, given the following ACI: </p>
|
||
|
<pre class="xmp">Ibm-filterAclEntry: group:cn=Dept XYZ,O=IBM:(cn=Manager XYZ):normal
|
||
|
:grant:rsc </pre><p class="indatacontent">with a modification: </p>
|
||
|
<pre class="xmp">dn: cn=some entry
|
||
|
changetype: modify
|
||
|
add: ibm-filterAclEntry
|
||
|
ibm-filterAclEntry: group:cn=Dept XYZ,o=IBM:(cn=Manager XYZ):normal
|
||
|
:deny:r:critical:deny::sensitive:grant:r</pre><p class="indatacontent">yields an
|
||
|
aclEntry of: </p>
|
||
|
<pre class="xmp">ibm-filterAclEntry: group:cn=Dept XYZ,O=IBM:(cn=Manager XYZ):normal
|
||
|
:grant:sc:normal:deny:r:critical:grant::sensitive
|
||
|
:grant:r </pre>
|
||
|
</dd>
|
||
|
<dt class="bold">Modify-delete</dt>
|
||
|
<dd>To delete a particular ACI value, use the regular ldapmodify-delete
|
||
|
syntax.
|
||
|
<p>Given an ACI of: </p>
|
||
|
<pre class="xmp">aclEntry: group:cn=Dept XYZ,o=IBM:object:grant:ad
|
||
|
aclEntry: group:cn=Dept XYZ,o=IBM:normal:grant:rwsc
|
||
|
|
||
|
dn: cn = some entry
|
||
|
changetype: modify
|
||
|
delete: aclEntry
|
||
|
aclEntry: group:cn=Dept XYZ,o=IBM:object:grant:ad </pre><p class="indatacontent">yields a remaining
|
||
|
ACI on the server of :</p>
|
||
|
<pre class="xmp">aclEntry: group:cn=Dept XYZ,o=IBM:normal:grant:rwsc
|
||
|
</pre>
|
||
|
<p>Given an ACI of: </p>
|
||
|
<pre class="xmp">ibm-filterAclEntry: group:cn=Dept XYZ,o=IBM:(cn=Manager XYZ):object
|
||
|
:grant:ad
|
||
|
ibm-filterAclEntry: group:cn=Dept XYZ,o=IBM:(cn=Manager XYZ):normal
|
||
|
:grant:rwsc
|
||
|
|
||
|
dn: cn = some entry
|
||
|
changetype: modify
|
||
|
delete: ibm-filterAclEntry
|
||
|
ibm-filterAclEntry: group:cn=Dept XYZ,o=IBM:(cn=Manager XYZ):object
|
||
|
:grant:ad </pre><p class="indatacontent">yields a remaining ACI on the server of: </p>
|
||
|
<pre class="xmp">ibm-filterAclEntry: group:cn=Dept XYZ,o=IBM:(cn=Manager XYZ):normal
|
||
|
:grant:rwsc </pre>
|
||
|
<p>Deleting an ACI or entryOwner value
|
||
|
that does not exist results in an unchanged ACI or entryOwner and a return
|
||
|
code specifying that the attribute value does not exist.</p>
|
||
|
</dd>
|
||
|
</dl>
|
||
|
<a id="Bot_Of_Page" name="Bot_Of_Page"></a>
|
||
|
</body>
|
||
|
</html>
|