ACI Question

I would like to give all members of a group in the directory access to read all attributes except the userPassword. I have created the following ACI:
(targetattr != "userPassword")(version 3.0;acl "Read All Access"; allow (read,compare,search)
(groupdn = "ldap:///cn=Read_All_Access,ou=Groups,dc=pwcglobal,dc=com") ;)
Is this the correct syntax for this? It does not seem to be working, as members of the group can still see the userPassword attribute.
There are no other ACIs conflicting. When I remove my test user from the group it can see nothing, which is what I want.
thanks,

The ACI itself and your results are not incompatible. What your ACI says is that members of the group should be able to read all attributes other than userPassword. The observation that they can read userPassword is not in contradiction, though it is out of scope.
I see that you have asserted that there are no conflicting ACIs. If you want another few sets of eyes on that, could you paste your ACIs into the thread? As I said there is nothing in the single ACI you have pasted that would determine whether members of that group should or should not be able to read the userPassword.
Other suggestions:
1) Remove the ACI entirely and see if the group member you are testing with can still read userPassword.
2) Use the getEffectiveRights control to view ACI rights.
3) Change the ACI to allow read access to all except another, different attribute and see if the same behavior occurs.
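As an added example (not code from this thread, and not Directory Server code), the following Python model captures the evaluation rule the answer above relies on: an ACI with (targetattr != "userPassword") merely scopes its allow to the other attributes, every attribute not covered by some allow stays inaccessible (default deny), and an explicit deny takes precedence over any allow. The ACI text, the group DN and the dc=pwcglobal,dc=com suffix are taken from the question; the bind DN uid=alice,ou=People,dc=pwcglobal,dc=com, the anonymous-read ACI and the deny ACI are constructed for the demonstration, and the parser accepts only the small ACI subset this thread uses (targetattr, one allow or deny, one userdn or groupdn bind rule).

```python
"""Toy model of attribute access decisions from iPlanet/Sun/389-style ACIs.
Added example; handles only targetattr + one allow/deny + one userdn/groupdn rule."""
import re

ACI_RE = re.compile(
    r'\(\s*targetattr\s*(?P<op>!=|=)\s*"(?P<attrs>[^"]*)"\s*\)\s*'
    r'\(\s*version\s+3\.0\s*;\s*acl\s*"(?P<name>[^"]*)"\s*;\s*'
    r'(?P<effect>allow|deny)\s*\((?P<rights>[^)]*)\)\s*'
    r'\(\s*(?P<kind>groupdn|userdn)\s*(?P<sop>!=|=)\s*"(?P<subject>[^"]*)"\s*\)\s*;\s*\)',
    re.S,
)

def _dn(url):
    """Strip the ldap:/// scheme and lower-case for comparison (no DN normalisation)."""
    return url[len("ldap:///"):].lower() if url.startswith("ldap:///") else url.lower()

def parse_aci(text):
    """Parse one ACI value. Anything outside the supported subset (for example a
    stray 'aci:' prefix pasted in with the value) is rejected."""
    m = ACI_RE.fullmatch(text.strip())
    if m is None:
        raise ValueError("unsupported or malformed ACI: %r" % text[:40])
    return {
        "name": m["name"],
        "effect": m["effect"],
        "rights": {r.strip() for r in m["rights"].split(",")},
        "attrs": {a.strip().lower() for a in m["attrs"].split("||")},
        "attr_negated": m["op"] == "!=",
        "kind": m["kind"],
        "subject": m["subject"],
        "subject_negated": m["sop"] == "!=",
    }

def _targets_attr(aci, attr):
    named = "*" in aci["attrs"] or attr.lower() in aci["attrs"]
    # targetattr != "x" scopes the ACI to every attribute except x; it says
    # nothing, allow or deny, about x itself.
    return not named if aci["attr_negated"] else named

def _subject_matches(aci, bind_dn, group_dns):
    subj = aci["subject"]
    if aci["kind"] == "groupdn":
        hit = _dn(subj) in {g.lower() for g in group_dns}
    elif subj == "ldap:///anyone":
        hit = True                        # anonymous binds included
    elif subj == "ldap:///all":
        hit = bind_dn is not None         # any authenticated bind
    else:
        hit = bind_dn is not None and _dn(subj) == bind_dn.lower()
    return not hit if aci["subject_negated"] else hit

def effective_rights(acis, bind_dn, group_dns, attr):
    """Rights the bind identity holds on `attr`: union of matching allows minus
    any matching deny. No matching ACI at all means no access (default deny)."""
    allowed, denied = set(), set()
    for aci in acis:
        if _targets_attr(aci, attr) and _subject_matches(aci, bind_dn, group_dns):
            (allowed if aci["effect"] == "allow" else denied).update(aci["rights"])
    return allowed - denied

# The ACI from the question, verbatim.
READ_ALL = ('(targetattr != "userPassword")(version 3.0;acl "Read All Access"; '
            'allow (read,compare,search)\n'
            '(groupdn = "ldap:///cn=Read_All_Access,ou=Groups,dc=pwcglobal,dc=com") ;)')
# Constructed: the kind of broad anonymous-read ACI that would explain the symptom.
ANON_READ = ('(targetattr = "*")(version 3.0;acl "Anonymous read"; '
             'allow (read,search,compare)(userdn = "ldap:///anyone");)')
# Constructed: an explicit deny, which beats any allow on userPassword.
DENY_PW = ('(targetattr = "userPassword")(version 3.0;acl "Hide passwords"; '
           'deny (read,search,compare)(userdn = "ldap:///anyone");)')
GROUP_DN = "cn=Read_All_Access,ou=Groups,dc=pwcglobal,dc=com"
MEMBER_DN = "uid=alice,ou=People,dc=pwcglobal,dc=com"   # constructed test user

def demo():
    """Walk the cases discussed in the thread; returns the rights found in each."""
    only_read_all = [parse_aci(READ_ALL)]
    anon_too = only_read_all + [parse_aci(ANON_READ)]
    fixed = anon_too + [parse_aci(DENY_PW)]
    return {
        "member_cn": effective_rights(only_read_all, MEMBER_DN, [GROUP_DN], "cn"),
        "member_userpassword": effective_rights(only_read_all, MEMBER_DN, [GROUP_DN], "userPassword"),
        "nonmember_cn": effective_rights(only_read_all, MEMBER_DN, [], "cn"),
        "with_anon_read": effective_rights(anon_too, MEMBER_DN, [GROUP_DN], "userPassword"),
        "after_deny": effective_rights(fixed, MEMBER_DN, [GROUP_DN], "userPassword"),
        "cn_after_deny": effective_rights(fixed, MEMBER_DN, [GROUP_DN], "cn"),
    }

if __name__ == "__main__":
    for case, rights in demo().items():
        print("%-22s %s" % (case, sorted(rights) or "no access"))
```

With only the question's ACI loaded, a group member gets read, compare and search on cn and nothing on userPassword, and a non-member gets nothing, exactly what the poster observed after removing the test user. Add a second, broad allow and userPassword becomes readable; adding the deny closes it again while leaving cn unaffected. On a real server, suggestion 2 above is the authoritative version of this check: the getEffectiveRights control (OID 1.3.6.1.4.1.42.2.27.9.5.2), requested for the test user's bind DN, returns the server's own attribute-level rights, so the interplay of several ACIs never has to be reasoned out by hand.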

Similar Messages

  • Nokia 6230 car hands free ACI question

    hello there,
    I was trying to connect my nokia 6230 to the car's audio AUX input in order to be able to listen to MP3.
    I have a very good knowkedge in Electronics, so i did some changes in the hands-free car kit.
    question is : I noticed that when the car kit is connected to the phone (& the car icon appears), the audio output becomes MONO, which means I can't really enjoy stereo MP3 (with my change I bypasssed the car kit's speaker output with relay only when call is active).
    the audio out pins of the pop port are at pins 11-14.
    BUT - again - when car kit is attached, output pins 13-14 are inactive (only mono from pins 11-12 is available)
    does anyone know how to hack this further more so it becomes stereo ? (I guess it is something with the ACI protocol ?? (pin 3))
    thanks,
    TOM

    The phone is only seeing your "modification" as the basic mono headset. It needs to recognise the ACI chip in the headset, which tells the phone what's plugged in and therefore what audio paths to turn on. Unless you can mimic the ACI info (copyright infringement, so be aware) the phone won't open the second audio path. Message Edited by megadodo on 06-Sep-2007 04:16 PM

  • Shipping Recalled Battery back to ACI Question

    So I got my replacement battery for my powerbook and packaged up the old battery to ship it back. I looked at the label and couldn't tell what carrier sent it or who was supposed to return ship it to ACI. Am I wrong in assuming that Apple is footing the bill for the return shipping? So I read on the enclosed note that it appears that the US Postal Service is supposed to accept the prepackaged label. So I went to my local post office and the agent behind the counter said it wasn't one of their accounts. ***? He said I could send it but I would have to pay. Then they ran the zip code on the return label and it didn't come up right either. Has anyone else had this problem? Is it supposed to go UPS or FedEx or DHL instead of USPS? HELP!!

    From my understanding it is DHL.

  • ACI question: * allowed

    Hi,
    we are trying to simplify our ACIs.
    Now we have one syntax which works on other ACIs, but unfortunately not in this one.
    Can you give me a hint what's wrong?
    aci: (targetattr = "every attribute") (target = "ldap:///ou=xxxou,ou=xxxadmin,l=location,c=country,o=organization") (version 3.0;acl "Allow_xxGroup_to_update_xxxou";allow (all)(groupdn = "ldap:///cn=xxGroup,ou=xxx,ou=*,l=location,c=country,o=organization");)
    This xxGroup exists in different organizationalUnits in l=location,c=country,o=organization, but we've to specify an explicit ou to get it working otherwise we get the following error message:
    ldap_modify: Insufficient access
    ldap_modify: additional info: Insufficient 'write' privilege to the 'userPassword' attribute of entry 'uid=xyz,ou=yyy,ou=xxx,ou=xxxou=xxxadmin,l=location,c=country,o=organization'.
    The syntax with the * works perfectly in other ACIs, but not here.
    Cheers!

    Hi,
    tried to replace this ACI with the following, but also unfortunately
    aci: (targetattr = "*") (target = "ldap:///ou=xxxou,ou=xxxadmin,l=location,c=country,o=organization") (version 3.0;acl "Allow_xxGroup_to_update_xxxou";allow (all)(groupdn = "ldap:///cn=xxGroup,ou=xxx,($dn),l=location,c=country,o=organization");)
    ou=xxxou,ou=xxxadmin is in a separate branch, so it's not possible to do it with a macro either.
    If I try to add this ACI, I get the following error message:
    ldap_modify: Invalid syntax
    ldap_modify: additional info: ACL Invalid Target Error(-8): Target is beyond the scope of the ACL (Scope:ou=xxxou,ou=xxxadmin,l=location,c=country,o=organization) (targetattr = \"\2a\") (version 3.0;acl \"Allow_xxGroup_to_update_xxxou\";allow (all)(groupdn = \"ldap:///cn=xxGroup,ou=xxx,($dn),l=location,c=country,o=organization\");)
    It makes no difference whether I put this ACI on l=location or on the target DN; the error message is the same....

  • Deny/allow aci question

    I want to allow specific users certain rights to an attribute, but then I want to deny all others that I didn't specify. How would you do this? Let's say..
    Allow(write,read,search) (userdn="ldap:///johndoe"); Then I want to deny access to the rest of the users that are not john doe. I don't even want them to have read access. Thanks. Also, is there a way to change the default access to none instead of read and search. Thanks in advance.

    By default, if there are no ACIs present, there is no access. You must always explicitly allow access, otherwise, it is denied. Keep in mind, though, that the installation and instance creation process adds certain ACIs by default - you may have to remove or edit them.

  • ACI access/deny question

    I want the members of a specific group (say, cn=Deactivated users) to not be able to access (deny all) the directory (nDS 4.x). How should the ACI be set up?
    The groups are made of groupofuniquenames and members are listed in the uniquemember attribute.
    TIA.

    Okay...the answer is this - NO. So what to do? Install a different firmware. I installed Tomato and it blows the doors off of the standard Linksys firmware...and the supported access restriction rules are far more powerful and intuitive.

  • Setting ACI using Macros

    Hi All,
    I want to restrict access for each domain to its users' emails: a user belonging to a domain has to see only the users of its own domain.
    Here is my ACI:
    (targetattr = "*") (target = "ldap:///($dn),dc=acme,dc=net")(version 3.0;acl "Domain Restriction";deny (read,search)(userdn != "ldap:///[$dn],dc=acme,dc=net??sub?(objectclass=inetOrgPerson)");)
    To my surprise, it denies the user from seeing everything! Can you tell me what's wrong with this ACI? If you have another method than using macros, please say so.
    Note that the domains in the tree are below dc=acme,dc=net

    Hi,
    The matching mechanism for [$dn] is slightly different than for ($dn). The DN of the targeted resource is examined several times, each time dropping the left-most RDN component, until a match is found.
    For example, the ACI in the question restricts reading and searching in DN dc=whatever,dc=acme,dc=net and below.
    If you could create groups or roles for each domain this would be easy.
    This ACI gives permission to users to access the entries within their group:
    (targetattr = "*") (target = "ldap:///($dn),dc=acme,dc=net")(version 3.0;acl "Domain Restriction";allow (read,search,write,compare)(groupdn = "ldap:///($dn),dc=acme,dc=net and (objectclass=inetOrgPerson)");)
    Best Regards,
    Ravi
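    As an added example (not code from this thread and not Directory Server code), the Python below models the two macro forms Ravi contrasts: ($dn) in the target captures the variable part of the entry's DN and is substituted literally into the bind rule, while [$dn] is re-tried with the left-most RDN dropped each time until an expansion names an entry that exists. The dc=acme,dc=net suffix comes from the question; the dc=domain1/dc=domain2 entries, the cn=DomainAdmins groups and the cn=all entry are constructed, and "an entry that exists" stands in for the server's real membership check on the expanded subject. DN handling is deliberately naive (split on commas, no escaping or attribute-type normalisation).

```python
"""Model of macro substitution in Directory Server ACIs. Added example, not
server code; DN handling is naive (no escaping, no type normalisation)."""

SCHEME = "ldap:///"

def rdns(dn):
    """Split a DN string into its RDNs, left-most (deepest) first."""
    return [p.strip() for p in dn.split(",") if p.strip()]

def _strip_scheme(url):
    return url[len(SCHEME):] if url.startswith(SCHEME) else url

def match_target_macro(target_url, entry_dn):
    """Return the RDNs that ($dn) stands for when `entry_dn` lies under a target
    written as ldap:///PREFIX,($dn),SUFFIX, or None when the entry is out of scope.
    The prefix may be empty, as in the question's ldap:///($dn),dc=acme,dc=net."""
    before, _, after = _strip_scheme(target_url).partition("($dn)")
    prefix = [p.lower() for p in rdns(before)]
    suffix = [p.lower() for p in rdns(after)]
    parts = rdns(entry_dn)
    lower = [p.lower() for p in parts]
    if suffix and lower[-len(suffix):] != suffix:
        return None
    body = parts[:len(parts) - len(suffix)]
    body_lower = lower[:len(lower) - len(suffix)]
    if not prefix:
        return body or None
    # Find the fixed prefix; the RDNs between it and the suffix are $dn, the RDNs
    # to its left are just the entry sitting below the targeted subtree.
    for i in range(len(body_lower) - len(prefix) + 1):
        if body_lower[i:i + len(prefix)] == prefix and body_lower[i + len(prefix):]:
            return body[i + len(prefix):]
    return None

def bracket_candidates(dn_parts):
    """[$dn] is tried as the full matched value, then with the left-most RDN
    dropped, and so on, until one expansion names an entry that exists."""
    return [dn_parts[i:] for i in range(len(dn_parts))]

def expand_subject(subject_url, dn_parts, existing_dns):
    """Expand ($dn) or [$dn] in a bind-rule URL. ($dn) is one literal substitution;
    [$dn] walks the candidates and returns the first naming an existing entry,
    or None when none does."""
    existing = {d.lower() for d in existing_dns}
    if "[$dn]" in subject_url:
        for cand in bracket_candidates(dn_parts):
            url = subject_url.replace("[$dn]", ",".join(cand))
            if _strip_scheme(url).lower() in existing:
                return url
        return None
    return subject_url.replace("($dn)", ",".join(dn_parts))

# Constructed directory contents (only dc=acme,dc=net comes from the question).
EXISTING = [
    "cn=DomainAdmins,ou=Groups,dc=domain1,dc=acme,dc=net",
    "cn=DomainAdmins,ou=Groups,dc=domain2,dc=acme,dc=net",
]
GROUP_SUBJECT = "ldap:///cn=DomainAdmins,ou=Groups,[$dn],dc=acme,dc=net"

def demo():
    cases = {}
    # Fixed prefix ou=Groups: ($dn) is just the domain RDN, so either form works.
    dn1 = match_target_macro("ldap:///ou=Groups,($dn),dc=acme,dc=net",
                             "cn=Administrators,ou=Groups,dc=domain1,dc=acme,dc=net")
    cases["fixed_prefix"] = (dn1, expand_subject(GROUP_SUBJECT, dn1, EXISTING))
    # No prefix, as in the question: ($dn) swallows everything above the suffix,
    # so a literal ($dn) subject names nothing and only the [$dn] walk lands.
    dn2 = match_target_macro("ldap:///($dn),dc=acme,dc=net",
                             "cn=all,ou=Groups,dc=domain2,dc=acme,dc=net")
    cases["no_prefix_paren"] = expand_subject(GROUP_SUBJECT.replace("[$dn]", "($dn)"), dn2, EXISTING)
    cases["no_prefix_bracket"] = expand_subject(GROUP_SUBJECT, dn2, EXISTING)
    return cases

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, "->", result)
```

    The no-prefix case is the one that matters for the question: with a target of ldap:///($dn),dc=acme,dc=net, ($dn) for an entry three levels deep is all three RDNs, so a bind rule that uses ($dn) rather than [$dn] is looking for a subject that does not exist, and the ACI matches nobody.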

  • Maximum audio sample rate and bit depth question

    Anyone worked out what the maximum sample rates and bit depths AppleTV can output are?
    I'm digitising some old LPs and while I suspect I can get away with 48kHz sample rate and 16 bit depth, I'm not sure about 96kHz sample rate or 24bit resolution.
    If I import recordings as AIFFs or WAVs to iTunes it shows the recording parameters in iTunes, but my old Yamaha processor which accepts PCM doesn't show the source data values, though I know it can handle 96kHz 24bit from DVD audio.
    It takes no more time recording at any available sample rates or bit depths, so I might as well maximise an album's recording quality for archiving to DVD/posterity as I only want to do each LP once!
    If AppleTV downsamples however there wouldn't be much point streaming higher rates.
    I wonder how many people out there stream uncompressed audio to AppleTV? With external drives which will hold several hundred uncompressed CD albums is there any good reason not to these days when you are playing back via your hi-fi? (I confess most of my music is in MP3 format just because i haven't got round to ripping again uncompressed for AppleTV).
    No doubt there'll be a deluge of comments saying that recording LPs at high quality settings is a waste of time, but some of us still prefer the sound of vinyl over CD...
    AC

    I guess the answer to this question relies on someone having an external digital amp/decoder/processor that can display the source sample rate and bit depth during playback, together with some suitable 'demo' files.
    AC

  • ACI, 2 BD´s and 2 EPGs in L2 mode won´t talk even with contract supplied

    Hi experts
    I tried to make an L2 connection between 2 EPGs in different BDs, both BDs are in L2 mode and in the same private network. I saw in the sniffer that the traffic was sent between the EPGs (hosts), but the ping between the hosts did not get answered. We had a contract between the EPGs that allowed any in both directions.
    The connection works between the 2 hosts with the 2 EPGs in the same BD with the same any contract.
    Is it intended that 2 BDs won't let 2 EPGs talk in L2 mode (flood mode)?
    And I read that the L2 external is not a separate BD but 2 EPGs in an "L2 construct" with a contract between them and the AEP stuff to get the physical side to work.
    /Ola

    Just to understand, you created two BDs in flood and L2 mode and two EPGs. The two hosts are using the same subnet/address space to talk to each other and you have a contract in between the two EPGs yet the communication is not working. 
    When you put the two EPGs in the same BD it works? correct?
    It's a very interesting question, but there is something you must remember about ACI. The BD is the flood/forwarding boundary. Since you are using two different flood domains and no routing (unicast off and no subnet/SVI on the BD), ARPs and general data flood/packets will not traverse the flood domains, even with a contract.
    What other questions do you have? Thanks for using Support Forums, hope that helps!

  • ACI Alert - Application Sharing

    Hello All,
    Has anyone seen the following alert when launching Application Sharing on NW SP12?
    <b>ACI Alert
    ACI Error: The communication with the server has been disconnected, you have to login again. (1101)</b>
    To generate this error, I go through the CLP, select the Contact that I want to share the application with, I then select the application at which point I get the error.
    My system pretty much freezes up and I have to forcefully close my Internet Explorer session.
    My Application Sharing parameters are:
    SecureMode = 1
    ServerName = <fully qualified domain of server)
    ServerPath = streamingserver/servlet/streamingserver
    ServerPort = 50000
    Version    = 1729
    I've searched for this error in the Forum logs but have not found anything.
    Can anyone provide assistance?
    Thanks in advance for your help!
    ~H

    Hi Guy,
    Thanks for your feedback;
    One quick question; I do not have the "SAPPortals" entry on either of my client PCs under
    HKLM\Software; does that have to be added as well?
    With regards to request b.), I did navigate to the URL you provided and received the status page you mentioned. The results are as follows:
    Application Sharing Server
    General Information:
    URL : /streamingserver/servlet/streamingserver 
    Server protocol : HTTP/1.1 
    Server version : NW04 
    Registered sessions: 0 
    Onging Sessions Information:
    Session id Status Sharer Name Participants Count
    Threads Count Properties:
    Property Name Value
    SAP J2EE Engine max application threads count 40
    SAP J2EE Engine max system threads count 100
    Application Sharing Server max threads count 20
    Application Sharing Server currently in use threads count 0
    Thanks again; please let me know if I need to add the Registry Entry "SAPPortals" and I'll get that information to you right away.
    ~H

  • Default acis on DS 5.2

    Hello everyone.
    I have recently set up DS 5.2. I plan to not allow anonymous access. I noticed however that on o=Netscaperoot and below, anonymous access is enabled by default. I would like to ask if it is ok to remove these acis, or this could cause problems.
    thank you in advance.

    2) Your aci assumes that "targetattr !=" means all
    attributes except the following. That's not the way
    access control works. By default, the DS denies
    access to everything unless access is explicitly
    granted. So, unless you have another aci that allows
    access to (targetattr = "*"), this won't work.

    That's what I thought, too, but I tested an ACI that allowed access to all fields, and in fact retrieved everything including those explicitly disallowed by the first ACI. So I looked back at my original attempt and noticed it still had the string "aci:" in front. When I removed that (and the "all permission" ACI) the directory server started behaving as expected. Problem apparently solved, except "why did the ACI syntax checker not barf on that ACI?"
    A now-rhetorical question... thanks!

  • DS 5.2 targetfilter  with add permission - ACI eval

    When you have an ACI with targetfilter that grants add to a user, is the targetfilter evaluated with respect to the new entry being created?
    for example
    (targetattr = "*") (target = "ldap:///ou=books,o=test") (targetfilter = (objectclass=classicbooks)) (version 3.0;acl "addtf";allow (read,compare,search,write,delete,add)(userdn = "ldap:///uid=tbook,o=test");)
    The examples in the documentation [targetfilter] all show read,search,compare and leads to think that the entries must exist for the targetfilter to evaluate
    Thanks

    Hi
    Read "ACI Placement" at http://docs.sun.com/source/817-7613/aci.html
    You can create an ACI on an entry that does not apply directly to that entry but to some or all of the entries in the subtree below it. So when you create the subentry the ACI will apply if it matches. If you do not specify a target the ACI applies to the entry where the ACI is put.
    Or did I misunderstand the question?
    Regards
    /Per-Olov

  • ACI Setup - How to Configure Data Warehouse Database - Partitioning

    After reading the ACI Install Guide & Data Warehouse documentation, I have some questions regarding how to setup the database:
    - Should database partitioning be setup? If so, what tables should be partitioned and what should they be partitioned by?
    - Are there any other best practices or tips for setting up & tuning the database?
    We are trying to avoid the (painful) situation of having to add partitioning later on; it is much easier to add it up front (if done correctly up front).
    Thanks in advance for any advice!

    On the tables recommended for partitioning, the partition key is nullable. If ATG inserts a null value into the timestamp column of one of the partitioned tables, we'll receive an ORA-14300 or ORA-14440 error. Oracle isn't able to figure out what partition to map that record to.
    Can the columns be changed to NOT NULL? Or, can the application guarantee a nullable value won't be inserted?
    Here are some example columns:
    ARF_SITE_VISIT.START_VISIT_TIMESTAMP --> TIMESTAMP(6) null
    ARF_REGISTRATION.REGISTRATION_TIMESTAMP --> TIMESTAMP(6) null
    ARF_LINE_ITEM.SUBMIT_TIMESTAMP --> TIMESTAMP(6) null
    ARF_PROMOTION_USAGE.USAGE_TIMESTAMP --> TIMESTAMP(6) null
    ARF_RETURN_ITEM.SUBMIT_TIMESTAMP --> TIMESTAMP(6) null
    Thanks

  • Multi-master replication questions for iPlanet 5.0, gurus out there?

    hi:
    I'm using iPlanet Dir Server 5.0 and I note that many gurus out there have been able to get this to work, that's good, but I have yet to. I have several questions, maybe someone can spend a few minutes and save me hours...
    I have a suffix called dc=calient,dc=net. I followed the suggestions in the iPlanet install guide and created 2 directory servers
    a) suffix o=NetscapeRoot, at some arbitrary port, 4601
    b) suffix dc=calient,dc=net, at the usual port 389.
    All my searches/create/delete work fine. However, when I try to replicate with multi-master between 2 machines, I keep getting into problems.
    Here's one set of questions...
    Q1: do people out there really split their tree from the o=NetscapeRoot tree?
    Q2: The admin guide says that the unit of replication is a database, and that each replication can only have 1 suffix. Is this true? Can a replicated db have more than 1 suffix?
    Q3: If I also want to replicate the o=NetscapeRoot tree, I have to set up yet 2 more replication agreements. Isn't this more work? If I just lump the 2 suffixes together, wouldn't it be easier? But would it work?
    Q4: I followed the instructions to enable replicas on the masters. But then I tried to create this cn=Replication Manager, cn=config object. But what is the object class of this entry? An iPlanet user has uid as its RDN... I tried a person object class, and I added a password. But then I keep getting error code 32, object not found, in the error log. What gives? Such as
    WARNING: 'get_entry' can't find entry 'cn=replication manager,cn=config', err 32
    Q5: Also, are there any access control issues with this cn=Replication Manager, cn=config object? By this I mean, I cannot seem to see this object using ldapsearch, I can only see cn=SNMP, cn=config. Also, do I have to give all access via aci to my suffix dc=calient,dc=net? Also, given the fact that my o=NetscapeRoot tree is at a different port (say 4601), not 389, could this be an issue?
    Q6: when replication fails, should the Dir Server still come up? Mine does not anymore, which is strange. I keep getting things like this in my log file
    [08/Nov/2001:21:49:13 -0800] NSMMReplicationPlugin - Could not send consumer mufasa.chromisys.com:389 the bind request
    [08/Nov/2001:21:49:13 -0800] NSMMReplicationPlugin - Failed to connect to replication consumer mufasa.chromisys.com:389
    But why shouldn't the dir server itself come up even if replication fails?
    steve

    Hi Steve,
    First, please read the 'Deployment Guide'. I think that is easier to understand when you want to set up multi-master replication. The 'Administrator's Guide' gives you step-by-step instructions, but it may not help you to understand how to design your directory services.
    Stephen Tsun wrote:
    I have a suffix called dc=calient,dc=net. I followed the suggestions in the iPlanet install guide and created 2 directory servers
    a) suffix o=NetscapeRoot, at some arbitrary port, 4601
    b) suffix dc=calient,dc=net, at the usual port 389.
    All my searches/create/delete work fine. However, when I try to replicate with multi-master between 2 machines, I keep getting into problems.

    I don't understand something: which backend do you want to replicate? The one holding 'o=NetscapeRoot' or the one holding 'dc=calient,dc=net'? Do you want to set up replication between these two instances of the directory server (i.e. between port 4601 and 389 in your example)?

    Q1: do people out there really split their tree from the o=NetscapeRoot tree?

    If you have multiple directory servers installed in your environment, it is probably worth dedicating (at least) one directory server for the o=netscaperoot tree.

    Q2: The admin guide says that the unit of replication is a database, and that each replication can only have 1 suffix. Is this true? Can a replicated db have more than 1 suffix?

    Well, it is normal, since in iDS 5.x you have 1 suffix per database. You can, however, replicate multiple databases.

    Q3: If I also want to replicate the o=NetscapeRoot tree, I have to set up yet 2 more replication agreements. Isn't this more work? If I just lump the 2 suffixes together, wouldn't it be easier? But would it work?

    You can't lump the 2 suffixes together, because each backend has 1 suffix associated with it.

    Q4: I followed the instructions to enable replicas on the masters. But then I tried to create this cn=Replication Manager, cn=config object. But what is the object class of this entry?

    Usually, it is organizationalperson or inetorgperson. In most of the cases you want an objectclass which can have the userPassword attribute.

    An iPlanet user has uid as its RDN... I tried a person object class, and I added a password. But then I keep getting error code 32, object not found, in the error log. What gives?

    You must have misconfigured something. Or perhaps it is not cn=replication manager, cn=config, but 'uid=replication manager,cn=config'.

    Q5: Also, are there any access control issues with this cn=Replication Manager, cn=config object? By this I mean, I cannot seem to see this object using ldapsearch, I can only see cn=SNMP, cn=config.

    The configuration tree is protected by ACIs, so you can not see them using anonymous BINDs. Try binding as 'directory manager' and you will find your entry.

    Also, do I have to give all access via aci to my suffix dc=calient,dc=net?

    For what purpose? For replication, it is enough to set the user DN in the replication agreement, and this user can update the replicated backend.

    Q6: when replication fails, should the Dir Server still come up?

    Yes.
    Bertold

  • ACI Normalization

    Two quick questions for you "employees" out there.
    Does adding ACIs to the directory in their normalized format cause a performance gain, even if it's slight? In other words, can we avoid or minimize the need for the server to normalize every time it reads an ACI if we enter them properly up front?
    Secondly, what exactly is that normalized format? We are trying to standardize our ACI format across corporate directory instances, and would like to know what the directory considers normalized.
    Here's what we use now (with _ indicating a single space):
    (targetattr="attr1_||_attr2")(targetfilter="(attr=val)")(version_3.0;acl_"ACL_Name";allow(read,search)_userdn="ldap:///uid=abc,dc=domain,dc=com";)
    Thanks in advance!

    ACI is a paradigm shift in data centre designs.
    According to this solution overview ACI is the next generation of Software Defined Networking:
    http://www.cisco.com/c/en/us/products/collateral/switches/nexus-9000-series-switches/guide-c07-731461.html
    Having worked with Nexus switches for a couple of years now I haven't encountered any serious drawbacks with these devices.
