Apply Security Verify Access ACLs to new LDAP suffixes
The LDAP naming model is maintained in a hierarchical namespace known as the Directory Information Tree (DIT).
Many LDAP server products, such as Security Directory Server, which is included with ISAM, and the Sun Java™ System Directory Server and Novell eDirectory, maintain the data of the DIT in a hierarchical namespace that is often represented as a tree structure. The top of the tree is termed a naming context. Sometimes, this naming context is called a suffix because it represents the ending portion of a distinguished name (DN). For example, the c=us suffix might be created to represent country-specific data within an organization. An entry within this suffix might have a DN similar to cn=Joe Williams,ou=austin,o=ibm,c=us. The set of suffixes that is maintained by the LDAP server can be configured with the vendor-specific LDAP administration tools. When the ISAM policy server is configured, it attempts to apply appropriate access controls in the form of Access Control Lists (ACLs) to each LDAP suffix that is in the LDAP server. This access control gives appropriate permissions to allow Security Verify Access to create and manage user and group information in these suffixes. The ISAM policy server does not attempt to apply ACLs to each LDAP suffix when AD LDS is used as the user registry. Access to AD LDS registry entries is controlled by administration groups within AD LDS.
For LDAP server types other than AD LDS, an LDAP administrator might add an LDAP suffix after Security Verify Access is configured. To have Security Verify Access to manage users and groups in this new suffix, the administrator must apply the appropriate ACLs to the new suffix. To apply the appropriate access controls to a newly created LDAP suffix, use the ivrgy_tool utility with the add-acls parameter. For information, see "ivrgy_tool" in the IBM Security Verify Access for Web: Command Reference. Alternately, we can manually apply the following ACLs to each new suffix:
- cn=SecurityGroup,secAuthority=Default
- Full access
- cn=ivacld-servers,cn=SecurityGroups,secAuthority=Default
- read
- search
- compare
- write for the following attributes:
- secAcctValid
- secPwdFailCountTime
- secPwdFailures
- secPwdLastChanged
- secPwdLastFailed
- secPwdLastUsed
- secPwdUnlockTime
- secPwdValid
- cn=remote-acl-users,cn=SecurityGroups,secAuthority=Default
- read
- search
- compare
- write for the following attributes:
- secAcctValid
- secPwdFailCountTime
- secPwdFailures
- secPwdLastChanged
- secPwdLastFailed
- secPwdLastUsed
- secPwdUnlockTime
- secPwdValid
When using a generic LDAP server, give the same access controls to the specified groups. For information about how to set access control for a generic LDAP server, see the documentation associated with the generic LDAP server. If an ISAM administrator created a domain other than the initial \Management domain, created during the configuration of the policy server, apply the following additional ACLs to the new suffix for each domain:
- cn=SecurityGroup,secAuthority=domain_name,cn=Subdomains, secAuthority=Default
- Full access
- cn=ivacld-servers,cn=SecurityGroups,secAuthority=domain_name,cn=Subdomains, secAuthority=Default
- read
- search
- compare
- write for the following attributes:
- secAcctValid
- secPwdFailCountTime
- secPwdFailures
- secPwdLastChanged
- secPwdLastFailed
- secPwdLastUsed
- secPwdUnlockTime
- secPwdValid
- cn=remote-acl-users,cn=SecurityGroups,secAuthority=domain_name, cn=Subdomains,secAuthority=Default
- read
- search
- compare
- write for the following attributes:
- secAcctValid
- secPwdFailCountTime
- secPwdFailures
- secPwdLastChanged
- secPwdLastFailed
- secPwdLastUsed
- secPwdUnlockTime
- secPwdValid
Where domain_name is the name of the additional administrative domain. For a list of domains, use the domain list command.
- Example procedures
We can use these example procedures for either Security Directory Server or Sun Java System Directory Server, depending on the LDAP server type used.
Parent topic: LDAP-specific tasks