TDI 6.1 - Restricted Access to the Directory Entries


santoshmalavade

Oct 29, 2010, 2:54:30 AM
Hi,

We have IBM TDI 6.1

I have created an admin group member with the following role:

DirDataAdmin

As specified in the Admin Guide:

Members of the Admin Group who are assigned DirDataAdmin role will
gain unrestricted access to all the entries in the RDBM back-end.


However, my requirement is to restrict deletion rights.

Hence, I turned to Access Control Lists (ACLs) to control the
deletion rights.

I have created an aclEntry as shown below:

dn: CN=USERS,DC=IBM,DC=IN
entryowner: access-id:UID=TestDeletion,CN=USERS,DC=IBM,DC=IN
aclPropagate: TRUE
aclEntry: access-id:UID=TestDeletion,CN=USERS,DC=IBM,DC=IN:object:a:normal:rwsc:restricted:rwsc:sensitive:rwsc:critical:rwsc:system:rsc

As per my interpretation of the admin guide, 'object:a' in the above
aclEntry will provide child addition rights at the CN=USERS,DC=IBM,DC=IN
level and will prevent the entry deletion right.

However, when I try to bind using the user
UID=TestDeletion,CN=USERS,DC=IBM,DC=IN, I am not able to bind; I am
getting the following message:

: List failed : Root error: [LDAP: error code 53 - Unwilling To Perform]

How do I proceed?


Rgds,

Santosh Malavade

sunny

Nov 3, 2010, 1:02:28 AM
Do you have a password policy enabled?
Also, I would suggest you try with nothing included from the system
attributes in the ACLs you have specified and see if it helps:

dn: CN=USERS,DC=IBM,DC=IN
entryowner: access-id:UID=TestDeletion,CN=USERS,DC=IBM,DC=IN
aclPropagate: TRUE
aclEntry: access-id:UID=TestDeletion,CN=USERS,DC=IBM,DC=IN:object:a:normal:rwsc:restricted:rwsc:sensitive:rwsc:critical:rwsc

(I've omitted the system:rsc part).

--Sunny
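To make the two aclEntry values in this thread (Santosh's original and Sunny's variant without the system class) easier to reason about, here is a small parser and permission checker. It is added example code, not something from the thread or from IBM; it assumes the IBM Directory Server aclEntry layout of subject-type:subject-DN:object:perms:attribute-class:perms..., with object permission a meaning "add child entries" and d meaning "delete this entry", and r/w/s/c meaning read/write/search/compare on an attribute class. The function names parse_acl_entry, allowed and normalize_dn are my own.

```python
import re
from dataclasses import dataclass

# Vocabulary of the aclEntry syntax as assumed for this example (not taken from
# the thread): object:a = add child, object:d = delete entry; r/w/s/c = read,
# write, search, compare on an attribute class.
SUBJECT_TYPES = ("access-id", "group", "role")
OBJECT_PERMS = {"a": "add child entries", "d": "delete this entry"}
ATTR_PERMS = {"r": "read", "w": "write", "s": "search", "c": "compare"}
ATTR_CLASSES = ("normal", "restricted", "sensitive", "critical", "system")

# Constructed samples: the two aclEntry values posted in the thread, each
# rejoined onto one line.
SANTOSH_ACL = ("access-id:UID=TestDeletion,CN=USERS,DC=IBM,DC=IN"
               ":object:a:normal:rwsc:restricted:rwsc:sensitive:rwsc"
               ":critical:rwsc:system:rsc")
SUNNY_ACL = ("access-id:UID=TestDeletion,CN=USERS,DC=IBM,DC=IN"
             ":object:a:normal:rwsc:restricted:rwsc:sensitive:rwsc"
             ":critical:rwsc")


def normalize_dn(dn: str) -> str:
    """Case-fold a DN and drop whitespace around RDN separators for comparison."""
    return re.sub(r"\s*,\s*", ",", dn.strip()).lower()


@dataclass
class AclEntry:
    subject_type: str
    subject_dn: str
    object_perms: frozenset   # subset of {"a", "d"}
    attr_perms: dict          # attribute class -> frozenset of r/w/s/c letters


def parse_acl_entry(value: str) -> AclEntry:
    """Split one aclEntry value into subject, object rights and class rights."""
    tokens = value.split(":")
    if len(tokens) < 2 or tokens[0] not in SUBJECT_TYPES:
        raise ValueError(f"unknown subject type in {value!r}")
    # The DN ends where the first 'object' or attribute-class keyword begins
    # (a DN containing ':' would otherwise be cut short).
    stop = next((i for i in range(2, len(tokens))
                 if tokens[i] == "object" or tokens[i] in ATTR_CLASSES),
                len(tokens))
    subject_dn = ":".join(tokens[1:stop])
    rest = tokens[stop:]
    if len(rest) % 2:
        raise ValueError(f"keyword without permission string in {value!r}")
    object_perms = frozenset()
    attr_perms = {}
    for keyword, perms in zip(rest[::2], rest[1::2]):
        letters = frozenset(perms)
        if keyword == "object":
            bad = letters - set(OBJECT_PERMS)
            if bad:
                raise ValueError(f"unknown object permission(s) {sorted(bad)}")
            object_perms = letters
        elif keyword in ATTR_CLASSES:
            bad = letters - set(ATTR_PERMS)
            if bad:
                raise ValueError(f"unknown {keyword} permission(s) {sorted(bad)}")
            attr_perms[keyword] = letters
        else:
            raise ValueError(f"unknown keyword {keyword!r} in {value!r}")
    return AclEntry(tokens[0], subject_dn, object_perms, attr_perms)


def allowed(entry: AclEntry, bind_dn: str, operation: str) -> bool:
    """Does this single aclEntry grant `operation` to `bind_dn`?

    operation is "add", "delete", or "<attrclass>:<letter>" such as "normal:w".
    Only access-id subjects are matched here (group/role membership would need
    a directory lookup); anything not explicitly granted is reported as denied.
    """
    if entry.subject_type != "access-id":
        return False
    if normalize_dn(entry.subject_dn) != normalize_dn(bind_dn):
        return False
    if operation == "add":
        return "a" in entry.object_perms
    if operation == "delete":
        return "d" in entry.object_perms
    attr_class, _, letter = operation.partition(":")
    return letter in entry.attr_perms.get(attr_class, frozenset())


if __name__ == "__main__":
    user = "UID=TestDeletion,CN=USERS,DC=IBM,DC=IN"
    for label, raw in (("Santosh", SANTOSH_ACL), ("Sunny", SUNNY_ACL)):
        entry = parse_acl_entry(raw)
        print(label, {op: allowed(entry, user, op)
                      for op in ("add", "delete", "normal:w", "system:r", "system:w")})
```

Running the block shows the point of the thread: both entries grant add but not delete to TestDeletion, and Sunny's variant additionally removes every right on the system attribute class, so a bind that needs to read system attributes would have nothing granted by this entry.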

santoshmalavade

Nov 3, 2010, 8:48:03 AM
Hi Sunny,

Thanks for your response.

I believe the global password policy is on:

cn=pwdpolicy, CN=IBMPOLICIES
ibm-pwdPolicy: true
ibm-pwdGroupAndIndividualEnabled: false

I tried the option you suggested and removed the attribute class
system from the ACL.

Still, I am not able to bind to the LDAP server using LDAP Browser
version 2.8.2 by Jarek Gawor, to the base DN CN=USERS,DC=IBM,DC=IN.

Rgds,

Santosh


Prabir Meher

Feb 20, 2013, 12:09:56 AM
Hi Santosh,

You should list the operational attributes of that particular user, UID=TestDeletion,CN=USERS,DC=IBM,DC=IN,
with the following command:

idsldapsearch -D <AdminDN> -w <AdminPW> -s base -b "<UserEntryDN>" objectclass=* +ibmpwdpolicy

And make sure your DN UID=TestDeletion,CN=USERS,DC=IBM,DC=IN points to a valid password policy under cn=ibmPolicies.