My Oracle Support Banner

OUD 11g /12c - How To Enable Anonymous Read Using Global ACIs (Doc ID 1921458.1)

Last updated on AUGUST 27, 2021

Applies to:

Oracle Unified Directory - Version 11.1.1.5.0 and later
Information in this document applies to any platform.
03/20/2016

Goal

Default Global ACI Configuration

By default, the global ACI configuration allows anonymous read access to data with the following ACIs -

$ grep -i "ldap:///anyone" config.ldif | grep -i read
ds-cfg-global-aci: (extop="1.3.6.1.4.1.26027.1.6.1 || 1.3.6.1.4.1.26027.1.6.3 || 1.3.6.1.4.1.4203.1.11.1 || 1.3.6.1.4.1.1466.20037 || 1.3.6.1.4.1.4203.1.11.3") (version 3.0; acl "Anonymous extended operation access"; allow(read) userdn="ldap:///anyone";)
ds-cfg-global-aci: (targetcontrol="2.16.840.1.113730.3.4.2 || 2.16.840.1.113730.3.4.17 || 2.16.840.1.113730.3.4.19 || 1.3.6.1.4.1.4203.1.10.2 || 1.3.6.1.4.1.42.2.27.8.5.1 || 2.16.840.1.113730.3.4.16 || 2.16.840.1.113894.1.8.31") (version 3.0; acl "Anonymous control access"; allow(read) userdn="ldap:///anyone";)
ds-cfg-global-aci: (target="ldap:///cn=schema")(targetscope="base")(targetattr="objectClass||attributeTypes||dITContentRules||dITStructureRules||ldapSyntaxes||matchingRules||matchingRuleUse||nameForms||objectClasses")(version 3.0; acl "User-Visible Schema Operational Attributes"; allow (read,search,compare) userdn="ldap:///anyone";)
ds-cfg-global-aci: (target="ldap:///")(targetscope="base")(targetattr="objectClass||namingContexts||supportedAuthPasswordSchemes||supportedControl||supportedExtension||supportedFeatures||supportedLDAPVersion||supportedSASLMechanisms||vendorName||vendorVersion")(version 3.0; acl "User-Visible Root DSE Operational Attributes"; allow (read,search,compare) userdn="ldap:///anyone";)
ds-cfg-global-aci: (targetattr="createTimestamp||creatorsName||modifiersName||modifyTimestamp||entryDN||entryUUID||subschemaSubentry||orclguid||nsuniqueid")(version 3.0; acl "User-Visible Operational Attributes"; allow (read,search,compare) userdn="ldap:///anyone";)

where "ldap:///anyone" configures an ACI that affects anonymous access -

Defining Anonymous Access Using anyone Keyword

Note: The Default Global ACIs (above) show -
- The extended operations allowed (read by anonymous user) using the the extop keyword, and
- The LDAP controls allowed (read by anonymous user) using the targetcontrol keyword.

For more info -
Targeting LDAP Controls
Targeting LDAP Extended Operations

 According to -

About Default Global ACIs

The effect of all the default global ACIs is to allow the following:

Anyone has read access to certain controls and extended operations.

Anyone has access to search, compare, and read attributes at the rootDSE level. Certain attributes require explicit access.

Authenticated users can modify a subset of the attributes in their own entries in the directory. Users are unable to delete their own entries.

Anyone has access to key operational attributes including many in the root DSE and cn=schema, as well as other attributes that show up in entries throughout the server.

 where Authenticated users can modify a subset of attributes in their own entries with the default Global ACI - Self entry read ACI -

ds-cfg-global-aci: (targetattr="userPassword||authPassword")(version 3.0; acl "Self entry read"; allow (read,search,compare) userdn="ldap:///self";)


For more info -
Defining Self Access Using self Keyword

Anonymous access is not allowed on all OUD entries since, by default, all is denied unless allowed by a Global ACI or an aci configured in the Directory Information Tree (DIT).


This article goes over how to allow anonymous access to all entries in OUD using a Global ACI.

Solution

To view full details, sign in with your My Oracle Support account.

Don't have a My Oracle Support account? Click to get started!


In this Document
Goal
 Default Global ACI Configuration
Solution
References


My Oracle Support provides customers with access to over a million knowledge articles and a vibrant support community of peers and Oracle experts.