OUD 11g /12c - How to Enable Anonymous Read Using Global ACIs
(Doc ID 1921458.1)
Last updated on MAY 17, 2023
Applies to:
Oracle Unified Directory - Version 11.1.1.5.0 and later
Information in this document applies to any platform.
03/20/2016
Goal
Default Global ACI Configuration
By default, the global ACI configuration allows anonymous read access to data with the following ACIs -
ds-cfg-global-aci: (extop="1.3.6.1.4.1.26027.1.6.1 || 1.3.6.1.4.1.26027.1.6.3 || 1.3.6.1.4.1.4203.1.11.1 || 1.3.6.1.4.1.1466.20037 || 1.3.6.1.4.1.4203.1.11.3") (version 3.0; acl "Anonymous extended operation access"; allow(read) userdn="ldap:///anyone";)
ds-cfg-global-aci: (targetcontrol="2.16.840.1.113730.3.4.2 || 2.16.840.1.113730.3.4.17 || 2.16.840.1.113730.3.4.19 || 1.3.6.1.4.1.4203.1.10.2 || 1.3.6.1.4.1.42.2.27.8.5.1 || 2.16.840.1.113730.3.4.16 || 2.16.840.1.113894.1.8.31") (version 3.0; acl "Anonymous control access"; allow(read) userdn="ldap:///anyone";)
ds-cfg-global-aci: (target="ldap:///cn=schema")(targetscope="base")(targetattr="objectClass||attributeTypes||dITContentRules||dITStructureRules||ldapSyntaxes||matchingRules||matchingRuleUse||nameForms||objectClasses")(version 3.0; acl "User-Visible Schema Operational Attributes"; allow (read,search,compare) userdn="ldap:///anyone";)
ds-cfg-global-aci: (target="ldap:///")(targetscope="base")(targetattr="objectClass||namingContexts||supportedAuthPasswordSchemes||supportedControl||supportedExtension||supportedFeatures||supportedLDAPVersion||supportedSASLMechanisms||vendorName||vendorVersion")(version 3.0; acl "User-Visible Root DSE Operational Attributes"; allow (read,search,compare) userdn="ldap:///anyone";)
ds-cfg-global-aci: (targetattr="createTimestamp||creatorsName||modifiersName||modifyTimestamp||entryDN||entryUUID||subschemaSubentry||orclguid||nsuniqueid")(version 3.0; acl "User-Visible Operational Attributes"; allow (read,search,compare) userdn="ldap:///anyone";)
where "ldap:///anyone" configures an ACI that affects anonymous access -
Defining Anonymous Access Using anyone Keyword
- The extended operations that an anonymous user may invoke (read) are listed with the extop keyword, and
- The LDAP controls that an anonymous user may use (read) are listed with the targetcontrol keyword.
For more info -
Targeting LDAP Controls
Targeting LDAP Extended Operations
According to -
Anyone has read access to certain controls and extended operations.
Anyone has access to search, compare, and read attributes at the rootDSE level. Certain attributes require explicit access.
Authenticated users can modify a subset of the attributes in their own entries in the directory. Users are unable to delete their own entries.
Anyone has access to key operational attributes including many in the root DSE and cn=schema, as well as other attributes that show up in entries throughout the server.
where the statement that authenticated users can modify a subset of attributes in their own entries refers to the default Global ACI "Self entry read" -
For more info -
Defining Self Access Using self Keyword
Anonymous access is not allowed on all OUD entries since, by default, all is denied unless allowed by a Global ACI or an aci configured in the Directory Information Tree (DIT).
This article goes over how to allow anonymous access to all entries in OUD using a Global ACI.
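Because anonymous access is denied unless a Global ACI grants it, it is worth auditing the configured global ACIs rather than trusting the defaults. The following audit helper is an added example, not code from the Oracle note: it parses ACI strings in the ds-cfg-global-aci format shown above and reports those that grant read to ldap:///anyone without a target, extop or targetcontrol restriction. The "Anonymous read all entries" ACI in the sample list is constructed, and the scope classification is a simplification of OUD's ACI semantics.

```python
import re
from dataclasses import dataclass
# Added audit helper, not Oracle's code. Parses OUD v3 ACI strings like the
# ds-cfg-global-aci values above; scope handling is deliberately simplified.
TARGET_RE = re.compile(r'\(\s*(\w+)\s*(!?=)\s*"([^"]*)"\s*\)')
BODY_RE = re.compile(r'\(\s*version\s+3\.0\s*;\s*acl\s+"([^"]*)"\s*;(.*)\)\s*$', re.S)
RULE_RE = re.compile(r'(allow|deny)\s*\(([^)]*)\)\s*([^;]+);')

@dataclass
class Aci:
    name: str
    targets: dict   # keyword -> (operator, [values])
    rules: list     # (allow|deny, {rights}, bind rule)

def parse_aci(text: str) -> Aci:
    # Strip the LDIF attribute name if present, then split targets from the body.
    s = re.sub(r'^ds-cfg-global-aci:\s*', '', text.strip(), flags=re.I)
    idx = s.find("(version")
    if idx < 0:
        raise ValueError("missing version clause")
    targets = {k.lower(): (op, [v.strip() for v in val.split("||")])
               for k, op, val in TARGET_RE.findall(s[:idx])}
    m = BODY_RE.match(s[idx:])
    if not m:
        raise ValueError("malformed ACI body")
    rules = [(kind, {r.strip().lower() for r in rights.split(",")}, bind.strip())
             for kind, rights, bind in RULE_RE.findall(m.group(2))]
    return Aci(m.group(1), targets, rules)

def grants_anonymous_read(aci: Aci) -> bool:
    return any(kind == "allow" and "read" in rights and "ldap:///anyone" in bind.lower()
               for kind, rights, bind in aci.rules)

def unrestricted_anonymous_read(aci_texts) -> list:
    """Names of ACIs granting anyone read with no entry/extop/control target."""
    hits = []
    for a in map(parse_aci, aci_texts):
        if not grants_anonymous_read(a):
            continue
        if a.targets.keys() & {"target", "extop", "targetcontrol"}:
            continue          # scoped to one entry, an extended operation or a control
        attr = a.targets.get("targetattr")
        if attr is None or (attr[0] == "=" and "*" in attr[1]):  # flag for review
            hits.append(a.name)
    return hits

SAMPLE_ACIS = [   # first two abridged from the defaults above; the last one is constructed
    'ds-cfg-global-aci: (target="ldap:///cn=schema")(targetscope="base")(targetattr="objectClass||attributeTypes")(version 3.0; acl "User-Visible Schema Operational Attributes"; allow (read,search,compare) userdn="ldap:///anyone";)',
    'ds-cfg-global-aci: (targetattr="createTimestamp||creatorsName||entryUUID")(version 3.0; acl "User-Visible Operational Attributes"; allow (read,search,compare) userdn="ldap:///anyone";)',
    '(targetattr="*")(version 3.0; acl "Anonymous read all entries"; allow (read,search,compare) userdn="ldap:///anyone";)',
]
```

Feed it the global-aci values exported from your own server to see which grants extend anonymous read beyond the operational attributes, schema and root DSE the defaults cover.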
Solution