
OUD - When No Virtual ACIs Configured, Default is Allow All; After First Virtual ACI Created Even After ACI Deleted the Behavior of Deny All Applies / How Global ACIs Affect Access With a Virtual ACI Configuration (Doc ID 2451409.1)

Last updated on SEPTEMBER 30, 2020

Applies to:

Oracle Unified Directory - Version and later
Information in this document applies to any platform.


OUD Proxy uses Virtual ACIs to allow or deny access to its data sources.

Virtual ACIs are created by -

1) Creating an Access Control Group
2) Associating/Configuring the Access Control Group in a workflow
3) Configuring virtual-aci-mode to true in that workflow

At that point, an ldapsearch against the OUD Proxy admin port with the "cn=virtual acis" suffix as its search base returns no ACIs (unless some were configured previously), and the Directory Information Tree (DIT) under that suffix does not exist. Because of that, all access is allowed by default.

4) Adding ACIs
After adding ACIs, the structure will look something like this, depending on the suffix configured as the ACI target -

dn: cn=virtual acis

dn: cn=<AccessControlGroupName>,cn=virtual acis

dn: dc=com,cn=<AccessControlGroupName>,cn=virtual acis

dn: dc=example,dc=com,cn=<AccessControlGroupName>,cn=virtual acis
aci: <aci #1>
aci: <aci #2>


Once the ACIs have been added and the DIT structure under "cn=virtual acis" exists, all access is denied by default except what the configured ACIs allow.

If an ACI with an explicit deny is removed, the behavior is unchanged, since all access is denied by default once that DIT exists.

This article explains how to give access to users through Virtual ACIs and possible inconsistencies between access to data sources and the Virtual ACI configuration.
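The three states described above (no DIT under "cn=virtual acis", DIT with ACIs, DIT left behind after every ACI was deleted) can be told apart from an ldapsearch dump of that suffix. The following audit helper is an added example, not Oracle's code; the group name "ProxyGroup", the ACI text and the LDIF dumps are constructed samples, and the classification follows the rule stated in this note.

```python
# Added example, not Oracle's code: classify an OUD Proxy "cn=virtual acis" dump as
# default-allow (no DIT under the suffix) or default-deny (DIT exists, ACIs or not).
SUFFIX = "cn=virtual acis"

def parse_ldif(text):
    """Return {dn: [aci values]} from LDIF text, unfolding continuation lines."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]            # folded line: drop the single leading space
        else:
            lines.append(raw)
    entries, dn = {}, None
    for line in lines:
        if not line.strip():
            dn = None                       # blank line terminates the entry
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            dn, entries[value] = value, []
        elif attr == "aci" and dn is not None:
            entries[dn].append(value)
    return entries

def audit(ldif_text):
    # Entries strictly below the suffix are what turn the proxy into default-deny.
    below = {d: a for d, a in parse_ldif(ldif_text).items() if d.lower().endswith("," + SUFFIX)}
    acis = sum(len(a) for a in below.values())
    mode = ("default-allow" if not below          # DIT under the suffix not created yet
            else "default-deny-all" if acis == 0  # DIT remains, every aci removed: lockout
            else "default-deny")                  # only the listed ACIs grant access
    return {"mode": mode, "entries": len(below), "acis": acis}

# Constructed sample dumps shaped like the DIT in the note (group name is made up).
SAMPLE_AFTER_ADD = """\
dn: cn=virtual acis

dn: cn=ProxyGroup,cn=virtual acis

dn: dc=com,cn=ProxyGroup,cn=virtual acis

dn: dc=example,dc=com,cn=ProxyGroup,cn=virtual acis
aci: (targetattr="*")(version 3.0; acl "app read"; allow (read,search,
 compare) userdn="ldap:///uid=app,ou=people,dc=example,dc=com";)
aci: (targetattr="userPassword")(version 3.0; acl "hide pwd"; deny (read)
  userdn="ldap:///anyone";)
"""
SAMPLE_BEFORE_ANY = "dn: cn=virtual acis\n"
SAMPLE_ALL_DELETED = SAMPLE_AFTER_ADD.split("aci:")[0]   # DIT kept, every aci removed
```

Running `audit()` over a real dump is a quick way to spot the "default-deny-all" state this note warns about, where deleting the last ACI does not restore the original allow-all behavior.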




In this Document
 - Configuring the userdn in the Bind Rule
 - Using Wildcards in the LDAP URL
 - Global ACIs
