OUD - After First Virtual ACI Created Even After ACI Deleted the Default Behavior of Deny All Applies (Doc ID 2451409.1)

Last updated on MAY 02, 2019

Applies to:

Goal

OUD Proxy uses Virtual ACIs to allow /deny access to its data sources.

Virtual ACIs are created by -

1) Creating an Access Control Group
2) Associating/Configuring the Access Control Group in a workflow
3) Configuring virtual-aci-mode to true in that workflow

At that point, when running ldapsearch against the OUD Proxy Admin port when searching under the "cn=virtual acis" suffix there will be no ACIs configured (unless there were others configured previously), and the Directory Information Tree (DIT) under that suffix does not exist. Because of that, by default all will be allowed.

4) Adding ACIs
After adding ACIs, the structure will be something like this based on the suffix configured as the ACI target -

dn: cn=virtual acis

dn: cn=<AccessControlGroupName>,cn=virtual acis

dn: dc=com,cn=<AccessControlGroupName>,cn=virtual acis

dn: dc=example,dc=com,cn=<AccessControlGroupName>,cn=virtual acis
aci: <aci #1>
aci: <aci #2>

...

And after the ACIs are added and the DIT structure under "cn=virtual acis" has been created, by default all is denied other than the ACIs configured.

If an ACI with an explicit deny is removed, then the behavior will be the same since by default all is denied.

This article explains how to give access to users through Virtual ACIs and possible inconsistencies between access to data sources and the Virtual ACI configuration.

Solution

My Oracle Support provides customers with access to over a million knowledge articles and a vibrant support community of peers and Oracle experts.