OUD - How Global ACIs Affect Access with a Virtual ACI Configuration (Doc ID 2451409.1)

Last updated on DECEMBER 27, 2023

Applies to:

Goal

OUD Proxy uses Virtual ACIs to allow /deny access to its data sources.

Virtual ACIs are created by -

1) Creating an Access Control Group
2) Associating/Configuring the Access Control Group in a workflow
3) Configuring virtual-aci-mode to true in that workflow

At this point when running the ldapsearch command against the OUD Proxy Admin port and searching under the "cn=virtual acis" suffix there will be no ACIs configured.  (That is, unless there were others configured previously)  The Directory Information Tree (DIT) under that suffix does not exist.   Because of this the default of ALL will be allowed.

4) Adding ACIs
After adding ACIs, the structure will be based on the suffix configured as the ACI target and will be something like the below:

dn: cn=virtual acis

dn: cn=<AccessControlGroupName>,cn=virtual acis

dn: dc=com,cn=<AccessControlGroupName>,cn=virtual acis

dn: dc=SUFFIX,dc=com,cn=<AccessControlGroupName>,cn=virtual acis
aci: <aci #1>
aci: <aci #2>

...

And after the ACIs are added and the DIT structure under "cn=virtual acis" has been created, by default ALL are denied other than the ACIs configured.

If an ACI with an explicit deny is removed, then the behavior will be the same since by default ALL are denied.

This article explains how to give access to users through Virtual ACIs and possible inconsistencies between access to data sources and the Virtual ACI configuration.

Solution

My Oracle Support provides customers with access to over a million knowledge articles and a vibrant support community of peers and Oracle experts.