OUD - When No Virtual ACIs Configured, Default is Allow All; After First Virtual ACI Created Even After ACI Deleted the Behavior of Deny All Applies / How Global ACIs Affect Access With a Virtual ACI Configuration (Doc ID 2451409.1)

Last updated on SEPTEMBER 30, 2020

Applies to:

Goal

OUD Proxy uses Virtual ACIs to allow /deny access to its data sources.

Virtual ACIs are created by -

1) Creating an Access Control Group
2) Associating/Configuring the Access Control Group in a workflow
3) Configuring virtual-aci-mode to true in that workflow

At that point, when running ldapsearch against the OUD Proxy Admin port when searching under the "cn=virtual acis" suffix there will be no ACIs configured (unless there were others configured previously), and the Directory Information Tree (DIT) under that suffix does not exist. Because of that, by default all will be allowed.

4) Adding ACIs
After adding ACIs, the structure will be something like this based on the suffix configured as the ACI target -

dn: cn=virtual acis

dn: cn=<AccessControlGroupName>,cn=virtual acis

dn: dc=com,cn=<AccessControlGroupName>,cn=virtual acis

dn: dc=example,dc=com,cn=<AccessControlGroupName>,cn=virtual acis
aci: <aci #1>
aci: <aci #2>

...

And after the ACIs are added and the DIT structure under "cn=virtual acis" has been created, by default all is denied other than the ACIs configured.

If an ACI with an explicit deny is removed, then the behavior will be the same since by default all is denied.

This article explains how to give access to users through Virtual ACIs and possible inconsistencies between access to data sources and the Virtual ACI configuration.

Solution

My Oracle Support provides customers with access to over a million knowledge articles and a vibrant support community of peers and Oracle experts.