# oidctxupg82.ldif Created 7/29/00 # # Modified: # 05/15/01 nlewis Make some attrs in the DBSEC container readable # 04/19/01 nlewis Remove extraneous orclprivilegegroups # 04/19/01 nlewis Add default value to dbauthtypes for def domain # 08/21/00 akolli Make the OracleDefaultDomain a group # 08/21/00 akolli Move the AQ specific stuff here # 08/16/00 akolli Add UserSecurityAdmins group # 08/16/00 nlewis Add variables for Context DN and current user # 08/01/00 nlewis Update ACL for default domain # 07/29/00 nlewis Creation # # This ldif file updates the standard objects for an Oracle context, # including: # add a new groups container # add a new services container # add new Net, ESM, and Common containers under Products # add a new context admins group # add admin group under the default domain # change the ACL in the DBSecurityAdmins group entry # change the ACL in the DBSecurity container # add new 8.2 objectclass to default domain # change the default domain ACL to allow access to self, and the new group # change the ACL in the context entry to give context admins root # # Please note that this file # is really a SAMPLE file, and is only used directly by the RDBMS regression # tests. There is a separate version of this file for each directory other # than OID - for example, adctxupg82.ldif for Microsoft Active Directory. # # # *********************** oidctxupg82.ldif ************************** # # Create the additional attributes required for the context # dn: %s_OracleContextDN% changetype: modify add: objectclass objectclass: orclContextAux82 - add: orclVersion orclVersion: 90000 # # Create Groups container object under the context # dn: cn=Groups,%s_OracleContextDN% changetype: add cn: Groups objectclass: top objectclass: orclContainer # # Create Services container object under the context # dn: cn=Services,%s_OracleContextDN% changetype: add cn: Services objectclass: top objectclass: orclContainer # # Create Net container object under Products # dn: cn=Net,cn=Products,%s_OracleContextDN% changetype: add cn: Net objectclass: top objectclass: orclContainer # # Create ESM container object under Products # dn: cn=ESM,cn=Products,%s_OracleContextDN% changetype: add cn: ESM objectclass: top objectclass: orclContainer # # Create Common container object under Products # dn: cn=Common,cn=Products,%s_OracleContextDN% changetype: add cn: Common orclCommonNickNameAttribute: uid orclCommonApplicationGuidAttribute: orclGlobalID orclCommonUserSearchBase: %s_OracleContextParentDN% orclCommonGroupSearchBase: %s_OracleContextParentDN% orclVersion: 90000 objectclass: top objectclass: orclCommonAttributes # # Create new context admin group under Groups container # dn: cn=OracleContextAdmins,cn=Groups,%s_OracleContextDN% changetype: add cn: OracleContextAdmins uniquemember: %s_CurrentUserDN% objectclass: top objectclass: groupofUniqueNames objectclass: orclPrivilegeGroup # # Create new user security admin group under Groups container # dn: cn=OracleUserSecurityAdmins,cn=Groups,%s_OracleContextDN% changetype: add cn: OracleUserSecurityAdmins uniquemember: %s_CurrentUserDN% objectclass: top objectclass: groupofUniqueNames objectclass: orclPrivilegeGroup # # Create new password-accessible domains group under Groups container # dn: cn=OraclePasswordAccessibleDomains,cn=Groups,%s_OracleContextDN% changetype: add cn: OraclePasswordAccessibleDomains uniquemember: cn=OracleDBSecurityAdmins,%s_OracleContextDN% objectclass: top objectclass: groupofUniqueNames objectclass: orclPrivilegeGroup orclaci: access to entry by group="cn=OracleDBSecurityAdmins,%s_OracleContextDN%" (browse,add,delete) by * (none) orclaci: access to attr=(*) by group="cn=OracleDBSecurityAdmins,%s_OracleContextDN%" (read,search,compare,selfwrite,write) by * (none) # # Create new default domain admin group under Default Domain # dn: cn=OracleDomainAdmins,cn=OracleDefaultDomain,cn=OracleDBSecurity,cn=Products,%s_OracleContextDN% changetype: add cn: OracleDomainAdmins uniquemember: %s_CurrentUserDN% objectclass: top objectclass: groupofUniqueNames objectclass: orclPrivilegeGroup # # Set up ACLs on the new context admin group. We don't need to set up ACLs on # the new domain admin group, since they are inherited from the domain entry # itself (that we will update). # dn: cn=OracleContextAdmins,cn=Groups,%s_OracleContextDN% changetype: modify replace: orclaci orclaci: access to entry by * (none) orclaci: access to attr=(*) by * (none) # # Update DBSecurityAdmins group # ACLs since they no longer act as root, including having automatic # access to their own groups. Note that ContextAdmins will have full # privileges on all groups inherited from the Oracle Context object ACI. # Don't remove any customer-generated ACLs. # dn: cn=OracleDBSecurityAdmins,%s_OracleContextDN% changetype: modify add: orclaci orclaci: access to entry by group="cn=OracleDBSecurityAdmins,%s_OracleContextDN%" (browse,add,delete) by * (none) orclaci: access to attr=(*) by group="cn=OracleDBSecurityAdmins,%s_OracleContextDN%" (read,search,compare,selfwrite,write) by * (none) # # Update ACL on DB Security container object so DBSecurityAdmins have privs. # Don't remove DBCreators permissions, or any other the customer has created. # Need to first delete the old ACI, and then add back in a whole new one, so # DB security admins don't fall into * category. This can be simplified once # OID ER #1368447. # dn: cn=OracleDBSecurity,cn=Products,%s_OracleContextDN% changetype: modify delete: orclaci orclaci: access to entry by group="cn=OracleDBCreators,%s_OracleContextDN%" (browse) by * (none) orclaci: access to attr=(*) by group="cn=OracleDBCreators,%s_OracleContextDN%" (read,search,compare) by * (none) dn: cn=OracleDBSecurity,cn=Products,%s_OracleContextDN% changetype: modify add: orclaci orclaci: access to entry by group="cn=OracleDBSecurityAdmins,%s_OracleContextDN%" (browse,add,delete) by group="cn=OracleDBCreators,%s_OracleContextDN%" (browse) by * (none) orclaci: access to attr=(*) by group="cn=OracleDBSecurityAdmins,%s_OracleContextDN%" (read,search,compare,selfwrite,write) by group="cn=OracleDBCreators,%s_OracleContextDN%" (read,search,compare) by * (none) # # Add orclDBSecConfig aux class to OracleDBSecurity container # (requested by nlewis and added by akolli) dn: cn=OracleDBSecurity,cn=Products,%s_OracleContextDN% changetype: modify add: objectclass objectclass: orclDBSecConfig dn: cn=OracleDBSecurity,cn=Products,%s_OracleContextDN% changetype: modify add: orclDBVersionCompatibility orclDBVersionCompatibility: 81000 # set the ACLs on OracleDBSecurity contained for letting public access to this dn: cn=OracleDBSecurity,cn=Products,%s_OracleContextDN% changetype: modify add: orclentrylevelaci orclentrylevelaci: access to entry by * (browse,noadd,nodelete) orclentrylevelaci: access to attr=(orcldbversioncompatibility,objectclass) by * (read,search,compare,nowrite,noselfwrite) orclentrylevelaci: access to attr!=(orcldbversioncompatibility,objectclass) by * (noread,nosearch,nocompare,nowrite,noselfwrite) # # Add 8.2 upgrades to default domain # *****Add orcldbentdom82 from oidctx.ldif once another # OID bug is fixed. # dn: cn=OracleDefaultDomain,cn=OracleDBSecurity,cn=Products,%s_OracleContextDN% changetype: modify add: objectclass objectclass: orclDBEnterpriseDomain_82 - add: uniquemember uniquemember: cn=OracleDBSecurity,cn=Products,%s_OracleContextDN% - add: orcldbauthtypes orcldbauthtypes: ALL # # # Change ACL on default domain so members of the new domain admin group # automatically have full access, and you don't have to add new domain # admins to the ACLs (just add them to the group). No change to the # old entry level ACI because we don't want DBcreators to have write access # to the underlying roles and mappings. Note that (No change from 8.1) # when a DB is added to this domain, the ACI would be modified to # include a new orclACI that allows the server browse and read access. Now, # since the new DB is in the uniquemember attribute, it automatically gets # read access by virtue of the read access granted to the domain itself # (viewed as a group). The following ACI is therefore no longer necessary # in 8.2: # orclaci: access to entry by dn="cn=server1,cn=OracleContext,ou=Americas, # o=Oracle,c=US" (browse) # orclaci: orclaci: access to attr=(*) by dn="cn=server1,cn=OracleContext, # ou=Americas,o=Oracle,c=US" (read,search,compare) # # This next ACI must be inherited so the DB can view the underlying roles and # mapping objects. # dn: cn=OracleDefaultDomain,cn=OracleDBSecurity,cn=Products,%s_OracleContextDN% changetype: modify add: orclaci orclaci: access to entry by group="cn=OracleDomainAdmins,cn=OracleDefaultDomain,cn=OracleDBSecurity,cn=Products,%s_OracleContextDN%" (browse,add,delete) by group="cn=OracleDefaultDomain,cn=OracleDBSecurity,cn=Products,%s_OracleContextDN%" (browse) orclaci: access to attr=(*) by group="cn=OracleDomainAdmins,cn=OracleDefaultDomain,cn=OracleDBSecurity,cn=Products,%s_OracleContextDN%" (read,search,compare,selfwrite,write) by group="cn=OracleDefaultDomain,cn=OracleDBSecurity,cn=Products,%s_OracleContextDN%" (read,search,compare) ########################################################## ## AQ specific changes ########################################################## dn: cn=OracleDBAQUsers, %s_OracleContextDN% changetype: add cn: OracleDBAQUsers uniquemember: %s_CurrentUserDN% objectclass: top objectclass: groupofUniqueNames objectclass: orclPrivilegeGroup # # # Create Registration container object to hold registrations # dn: cn=OracleDBRegistration,cn=Products,%s_OracleContextDN% changetype: add cn: OracleDBRegistration objectclass: top objectclass: orclContainer # create the privilige group that has access to OracleDBRegistration dn: cn=OracleDBSubscribers,cn=OracleDBRegistration,cn=Products,%s_OracleContextDN% changetype:add cn: OracleDBSubscribers uniquemember: cn=OracleDBAQUsers, %s_OracleContextDN% objectclass: top objectclass: GroupOfUniqueNames objectclass: orclprivilegegroup # set ACLs for AQ users dn: cn=OracleDBAQUsers, %s_OracleContextDN% changetype: modify replace: orclaci orclaci: access to entry by group="cn=OracleDBAQUsers,%s_OracleContextDN%" (browse) by * (none) orclaci: access to attr=(*) by group="cn=OracleDBAQUsers,%s_OracleContextDN%" (read,search,compare) by * (none) # Set up ACLs on Registration container dn: cn=OracleDBRegistration,cn=Products,%s_OracleContextDN% changetype: modify replace:orclaci orclaci: access to entry by group="cn=OracleDBSubscribers,cn=OracleDBRegistration,cn=Products,%s_OracleContextDN%" (browse, add, delete) by * (none) orclaci: access to attr=(*) by group="cn=OracleDBSubscribers,cn=OracleDBRegistration,cn=Products,%s_OracleContextDN%" (read, search, compare, write, selfwrite) by * (none) # Set up ACLs on Subscriber privilege group. DBSecurityAdmin have full # privileges on this group inherited from the Oracle Context object ACI. dn: cn=OracleDBSubscribers,cn=OracleDBRegistration,cn=Products,%s_OracleContextDN% changetype:modify replace: orclaci orclaci: access to entry by group="cn=OracleDBSubscribers,cn=OracleDBRegistration,cn=Products,%s_OracleContextDN%" (browse) by * (none) orclaci: access to attr=(*) by group="cn=OracleDBSubscribers,cn=OracleDBRegistration,cn=Products,%s_OracleContextDN%" (read, search, compare) by * (none) ########################################################## # End of AQ specific stuff ########################################################## # # Update ACLs on the OracleContext object: remove the OracleDBSecurityAdmins # root privileges, and grant those privs to OracleContextAdmins instead. # Also, change all privs to net objects from DBSecurityAdmins to Context # admins. # # First, delete all offending ACIs. # dn: %s_OracleContextDN% changetype: modify delete: orclaci orclaci: access to entry by group="cn=OracleDBSecurityAdmins,%s_OracleContextDN%" (browse,add,delete) by * (browse,noadd,nodelete) orclaci: access to attr=(*) by group="cn=OracleDBSecurityAdmins,%s_OracleContextDN%" (read,search,write,selfwrite,compare) by * (read,search,nowrite,noselfwrite,compare) orclaci: access to entry filter=(objectclass=orclNetService) by group="cn=OracleDBSecurityAdmins,%s_OracleContextDN%" (browse,add,delete) by group="cn=OracleNetAdmins,%s_OracleContextDN%" (browse,add,delete) by * (browse,noadd,nodelete) orclaci: access to entry filter=(objectclass=orclNetDescriptionList) by group="cn=OracleDBSecurityAdmins,%s_OracleContextDN%" (browse,add,delete) by group="cn=OracleNetAdmins,%s_OracleContextDN%" (browse,add,delete) by * (browse,noadd,nodelete) orclaci: access to entry filter=(objectclass=orclNetDescription) by group="cn=OracleDBSecurityAdmins,%s_OracleContextDN%" (browse,add,delete) by group="cn=OracleNetAdmins,%s_OracleContextDN%" (browse,add,delete) by * (browse,noadd,nodelete) orclaci: access to entry filter=(objectclass=orclNetAddressList) by group="cn=OracleDBSecurityAdmins,%s_OracleContextDN%" (browse,add,delete) by group="cn=OracleNetAdmins,%s_OracleContextDN%" (browse,add,delete) by * (browse,noadd,nodelete) orclaci: access to entry filter=(objectclass=orclNetAddress) by group="cn=OracleDBSecurityAdmins,%s_OracleContextDN%" (browse,add,delete) by group="cn=OracleNetAdmins,%s_OracleContextDN%" (browse,add,delete) by * (browse,noadd,nodelete) orclaci: access to attr=(*) filter=(objectclass=orclNetService) by group="cn=OracleDBSecurityAdmins,%s_OracleContextDN%" (read,search,write,selfwrite,compare) by group="cn=OracleNetAdmins,%s_OracleContextDN%" (compare,search,read,write) by * (read,search,compare,nowrite,noselfwrite) orclaci: access to attr=(*) filter=(objectclass=orclNetDescriptionList) by group="cn=OracleDBSecurityAdmins,%s_OracleContextDN%" (read,search,write,selfwrite,compare) by group="cn=OracleNetAdmins,%s_OracleContextDN%" (compare,search,read,write) by * (read,search,compare,nowrite,noselfwrite) orclaci: access to attr=(*) filter=(objectclass=orclNetDescription) by group="cn=OracleDBSecurityAdmins,%s_OracleContextDN%" (read,search,write,selfwrite,compare) by group="cn=OracleNetAdmins,%s_OracleContextDN%" (compare,search,read,write) by * (read,search,compare,nowrite,noselfwrite) orclaci: access to attr=(*) filter=(objectclass=orclNetAddressList) by group="cn=OracleDBSecurityAdmins,%s_OracleContextDN%" (read,search,write,selfwrite,compare) by group="cn=OracleNetAdmins,%s_OracleContextDN%" (compare,search,read,write) by * (read,search,compare,nowrite,noselfwrite) orclaci: access to attr=(*) filter=(objectclass=orclNetAddress) by group="cn=OracleDBSecurityAdmins,%s_OracleContextDN%" (read,search,write,selfwrite,compare) by group="cn=OracleNetAdmins,%s_OracleContextDN%" (compare,search,read,write) by * (read,search,compare,nowrite,noselfwrite) orclaci: access to attr=(orclNetDescString, orclNetDescName) filter=(objectclass=orclService) by group="cn=OracleDBSecurityAdmins,%s_OracleContextDN%" (read,search,write,selfwrite,compare) by group="cn=OracleNetAdmins,%s_OracleContextDN%" (compare,search,read,write) by * (read,search,compare,nowrite,noselfwrite) # # Now, add them back in with the changes. # dn: %s_OracleContextDN% changetype: modify add: orclaci orclaci: access to entry by group="cn=OracleContextAdmins,cn=Groups,%s_OracleContextDN%" (browse,add,delete) by * (browse,noadd,nodelete) orclaci: access to attr=(*) by group="cn=OracleContextAdmins,cn=Groups,%s_OracleContextDN%" (read,search,write,selfwrite,compare) by * (read,search,nowrite,noselfwrite,compare) orclaci: access to entry filter=(objectclass=orclNetService) by group="cn=OracleDBSecurityAdmins,%s_OracleContextDN%" (browse,add,delete) by group="cn=OracleNetAdmins,%s_OracleContextDN%" (browse,add,delete) by * (browse,noadd,nodelete) orclaci: access to entry filter=(objectclass=orclNetDescriptionList) by group="cn=OracleContextAdmins,cn=Groups,%s_OracleContextDN%" (browse,add,delete) by group="cn=OracleNetAdmins,%s_OracleContextDN%" (browse,add,delete) by * (browse,noadd,nodelete) orclaci: access to entry filter=(objectclass=orclNetDescription) by group="cn=OracleContextAdmins,cn=Groups,%s_OracleContextDN%" (browse,add,delete) by group="cn=OracleNetAdmins,%s_OracleContextDN%" (browse,add,delete) by * (browse,noadd,nodelete) orclaci: access to entry filter=(objectclass=orclNetAddressList) by group="cn=OracleContextAdmins,cn=Groups,%s_OracleContextDN%" (browse,add,delete) by group="cn=OracleNetAdmins,%s_OracleContextDN%" (browse,add,delete) by * (browse,noadd,nodelete) orclaci: access to entry filter=(objectclass=orclNetAddress) by group="cn=OracleContextAdmins,cn=Groups,%s_OracleContextDN%" (browse,add,delete) by group="cn=OracleNetAdmins,%s_OracleContextDN%" (browse,add,delete) by * (browse,noadd,nodelete) orclaci: access to attr=(*) filter=(objectclass=orclNetService) by group="cn=OracleContextAdmins,cn=Groups,%s_OracleContextDN%" (read,search,write,selfwrite,compare) by group="cn=OracleNetAdmins,%s_OracleContextDN%" (compare,search,read,write) by * (read,search,compare,nowrite,noselfwrite) orclaci: access to attr=(*) filter=(objectclass=orclNetDescriptionList) by group="cn=OracleContextAdmins,cn=Groups,%s_OracleContextDN%" (read,search,write,selfwrite,compare) by group="cn=OracleNetAdmins,%s_OracleContextDN%" (compare,search,read,write) by * (read,search,compare,nowrite,noselfwrite) orclaci: access to attr=(*) filter=(objectclass=orclNetDescription) by group="cn=OracleContextAdmins,cn=Groups,%s_OracleContextDN%" (read,search,write,selfwrite,compare) by group="cn=OracleNetAdmins,%s_OracleContextDN%" (compare,search,read,write) by * (read,search,compare,nowrite,noselfwrite)