Sun Microsystems 8190994 Server User Manual


  Open as PDF
of 148
 
Removal of the o=netscapeRoot Sux
In previous versions of Directory Server, centralized administration information was kept in
o=netscapeRoot. In the new administration model, the concept of a conguration directory
server no longer exists. The o=netscapeRoot sux is no longer required, and the netscapeRoot
database les are therefore not migrated. The conguration data for this sux can be migrated,
if it is specically required.
Changes to ACIs
The following changes have been made to ACIs in Directory Server 6.0.
Changes in the ACI Scope
In Directory Server 5.2 ACIs on the root DSE had base scope. In Directory Server 6.0, ACIs on
the root DSE have global scope by default, equivalent to targetscope="subtree".
To reproduce the same behavior as Directory Server 5.2, add targetscope="base" to ACIs on
the root DSE. If you use dsmig to migrate the conguration, this is done automatically.
Changes in Sux-Level ACIs
In Directory Server 5.2, the following ACI was provided, at the sux level:
aci: (targetattr != "nsroledn || aci || nsLookThroughLimit ||
nsSizeLimit || nsTimeLimit || nsIdleTimeout || passwordPolicySubentry ||
passwordExpirationTime || passwordExpWarned || passwordRetryCount ||
retryCountResetTime || acc ountUnlockTime || passwordHistory ||
passwordAllowChangeTime")(version 3.0; acl "Allow self entry modification
except for nsroledn, aci, resource limit attributes, passwordPolicySubentry
and password policy state attributes"; allow (write)userdn ="ldap:///self";)
This ACI allowed self-modication of user passwords, among other things. This ACI is no
longer provided in Directory Server 6.0. Instead, the following global ACIs are provided by
default:
aci: (targetattr != "aci") (targetscope = "base") (version 3.0;
aci "Enable read access to rootdse for anonymous users";
allow(read,search,compare) user dn="ldap:///anyone"; )
aci: (targetattr = "*") (version 3.0; acl "Enable full access
for Administrators group"; allow (all)(groupdn =
"ldap:///cn=Administrators,cn=config"); )
ChangestoACIs
SunJavaSystemDirectoryServerEnterpriseEdition6.0 MigrationGuide March200770
SunCondential:Registered
 previous next