Environment
Novell eDirectory 8.7.1 for All Platforms
Novell eDirectory 8.7.3 for All Platforms
Novell eDirectory 8.8 for All Platforms
Situation
How to Modify the default ACL Templates in Schema
Objects created with more default rights than desired
Resolution
1. Export the user class definition using ICE from iManager:
a. On the first screen in ICE, select the export data radio button
b. On the second screen, fill in the server IP address, leave all other defaults as is
c. On the third screen, set the Base DN box value to "cn=schema", click the "Base" radio button, set the Search Filter box to "objectclasses=inetOrgPerson", and leave the "all user attributes" radio button selected.
d. On the fourth screen, leave file type as LDIF
e. On the fifth screen, click finish
When complete, a file named export.ldf will be created in sys:tomcat\4\webapps\nps\WEB_INF\temp\<random ice directory>\. With iManager 2.7, you should see a "download export file" link that you can click to get the output file, rather than having to retrieve it from the tomcat subdirectory. The file should look something like this (note that the list of attributes following MAY will likely be somewhat different, and could be very different depending on the products that have been installed in your tree; this example is from a tree with only NetWare 6.5 installed and no additional products):
#This LDIF file was generated by Novell's ICE and the LDIF destination handler.
version: 1
dn: cn=schema
changetype: add
objectClasses: ( 2.16.840.1.113730.3.2.2 NAME 'inetOrgPerson' SUP ( organizati
 onalPerson $ ndsLoginProperties ) STRUCTURAL MAY ( groupMembership $ ndsHome
 Directory $ loginAllowedTimeMap $ loginDisabled $ loginExpirationTime $ logi
 nGraceLimit $ loginGraceRemaining $ loginIntruderAddress $ loginIntruderAtte
 mpts $ loginIntruderResetTime $ loginMaximumSimultaneous $ loginScript $ log
 inTime $ networkAddressRestriction $ networkAddress $ passwordsUsed $ passwo
 rdAllowChange $ passwordExpirationInterval $ passwordExpirationTime $ passwo
 rdMinimumLength $ passwordRequired $ passwordUniqueRequired $ printJobConfig
 uration $ privateKey $ Profile $ publicKey $ securityEquals $ accountBalance
  $ allowUnlimitedCredit $ minimumAccountBalance $ messageServer $ Language $
  lockedByIntruder $ serverHolds $ lastLoginTime $ typeCreatorMap $ higherPri
 vileges $ printerControl $ securityFlags $ profileMembership $ Timezone $ sA
 SServiceDN $ sASSecretStore $ sASSecretStoreKey $ sASSecretStoreData $ sASPK
 IStoreKeys $ userCertificate $ nDSPKIUserCertificateInfo $ nDSPKIKeystore $
  rADIUSActiveConnections $ rADIUSAttributeLists $ rADIUSConcurrentLimit $ rAD
 IUSConnectionHistory $ rADIUSDefaultProfile $ rADIUSDialAccessGroup $ rADIUS
 EnableDialAccess $ rADIUSPassword $ rADIUSServiceList $ audio $ businessCate
 gory $ carLicense $ departmentNumber $ employeeNumber $ employeeType $ displ
 ayName $ givenName $ homePhone $ homePostalAddress $ initials $ jpegPhoto $
  labeledUri $ mail $ manager $ mobile $ o $ pager $ ldapPhoto $ preferredLang
 uage $ roomNumber $ secretary $ uid $ userSMIMECertificate $ x500UniqueIdent
 ifier $ userPKCS12 $ nRDRegistryData $ nRDRegistryIndex $ nDPSControlFlags $
  nDPSDefaultPrinter $ nDPSDefaultPublicPrinter $ nDPSPrinterInstallList $ nD
 PSPublicPrinterInstallList $ nDPSPrinterInstallTimestamp $ nDPSReplaceAllCli
 entPrinters $ nrmGroupMonitorData $ nisUserGroupDomain $ userPassword ) X-ND
 S_NAME 'User' X-NDS_NOT_CONTAINER '1' X-NDS_NONREMOVABLE '1' X-NDS_ACL_TEMPL
 ATES ( '2#subtree#[Self]#[All Attributes Rights]' '6#entry#[Self]#loginScrip
 t' '1#subtree#[Root Template]#[Entry Rights]' '2#entry#[Public]#messageServe
 r' '2#entry#[Root Template]#groupMembership' '6#entry#[Self]#printJobConfigur
 ation' '2#entry#[Root Template]#networkAddress') )

2. Modify the output file to delete the desired ACL templates. In this case we are deleting '2#entry#[Root Template]#groupMembership' and '2#entry#[Root Template]#networkAddress' (the values highlighted in the original document), that is, [Root]'s rights (essentially, anyone logged into the tree) to read the 'groupMembership' and 'networkAddress' attributes. Edit the file to look something like this:

version: 1
dn: cn=schema
changetype: modify
delete: objectClasses
objectClasses: ( 2.16.840.1.113730.3.2.2 )
-
add: objectClasses
objectClasses: ( 2.16.840.1.113730.3.2.2 NAME 'inetOrgPerson' SUP organization
 alPerson STRUCTURAL MAY ( groupMembership $ ndsHomeDirectory $ loginAllowedT
 imeMap $ loginDisabled $ loginExpirationTime $ loginGraceLimit $ loginGraceR
 emaining $ loginIntruderAddress $ loginIntruderAttempts $ loginIntruderReset
 Time $ loginMaximumSimultaneous $ loginScript $ loginTime $ networkAddressRe
 striction $ networkAddress $ passwordsUsed $ passwordAllowChange $ passwordE
 xpirationInterval $ passwordExpirationTime $ passwordMinimumLength $ passwor
 dRequired $ passwordUniqueRequired $ printJobConfiguration $ privateKey $ Pr
 ofile $ publicKey $ securityEquals $ accountBalance $ allowUnlimitedCredit $
  minimumAccountBalance $ messageServer $ Language $ UID $ lockedByIntruder $
  serverHolds $ lastLoginTime $ typeCreatorMap $ higherPrivileges $ printerCo
 ntrol $ securityFlags $ profileMembership $ Timezone $ sASServiceDN $ sASSec
 retStore $ sASSecretStoreKey $ sASSecretStoreData $ sASPKIStoreKeys $ userCe
 rtificate $ nDSPKIUserCertificateInfo $ nDSPKIKeystore $ rADIUSActiveConnect
 ions $ rADIUSAttributeLists $ rADIUSConcurrentLimit $ rADIUSConnectionHistor
 y $ rADIUSDefaultProfile $ rADIUSDialAccessGroup $ rADIUSEnableDialAccess $
  rADIUSPassword $ rADIUSServiceList $ audio $ businessCategory $ carLicense $
  departmentNumber $ employeeNumber $ employeeType $ displayName $ givenName
  $ homePhone $ homePostalAddress $ initials $ jpegPhoto $ labeledUri $ mail $
  manager $ mobile $ o $ pager $ ldapPhoto $ preferredLanguage $ roomNumber $
  secretary $ uid $ userSMIMECertificate $ x500UniqueIdentifier $ userPKCS12
  $ nRDRegistryData $ nRDRegistryIndex $ nDPSControlFlags $ nDPSDefaultPrinter
  $ nDPSDefaultPublicPrinter $ nDPSPrinterInstallList $ nDPSPublicPrinterInst
 allList $ nDPSPrinterInstallTimestamp $ nDPSReplaceAllClientPrinters $ nrmGr
 oupMonitorData $ userPassword $ nisUserGroupDomain ) X-NDS_NAME 'User' X-NDS
 _NOT_CONTAINER '1' X-NDS_NONREMOVABLE '1' X-NDS_ACL_TEMPLATES ( '2#subtree#[
 Self]#[All Attributes Rights]' '6#entry#[Self]#loginScript' '1#subtree#[Root
  Template]#[Entry Rights]' '2#entry#[Public]#messageServer'
  '6#entry#[Self]#printJobConfiguration' ) )
Note that the differences here are that a delete operation was inserted before the add operation, and that the highlighted values were removed. Because the delete/add pair replaces the whole objectClasses value, everything else in the add operation (the SUP clause, the MAY list and the remaining ACL templates) must be carried over unchanged from the definition exported from your own tree. This file can now be used as input to ICE to remove the two desired ACL templates from the User class definition.
3. Import the modified file using ICE from iManager:
a. On the first screen in ICE, select the import data radio button
b. On the second screen, browse to and select the file you just created above.
c. On the third screen, enter the IP address of the server to make the change on. Note that this server must hold a replica of the Root partition. You can read the schema without being authenticated, but you cannot modify it unless you are a Tree Admin. Select the authenticated login radio button, then fill in the DN of the admin, e.g. cn=admin,o=novell. Then enter the password, and deselect the LBURP checkbox.
d. On the fourth screen, click finish. This will execute the LDIF command, and remove the two ACL templates from the User class definition.
If you go through the first step again to read the User class definition, you will see that the two ACL templates have been removed.
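The edit in step 2 can be scripted so that the rest of the exported definition is carried over exactly and the rights being dropped are spelled out before anything is imported. The following Python script is an added example and is not part of the original TID or of Novell's tooling: it unfolds the LDIF export from step 1 (a line beginning with a single space continues the previous line), lists each ACL template with the rights it grants and to whom, removes the templates named, and writes the delete/add LDIF that step 3 imports. SAMPLE_EXPORT is a constructed, abbreviated copy of the export shown above (the MAY list is shortened; the OID and the ACL templates are the ones the article shows). The privilege bit tables ATTR_RIGHTS and ENTRY_RIGHTS are the eDirectory ACL privilege values as this example assumes them (consistent with the article's '2#...' templates being Read rights), and all function names are the example's own.

```python
"""Remove selected default ACL templates from an eDirectory class definition.

Added example, not code from the original TID or from Novell: automates step 2
of the article. Input is the ICE LDIF export of the class from step 1; output
is the delete/add modify LDIF that step 3 imports.
"""
import re

# Constructed sample input: abbreviated copy of the step-1 export from the
# article (MAY list shortened). Continuation lines start with one space.
SAMPLE_EXPORT = """\
#This LDIF file was generated by Novell's ICE and the LDIF destination handler.
version: 1
dn: cn=schema
changetype: add
objectClasses: ( 2.16.840.1.113730.3.2.2 NAME 'inetOrgPerson' SUP ( organizati
 onalPerson $ ndsLoginProperties ) STRUCTURAL MAY ( groupMembership $ ndsHome
 Directory $ networkAddress $ userPassword ) X-NDS_NAME 'User' X-NDS_NOT_CONTAI
 NER '1' X-NDS_NONREMOVABLE '1' X-NDS_ACL_TEMPLATES ( '2#subtree#[Self]#[All A
 ttributes Rights]' '6#entry#[Self]#loginScript' '1#subtree#[Root Template]#[E
 ntry Rights]' '2#entry#[Public]#messageServer' '2#entry#[Root Template]#group
 Membership' '6#entry#[Self]#printJobConfiguration' '2#entry#[Root Template]#n
 etworkAddress') )
"""

ACL_LIST_RE = re.compile(r"X-NDS_ACL_TEMPLATES \((.*?)\)")
TEMPLATE_RE = re.compile(r"'([^']*)'")

# Assumed eDirectory ACL privilege bits (the article's '2#...' entries are Read).
ATTR_RIGHTS = {1: "Compare", 2: "Read", 4: "Write", 8: "Add Self",
               32: "Supervisor", 64: "Inheritance Control"}
ENTRY_RIGHTS = {1: "Browse", 2: "Add", 4: "Delete", 8: "Rename",
                16: "Supervisor", 64: "Inheritance Control"}


def unfold_ldif(text):
    """Join continuation lines (leading single space) and drop '#' comments."""
    out = []
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and out:
            out[-1] += raw[1:]
        else:
            out.append(raw)
    return out


def fold_ldif_line(line, width=76):
    """Fold one logical line; each continuation line gets the leading space."""
    parts = [line[:width]]
    rest = line[width:]
    while rest:
        parts.append(" " + rest[:width - 1])
        rest = rest[width - 1:]
    return "\n".join(parts)


def parse_class(ldif_text):
    """Return (oid, full objectClasses value, list of ACL template strings)."""
    lines = unfold_ldif(ldif_text)
    values = [l[len("objectClasses: "):] for l in lines
              if l.startswith("objectClasses: ")]
    value = next(v for v in values if "NAME" in v)   # skip a bare-OID delete form
    oid = value.strip(" (").split()[0]
    m = ACL_LIST_RE.search(value)
    templates = TEMPLATE_RE.findall(m.group(1)) if m else []
    return oid, value, templates


def describe(template):
    """Decode 'privs#scope#trustee#target' into the rights it grants."""
    privs, scope, trustee, target = template.split("#")
    table = ENTRY_RIGHTS if target == "[Entry Rights]" else ATTR_RIGHTS
    names = [n for bit, n in table.items() if int(privs) & bit]
    return f"{trustee} gets {'+'.join(names)} on {target} ({scope})"


def build_modify_ldif(export_text, to_remove):
    """Produce the step-3 LDIF: delete the class by OID, re-add it without the
    named templates. Unknown names are rejected so that a typo cannot silently
    leave a default right in place."""
    oid, value, templates = parse_class(export_text)
    missing = sorted(set(to_remove) - set(templates))
    if missing:
        raise ValueError(f"templates not in definition: {missing}")
    kept = [t for t in templates if t not in to_remove]
    new_list = " ".join(f"'{t}'" for t in kept)
    new_value = ACL_LIST_RE.sub(
        lambda _: f"X-NDS_ACL_TEMPLATES ( {new_list} )", value, count=1)
    body = ["version: 1", "dn: cn=schema", "changetype: modify",
            "delete: objectClasses", f"objectClasses: ( {oid} )", "-",
            "add: objectClasses", fold_ldif_line("objectClasses: " + new_value),
            "-"]
    return "\n".join(body) + "\n"


if __name__ == "__main__":
    # The two defaults the article removes: [Root Template] (anyone logged in)
    # reading groupMembership and networkAddress.
    remove = ["2#entry#[Root Template]#groupMembership",
              "2#entry#[Root Template]#networkAddress"]
    for t in parse_class(SAMPLE_EXPORT)[2]:
        print(("REMOVE " if t in remove else "keep   ") + describe(t))
    print(build_modify_ldif(SAMPLE_EXPORT, remove))
```

Run it against your own export.ldf (read the file instead of SAMPLE_EXPORT) and review the "REMOVE"/"keep" listing before importing the output: the listing is the least-privilege check, showing which trustees keep which rights on which attributes once the defaults are trimmed. The script emits a closing "-" after the add operation as RFC 2849 specifies; the hand-edited file in the article omits it, and ICE accepts either.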
Additional Information
Note that this will only succeed on a server running eDirectory 8.7 or later. The changes will synchronize throughout the tree, including to any older versions of eDirectory. If you run DSRepair and select the Rebuild Operational Schema option on an 8.7 or later server, it will not undo the changes you make. However, if you run that option on any earlier version, the original default ACL templates will be restored to any modified base schema elements, such as the User class definition modified in this example.
Formerly known as TID# 10092621