Advanced Access Control Configuration

This section contains information about the following topics:

  Enabling ACL Rule Checking for Community Objects
  Enabling Debugging Messages for Access Control
  Using ACLCHECK options
Enabling ACL Rule Checking for Community Objects

By default, iChain does not consult community objects when checking ACL rules. Community objects were created by earlier versions of iChain and can no longer be created, but rule checking against them is still supported so that pre-existing community objects remain usable.

To enable ACL rule checking for community objects, administrators should do the following:

  1. Unlock the console.

  2. Edit the appstart.ncf.

  3. Change the load aclcheck entry to load aclcheck /m.

  4. Restart the machine.

After this change, ACL rules are checked in the following sequence:

  OUs
  OUs' communities
  groups
  groups' communities
  user
  user's communities

If the /m option is not specified, the three "communities" entries in this list are skipped: only the OUs, the groups and the user itself are checked for ACL rules.


Enabling Debugging Messages for Access Control

The module that provides iChain's access control (ACLCHECK.NLM) can be configured to output debug information at one of two levels, the second more detailed than the first. This information is mainly useful to developers and consultants. By default, no debug information is output.

To enable these debugging options, an administrator can either:

  1. At the console, enter ACLCHECK /D2 to enable debug output temporarily. It stays on until the server is restarted or until ACLCHECK /D0 is entered to turn it off again.

OR

  1. Edit the APPSTART.NCF file on the iChain Proxy Server.

  2. Find the line containing the LOAD ACLCHECK command and add a debug level switch at the end of that line, for example:
    LOAD ACLCHECK /D2

    NOTE:  Enabling the /D2 option can impact performance and should only be used while troubleshooting ACLCHECK issues.

  3. Shut down and restart the proxy server.


Using ACLCHECK options

The ACLCHECK utility can be used with a number of options to refine rule checking. These options are not case sensitive. When you change an ACLCHECK option, the update is stored in the appstart.ncf file.


Table 4. ACLCHECK command line options

Each entry below gives the option, its syntax, an example, and an explanation.

Check dynamic ACLs
  Syntax:   ACLCHECK /Q
  Example:  ACLCHECK /Q
  By default, dynamic ACLs are checked after all traditional (static) ACLs have been checked. If this option is specified, ACLCHECK checks the dynamic ACLs first. Use this option when most of your ACLs are dynamic.

Cache refresh interval
  Syntax:   ACLCHECK /Fnumber_of_minutes
  Example:  ACLCHECK /F300
  Default:  180 minutes
  Keep this number high if you are unlikely to change DS information often. This can improve performance, since ACLCHECK does not have to discard the cache it has already built up.

Maximum log file size
  Syntax:   ACLCHECK /Smax_file_size_in_KB
  Example:  ACLCHECK /S2000
  Default:  1 MB
  NOTE:  If you set this parameter to 7 KB or less, the log files will not be created.

Number of connection handles for the LDAP server
  Syntax:   ACLCHECK /Cnumber_of_connections
  Example:  ACLCHECK /C70
  Default:  10
  If you see an error message stating that ACLCHECK was unable to obtain any LDAP handles, increase this number. The maximum recommended number of connections is 70.

Debug level
  Syntax:   ACLCHECK /Dlevel
  Example:  ACLCHECK /D2
  Default:  0
  Debug information is mainly useful to developers and consultants. Set the level to 1 or 2 for increasingly detailed output.

Utility help
  Syntax:   ACLCHECK /H
  Example:  ACLCHECK /H
  Displays usage information for ACLCHECK.
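Both procedures above (adding /m for community objects, adding /D2 for debugging) and every option in Table 4 come down to the same edit: changing the switches on the single LOAD ACLCHECK line in APPSTART.NCF without duplicating a switch or leaving a stale value behind. The following script is an added example, not part of the iChain product or its documentation. It assumes the APPSTART.NCF has been copied to a workstation where Python is available, that the file holds exactly one LOAD ACLCHECK line, and that the switches are the ones listed in this section (the value limits it enforces for /D, /C and /S are taken from Table 4; the sample file content is constructed for the example).

```python
import re

# Switch letters documented on this page: /Q /M /H take no value; /F /S /C /D take a number.
FLAG_SWITCHES = frozenset("QMH")
VALUE_SWITCHES = frozenset("FSCD")

# Matches "LOAD ACLCHECK" (any case, optional leading whitespace) followed by zero or more
# "/Xnnn" switches and nothing else. A line such as "LOAD ACLCHECK.NLM" deliberately does
# not match, so it is reported rather than silently rewritten.
LOAD_RE = re.compile(r"^(?P<cmd>\s*load\s+aclcheck)(?P<opts>(?:\s+/\w+)*)\s*$",
                     re.IGNORECASE)

# Constructed sample of an APPSTART.NCF fragment (not copied from a real iChain server).
SAMPLE_NCF = """; APPSTART.NCF (constructed sample)
; ... other LOAD lines omitted ...
load aclcheck /D0
"""


def parse_switches(opts: str) -> dict:
    """' /Q /F300 /D2' -> {'Q': None, 'F': '300', 'D': '2'}.
    Keys are upper-cased because ACLCHECK options are not case sensitive."""
    switches = {}
    for token in opts.split():
        switches[token[1].upper()] = token[2:] or None
    return switches


def validate_switch(letter: str, value) -> None:
    """Reject values that Table 4 documents as invalid or self-defeating."""
    if letter in FLAG_SWITCHES:
        if value is not None:
            raise ValueError(f"/{letter} takes no value")
        return
    if letter not in VALUE_SWITCHES:
        raise ValueError(f"unknown ACLCHECK switch /{letter}")
    if value is None or not value.isdigit():
        raise ValueError(f"/{letter} needs a numeric value")
    n = int(value)
    if letter == "D" and n not in (0, 1, 2):
        raise ValueError("debug level must be 0, 1 or 2")
    if letter == "C" and not 1 <= n <= 70:
        raise ValueError("LDAP handles must be 1..70 (70 is the recommended maximum)")
    if letter == "S" and n <= 7:
        raise ValueError("/S of 7 KB or less means no log files are created")


def set_aclcheck_switch(ncf_text: str, letter: str, value=None) -> str:
    """Return ncf_text with /letter[value] set on the LOAD ACLCHECK line.
    An existing setting of the same switch (e.g. /D0) is replaced in place;
    all other switches and the original casing of the command are preserved."""
    letter = letter.upper()
    validate_switch(letter, value)
    lines = ncf_text.splitlines()
    hits = [i for i, line in enumerate(lines) if LOAD_RE.match(line)]
    if len(hits) != 1:
        raise ValueError(f"expected exactly one LOAD ACLCHECK line, found {len(hits)}")
    m = LOAD_RE.match(lines[hits[0]])
    switches = parse_switches(m.group("opts"))
    switches[letter] = value  # overwrite keeps the switch's original position
    rendered = " ".join(f"/{k}{v or ''}" for k, v in switches.items())
    lines[hits[0]] = f"{m.group('cmd')} {rendered}"
    trailing = "\n" if ncf_text.endswith("\n") else ""
    return "\n".join(lines) + trailing


def current_switches(ncf_text: str) -> dict:
    """Switches currently set on the LOAD ACLCHECK line, for checking a result."""
    for line in ncf_text.splitlines():
        m = LOAD_RE.match(line)
        if m:
            return parse_switches(m.group("opts"))
    raise ValueError("no LOAD ACLCHECK line found")


if __name__ == "__main__":
    ncf = set_aclcheck_switch(SAMPLE_NCF, "m")       # step 3 of the community procedure
    ncf = set_aclcheck_switch(ncf, "d", "2")         # debug output for troubleshooting
    ncf = set_aclcheck_switch(ncf, "c", "70")        # more LDAP handles
    print(ncf, end="")
```

Running the script turns the sample's `load aclcheck /D0` into `load aclcheck /D2 /M /C70`; applying the same switch twice is a no-op, and an attempt to set /S7 or /D3 is refused before the file is touched. The server still has to be restarted for the edited line to take effect, as the procedures above state.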