Initializing ACLs with CDBM

When the LDAP server is started with CDBM configured for the first time, the LDAP server creates the following entries:
  • cn=ibmpolicies
  • cn=pwdpolicy,cn=ibmpolicies (if server compatibility level is 6 or greater)
  • cn=configuration
  • cn=Replication,cn=configuration
  • cn=Log Management,cn=configuration
  • cn=Replication,cn=Log Management,cn=configuration
  • cn=admingroup,cn=configuration (if server compatibility level is 7 or greater)
  • cn=safadmingroup,cn=configuration (if server compatibility level is 7 or greater)

The cn=ibmpolicies suffix entry is created with the same initial ACL as a TDBM or LDBM suffix, which allows read access to anybody and propagates the aclEntry and entryOwner values. Therefore, only LDAP administrators with the appropriate authority can update the cn=ibmpolicies suffix. The aclEntry and entryOwner values can be modified; if they are deleted, the default ACL is used.

The cn=configuration suffix entry is created with an entryOwner value set to the root administrator DN (adminDN configuration option) while the aclEntry attribute value is set such that non-LDAP administrators do not have access to cn=configuration entries. The aclEntry and entryOwner values are propagated in the cn=configuration suffix of the CDBM backend. The cn=configuration ACL is:
aclEntry: group=cn=Anybody
Note:
  1. It is suggested that you do not entirely delete the aclEntry and entryOwner values. If they are deleted, the default ACL is used, which allows users other than LDAP administrators with the appropriate authority to access sensitive configuration-related data.
  2. See Administrative group and roles for more information about administrative role authority.
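As an added check (not IBM's code and not part of this page), the following script audits an LDIF export of the CDBM suffixes for the two conditions described above: the cn=configuration suffix entry still carries explicit aclEntry and entryOwner values (so the default ACL is not in effect), and no entry under cn=configuration has an aclEntry that grants cn=Anybody any permission. The LDIF text is constructed for illustration; the assumed aclEntry value layout, subject type, a separator, the subject DN, and optional trailing permission fields, is a simplification for parsing and is not taken from this page.

```python
"""Audit CDBM suffix ACLs from an LDIF dump (added example, not IBM code).

Assumes the LDIF came from an ldapsearch over cn=configuration and
cn=ibmpolicies that requested aclEntry, entryOwner, aclPropagate and
ownerPropagate. All sample values below are constructed.
"""
import re
from typing import Dict, List

# Constructed sample: illustrative only, not captured from a real server.
SAMPLE_LDIF = """\
dn: cn=configuration
objectclass: container
aclEntry: group=cn=Anybody
entryOwner: access-id=cn=Admin
aclPropagate: TRUE
ownerPropagate: TRUE

dn: cn=ibmpolicies
objectclass: container
aclEntry: group=cn=Anybody:normal:rsc
entryOwner: access-id=cn=Admin
aclPropagate: TRUE
ownerPropagate: TRUE

dn: cn=Replication,cn=configuration
objectclass: container
aclEntry: group=cn=Anybody:normal:rsc
"""


def parse_ldif(text: str) -> Dict[str, Dict[str, List[str]]]:
    """Minimal LDIF reader: attribute lines plus folded continuation lines.
    Returns {dn: {attribute-name-lowercased: [values]}}."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # unfold continuation line
        else:
            lines.append(raw)
    entries: Dict[str, Dict[str, List[str]]] = {}
    current = None
    for line in lines:
        if not line.strip():
            current = None                # blank line ends the entry
            continue
        name, _, value = line.partition(":")
        value = value.strip()
        if name.lower() == "dn":
            current = {}
            entries[value] = current
        elif current is not None:
            current.setdefault(name.lower(), []).append(value)
    return entries


def acl_grants_anybody(acl_value: str) -> bool:
    """True if an aclEntry value gives cn=Anybody some permission.
    Assumed layout (not from the page): '<type><sep>cn=Anybody[:<class>:<perms>]...'.
    A value with no trailing permission fields, like the documented
    'group=cn=Anybody', grants nothing."""
    m = re.match(r"(?i)(group|access-id|role)[=:](cn=anybody)(.*)$", acl_value.strip())
    if not m:
        return False
    tail = m.group(3)
    return bool(re.search(r":[a-z]+:[a-z]+", tail, re.I))


def audit_configuration(entries: Dict[str, Dict[str, List[str]]]) -> List[str]:
    """Report cn=configuration entries that fall back to the default ACL
    or that explicitly grant cn=Anybody access."""
    findings: List[str] = []
    for dn, attrs in entries.items():
        key = dn.lower()
        if key != "cn=configuration" and not key.endswith(",cn=configuration"):
            continue
        if key == "cn=configuration":
            # Only the suffix must carry both values; children inherit by propagation.
            for required in ("aclEntry", "entryOwner"):
                if required.lower() not in attrs:
                    findings.append(f"{dn}: {required} missing; default ACL would apply")
        for value in attrs.get("aclentry", []):
            if acl_grants_anybody(value):
                findings.append(f"{dn}: aclEntry grants cn=Anybody access: {value}")
    return findings


if __name__ == "__main__":
    for finding in audit_configuration(parse_ldif(SAMPLE_LDIF)):
        print(finding)
```

Run against a real export by replacing SAMPLE_LDIF with the ldapsearch output; the only finding on the sample is the constructed cn=Replication,cn=configuration entry, whose explicit aclEntry reopens read access that the suffix ACL had closed.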