Initializing ACLs with CDBM
When the LDAP server is started with CDBM configured for the first
time, the LDAP server creates the following entries:
- cn=ibmpolicies
- cn=pwdpolicy,cn=ibmpolicies (if server compatibility level is 6 or greater)
- cn=configuration
- cn=Replication,cn=configuration
- cn=Log Management,cn=configuration
- cn=Replication,cn=Log Management,cn=configuration
- cn=admingroup,cn=configuration (if server compatibility level is 7 or greater)
- cn=safadmingroup,cn=configuration (if server compatibility level is 7 or greater)
The cn=ibmpolicies suffix entry is created with the same initial ACL as a TDBM or LDBM suffix, which allows read access to anybody and propagates the aclEntry and entryOwner values. Therefore, only LDAP administrators with the appropriate authority can update the cn=ibmpolicies suffix. The aclEntry and entryOwner values can be modified. If the aclEntry and entryOwner values are deleted, the default ACL is used.
The cn=configuration suffix entry is created with an entryOwner value set to the root administrator DN (the adminDN configuration option), while the aclEntry attribute value is set such that non-LDAP administrators do not have access to cn=configuration entries. The aclEntry and entryOwner values are propagated in the cn=configuration suffix of the CDBM backend. The cn=configuration ACL is:
aclEntry: group=cn=Anybody
Note:
- It is suggested that you do not entirely delete the aclEntry and entryOwner values. The default ACL is used if they are deleted, and it allows users other than LDAP administrators with the appropriate authority to access sensitive configuration-related data.
- See Administrative group and roles for more information about administrative role authority.