Filtered ACLs and non-filtered ACLs – sample LDIF file
The information provided here describes the ACL models completely, but an administrator learns them best through hands-on trial. Create sample data with sample ACLs for your directory and check the effective ACL of each entry to ensure that the ACL scheme is correct for the required access.

Included is a sample LDIF file that contains combinations of filtered ACLs and non-filtered ACLs. This sample LDIF file can be loaded onto a directory server.

In this sample LDIF file, there is one suffix entry, two user entries and 17 additional entries spread over 5 levels of the directory tree. Each entry has a two-digit designation. The first digit identifies the level of the entry in the directory tree. The entries on each level are also numbered incrementally from left to right; this numbering is reflected in the second digit.
LDIF File:
version: 1

dn: o=sample
objectclass: organization
objectclass: top
o: sample

dn: cn=User1, o=sample
cn: User1
sn: User
objectclass: person
objectclass: top
userPassword: User1

dn: o=Level11, o=sample
o: Level11
objectclass: organization
objectclass: top

dn: o=Level21, o=Level11, o=sample
o: Level21
objectclass: organization
objectclass: top
ibm-filterAclEntry: access-id:CN=USER1,o=sample:(o=Level32):normal:rwsc:sensitive:rsc:critical:rsc

dn: o=Level31, o=Level21, o=Level11, o=sample
o: Level31
objectclass: organization
objectclass: top
ibm-filterAclInherit: FALSE

dn: o=Level41, o=Level31, o=Level21, o=Level11, o=sample
o: Level41
objectclass: organization
objectclass: top

dn: o=Level32, o=Level21, o=Level11, o=sample
o: Level32
objectclass: organization
objectclass: top
ibm-filterAclEntry: access-id:CN=USER1,o=sample:(o=Level42):normal:rwsc:sensitive:rsc:critical:rsc
ibm-filterAclEntry: access-id:CN=USER1,o=sample:(o=Level43):normal:rwsc:sensitive:rwsc:critical:rsc
ibm-filterAclEntry: access-id:CN=USER2,o=sample:(o=Level44):normal:rwsc:sensitive:rsc:critical:rsc

dn: o=Level42, o=Level32, o=Level21, o=Level11, o=sample
o: Level42
objectclass: organization
objectclass: top

dn: o=Level43, o=Level32, o=Level21, o=Level11, o=sample
o: Level43
objectclass: organization
objectclass: top
ibm-filterAclEntry: access-id:CN=USER1,o=sample:(o=Level43):normal:rwsc:sensitive:rsc:critical:rwsc

dn: o=Level44, o=Level32, o=Level21, o=Level11, o=sample
o: Level44
objectclass: organization
objectclass: top
ibm-filterAclEntry: access-id:CN=USER1,o=sample:(o=Level44):normal:rwsc:sensitive:rsc:critical:rsc
ibm-filterAclInherit: FALSE

dn: cn=User2, o=sample
cn: User2
sn: User
objectclass: person
objectclass: top
userPassword: User2

dn: o=Level22, o=Level11, o=sample
o: Level22
objectclass: organization
objectclass: top
aclentry: access-id:CN=USER2,o=sample:normal:rsc:at.sn:deny:c:sensitive:c:critical:c

dn: o=Level33, o=Level22, o=Level11, o=sample
o: Level33
objectclass: organization
objectclass: top

dn: o=Level34, o=Level22, o=Level11, o=sample
o: Level34
objectclass: organization
objectclass: top
ibm-filterAclEntry: access-id:CN=USER2,o=sample:(o=Level34):normal:rwsc:sensitive:rsc:critical:rsc
ibm-filterAclEntry: access-id:CN=USER2,o=sample:(o=Level51):normal:rwsc:sensitive:rwsc:critical:rsc
ibm-filterAclEntry: access-id:CN=USER1,o=sample:(o=Level53):normal:rwsc:sensitive:rsc:critical:rsc
ibm-filterAclEntry: access-id:CN=USER2,o=sample:(o=Level46):normal:rwsc:sensitive:rsc:critical:rsc

dn: o=Level45, o=Level34, o=Level22, o=Level11, o=sample
o: Level45
objectclass: organization
objectclass: top
aclentry: access-id:CN=USER2,o=sample:normal:rwsc:sensitive:rsc:critical:rsc
aclpropagate: FALSE

dn: o=Level51, o=Level45, o=Level34, o=Level22, o=Level11, o=sample
o: Level51
objectclass: organization
objectclass: top
ibm-filterAclEntry: access-id:CN=USER2,o=sample:(o=Level51):normal:rwsc:sensitive:rsc:critical:rsc

dn: o=Level52, o=Level45, o=Level34, o=Level22, o=Level11, o=sample
o: Level52
objectclass: organization
objectclass: top

dn: o=Level53, o=Level45, o=Level34, o=Level22, o=Level11, o=sample
o: Level53
objectclass: organization
objectclass: top

dn: o=Level46, o=Level34, o=Level22, o=Level11, o=sample
o: Level46
objectclass: organization
objectclass: top

dn: o=Level47, o=Level34, o=Level22, o=Level11, o=sample
o: Level47
objectclass: organization
objectclass: top
aclentry: access-id:CN=USER2,o=sample:normal:rwsc:sensitive:rsc:critical:rsc
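The long ibm-filterAclEntry and aclentry values in this file are each a single attribute value. When such a value is wrapped across lines in an LDIF file, the continuation line must start with exactly one space (RFC 2849 line folding); without that space a loader reads the fragment as a new, malformed attribute and the ACL is silently not what was intended. The following Python is an added example, not part of IBM's documentation or tooling: a minimal LDIF reader that handles folded lines and blank-line record separation, run over a constructed excerpt of the sample file. The names parse_ldif, acl_attributes and SNIPPET are this example's own.

```python
# Added example (not IBM's code): a minimal reader for LDIF files like the one
# above. It handles the version line, comments, blank-line entry separation and
# RFC 2849 folded lines (a continuation line starts with one space), which is
# how a wrapped ibm-filterAclEntry value must be written to load cleanly.
# Base64 ('::') and URL (':<') values are not supported.

# Constructed excerpt of the sample file with one folded attribute value.
SNIPPET = """\
version: 1

dn: o=Level21, o=Level11, o=sample
o: Level21
objectclass: organization
objectclass: top
ibm-filterAclEntry: access-id:CN=USER1,o=sample:(o=Level32):normal:rwsc:
 sensitive:rsc:critical:rsc

dn: o=Level31, o=Level21, o=Level11, o=sample
o: Level31
objectclass: organization
objectclass: top
ibm-filterAclInherit: FALSE
"""

def parse_ldif(text):
    """Return [(dn, {attribute_lowercase: [values]})], one tuple per entry."""
    entries, current = [], []

    def flush():
        if not current:
            return
        dn, attrs = None, {}
        for line in current:
            name, _, value = line.partition(":")
            name, value = name.strip().lower(), value.strip()
            if name == "dn":          # normalise "o=a, o=b" to "o=a,o=b"
                dn = ",".join(part.strip() for part in value.split(","))
            else:
                attrs.setdefault(name, []).append(value)
        if dn is None:
            raise ValueError("LDIF record without a dn: " + current[0])
        entries.append((dn, attrs))
        current.clear()

    for raw in text.splitlines():
        if raw.startswith("#") or raw.startswith("version:"):
            continue
        if not raw.strip():
            flush()                  # a blank line ends the record
        elif raw.startswith(" ") and current:
            current[-1] += raw[1:]   # folded line: append without the leading space
        else:
            current.append(raw)
    flush()
    return entries

def acl_attributes(entries):
    """Keep only the ACL-bearing attributes, keyed by dn, for quick inspection."""
    acl_names = {"aclentry", "aclpropagate", "ibm-filteraclentry", "ibm-filteraclinherit"}
    return {dn: {k: v for k, v in attrs.items() if k in acl_names}
            for dn, attrs in entries if attrs.keys() & acl_names}

if __name__ == "__main__":
    for dn, acls in acl_attributes(parse_ldif(SNIPPET)).items():
        print(dn, acls)
```

Running acl_attributes over the full sample file gives a one-screen summary of every entry that carries ACL attributes, which is a convenient starting point before comparing against what the server reports as ibm-effectiveACL.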
The following output is a sample search output with comments about how the ACL was calculated for each entry:

>idsldapsearch -D <admin DN> -w <admin PW> -b o=sample objectclass=* ibm-effectiveACL ibm-filterAclEntry ibm-filterACLInherit aclEntry aclPropagate

o=sample
aclPropagate=TRUE
aclEntry=group:CN=ANYBODY:system:rsc:normal:rsc:restricted:rsc
ibm-effectiveACL=group:CN=ANYBODY:restricted:rsc:normal:rsc:system:rsc

The effective ACL for this entry is the default ACL because the following conditions are true:
- There is no explicit non-filtered ACL defined on this entry.
- There are no propagating non-filtered ACLs defined higher in the directory tree.
- None of the defined filtered ACLs apply to this entry.

cn=User1,o=sample
aclPropagate=TRUE
aclEntry=group:CN=ANYBODY:system:rsc:normal:rsc:restricted:rsc
ibm-effectiveACL=group:CN=ANYBODY:restricted:rsc:normal:rsc:system:rsc

The effective ACL for this entry is the default ACL because the following conditions are true:
- There is no explicit non-filtered ACL defined on this entry.
- There are no propagating non-filtered ACLs defined higher in the directory tree.
- None of the defined filtered ACLs apply to this entry.

o=Level11,o=sample
aclPropagate=TRUE
aclEntry=group:CN=ANYBODY:system:rsc:normal:rsc:restricted:rsc
ibm-effectiveACL=group:CN=ANYBODY:restricted:rsc:normal:rsc:system:rsc

The effective ACL for this entry is the default ACL because the following conditions are true:
- There is no explicit non-filtered ACL defined on this entry.
- There are no propagating non-filtered ACLs defined higher in the directory tree.
- None of the defined filtered ACLs apply to this entry.
o=Level21,o=Level11,o=sample
ibm-filterACLInherit=TRUE
ibm-filterAclEntry=access-id:CN=USER1,o=sample:(o=Level32):normal:rwsc:sensitive:rsc:critical:rsc
ibm-effectiveACL=group:CN=ANYBODY:restricted:rsc:system:rsc:normal:rsc

This entry has a filtered ACL defined on it that does not apply to the entry itself: the filtered ACL defined here only applies to an entry that has o=Level32. The effective ACL for this entry is the default ACL because the following conditions are true:
- There is no explicit non-filtered ACL defined on this entry.
- There are no propagating non-filtered ACLs defined higher in the directory tree.
- None of the defined filtered ACLs apply to this entry.

o=Level31,o=Level21,o=Level11,o=sample
ibm-filterACLInherit=FALSE
ibm-effectiveACL=group:CN=ANYBODY:restricted:rsc:system:rsc:normal:rsc

This entry has ibm-filterACLInherit=FALSE defined on it. This attribute acts as a ceiling and stops the accumulation of filtered ACLs. In this case, there are no filtered ACLs defined below this entry. The effective ACL for this entry is the default ACL because the following conditions are true:
- The ibm-filterACLInherit definition puts this entry in filter ACL mode, which excludes non-filter ACL definitions.
- None of the defined filtered ACLs apply to this entry.

o=Level41,o=Level31,o=Level21,o=Level11,o=sample
ibm-effectiveACL=group:CN=ANYBODY:restricted:rsc:system:rsc:normal:rsc

The effective ACL for this entry is the default ACL because the following conditions are true:
- There is no explicit non-filtered ACL defined on this entry.
- There are no propagating non-filtered ACLs defined higher in the directory tree.
- None of the defined filtered ACLs apply to this entry.
o=Level32,o=Level21,o=Level11,o=sample
ibm-filterACLInherit=TRUE
ibm-filterAclEntry=access-id:CN=USER2,o=sample:(o=Level44):normal:rwsc:sensitive:rsc:critical:rsc
ibm-filterAclEntry=access-id:CN=USER1,o=sample:(o=Level43):normal:rwsc:sensitive:rwsc:critical:rsc
ibm-filterAclEntry=access-id:CN=USER1,o=sample:(o=Level42):normal:rwsc:sensitive:rsc:critical:rsc
ibm-effectiveACL=access-id:CN=USER1,o=sample:normal:rwsc:sensitive:rsc:critical:rsc

The attribute ibm-filterACLInherit=TRUE means that this entry does not act as a ceiling for any filtered ACLs. The three ibm-filterAclEntry attributes show how a filtered ACL can be defined on one entry and apply to another entry. In this case the three filtered ACLs apply to the three children of this entry but not to this entry itself. The effective ACL was calculated by accumulating all the filtered ACLs that apply to this entry. Only one filtered ACL applies to this entry: the one defined on the o=Level21,o=Level11,o=sample entry. No other filtered ACLs apply to this entry, so the effective ACL is taken directly from the filtered ACL defined on the o=Level21,o=Level11,o=sample entry.
o=Level42,o=Level32,o=Level21,o=Level11,o=sample
ibm-effectiveACL=access-id:CN=USER1,o=sample:normal:rwsc:sensitive:rsc:critical:rsc

The filtered ACL defined on the o=Level32,o=Level21,o=Level11,o=sample entry is used to calculate the effective ACL for this entry.

o=Level43,o=Level32,o=Level21,o=Level11,o=sample
ibm-filterACLInherit=TRUE
ibm-filterAclEntry=access-id:CN=USER1,o=sample:(o=Level43):normal:rwsc:sensitive:rsc:critical:rwsc
ibm-effectiveACL=access-id:CN=USER1,o=sample:normal:rwsc:sensitive:rwsc:critical:rwsc

This entry is a simple example of how filtered ACLs accumulate. The filtered ACL defined on the o=Level32,o=Level21,o=Level11,o=sample entry is combined with the filtered ACL defined on the o=Level43,o=Level32,o=Level21,o=Level11,o=sample entry to give read, write, search and compare access to all three classes of attributes for user 1.

o=Level44,o=Level32,o=Level21,o=Level11,o=sample
ibm-filterACLInherit=FALSE
ibm-filterAclEntry=access-id:CN=USER1,o=sample:(o=Level44):normal:rwsc:sensitive:rsc:critical:rsc
ibm-effectiveACL=access-id:CN=USER1,o=sample:normal:rwsc:sensitive:rsc:critical:rsc

This entry is a simple example of how the ibm-filterACLInherit attribute can be used to stop the accumulation of filtered ACLs. The filtered ACL defined on the o=Level32,o=Level21,o=Level11,o=sample entry does not apply to this entry because ibm-filterACLInherit=FALSE. Only the filtered ACL defined on the o=Level44,o=Level32,o=Level21,o=Level11,o=sample entry applies, giving access to user 1. If the ibm-filterACLInherit value is changed to TRUE, the effective ACL gives access to both user 2 and user 1, and looks like the following example:
ibm-effectiveACL=access-id:CN=USER2,o=sample:normal:rwsc:sensitive:rsc:critical:rsc
ibm-effectiveACL=access-id:CN=USER1,o=sample:normal:rwsc:sensitive:rsc:critical:rsc
cn=User2,o=sample
aclPropagate=TRUE
aclEntry=group:CN=ANYBODY:system:rsc:normal:rsc:restricted:rsc
ibm-effectiveACL=group:CN=ANYBODY:restricted:rsc:normal:rsc:system:rsc

The effective ACL for this entry is the default ACL because the following conditions are true:
- There is no explicit non-filtered ACL defined on this entry.
- There are no propagating non-filtered ACLs defined higher in the directory tree.
- None of the defined filtered ACLs apply to this entry.

o=Level22,o=Level11,o=sample
aclPropagate=TRUE
aclEntry=access-id:CN=USER2,o=sample:sensitive:c:at.sn:deny:c:normal:rsc:critical:c
ibm-effectiveACL=access-id:CN=USER2,o=sample:critical:c:normal:rsc:at.sn:deny:c:sensitive:c

This is an example of non-filtered ACLs. The effective ACL for this entry is the ACL defined in the entry.
Note: The value returned in the effective ACL is the server's normalized value.

o=Level33,o=Level22,o=Level11,o=sample
aclPropagate=TRUE
aclEntry=access-id:CN=USER2,o=sample:sensitive:c:at.sn:deny:c:normal:rsc:critical:c
ibm-effectiveACL=access-id:CN=USER2,o=sample:critical:c:normal:rsc:at.sn:deny:c:sensitive:c

This is an example of the non-filtered ACL defined on the o=Level22,o=Level11,o=sample entry propagating down to the o=Level33,o=Level22,o=Level11,o=sample entry. This propagation occurs because the aclPropagate attribute was set to TRUE in the o=Level22,o=Level11,o=sample entry.
o=Level34,o=Level22,o=Level11,o=sample
ibm-filterACLInherit=TRUE
ibm-filterAclEntry=access-id:CN=USER2,o=sample:(o=Level46):normal:rwsc:sensitive:rsc:critical:rsc
ibm-filterAclEntry=access-id:CN=USER1,o=sample:(o=Level53):normal:rwsc:sensitive:rsc:critical:rsc
ibm-filterAclEntry=access-id:CN=USER2,o=sample:(o=Level51):normal:rwsc:sensitive:rwsc:critical:rsc
ibm-filterAclEntry=access-id:CN=USER2,o=sample:(o=Level34):normal:rwsc:sensitive:rsc:critical:rsc
ibm-effectiveACL=access-id:CN=USER2,o=sample:normal:rwsc:sensitive:rsc:critical:rsc

This entry has four filtered ACLs defined on it. One of the filtered ACLs applies to this entry, and the effective ACL is the result of that filtered ACL.
Note: The non-filtered ACL defined on the o=Level22,o=Level11,o=sample entry did not propagate to this entry, because filtered ACLs are defined on this entry and only one kind of ACL can exist on a given entry.

o=Level45,o=Level34,o=Level22,o=Level11,o=sample
aclPropagate=FALSE
aclEntry=access-id:CN=USER2,o=sample:sensitive:rsc:normal:rwsc:critical:rsc
ibm-effectiveACL=access-id:CN=USER2,o=sample:critical:rsc:normal:rwsc:sensitive:rsc

This entry has an explicit non-filtered ACL defined, and the effective ACL is taken from the explicitly defined ACL. Because aclPropagate is FALSE, the defined non-filtered ACL does not propagate down the tree.
o=Level51,o=Level45,o=Level34,o=Level22,o=Level11,o=sample
ibm-filterACLInherit=TRUE
ibm-filterAclEntry=access-id:CN=USER2,o=sample:(o=Level51):normal:rwsc:sensitive:rsc:critical:rsc
ibm-effectiveACL=access-id:CN=USER2,o=sample:normal:rwsc:sensitive:rwsc:critical:rsc

This entry is an example of how filtered ACLs can accumulate even past a non-filtered ACL entry. The effective ACL for the entry is a combination of the filtered ACL defined on the o=Level34,o=Level22,o=Level11,o=sample entry and the one defined on the o=Level51,o=Level45,o=Level34,o=Level22,o=Level11,o=sample entry.

o=Level52,o=Level45,o=Level34,o=Level22,o=Level11,o=sample
ibm-effectiveACL=group:CN=ANYBODY:restricted:rsc:system:rsc:normal:rsc

The effective ACL for this entry is the default ACL. Because the entry does not have any explicit ACL attributes to set the mode to either filtered or non-filtered, you must look up the directory tree for the ACL source. The Level45 entry has non-filtered ACLs, but has aclPropagate set to FALSE, so it is not the ACL source. The next ancestor in the directory tree, the Level34 entry, is of the filter ACL type, so the Level34 entry is the ACL source for the entry. Since there are no filtered ACLs in the tree that apply to the entry, the default ACL is applied.
o=Level53,o=Level45,o=Level34,o=Level22,o=Level11,o=sample
ibm-effectiveACL=access-id:CN=USER1,o=sample:normal:rwsc:sensitive:rsc:critical:rsc

The effective ACL for this entry is the filtered ACL defined on the o=Level34,o=Level22,o=Level11,o=sample entry.

o=Level46,o=Level34,o=Level22,o=Level11,o=sample
ibm-effectiveACL=access-id:CN=USER2,o=sample:normal:rwsc:sensitive:rsc:critical:rsc

The effective ACL for this entry is the filtered ACL for o=Level46 defined on the o=Level34,o=Level22,o=Level11,o=sample entry.

o=Level47,o=Level34,o=Level22,o=Level11,o=sample
aclPropagate=TRUE
aclEntry=access-id:CN=USER2,o=sample:sensitive:rsc:normal:rwsc:critical:rsc
ibm-effectiveACL=access-id:CN=USER2,o=sample:critical:rsc:normal:rwsc:sensitive:rsc

This entry has an explicit non-filtered ACL defined, so the effective ACL is taken from the explicitly defined ACL.
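The rules worked through in the comments above are compact enough to model: an explicit non-filtered ACL on the entry wins; otherwise the ACL source is found by climbing the tree, where a non-filtered ancestor with aclPropagate=TRUE supplies the ACL, one with aclPropagate=FALSE is skipped, and a filter-type ancestor puts the entry in filter mode; in filter mode every filtered ACL whose filter matches the entry is accumulated from the entry upward, skipping non-filtered entries, until an ibm-filterAclInherit=FALSE ceiling; and if nothing applies the server default is used. The following Python is an added example, not IBM's code: it encodes the sample tree from the LDIF above and reproduces the ibm-effectiveACL values listed in the search output, including the what-if for o=Level44 with ibm-filterAclInherit changed to TRUE. It assumes filters are simple (attr=value) tests against the entry's RDN, carries attribute-level clauses such as at.sn:deny:c as an opaque class key, and ignores subject types other than the ones in the sample; the names SAMPLE, effective_acl, parse_acl, merge, chain, filter_matches and default_acl are this example's own.

```python
# Added example (not IBM's code): a toy evaluator for the ACL rules this page
# walks through. It understands only '(attr=value)' filters, tested against the
# entry's RDN, and the aclEntry / ibm-filterAclEntry value syntax used above.
U1, U2 = "access-id:CN=USER1,o=sample", "access-id:CN=USER2,o=sample"
# The sample tree as {dn: ACL attributes}, constructed from the LDIF above. Entries
# with no ACL attributes (o=sample, cn=User1, o=Level42, ...) are omitted and treated
# as empty; attribute names are lower-cased, values are kept as written.
SAMPLE = {
    "o=Level21,o=Level11,o=sample": {"ibm-filteraclentry": [U1 + ":(o=Level32):normal:rwsc:sensitive:rsc:critical:rsc"]},
    "o=Level31,o=Level21,o=Level11,o=sample": {"ibm-filteraclinherit": ["FALSE"]},
    "o=Level32,o=Level21,o=Level11,o=sample": {"ibm-filteraclentry": [
        U1 + ":(o=Level42):normal:rwsc:sensitive:rsc:critical:rsc",
        U1 + ":(o=Level43):normal:rwsc:sensitive:rwsc:critical:rsc",
        U2 + ":(o=Level44):normal:rwsc:sensitive:rsc:critical:rsc"]},
    "o=Level43,o=Level32,o=Level21,o=Level11,o=sample": {"ibm-filteraclentry": [
        U1 + ":(o=Level43):normal:rwsc:sensitive:rsc:critical:rwsc"]},
    "o=Level44,o=Level32,o=Level21,o=Level11,o=sample": {"ibm-filteraclinherit": ["FALSE"],
        "ibm-filteraclentry": [U1 + ":(o=Level44):normal:rwsc:sensitive:rsc:critical:rsc"]},
    "o=Level22,o=Level11,o=sample": {"aclentry": [U2 + ":normal:rsc:at.sn:deny:c:sensitive:c:critical:c"]},
    "o=Level34,o=Level22,o=Level11,o=sample": {"ibm-filteraclentry": [
        U2 + ":(o=Level34):normal:rwsc:sensitive:rsc:critical:rsc",
        U2 + ":(o=Level51):normal:rwsc:sensitive:rwsc:critical:rsc",
        U1 + ":(o=Level53):normal:rwsc:sensitive:rsc:critical:rsc",
        U2 + ":(o=Level46):normal:rwsc:sensitive:rsc:critical:rsc"]},
    "o=Level45,o=Level34,o=Level22,o=Level11,o=sample": {"aclpropagate": ["FALSE"],
        "aclentry": [U2 + ":normal:rwsc:sensitive:rsc:critical:rsc"]},
    "o=Level51,o=Level45,o=Level34,o=Level22,o=Level11,o=sample": {"ibm-filteraclentry": [
        U2 + ":(o=Level51):normal:rwsc:sensitive:rsc:critical:rsc"]},
    "o=Level47,o=Level34,o=Level22,o=Level11,o=sample": {"aclentry": [U2 + ":normal:rwsc:sensitive:rsc:critical:rsc"]},
}

def default_acl():
    """The server default ACL shown in the sample output (a fresh copy each call)."""
    return {"group:CN=ANYBODY": {c: set("rsc") for c in ("normal", "system", "restricted")}}

def parse_acl(value):
    """'subject:dn[:(filter)]:class[:deny]:perms...' -> (subject, filter or None, {class: perms})."""
    parts = value.split(":")
    subject, rest = parts[0] + ":" + parts[1], parts[2:]
    filt = rest.pop(0) if rest and rest[0].startswith("(") else None
    grants, i = {}, 0
    while i < len(rest):
        key = rest[i]
        if rest[i + 1] in ("grant", "deny"):   # attribute-level clause, e.g. at.sn:deny:c
            key, i = key + ":" + rest[i + 1], i + 1
        grants[key] = set(rest[i + 1])
        i += 2
    return subject, filt, grants

def filter_matches(filt, dn):
    """Assumption: a filter is a plain '(attr=value)' test against the entry's RDN."""
    attr, _, value = filt.strip("()").partition("=")
    rdn_attr, _, rdn_value = dn.split(",", 1)[0].partition("=")
    return (rdn_attr.lower(), rdn_value.lower()) == (attr.lower(), value.lower())

def merge(acc, values, dn=None):
    """Union permissions per subject and class; with dn, keep only filters matching dn."""
    for value in values:
        subject, filt, grants = parse_acl(value)
        if dn is None or filter_matches(filt, dn):
            for cls, perms in grants.items():
                acc.setdefault(subject, {}).setdefault(cls, set()).update(perms)
    return acc

def chain(dn):
    """The entry itself, then each ancestor up to the suffix."""
    out = [dn]
    while "," in dn:
        dn = dn.split(",", 1)[1].strip()
        out.append(dn)
    return out

def effective_acl(tree, dn):
    """Return {subject: {class: set(perms)}} for dn, following the rules described above."""
    own = tree.get(dn, {})
    if "aclentry" in own:                       # explicit non-filtered ACL: used as-is
        return merge({}, own["aclentry"])
    if not ("ibm-filteraclentry" in own or "ibm-filteraclinherit" in own):
        for anc in chain(dn)[1:]:               # no ACL attributes: find the ACL source above
            a = tree.get(anc, {})
            if "aclentry" in a:
                if a.get("aclpropagate", ["TRUE"])[0].upper() == "TRUE":
                    return merge({}, a["aclentry"])   # propagated non-filtered ACL
                continue                              # aclPropagate=FALSE: not the source
            if "ibm-filteraclentry" in a or "ibm-filteraclinherit" in a:
                break                                 # filter-type ancestor: filter mode
        else:
            return default_acl()                      # nothing above: server default
    # Filter mode: accumulate matching filtered ACLs from the entry upward, skipping
    # non-filtered entries, until an ibm-filterAclInherit=FALSE ceiling (its own
    # filtered ACLs still count; its ancestors are ignored).
    acc = {}
    for node in chain(dn):
        a = tree.get(node, {})
        if "aclentry" in a:
            continue
        merge(acc, a.get("ibm-filteraclentry", []), dn)
        if a.get("ibm-filteraclinherit", ["TRUE"])[0].upper() == "FALSE":
            break
    return acc or default_acl()

if __name__ == "__main__":
    for entry in ("o=Level43,o=Level32,o=Level21,o=Level11,o=sample",
                  "o=Level52,o=Level45,o=Level34,o=Level22,o=Level11,o=sample"):
        print(entry, effective_acl(SAMPLE, entry))
```

The value of a model like this is as a cross-check, not a replacement for the server: after loading the LDIF, compare what the model predicts for each entry against the ibm-effectiveACL the server returns for the same idsldapsearch shown above, and treat any difference as a sign that either the ACL scheme or your understanding of it needs another look. The model deliberately returns permission sets rather than the server's normalized string, because the server reorders classes (for example critical:c:normal:rsc:...) and the order carries no meaning.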