OPENDJ-7284

AM profiles: cts profile in 7 does not come with the minimal ACIs


Description

      Now that production mode is enabled by default, to have AM and CTS working together we need to add these ACIs for the default openam user defined by the profile:

      ./CTS1_SHARD1/opendj/setup -h openam.example.com -p 1389 -D "cn=myself" -w password --adminConnectorPort 4444 -Z 1636 --enableStartTls  -O --profile am-cts --set am-cts/amCtsAdminPassword:str0ngB1ndPa55w#ord --monitorUserDn uid=Monitor --monitorUserPassword password --serverId "cts1_shard1" --deploymentKey AI1QLGYmsSzDRjKDmQZu7l9sAD10aA5CBVN1bkVDC24LTccCYcFwGw --deploymentKeyPassword keypassword --replicationPort 8989
      
      Then:
      
      /Users/carole.forel/wks/pyforge/results/20200615-145603/proxy_group/WriteDistribution_CTSUseCase/CTS1_SHARD1/opendj/bin/dsconfig -h openam.example.com -p 4444 -D "cn=myself" -w password -X set-access-control-handler-prop --set "global-aci:(extop=\"1.3.6.1.4.1.26027.1.6.1||1.3.6.1.4.1.26027.1.6.3||1.3.6.1.4.1.4203.1.11.1||1.3.6.1.4.1.1466.20037||1.3.6.1.4.1.4203.1.11.3\")(version 3.0; acl \"AM extended operation access\"; allow(read) userdn=\"ldap:///anyone\";)" -n

      /Users/carole.forel/wks/pyforge/results/20200615-145603/proxy_group/WriteDistribution_CTSUseCase/CTS1_SHARD1/opendj/bin/dsconfig -h openam.example.com -p 4444 -D "cn=myself" -w password -X set-access-control-handler-prop --add "global-aci:(targetcontrol=\"2.16.840.1.113730.3.4.2||2.16.840.1.113730.3.4.17||2.16.840.1.113730.3.4.19||1.3.6.1.4.1.4203.1.10.2||1.3.6.1.4.1.42.2.27.8.5.1||2.16.840.1.113730.3.4.16||1.2.840.113556.1.4.1413||1.3.6.1.4.1.36733.2.1.5.1||1.3.6.1.1.12||1.3.6.1.1.13.1||1.3.6.1.1.13.2||1.2.840.113556.1.4.319||1.2.826.0.1.3344810.2.3||2.16.840.1.113730.3.4.18||2.16.840.1.113730.3.4.9||1.2.840.113556.1.4.473||1.3.6.1.4.1.42.2.27.9.5.9\")(version 3.0; acl \"AM extended operation access\"; allow(read) userdn=\"ldap:///uid=openam_cts,ou=admins,ou=famrecords,ou=openam-session,ou=tokens\";)" -n

      /Users/carole.forel/wks/pyforge/results/20200615-145603/proxy_group/WriteDistribution_CTSUseCase/CTS1_SHARD1/opendj/bin/dsconfig -h openam.example.com -p 4444 -D "cn=myself" -w password -X set-access-control-handler-prop --add "global-aci:(targetattr=\"createTimestamp||creatorsName||modifiersName||modifyTimestamp||entryDN||entryUUID||subschemaSubentry||etag||governingStructureRule||structuralObjectClass||hasSubordinates||numSubordinates||isMemberOf\")(version 3.0; acl \"AM Operational Attributes\"; allow (read,search,compare) userdn=\"ldap:///uid=openam_cts,ou=admins,ou=famrecords,ou=openam-session,ou=tokens\";)" -n

      /Users/carole.forel/wks/pyforge/results/20200615-145603/proxy_group/WriteDistribution_CTSUseCase/CTS1_SHARD1/opendj/bin/dsconfig -h openam.example.com -p 4444 -D "cn=myself" -w password -X set-access-control-handler-prop --add "global-aci:(targetcontrol=\"1.3.6.1.1.12||1.3.6.1.1.13.1\")(version 3.0; acl \"Allow assertion control\"; allow (read) userdn = \"ldap:///uid=openam_cts,ou=admins,ou=famrecords,ou=openam-session,ou=tokens\";)" -n
      14:57:42.707	INFO	SUCCESS:
      

      Not sure if that is enough, I'm still working on the example to have it working.

      Test is:

      ./run-pybot.py -s proxy_group.WriteDistribution_CTSUseCase opendj
      
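The question "is that enough?" can be answered with a check rather than by eye. The following audit script is an added example, not part of this issue or of OpenDJ's own code: it parses global-aci values in the shape of the ones added above and reports which extended operations, request controls and operational attributes the CTS bind DN is still not granted with the rights it needs, and which ACIs are granted to ldap:///anyone. The OID and attribute lists and the CTS DN are taken from the issue; the sample ACI strings are constructed from them (the name "AM control access" is made up), and how the strings are fetched from a live server is an assumption.

```python
import re

# CTS bind DN and the OID / attribute lists as given in the issue.
CTS_DN = "uid=openam_cts,ou=admins,ou=famrecords,ou=openam-session,ou=tokens"
EXTOPS = [
    "1.3.6.1.4.1.26027.1.6.1", "1.3.6.1.4.1.26027.1.6.3",
    "1.3.6.1.4.1.4203.1.11.1", "1.3.6.1.4.1.1466.20037", "1.3.6.1.4.1.4203.1.11.3",
]
CONTROLS = [
    "2.16.840.1.113730.3.4.2", "2.16.840.1.113730.3.4.17", "2.16.840.1.113730.3.4.19",
    "1.3.6.1.4.1.4203.1.10.2", "1.3.6.1.4.1.42.2.27.8.5.1", "2.16.840.1.113730.3.4.16",
    "1.2.840.113556.1.4.1413", "1.3.6.1.4.1.36733.2.1.5.1", "1.3.6.1.1.12",
    "1.3.6.1.1.13.1", "1.3.6.1.1.13.2", "1.2.840.113556.1.4.319",
    "1.2.826.0.1.3344810.2.3", "2.16.840.1.113730.3.4.18", "2.16.840.1.113730.3.4.9",
    "1.2.840.113556.1.4.473", "1.3.6.1.4.1.42.2.27.9.5.9",
]
OPERATIONAL_ATTRS = [
    "createTimestamp", "creatorsName", "modifiersName", "modifyTimestamp", "entryDN",
    "entryUUID", "subschemaSubentry", "etag", "governingStructureRule",
    "structuralObjectClass", "hasSubordinates", "numSubordinates", "isMemberOf",
]
# What the CTS user needs per target kind: the values and the rights the ACI must allow.
REQUIRED = {
    "extop": (set(EXTOPS), {"read"}),
    "targetcontrol": (set(CONTROLS), {"read"}),
    "targetattr": ({a.lower() for a in OPERATIONAL_ATTRS}, {"read", "search"}),
}


def build_aci(target_kw, values, name, rights, userdn):
    """Build a global-aci value in the same shape as the issue's dsconfig arguments."""
    joined = "||".join(values)
    return (f'({target_kw}="{joined}")(version 3.0; acl "{name}"; '
            f'allow({rights}) userdn="ldap:///{userdn}";)')


# Constructed sample input. On a real server the strings would come from the
# global-aci property (e.g. dsconfig get-access-control-handler-prop); that is an
# assumption about how you fetch them, the parser only needs the ACI text.
SAMPLE_ACIS = [
    build_aci("extop", EXTOPS, "AM extended operation access", "read", "anyone"),
    build_aci("targetcontrol", CONTROLS, "AM control access", "read", CTS_DN),
    build_aci("targetattr", OPERATIONAL_ATTRS, "AM Operational Attributes",
              "read,search,compare", CTS_DN),
]

_TARGET_RE = re.compile(r'\((extop|targetcontrol|targetattr)\s*=\s*"([^"]*)"\)')
_ACL_NAME_RE = re.compile(r'acl\s+"([^"]*)"')
_ALLOW_RE = re.compile(r'allow\s*\(([^)]*)\)')
_USERDN_RE = re.compile(r'userdn\s*=\s*"ldap:///([^"]*)"')


def parse_aci(text):
    """Extract the parts of an ACI this audit cares about (equality targets only)."""
    targets = {kw: {v.strip().lower() for v in vals.split("||")}
               for kw, vals in _TARGET_RE.findall(text)}
    name = _ACL_NAME_RE.search(text)
    rights = set()
    for m in _ALLOW_RE.finditer(text):
        rights |= {r.strip().lower() for r in m.group(1).split(",")}
    userdns = {u.strip().lower() for u in _USERDN_RE.findall(text)}
    return {"name": name.group(1) if name else "", "targets": targets,
            "rights": rights, "userdns": userdns}


def _applies_to(aci, bind_dn):
    # "anyone" covers anonymous and authenticated binds, "all" any authenticated bind.
    return bool(aci["userdns"] & {"anyone", "all", bind_dn.lower()})


def granted(acis, kind, bind_dn, needed_rights):
    """Values of `kind` that some ACI grants to bind_dn with all of needed_rights."""
    out = set()
    for aci in acis:
        if (kind in aci["targets"] and _applies_to(aci, bind_dn)
                and needed_rights <= aci["rights"]):
            out |= aci["targets"][kind]
    return out


def missing_grants(aci_texts, bind_dn=CTS_DN):
    """Per target kind, the required values bind_dn is not yet granted (sorted)."""
    acis = [parse_aci(t) for t in aci_texts]
    return {kind: sorted(req - granted(acis, kind, bind_dn, rights))
            for kind, (req, rights) in REQUIRED.items()}


def anonymous_grants(aci_texts):
    """Names of ACIs granted to ldap:///anyone; worth a second look in production mode."""
    return [a["name"] for a in map(parse_aci, aci_texts) if "anyone" in a["userdns"]]


if __name__ == "__main__":
    print("missing for CTS DN:", missing_grants(SAMPLE_ACIS))
    print("missing with only the extop ACI:", missing_grants(SAMPLE_ACIS[:1]))
    print("anonymous grants:", anonymous_grants(SAMPLE_ACIS))
```

The check is deliberately conservative: a `targetattr="*"` ACI does not count, because in OpenDJ `*` does not cover operational attributes, and an ACI that allows only `read` on the operational attributes is reported as insufficient because AM also needs `search` on them. Only equality targets are parsed; `!=` targets and deny rules are out of scope for this audit.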

People

  michal.severin: Michal Severin [X] (Inactive)
  cforel: carole forel
  Matthew Swift