
Re: LDAP Search for default ACL template missing in ldif output


I was able to define what I needed. The following removes unwanted default
ACLs from the creation of a user, as we do not use file and print and
are a pure LDAP shop... trim the fat from millions of user objects.

[root@edirt02 ldif]# cat schema_tune_inetorgperson.ldif
version: 1

dn: cn=schema
changetype: modify
delete: objectClasses
objectClasses: ( 2.16.840.1.113730.3.2.2 )
-
add: objectClasses
objectClasses: ( 2.16.840.1.113730.3.2.2 NAME 'inetOrgPerson' SUP
  organizationalPerson STRUCTURAL MAY ( groupMembership $ ndsHomeDirectory $
  loginAllowedTimeMap $ loginDisabled $ loginExpirationTime $
  loginGraceLimit $ loginGraceRemaining $ loginIntruderAddress $
  loginIntruderAttempts $ loginIntruderResetTime $
  loginMaximumSimultaneous $ loginScript $ loginTime $
  networkAddressRestriction $ networkAddress $ passwordsUsed $
  passwordAllowChange $ passwordExpirationInterval $
  passwordExpirationTime $ passwordMinimumLength $ passwordRequired $
  passwordUniqueRequired $ printJobConfiguration $ privateKey $ Profile $
  publicKey $ securityEquals $ accountBalance $ allowUnlimitedCredit $
  minimumAccountBalance $ messageServer $ Language $ ndsUID $
  lockedByIntruder $ serverHolds $ lastLoginTime $ typeCreatorMap $
  higherPrivileges $ printerControl $ securityFlags $ profileMembership $
  Timezone $ sASServiceDN $ sASSecretStore $ sASSecretStoreKey $
  sASSecretStoreData $ sASPKIStoreKeys $ userCertificate $
  nDSPKIUserCertificateInfo $ nDSPKIKeystore $ rADIUSActiveConnections $
  rADIUSAttributeLists $ rADIUSConcurrentLimit $ rADIUSConnectionHistory $
  rADIUSDefaultProfile $ rADIUSDialAccessGroup $ rADIUSEnableDialAccess $
  rADIUSPassword $ rADIUSServiceList $ audio $ businessCategory $
  carLicense $ departmentNumber $ employeeNumber $ employeeType $
  displayName $ givenName $ homePhone $ homePostalAddress $ initials $
  jpegPhoto $ labeledUri $ mail $ manager $ mobile $ o $ pager $ ldapPhoto $
  preferredLanguage $ roomNumber $ secretary $ uid $
  userSMIMECertificate $ x500UniqueIdentifier $ userPKCS12 $
  sssProxyStoreKey $ sssProxyStoreSecrets $ sssServerPolicyOverrideDN )
  X-NDS_NAME 'User' X-NDS_NOT_CONTAINER '1' X-NDS_NONREMOVABLE '1'
  X-NDS_ACL_TEMPLATES ( '2#subtree#[Self]#[All Attributes Rights]'
  '1#subtree#[Root Template]#[Entry Rights]'
  '2#entry#[Root Template]#groupMembership') )


--
Dieseloreo
------------------------------------------------------------------------
Dieseloreo's Profile: http://forums.novell.com/member.php?userid=36110
View this thread: http://forums.novell.com/showthread.php?t=449619


Re: LDAP Search for default ACL template missing in ldif output


Wow... never would have thought of that. Thank-you for posting back
your results. Well done.

Good luck.

Re: LDAP Search for default ACL template missing in ldif output

On Sat, 17 Dec 2011 01:36:01 +0000, Dieseloreo wrote:

> ah ha!!! found it!
>
> OPTION ON THE LDAP SERVER OBJECT
>
> "Enable old ADSI and Netscape schema output"


Ah, interesting. I've never turned that on, having no idea what it
actually did or why I would want it to do so.


--
--------------------------------------------------------------------------
David Gersic dgersic_@_niu.edu
Knowledge Partner http://forums.novell.com

Please post questions in the forums. No support provided via email.


Re: LDAP Search for default ACL template missing in ldif output

On Fri, 16 Dec 2011 21:36:02 +0000, Dieseloreo wrote:

> now my question to everyone! what OS are you using? OES?


SLES10 here, but that shouldn't matter.


--
--------------------------------------------------------------------------
David Gersic dgersic_@_niu.edu


Re: LDAP Search for default ACL template missing in ldif output


Also... I have one tree where 8.7.3.x and 8.8 exist together at the
moment.

Below is the output from the same tree... different versions of
eDirectory 🙂


8.7.3.x
----------------------------------------------------------------------------------------------
version: 1

#
# filter: objectclasses=inetorgperson
# requesting: ALL
#

# schema
dn: cn=schema
objectClasses: ( 2.16.840.1.113730.3.2.2 NAME 'inetOrgPerson' SUP
  organizationalPerson STRUCTURAL MAY ( groupMembership $ ndsHomeDirectory $
  loginAllowedTimeMap $ loginDisabled $ loginExpirationTime $ loginGraceLimit $
  loginGraceRemaining $ loginIntruderAddress $ loginIntruderAttempts $
  loginIntruderResetTime $ loginMaximumSimultaneous $ loginScript $ loginTime $
  networkAddressRestriction $ networkAddress $ passwordsUsed $
  passwordAllowChange $ passwordExpirationInterval $ passwordExpirationTime $
  passwordMinimumLength $ passwordRequired $ passwordUniqueRequired $
  printJobConfiguration $ privateKey $ Profile $ publicKey $ securityEquals $
  accountBalance $ allowUnlimitedCredit $ minimumAccountBalance $
  messageServer $ Language $ UID $ lockedByIntruder $ serverHolds $
  lastLoginTime $ typeCreatorMap $ higherPrivileges $ printerControl $
  securityFlags $ profileMembership $ Timezone $ audio $ businessCategory $
  carLicense $ departmentNumber $ employeeNumber $ employeeType $ givenName $
  homePhone $ homePostalAddress $ initials $ jpegPhoto $ labeledUri $ mail $
  manager $ mobile $ pager $ ldapPhoto $ preferredLanguage $ roomNumber $
  secretary $ uid $ userCertificate $ userSMIMECertificate $
  x500UniqueIdentifier $ displayName $ userPKCS12 $ sASServiceDN $
  sASSecretStore $ sASSecretStoreKey $ sASSecretStoreData $ sASPKIStoreKeys $
  nDSPKIUserCertificateInfo $ nDSPKIKeystore $ rADIUSActiveConnections $
  rADIUSAttributeLists $ rADIUSConcurrentLimit $ rADIUSConnectionHistory $
  rADIUSDefaultProfile $ rADIUSDialAccessGroup $ rADIUSEnableDialAccess $
  rADIUSPassword $ rADIUSServiceList $ sssProxyStoreKey $
  sssProxyStoreSecrets $ sssServerPolicyOverrideDN $ o ) X-NDS_NAME 'User'
  X-NDS_NOT_CONTAINER '1' X-NDS_NONREMOVABLE '1' X-NDS_ACL_TEMPLATES (
  '2#subtree#[Self]#[All Attributes Rights]' '6#entry#[Self]#loginScript'
  '1#subtree#[Root Template]#[Entry Rights]' '2#entry#[Public]#messageServer'
  '2#entry#[Root Template]#groupMembership'
  '6#entry#[Self]#printJobConfiguration'
  '2#entry#[Root Template]#networkAddress') )

# search result
# search: 2
# result: 0 Success

# numResponses: 2
# numEntries: 1



8.8.6.4
----------------------------------------------------------------------------------------------

version: 1

#
# filter: objectclasses=inetorgperson
# requesting: ALL
#

# schema
dn: cn=schema
objectClasses: ( 2.16.840.1.113730.3.2.2 NAME 'inetOrgPerson' SUP
  organizationalPerson STRUCTURAL MAY ( groupMembership $ ndsHomeDirectory $
  loginAllowedTimeMap $ loginDisabled $ loginExpirationTime $ loginGraceLimit $
  loginGraceRemaining $ loginIntruderAddress $ loginIntruderAttempts $
  loginIntruderResetTime $ loginMaximumSimultaneous $ loginScript $ loginTime $
  networkAddressRestriction $ networkAddress $ passwordsUsed $
  passwordAllowChange $ passwordExpirationInterval $ passwordExpirationTime $
  passwordMinimumLength $ passwordRequired $ passwordUniqueRequired $
  printJobConfiguration $ privateKey $ Profile $ publicKey $ securityEquals $
  accountBalance $ allowUnlimitedCredit $ minimumAccountBalance $
  messageServer $ Language $ ndsUID $ lockedByIntruder $ serverHolds $
  lastLoginTime $ typeCreatorMap $ higherPrivileges $ printerControl $
  securityFlags $ profileMembership $ Timezone $ audio $ businessCategory $
  carLicense $ departmentNumber $ employeeNumber $ employeeType $ givenName $
  homePhone $ homePostalAddress $ initials $ jpegPhoto $ labeledUri $ mail $
  manager $ mobile $ pager $ ldapPhoto $ preferredLanguage $ roomNumber $
  secretary $ uid $ userCertificate $ userSMIMECertificate $
  x500UniqueIdentifier $ displayName $ userPKCS12 $ sASServiceDN $
  sASSecretStore $ sASSecretStoreKey $ sASSecretStoreData $ sASPKIStoreKeys $
  nDSPKIUserCertificateInfo $ nDSPKIKeystore $ rADIUSActiveConnections $
  rADIUSAttributeLists $ rADIUSConcurrentLimit $ rADIUSConnectionHistory $
  rADIUSDefaultProfile $ rADIUSDialAccessGroup $ rADIUSEnableDialAccess $
  rADIUSPassword $ rADIUSServiceList $ sssProxyStoreKey $
  sssProxyStoreSecrets $ sssServerPolicyOverrideDN $ o ) )

# search result
# search: 2
# result: 0 Success

# numResponses: 2
# numEntries: 1


--
Dieseloreo
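As an added example (not code from this thread, from Dieseloreo, or from Novell), here is a Python script for checking what a schema change like schema_tune_inetorgperson.ldif actually does to the X-NDS_ACL_TEMPLATES of an object class, and for comparing two ldapsearch schema dumps such as the 8.7.3.x and 8.8.6.4 outputs above (where the second one lacks the templates; the thread traces that to the LDAP Server object's "Enable old ADSI and Netscape schema output" option). It unfolds LDIF continuation lines, pulls the inetOrgPerson definition, parses each 'privileges#scope#trustee#target' template, reports templates removed or added between two dumps, and flags any template whose trustee is [Public]. The sample dumps are constructed here with shortened MAY lists; the template lists are the ones posted in the thread. The names given to the privilege bits are my reading of the eDirectory ACL syntax, not something the thread states, and should be checked against the documentation for your version.

```python
"""Audit X-NDS_ACL_TEMPLATES of an eDirectory object class across two LDIF dumps."""
import re
from dataclasses import dataclass

# Privilege bits of the eDirectory ACL syntax "privileges#scope#trustee#target"
# as I read them; an assumption to verify against your version's documentation.
ENTRY_RIGHTS = {1: "Browse", 2: "Add", 4: "Delete", 8: "Rename", 16: "Supervisor"}
ATTR_RIGHTS = {1: "Compare", 2: "Read", 4: "Write", 8: "Self", 32: "Supervisor"}

# Constructed sample dumps: MAY lists cut down to a few attributes; template lists
# as the thread shows them for an 8.7.3.x server, an 8.8.6.4 server and the
# trimmed schema_tune_inetorgperson.ldif. Folded the way ldapsearch folds LDIF.
SCHEMA_8_7 = """\
dn: cn=schema
objectClasses: ( 2.16.840.1.113730.3.2.2 NAME 'inetOrgPerson' SUP organizatio
 nalPerson STRUCTURAL MAY ( groupMembership $ loginScript $ messageServer $ ne
 tworkAddress $ printJobConfiguration $ uid ) X-NDS_NAME 'User' X-NDS_NOT_CONT
 AINER '1' X-NDS_NONREMOVABLE '1' X-NDS_ACL_TEMPLATES ( '2#subtree#[Self]#[All
  Attributes Rights]' '6#entry#[Self]#loginScript' '1#subtree#[Root Template]
 #[Entry Rights]' '2#entry#[Public]#messageServer' '2#entry#[Root Template]#gr
 oupMembership' '6#entry#[Self]#printJobConfiguration' '2#entry#[Root Template
 ]#networkAddress') )
"""
SCHEMA_8_8 = """\
dn: cn=schema
objectClasses: ( 2.16.840.1.113730.3.2.2 NAME 'inetOrgPerson' SUP organizatio
 nalPerson STRUCTURAL MAY ( groupMembership $ loginScript $ messageServer $ ne
 tworkAddress $ printJobConfiguration $ uid ) )
"""
SCHEMA_TRIMMED = """\
dn: cn=schema
changetype: modify
delete: objectClasses
objectClasses: ( 2.16.840.1.113730.3.2.2 )
-
add: objectClasses
objectClasses: ( 2.16.840.1.113730.3.2.2 NAME 'inetOrgPerson' SUP
  organizationalPerson STRUCTURAL MAY ( groupMembership $ loginScript $
  messageServer $ networkAddress $ printJobConfiguration $ uid ) X-NDS_NAME
  'User' X-NDS_NOT_CONTAINER '1' X-NDS_NONREMOVABLE '1' X-NDS_ACL_TEMPLATES (
  '2#subtree#[Self]#[All Attributes Rights]' '1#subtree#[Root Template]#[Entry
  Rights]' '2#entry#[Root Template]#groupMembership') )
"""


@dataclass(frozen=True)
class AclTemplate:
    raw: str
    privileges: int
    scope: str
    trustee: str
    target: str

    def rights(self):
        # entry rights and attribute rights use different bit tables
        table = ENTRY_RIGHTS if self.target == "[Entry Rights]" else ATTR_RIGHTS
        return [name for bit, name in table.items() if self.privileges & bit]


def unfold_ldif(text):
    """Join RFC 2849 continuation lines (leading space) and drop comment lines."""
    lines = []
    for line in text.splitlines():
        if line.startswith(" ") and lines:
            lines[-1] += line[1:]
        elif line and not line.startswith("#"):
            lines.append(line)
    return lines


def find_object_class(ldif_text, name):
    """Return the objectClasses definition whose NAME is `name`, or None."""
    for line in unfold_ldif(ldif_text):
        if line.startswith("objectClasses:") and f"NAME '{name}'" in line:
            return line.split(":", 1)[1].strip()
    return None


def parse_acl_templates(definition):
    """Extract the quoted entries of X-NDS_ACL_TEMPLATES ( '...' '...' )."""
    match = re.search(r"X-NDS_ACL_TEMPLATES\s*\((.*?)\)", definition or "")
    templates = []
    for raw in (re.findall(r"'([^']*)'", match.group(1)) if match else []):
        privileges, scope, trustee, target = raw.split("#", 3)
        templates.append(AclTemplate(raw, int(privileges), scope, trustee, target))
    return templates


def audit(old_ldif, new_ldif, name="inetOrgPerson"):
    """Diff the ACL templates of object class `name` between two dumps."""
    old = parse_acl_templates(find_object_class(old_ldif, name))
    new = parse_acl_templates(find_object_class(new_ldif, name))
    old_raw, new_raw = {t.raw for t in old}, {t.raw for t in new}
    return {
        "removed": sorted(old_raw - new_raw),
        "added": sorted(new_raw - old_raw),
        # templates granting rights to [Public] apply to unauthenticated binds
        "public": sorted(t.raw for t in old + new if t.trustee == "[Public]"),
    }


if __name__ == "__main__":
    print("8.7.3.x vs 8.8.6.4 output:", audit(SCHEMA_8_7, SCHEMA_8_8))
    print("8.7.3.x vs trimmed LDIF:", audit(SCHEMA_8_7, SCHEMA_TRIMMED))
    for t in parse_acl_templates(find_object_class(SCHEMA_8_7, "inetOrgPerson")):
        print(f"{t.trustee:16} {t.scope:8} {t.target:26} {', '.join(t.rights())}")
```

Run it against real dumps by reading the files into the two string arguments of audit(). The comparison is by raw template string, so a template whose privilege number changed shows up as one removal plus one addition, which is the behaviour you want when reviewing a schema change before applying it to a tree with millions of user objects.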
