---
title: Validating ACIs before migrating data
description: Identify any access control instruction (ACI) syntax problems before migrating data.
component: pingdirectory
version: 11.0
page_id: pingdirectory:managing_access_control:pd_ds_validate_acis_before_mig_data
canonical_url: https://docs.pingidentity.com/pingdirectory/11.0/managing_access_control/pd_ds_validate_acis_before_mig_data.html
revdate: August 15, 2024
page_aliases: ["pd_ds_validate_acis_from_file.adoc", "pd_ds_validate_acis_in_another_dirserver.adoc"]
section_ids:
  validating-acis-from-a-file: Validating ACIs from a file
  about-this-task: About this task
  steps: Steps
  choose-from: Choose from:
  example: Example:
  result: Result:
  example-2: Example:
  example-3: Example:
  result-2: Result:
  validating-acis-in-another-directory-server: Validating ACIs in another directory server
  about-this-task-2: About this task
  steps-2: Steps
  choose-from-2: Choose from:
  example-4: Example:
  result-3: Result:
---

# Validating ACIs before migrating data

Identify any access control instruction (ACI) syntax problems before migrating data.

Many directory servers apply their access control instructions less strictly and accept invalid ACIs. For example, if an Oracle directory server encounters an access control rule that it can't parse, it ignores the rule without providing a warning, and the server might not offer the intended access protection.

The PingDirectory server rejects any ACIs that it can't interpret, which ensures that data access is limited as intended. However, this can cause problems when migrating data with existing access control rules to PingDirectory.

To validate an ACI, PingDirectory provides a `validate-acis` tool in the `bin` directory on UNIX or Linux systems or in the `bat` directory on Windows systems. The `validate-acis` tool identifies any ACI syntax problems before you migrate data. The tool can examine access control rules contained in either an LDIF file or an LDAP directory and write its result in LDIF with comments providing information about any problems that were identified.

Each entry in the output contains a single ACI. If an entry in the input contains multiple ACIs, it appears multiple times in the output, each time with a different ACI value. The entries in the output contain only ACI values. All other attributes are ignored.

## Validating ACIs from a file

Use the `validate-acis` tool to process data contained in an LDIF file.

### About this task

> Note: The `validate-acis` tool ignores all attributes except `aci` and ignores all entries that do not contain the `aci` attribute. You can use any existing LDIF file that contains access control rules.

### Steps

1. Run the `validate-acis` tool and specify the input file and output file.

   #### Choose from:

   * UNIX or Linux: `bin/validate-acis`

   * Windows: `bat\validate-acis`

   If the output file already exists, the existing file contents are re-written. If no output file is specified, the results are written to standard output.

   #### Example:

   ```shell
   $ bin/validate-acis --ldifFile test-acis.ldif --outputFile validated-acis.ldif
   ```

   #### Result:

   ```
   # Processing complete
   # Total entries examined: 1
   # Entries found with ACIs: 1
   # Total ACI values found: 3
   # Malformed ACI values found: 0
   # Other processing errors encountered: 0
   ```

2. Open the output file and review the results.

   #### Example:

   For example, the `validated-acis.ldif` file generated in the previous step reads as follows.

   ```
   # The following access control rule is valid
   dn: dc=example,dc=com
   aci: (targetattr!="userPassword")
     (version 3.0; acl "Allow anonymous read access for anyone";
       allow (read,search,compare) userdn="ldap:///anyone";)

   # The following access control rule is valid
   dn: dc=example,dc=com
   aci: (targetattr="*")
     (version 3.0; acl "Allow users to update their own entries";
       allow (write) userdn="ldap:///self";)

   # The following access control rule is valid
   dn: dc=example,dc=com
   aci: (targetattr="*")
     (version 3.0; acl "Grant full access for the admin user";
       allow (all) userdn="ldap:///uid=admin,dc=example,dc=com";)
   ```

   #### Example:

   If the input file has any malformed access control instructions (ACIs), then the generated output file will show what was incorrectly entered. For example, if `userPassword` in the `test-acis.ldif` file does not have quotation marks around it, the output file reports an error. The following command uses the `--onlyReportErrors` option to write any error messages to the output file only if a malformed ACI syntax is encountered.

   ```shell
   $ bin/validate-acis --ldifFile test-acis.ldif --outputFile validated-acis.ldif \
     --onlyReportErrors
   ```

   #### Result:

   ```
   # Processing complete
   # Total entries examined: 1
   # Entries found with ACIs: 1
   # Total ACI values found: 3
   # Malformed ACI values found: 1
   # Other processing errors encountered: 0
   ```

   The output file shows the following message:

   ```
   # The following access control rule is malformed or contains an unsupported
   # syntax: The provided string '(targetattr!=userPassword)(version 3.0; acl
   # "Allow anonymous read access for anyone"; allow (read,search,compare)
   # userdn="ldap:///anyone";)' could not be parsed as a valid Access Control
   # Instruction (ACI) because it failed general ACI syntax evaluation
   dn: dc=example,dc=com
   aci: (targetattr!=userPassword)
     (version 3.0; acl "Allow anonymous read access for anyone";
       allow (read,search,compare) userdn="ldap:///anyone";)

   # The following access control rule is valid
   dn: dc=example,dc=com
   aci: (targetattr="*")
     (version 3.0; acl "Allow users to update their own entries";
       allow (write) userdn="ldap:///self";)

   # The following access control rule is valid
   dn: dc=example,dc=com
   aci: (targetattr="*")
     (version 3.0; acl "Grant full access for the admin user";
       allow (all) userdn="ldap:///uid=admin,dc=example,dc=com";)
   ```
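   The output above is what a migration pipeline should gate on. The following POSIX shell script is an added example, not part of the PingDirectory documentation or product: it reads an output file written by `validate-acis` (the LDIF format is the same whether the input came from a file or from another directory server) together with the tool's summary text, counts the rules flagged as malformed, lists the `dn` of each flagged entry, and refuses to proceed while any problem remains. The only things it assumes are the comment prefix `# The following access control rule is malformed` and the `# <label>: <n>` summary lines, both taken verbatim from the output shown on this page; the sample input is constructed from that output.

   ```shell
   #!/bin/sh
   # Added example, not part of the PingDirectory documentation or product.
   # Post-processes validate-acis output so that a migration job stops while
   # any ACI is flagged as malformed or any processing error was reported.

   # Constructed sample: a shortened copy of the output LDIF shown above, with
   # one malformed rule and one valid rule (the parser's reason text is elided).
   SAMPLE_OUTPUT='# The following access control rule is malformed or contains an unsupported
   # syntax: (reason text elided in this constructed sample)
   dn: dc=example,dc=com
   aci: (targetattr!=userPassword)
     (version 3.0; acl "Allow anonymous read access for anyone";
       allow (read,search,compare) userdn="ldap:///anyone";)

   # The following access control rule is valid
   dn: dc=example,dc=com
   aci: (targetattr="*")
     (version 3.0; acl "Allow users to update their own entries";
       allow (write) userdn="ldap:///self";)'

   # Constructed sample: the summary the tool prints when it finishes.
   SAMPLE_SUMMARY='# Processing complete
   # Total entries examined: 1
   # Entries found with ACIs: 1
   # Total ACI values found: 3
   # Malformed ACI values found: 1
   # Other processing errors encountered: 0'

   # malformed_count FILE: number of rules flagged malformed in an output LDIF.
   malformed_count() {
     awk '/^# The following access control rule is malformed/ { n++ } END { print n + 0 }' "$1"
   }

   # malformed_dns FILE: the dn of every entry whose rule was flagged. The tool
   # writes the comment, then the dn, then the aci, so a flag raised on the
   # comment is consumed by the next dn line and cleared at the blank line
   # that separates entries.
   malformed_dns() {
     awk '
       /^# The following access control rule is malformed/ { flagged = 1 }
       /^dn: / && flagged { print; flagged = 0 }
       /^$/ { flagged = 0 }
     ' "$1"
   }

   # summary_count FILE LABEL: read one counter from the summary, e.g.
   # summary_count summary.txt "Malformed ACI values found"  -> 1
   summary_count() {
     awk -v label="$2" '
       index($0, "# " label ": ") == 1 { print substr($0, length(label) + 5); exit }
     ' "$1"
   }

   # migration_gate OUTPUT_LDIF SUMMARY_FILE: return 0 only when the per-entry
   # comments and the summary both report zero malformed rules and no other
   # processing errors; otherwise print the offending DNs and return 1.
   migration_gate() {
     flagged=$(malformed_count "$1")
     reported=$(summary_count "$2" "Malformed ACI values found")
     errors=$(summary_count "$2" "Other processing errors encountered")
     if [ "${flagged:-0}" -gt 0 ] || [ "${reported:-0}" -gt 0 ] || [ "${errors:-0}" -gt 0 ]; then
       echo "Refusing to migrate: $flagged rule(s) flagged, summary reports ${reported:-?} malformed, ${errors:-?} errors" >&2
       malformed_dns "$1" >&2
       return 1
     fi
     echo "ACI validation clean"
     return 0
   }

   # Demo on the constructed sample; no server or product install is needed.
   demo_ldif=$(mktemp) && demo_summary=$(mktemp)
   printf '%s\n' "$SAMPLE_OUTPUT" > "$demo_ldif"
   printf '%s\n' "$SAMPLE_SUMMARY" > "$demo_summary"
   if migration_gate "$demo_ldif" "$demo_summary"; then
     echo "would proceed with import"
   else
     echo "stopped before import"
   fi
   rm -f "$demo_ldif" "$demo_summary"
   ```

   Checking both the summary counter and the per-entry comments is deliberate: the summary is what an operator reads at the console, while the comments are what survives in the output file, and the gate should fail if either says something went wrong.
   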

## Validating ACIs in another directory server

Use the `validate-acis` tool to examine access control instructions (ACIs) in data that exists in another directory server that you are planning to migrate to the current server.

### About this task

The tool helps to determine whether the PingDirectory server accepts those ACIs.

### Steps

* Run the `validate-acis` tool.

  #### Choose from:

  * UNIX or Linux: `bin/validate-acis`

  * Windows: `bat\validate-acis`

  Provide arguments that specify:

  * The address and port of the target PingDirectory server

  * Credentials to use to bind

  * The base DN of the subtree containing the ACIs to validate

  #### Example:

  ```shell
  $ bin/validate-acis
  ```

  #### Result:

  ```
  # Processing complete
  # Total entries examined: 1
  # Entries found with ACIs: 1
  # Total ACI values found: 3
  # Malformed ACI values found: 0
  # Other processing errors encountered: 0
  ```
