PingDirectory

Validating ACIs from a file

Use the validate-acis tool to check the access control instructions (ACIs) contained in an LDIF file for syntax errors before you load the data.

About this task

The validate-acis tool ignores all attributes except aci and ignores all entries that do not contain the aci attribute. You can use any existing LDIF file that contains access control rules.

Steps

  1. Run the validate-acis tool and specify the input file and output file.

    Choose from:

    • UNIX or Linux: bin/validate-acis

    • Windows: bat\validate-acis

      If the output file already exists, its contents are overwritten. If no output file is specified, the results are written to standard output.

      Example:

      $ bin/validate-acis --ldifFile test-acis.ldif --outputFile validated-acis.ldif

      Result:

      # Processing complete
      # Total entries examined: 1
      # Entries found with ACIs: 1
      # Total ACI values found: 3
      # Malformed ACI values found: 0
      # Other processing errors encountered: 0
  2. Open the output file and review the results.

    Example:

    The validated-acis.ldif file generated in the previous step reads as follows.

    # The following access control rule is valid
    dn: dc=example,dc=com
    aci: (targetattr!="userPassword")
      (version 3.0; acl "Allow anonymous read access for anyone";
        allow (read,search,compare) userdn="ldap:///anyone";)
    
    # The following access control rule is valid
    dn: dc=example,dc=com
    aci: (targetattr="*")
      (version 3.0; acl "Allow users to update their own entries";
        allow (write) userdn="ldap:///self";)
    
    # The following access control rule is valid
    dn: dc=example,dc=com
    aci: (targetattr="*")
      (version 3.0; acl "Grant full access for the admin user";
        allow (all) userdn="ldap:///uid=admin,dc=example,dc=com";)

    Example:

    If the input file contains any malformed access control instructions (ACIs), the generated output file shows what was entered incorrectly. For example, if userPassword in the test-acis.ldif file is not enclosed in quotation marks, the output file reports an error for that rule. The following command adds the --onlyReportErrors option, which writes error messages to the output file only when a malformed ACI is encountered.

    $ bin/validate-acis --ldifFile test-acis.ldif --outputFile validated-acis.ldif \
      --onlyReportErrors

    Result:

    # Processing complete
    # Total entries examined: 1
    # Entries found with ACIs: 1
    # Total ACI values found: 3
    # Malformed ACI values found: 1
    # Other processing errors encountered: 0

    The output file shows the following message.

    # The following access control rule is malformed or contains an unsupported
    # syntax: The provided string '(targetattr!=userPassword)(version 3.0; acl
    # "Allow anonymous read access for anyone"; allow (read,search,compare)
    # userdn="ldap:///anyone";)' could not be parsed as a valid Access Control
    # Instruction (ACI) because it failed general ACI syntax evaluation
    dn: dc=example,dc=com
    aci: (targetattr!=userPassword)
      (version 3.0; acl "Allow anonymous read access for anyone";
        allow (read,search,compare) userdn="ldap:///anyone";)
    
    # The following access control rule is valid
    dn: dc=example,dc=com
    aci: (targetattr="*")
      (version 3.0; acl "Allow users to update their own entries";
        allow (write) userdn="ldap:///self";)
    
    # The following access control rule is valid
    dn: dc=example,dc=com
    aci: (targetattr="*")
      (version 3.0; acl "Grant full access for the admin user";
        allow (all) userdn="ldap:///uid=admin,dc=example,dc=com";)