Page created: 4 Feb 2020 | Page updated: 22 Jul 2020 | 3 min read
Product: PingDirectory 8.1 | Content type: Product documentation | Task: Administration | Audience: IT Administrator
The validate-acis tool can process data contained in an LDIF file. It will ignore all attributes except aci, and will ignore all entries that do not contain the aci attribute, so any existing LDIF file that contains access control rules may be used.
- Run the bin/validate-acis tool (UNIX or Linux systems) or bat\validate-acis (Windows systems) by specifying the input file and output file. If the output file already exists, the existing contents will be re-written. If no output file is specified, then the results will be written to standard output.

    $ bin/validate-acis --ldifFile test-acis.ldif --outputFile validated-acis.ldif
    # Processing complete
    # Total entries examined: 1
    # Entries found with ACIs: 1
    # Total ACI values found: 3
    # Malformed ACI values found: 0
    # Other processing errors encountered: 0
- Review the results by opening the output file. For example, the validated-acis.ldif file that was generated in the previous step reads as follows:

    # The following access control rule is valid
    dn: dc=example,dc=com
    aci: (targetattr!="userPassword") (version 3.0; acl "Allow anonymous read access for anyone"; allow (read,search,compare) userdn="ldap:///anyone";)

    # The following access control rule is valid
    dn: dc=example,dc=com
    aci: (targetattr="*") (version 3.0; acl "Allow users to update their own entries"; allow (write) userdn="ldap:///self";)

    # The following access control rule is valid
    dn: dc=example,dc=com
    aci: (targetattr="*") (version 3.0; acl "Grant full access for the admin user"; allow (all) userdn="ldap:///uid=admin,dc=example,dc=com";)
- If the input file has any malformed ACIs, then the generated output file will show what was incorrectly entered. For example, remove the quotation marks around userPassword in the original test-acis.ldif file, and re-run the command. The following command uses the --onlyReportErrors option to write any error messages to the output file only if a malformed ACI syntax is encountered.

    $ bin/validate-acis --ldifFile test-acis.ldif --outputFile validated-acis.ldif \
        --onlyReportErrors
    # Processing complete
    # Total entries examined: 1
    # Entries found with ACIs: 1
    # Total ACI values found: 3
    # Malformed ACI values found: 0
    # Other processing errors encountered: 0

  The output file shows the following message:

    # The following access control rule is malformed or contains an unsupported
    # syntax: The provided string '(targetattr!=userPassword)(version 3.0; acl
    # "Allow anonymous read access for anyone"; allow (read,search,compare)
    # userdn="ldap:///anyone";)' could not be parsed as a valid Access Control
    # Instruction (ACI) because it failed general ACI syntax evaluation
    dn: dc=example,dc=com
    aci: (targetattr!=userPassword) (version 3.0; acl "Allow anonymous read access for anyone"; allow (read,search,compare) userdn="ldap:///anyone";)

    # The following access control rule is valid
    dn: dc=example,dc=com
    aci: (targetattr="*") (version 3.0; acl "Allow users to update their own entries"; allow (write) userdn="ldap:///self";)

    # The following access control rule is valid
    dn: dc=example,dc=com
    aci: (targetattr="*") (version 3.0; acl "Grant full access for the admin user"; allow (all) userdn="ldap:///uid=admin,dc=example,dc=com";)
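To show what kind of defect the syntax check above is catching, here is an added Python example (not PingDirectory's own code): a minimal LDIF reader plus a simplified ACI grammar check, run over the page's three rules with the quotation marks removed from the first. The grammar, the function names and the summary counters are assumptions that cover only the ACI shapes shown on this page, not the full ACI syntax the real tool understands.

```python
import re

# Added example, not PingDirectory's own code: a minimal LDIF reader plus a
# simplified ACI syntax check. The grammar is an assumption that covers only the
# shapes on this page (quoted target clauses, then a version 3.0 body).
TARGET_RE = re.compile(
    r'\((targetattr|target|targetscope|targetfilter)\s*!?=\s*"[^"]*"\)\s*')
BODY_RE = re.compile(
    r'\(version 3\.0;\s*acl\s+"[^"]*";\s*'
    r'(?:(?:allow|deny)\s*\([^()]*\)\s*[^;]+;\s*)+\)$')

def aci_is_valid(aci):
    """True if aci has one or more quoted target clauses followed by a v3.0 body."""
    s, pos = aci.strip(), 0
    m = TARGET_RE.match(s)
    while m is not None:  # consume every leading target clause
        pos, m = m.end(), TARGET_RE.match(s, m.end())
    return pos > 0 and BODY_RE.match(s, pos) is not None

def parse_ldif(text):
    """Yield (dn, [aci values]) per entry; folds continuation lines, skips comments."""
    for block in re.split(r'\n\s*\n', text.strip()):
        lines = []
        for raw in block.splitlines():
            if raw.startswith(' ') and lines:  # LDIF line folding
                lines[-1] += raw[1:]
            elif not raw.startswith('#'):
                lines.append(raw)
        dn = next((ln[4:] for ln in lines if ln.startswith('dn: ')), None)
        acis = [ln[5:] for ln in lines if ln.startswith('aci: ')]
        if dn is not None:
            yield dn, acis

def validate_acis(text):
    """Return (per-ACI results, summary counts) in the spirit of the tool's report."""
    results, summary = [], {'entries': 0, 'entries_with_acis': 0}
    for dn, acis in parse_ldif(text):
        summary['entries'] += 1
        summary['entries_with_acis'] += bool(acis)
        results += [(dn, a, aci_is_valid(a)) for a in acis]
    summary['total'] = len(results)
    summary['malformed'] = sum(not ok for _, _, ok in results)
    return results, summary

# Constructed sample: the page's three rules, with the quotes removed from the first.
SAMPLE = """dn: dc=example,dc=com
aci: (targetattr!=userPassword) (version 3.0; acl "Allow anonymous read access for anyone"; allow (read,search,compare) userdn="ldap:///anyone";)
aci: (targetattr="*") (version 3.0; acl "Allow users to update their own entries"; allow (write) userdn="ldap:///self";)
aci: (targetattr="*") (version 3.0; acl "Grant full access for the admin user"; allow (all) userdn="ldap:///uid=admin,dc=example,dc=com";)"""
```

Running `validate_acis(SAMPLE)` flags only the first rule, for the same reason the tool gives: the unquoted target attribute fails the general ACI syntax, while the other two rules pass.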