I am OpenAM for SSO and OpenDJ as the user directory. Our applications use the generated openssouser to modify the user directory. However, this user is unable to update the ds-pwp-account-disabled attribute.
I do not see anything in the default global acis that would prevent modifying this attribute
ds-cfg-global-aci: (extop="1.3.6.1.4.1.26027.1.6.1 || 1.3.6.1.4.1.26027.1.6.3 || 1.3.6.1.4.1.4203.1.11.1 || 1.3.6.1.4.1.1466.20037 || 1.3.6.1.4.1.4203.1.11.3") (version 3.0; acl "Anonymous extended operation access"; allow(read) userdn="ldap:///anyone";)
ds-cfg-global-aci: (targetcontrol="2.16.840.1.113730.3.4.2 || 2.16.840.1.113730.3.4.17 || 2.16.840.1.113730.3.4.19 || 1.3.6.1.4.1.4203.1.10.2 || 1.3.6.1.4.1.42.2.27.8.5.1 || 2.16.840.1.113730.3.4.16") (version 3.0; acl "Anonymous control access"; allow(read) userdn="ldap:///anyone";)
ds-cfg-global-aci: (targetcontrol="1.3.6.1.1.12 || 1.3.6.1.1.13.1 || 1.3.6.1.1.13.2 || 1.2.840.113556.1.4.319 || 1.2.826.0.1.3344810.2.3 || 2.16.840.1.113730.3.4.18 || 2.16.840.1.113730.3.4.9 || 1.2.840.113556.1.4.473 || 1.3.6.1.4.1.42.2.27.9.5.9") (version 3.0; acl "Authenticated users control access"; allow(read) userdn="ldap:///all";)
ds-cfg-global-aci: (targetattr!="userPassword||authPassword||changes||changeNumber||changeType||changeTime||targetDN||newRDN||newSuperior||deleteOldRDN||targetEntryUUID||targetUniqueID||changeInitiatorsName||changeLogCookie")(version 3.0; acl "Anonymous read access"; allow (read,search,compare) userdn="ldap:///anyone";)
ds-cfg-global-aci: (targetattr="audio||authPassword||description||displayName||givenName||homePhone||homePostalAddress||initials||jpegPhoto||labeledURI||mobile||pager||postalAddress||postalCode||preferredLanguage||telephoneNumber||userPassword")(version 3.0; acl "Self entry modification"; allow (write) userdn="ldap:///self";)
ds-cfg-global-aci: (targetattr="userPassword||authPassword")(version 3.0; acl "Self entry read"; allow (read,search,compare) userdn="ldap:///self";)
ds-cfg-global-aci: (target="ldap:///cn=schema")(targetscope="base")(targetattr="objectClass||attributeTypes||dITContentRules||dITStructureRules||ldapSyntaxes||matchingRules||matchingRuleUse||nameForms||objectClasses")(version 3.0; acl "User-Visible Schema Operational Attributes"; allow (read,search,compare) userdn="ldap:///anyone";)
ds-cfg-global-aci: (target="ldap:///")(targetscope="base")(targetattr="objectClass||namingContexts||supportedAuthPasswordSchemes||supportedControl||supportedExtension||supportedFeatures||supportedLDAPVersion||supportedSASLMechanisms||vendorName||vendorVersion")(version 3.0; acl "User-Visible Root DSE Operational Attributes"; allow (read,search,compare) userdn="ldap:///anyone";)
ds-cfg-global-aci: (targetattr="createTimestamp||creatorsName||modifiersName||modifyTimestamp||entryDN||entryUUID||subschemaSubentry")(version 3.0; acl "User-Visible Operational Attributes"; allow (read,search,compare) userdn="ldap:///anyone";)
ds-cfg-global-aci: (target="ldap:///dc=replicationchanges")(targetattr="*")(version 3.0; acl "Replication backend access"; deny (all) userdn="ldap:///anyone";)
These are the acis added by the OpenAM installation.
aci: (target="ldap:///dc=testbase")(targetattr="*")(version 3.0; acl "OpenSSO datastore configuration bind user all rights under the root suffix"; allow (all) userdn = "ldap:///cn=openssouser,ou=opensso adminusers,dc=testbase"; )
aci: (target="ldap:///dc=testbase")(targetattr="*")(version 3.0; acl "OpenSSO Authn bind ldap user rights"; allow (read,search) userdn = "ldap:///cn=ldapuser,ou=opensso adminusers,dc=testbase"; )
aci: (targetcontrol = "2.16.840.1.113730.3.4.3")(version 3.0; acl "Allow Persistent Search for the OpenSSO datastore config bind user"; allow (all) userdn = "ldap:///cn=openssouser,ou=opensso adminusers,dc=testbase";)
aci: (targetattr = "objectclass || inetuserstatus || ds-pwp-account-disabled || iplanet-am-user-login-status || iplanet-am-user-account-life || iplanet-am-session-quota-limit || iplanet-am-user-alias-list || iplanet-am-session-max-session-time || iplanet-am-session-max-idle-time || iplanet-am-session-get-valid-sessions || iplanet-am-session-destroy-sessions || iplanet-am-session-add-session-listener-on-all-sessions || iplanet-am-user-admin-start-dn || iplanet-am-auth-post-login-process-class || iplanet-am-user-federation-info || iplanet-am-user-federation-info-key || sun-fm-saml2-nameid-info || sun-fm-saml2-nameid-infokey || sunAMAuthInvalidAttemptsData || memberof || member")(targetfilter="(!(userdn=cn=openssouser,ou=opensso adminusers,dc=testbase))")(version 3.0; acl "OpenSSO User self modification denied for these attributes"; deny (write) userdn ="ldap:///self";)
I tried adding this aci with no success
aci: (targetattr = "ds-pwp-account-disabled")(targetfilter="(&(userdn=cn=openssouser,ou=opensso adminusers,dc=testbase))")(version 3.0; acl "OpenSSO User allow modification of ds-pwp-account-disabled"; allow (read,write) userdn ="ldap:///self";)
If I add ds-privilege-name: bypass-acl to openssouser, I am able to modify that attribute. However, I am reluctant to add this privilege as I'm not fully aware of the potential consequences. Any other solutions?