Oracle Internet Directory Default Access Control Policies

Creation Date: 01-OCT-2002
Last Revision Date: 02-OCT-2002

Overview

Under the default Oracle Internet Directory access control policies, Unified Messaging users can modify their own application privileges.

Products Affected

Oracle Unified Messaging with Oracle9i Application Server Release 9.0.2

Platforms Affected

All Oracle9i Application Server Platforms

Description

Oracle Unified Messaging defines and manages a number of attributes on user entries in Oracle Internet Directory; these attributes control Unified Messaging application privileges, such as message quota and Oracle mail domain control. By default, Oracle Internet Directory implements an access control policy that grants each user defined in the default subscriber naming context complete access to that user's own attributes. Customers who deploy Unified Messaging with the default directory access control policies may therefore be giving their users permission to change their own Unified Messaging application privileges.

Workaround

In addition to a one-off patch, a workaround is available that addresses the problem identified above.

Prior to deploying Oracle Unified Messaging, sites should implement directory access control policies to limit self-access to Unified Messaging attributes. Specifically, Oracle recommends using Oracle Directory Manager to disallow user updates to the following attributes:
authPassword
cn
description
mailAlternateAddress
mailRoutingAddress
mailhost
orclmailaccessdomain
orclmailcreationstatus
orclmaildeliveroption
orclmaildomaincontrolaci
orclmailfolderdn
orclmailprogramdeliverinfo
orclmailservercontrolaci
orclmailsms
orclmailuserruleflag
orclmailuserdldn
orclmailvoicequota
orclownerguid
orclreferencename
orclruledn
orclsubmailbox
orclumextendedabsencestatus
orclunauthorizeddoman
orclunauthorizedsender
orclwebmailpopindicator1
orclwebmailpopindicator2
orclwebmailpopindicator3
orclwebmailpopleavemail1
orclwebmailpopleavemail2
orclwebmailpopleavemail3
orclwebmailpopmsgid1
orclwebmailpopmsgid2
orclwebmailpopmsgid3
orclwebmailpopnewmessages1
orclwebmailpopnewmessages2
orclwebmailpopnewmessages3
orclwebmailpoppassword1
orclwebmailpoppassword2
orclwebmailpoppassword3
orclwebmailpopport1
orclwebmailpopport2
orclwebmailpopport3
orclwebmailpopserver1
orclwebmailpopserver2
orclwebmailpopserver3
orclwebmailpopuser1
orclwebmailpopuser2
orclwebmailpopuser3
orclmailquota
orclmailsqldad
oraclmailstore
orclmailuserstate
orclobjectid
personaltitle
seealso
targetdn
telephonenumber
uid
vpimmaxmessagesize
vpimsupportedencodingtypes
vpimmail
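To verify that self-write has actually been withheld on the attributes listed above, the following added example (not from the advisory or from Oracle's patch) parses orclaci directive values taken from a directory entry and reports which listed attributes a "by self" clause still lets the user write; it also builds a corrective directive. It assumes the OID orclaci form "access to attr=(a,b) by self (perms) by * (perms)" with "write"/"nowrite" permission keywords, skips entry-level and "attr!=" directives, and does not model precedence between several directives.

```python
"""Report Unified Messaging attributes that an OID ACI still lets 'self' write.
Assumed directive form: access to attr=(a,b) by self (perms) by * (perms).
Any 'by self' clause granting write on a restricted attribute is reported."""

import re

# Attributes the advisory says users must not be able to update (copied from the list above).
RESTRICTED = set("""
authpassword cn description mailalternateaddress mailroutingaddress mailhost
orclmailaccessdomain orclmailcreationstatus orclmaildeliveroption orclmaildomaincontrolaci
orclmailfolderdn orclmailprogramdeliverinfo orclmailservercontrolaci orclmailsms
orclmailuserruleflag orclmailuserdldn orclmailvoicequota orclownerguid orclreferencename
orclruledn orclsubmailbox orclumextendedabsencestatus orclunauthorizeddoman orclunauthorizedsender
orclmailquota orclmailsqldad oraclmailstore orclmailuserstate orclobjectid personaltitle
seealso targetdn telephonenumber uid vpimmaxmessagesize vpimsupportedencodingtypes vpimmail
""".split())
for stem in ("indicator", "leavemail", "msgid", "newmessages", "password", "port", "server", "user"):
    RESTRICTED.update("orclwebmailpop%s%d" % (stem, i) for i in (1, 2, 3))

ACI_RE = re.compile(r"access\s+to\s+attr=\((?P<attrs>[^)]*)\)\s*(?P<rest>.*)", re.I)
BY_RE = re.compile(r'by\s+(?P<subject>\*|self|\w+="[^"]*"|\w+=\([^)]*\))\s*\((?P<perms>[^)]*)\)', re.I)

def self_writable_attrs(aci_values, restricted=RESTRICTED):
    """Return the restricted attributes that some 'by self' clause grants write on."""
    writable = set()
    for aci in aci_values:
        m = ACI_RE.match(aci.strip())
        if not m:                      # entry-level or attr!= directives are not examined
            continue
        attrs = {a.strip().lower() for a in m.group("attrs").split(",")}
        if "*" in attrs:               # attr=(*) covers every attribute, so every restricted one
            attrs = set(restricted)
        for clause in BY_RE.finditer(m.group("rest")):
            if clause.group("subject").lower() != "self":
                continue
            perms = {p.strip().lower() for p in clause.group("perms").split(",")}
            if "write" in perms and "nowrite" not in perms:
                writable |= attrs & restricted
    return sorted(writable)

def deny_self_write_aci(restricted=RESTRICTED):
    """Build one orclaci value (assumed syntax) that withholds write from self on the restricted attributes."""
    return ("access to attr=(%s) by self (read,search,nowrite,compare) "
            "by * (read,search,nowrite,compare)" % ",".join(sorted(restricted)))

# Constructed sample of the permissive default: self may write every attribute of its own entry.
DEFAULT_ACIS = ["access to attr=(*) by self (read,search,write,compare) by * (read,search,nowrite,compare)"]
```

Feed the function the orclaci values read from the subscriber container (or the user entry) before and after applying the patch's LDIF; an empty result means none of the listed attributes remain self-writable under the clauses examined.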

Patches

Alternatively, apply patch number 2525674. This patch contains an LDIF file that automatically sets the access control policies according to these guidelines. Download currently available patches from the Oracle Support Services web site, MetaLink (http://metalink.oracle.com/). Activate the Patches button to go to the patches Web page, enter bug number 2525674 as indicated above, and activate the Submit button.

If the patch for your platform is not yet available, please visit MetaLink or check with Oracle Support Services periodically for patch availability.