12.3 Advanced Access Control Configuration

This section contains information about the following topics:

  • Section 12.3.1, Enabling ACL Rule Checking for Community Objects
  • Section 12.3.2, Enabling Debugging Messages for Access Control
  • Section 12.3.3, Using ACLCHECK Options

12.3.1 Enabling ACL Rule Checking for Community Objects

By default, iChain does not check community objects when it evaluates ACL rules. Community objects existed in earlier versions of iChain and are no longer provided; the checking can still be enabled so that pre-existing community objects continue to take part in ACL evaluation.

To enable ACL rule checking for community objects:

  1. Unlock the console.

  2. Edit the appstart.ncf.

  3. Change the load aclcheck entry to load aclcheck /m.

  4. Restart the machine.

After this change, ACL rules are checked in the following sequence:

  • OUs

  • OUs' communities

  • Groups

  • Groups' communities

  • User

  • User's communities

If the /m option is not specified, the community entries in this list (OUs' communities, Groups' communities, and User's communities) are skipped and only the OU, group, and user rules are checked.

12.3.2 Enabling Debugging Messages for Access Control

The module that provides iChain's Access Control (aclcheck.nlm) can be configured to output debug information at one of two levels, with level 2 more detailed than level 1. This information is mainly useful to developers and consultants. By default, no debug information is output. You can enable debugging in either of two ways:

To use the command line:

  1. At the system console, enter ACLCHECK /D2 (or ACLCHECK /D1 for the less detailed level) to enable debug output temporarily. The setting lasts until the server restarts or until you enter ACLCHECK /D0 to disable debug output.

To use a configuration file:

  1. Edit the appstart.ncf file on the iChain Proxy Server.

  2. Find the line containing the LOAD ACLCHECK command and add a debug level switch at the end of that line, for example, LOAD ACLCHECK /D2.

    Enabling the /D2 option can impact performance and should only be used for troubleshooting aclcheck issues.

  3. Shut down and restart the proxy server.

12.3.3 Using ACLCHECK Options

You can configure the options of the ACLCHECK NLM from the System Console. These options are not case sensitive. When you change an ACLCHECK option, the update is stored in the appstart.ncf file. Use the following syntax to change an option:

aclcheck /<option>

To set multiple options at the same time, separate them with a space. For example:

aclcheck /<option> /<option>

Replace <option> with one of the options in the table below:

Each entry below gives the option, its explanation, and an example.

/h or /?
  Displays help information about the ACLCHECK utility.
  Example: aclcheck /h

/d<level>
  Specifies the level of debug information. This information is mainly useful to developers and consultants. Level 1 or 2 gives increasingly detailed information.
  Default: 0
  Example: aclcheck /d2

/f<minutes>
  Specifies, in minutes, how frequently the cache is refreshed. Use a larger value if directory (DS) information changes infrequently; ACLCHECK then keeps its built-up cache longer instead of discarding it, which improves performance.
  Default: 180 minutes
  Example: aclcheck /f300

/g<number>
  Determines whether dynamic group processing is enabled:
    • 1 enables dynamic group processing
    • 0 disables dynamic group processing
  Disable this option if you have no dynamic groups or do not use them with iChain.
  Default: 0
  Example: aclcheck /g1

/k<number>
  Determines whether iChain retries (up to three times) reading the membership of dynamic groups:
    • 1 enables the three retries
    • 0 disables the retries
  Do not enable this option unless your users are experiencing membership-not-found errors, because the retries slow down the system.
  For more information about this issue, see TID 10097124.
  Default: 0
  Example: aclcheck /k1

/o<seconds>
  Specifies, in seconds, how often the cache for dynamic groups is refreshed. Two values have special meanings:
    • 0 disables dynamic group caching
    • -1 causes the cache to be refreshed when a user logs out or the user's idle timer expires
  Dynamic groups are cached when the system boots, and that cache is refreshed on every ACL check refresh. If you add or delete a dynamic group, this cache needs to be refreshed. If you change the membership of a dynamic group and want the change to take effect immediately, this cache needs to be refreshed.
  If you are not using dynamic groups, disable dynamic group caching.
  Default: 300 seconds (5 minutes)
  Example: aclcheck /o360

/p<number>
  Controls whether repeated IP address resolution error messages, such as "Get IP addr failed for hostname: host.company.com" (where host.company.com is a secured protected resource), are displayed:
    • 1 enables the display of these messages
    • 0 disables the display of these messages
  Default: 0
  Example: aclcheck /p1

/q
  By default, dynamic ACLs are checked after all traditional (static) ACLs. If this option is specified, ACLCHECK checks dynamic ACLs first. Use this option when most of your ACLs are dynamic.
  Example: aclcheck /q

/s<size>
  Specifies, in kilobytes, the maximum size of a log file.
  Default: 1 MB
  NOTE: If you set this parameter to 7 KB or less, log files are not created.
  Example: aclcheck /s2000

/t<seconds>
  Specifies the number of seconds for the semaphore timeout.
  Default: 10 seconds
  Example: aclcheck /t9

/v
  Causes iChain to verify that the DN in the ACL exists in the directory before checking rights.
  Example: aclcheck /v

/w<seconds>
  Specifies, in seconds, how long an LDAP search can remain outstanding before timing out. The minimum value is 10 seconds.
  If set too high, this option can slow down the system.
  Default: 10 seconds
  Example: aclcheck /w10

/z<number>
  Determines whether information is sent to the LDAP pool screen:
    • 1 enables the display of these messages
    • 0 disables the display of these messages
  Default: 0
  Example: aclcheck /z1

ACLCHECK has known timing issues: when its parameters are loaded from the appstart.ncf file, they are sometimes not applied. If you experience this problem, move the load aclcheck line in appstart.ncf so that it is loaded before BRDSRV. For more information, see "Cannot change ACLCHECK refresh interval with iChain 2.3".
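As an added example (not part of the iChain documentation or of the product), the following Python script audits an appstart.ncf fragment offline: it parses the switches on the LOAD ACLCHECK line using the option table in Section 12.3.3, reports the ACL check sequence from Section 12.3.1 (with or without /m), and flags the BRDSRV load-order problem described above together with out-of-range values such as /w below 10 or /s at 7 KB or less. The sample file contents, the DEFAULTS table, the set of value-less switches, and the wording of the findings are assumptions built from this section; ACLCHECK itself runs on NetWare, and this script only inspects the configuration text.

```python
"""Audit the LOAD ACLCHECK line of an iChain appstart.ncf (added example)."""
import re

# Constructed sample appstart.ncf (not from the documentation): ACLCHECK loads
# after BRDSRV, /w is below its 10 second minimum, and /s7 suppresses log files.
SAMPLE_NCF = """\
; appstart.ncf (constructed example)
load brdsrv
load aclcheck /m /D2 /f300 /w5 /s7
"""

# Defaults taken from the option table in Section 12.3.3 (assumed complete);
# /s is the 1 MB default expressed in KB.
DEFAULTS = {"d": 0, "f": 180, "g": 0, "k": 0, "o": 300, "p": 0,
            "s": 1024, "t": 10, "w": 10, "z": 0}
FLAGS = {"m", "q", "v", "h", "?"}   # switches that take no value
BOOLEANS = {"g", "k", "p", "z"}     # switches whose value must be 0 or 1
SWITCH_RE = re.compile(r"/([a-zA-Z?])(-?\d+)?")


def parse_ncf(text):
    """Return (load order of module names, ACLCHECK switch dict).

    Switch letters are case-insensitive (/D2 is the same as /d2); a switch
    without a value, such as /m, maps to None.
    """
    order, switches = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        parts = line.split()
        if parts[0].lower() != "load" or len(parts) < 2:
            continue
        module = parts[1].lower()
        if module.endswith(".nlm"):
            module = module[:-4]
        order.append(module)
        if module == "aclcheck":
            for letter, value in SWITCH_RE.findall(" ".join(parts[2:])):
                switches[letter.lower()] = int(value) if value else None
    return order, switches


def effective_settings(switches):
    """Merge explicitly set values over the documented defaults."""
    settings = dict(DEFAULTS)
    settings.update({k: v for k, v in switches.items() if v is not None})
    return settings


def check_sequence(switches):
    """ACL rule check order from Section 12.3.1; community steps need /m."""
    if "m" in switches:
        return ["OUs", "OUs' communities", "Groups", "Groups' communities",
                "User", "User's communities"]
    return ["OUs", "Groups", "User"]


def audit(text):
    """Return a list of findings (empty when the configuration looks sane)."""
    order, switches = parse_ncf(text)
    if "aclcheck" not in order:
        return ["no LOAD ACLCHECK line found"]
    findings = []
    if "brdsrv" in order and order.index("brdsrv") < order.index("aclcheck"):
        findings.append("ACLCHECK loads after BRDSRV; move it earlier so its "
                        "switches are applied (known timing issue)")
    for letter in switches:
        if letter not in DEFAULTS and letter not in FLAGS:
            findings.append(f"unknown switch /{letter}")
    s = effective_settings(switches)
    if not 0 <= s["d"] <= 2:
        findings.append(f"/d{s['d']}: debug level must be 0, 1 or 2")
    elif s["d"] > 0:
        findings.append(f"/d{s['d']}: debug output on; performance impact, "
                        "use only while troubleshooting")
    for letter in sorted(BOOLEANS):
        if s[letter] not in (0, 1):
            findings.append(f"/{letter}{s[letter]}: value must be 0 or 1")
    if s["k"] == 1:
        findings.append("/k1: dynamic group membership retries slow the system")
    if s["w"] < 10:
        findings.append(f"/w{s['w']}: LDAP search timeout below the 10 s minimum")
    if s["s"] <= 7:
        findings.append(f"/s{s['s']}: log files are not created at 7 KB or less")
    if s["o"] < -1:
        findings.append(f"/o{s['o']}: must be -1, 0 or a refresh interval in seconds")
    if s["g"] == 0 and s["o"] != 0:
        findings.append("dynamic groups are disabled (/g0) but their cache is "
                        "still refreshed; set /o0 if you do not use them")
    return findings


if __name__ == "__main__":
    order, switches = parse_ncf(SAMPLE_NCF)
    print("load order:", " -> ".join(order))
    print("ACL check sequence:", " -> ".join(check_sequence(switches)))
    for finding in audit(SAMPLE_NCF):
        print("finding:", finding)
```

Run it against a copy of your own appstart.ncf by replacing SAMPLE_NCF with the file contents; the findings are advisory and follow the constraints stated in this section, so a setting the documentation permits (for example a deliberately high /f) produces no finding.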