Managing Global ACIs With dsconfig
The directory server allows anonymous access by default. There might be situations in which you want to disable anonymous access, particularly to sensitive data within your directory.
The following default ACI allows anonymous read, search, and compare access to all user attributes except userPassword and authPassword:
aci: (targetattr!="userPassword||authPassword")(version 3.0; acl "Anonymous read access"; allow (read,search,compare) userdn="ldap:///anyone";)
To disable anonymous access, remove this ACI from the default access control handler, as shown in the following example:
$ dsconfig -D cn="Directory Manager" -w password -n set-access-control-handler-prop \
  --remove global-aci:'(targetattr!="userPassword||authPassword") \
  (version 3.0; acl "Anonymous read access"; \
  allow (read,search,compare) userdn="ldap:///anyone";)'
Note - Depending on your shell, you might need to escape any quotations in the ACI itself.
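Before removing an ACI, it helps to know which global ACIs actually grant rights to anonymous binds, since more than one rule may use the userdn="ldap:///anyone" bind rule. The following is an added example, not code from the directory server documentation or product: a small parser for the ACI syntax shown above (target clauses, version, acl name, allow/deny rules) and an audit function that lists every allow rule bound to anyone, together with the attributes the rule excludes. The first sample ACI is the default anonymous-read ACI quoted above; the other two are constructed for the example and are not the server's defaults.

```python
"""Audit Directory Server ACI strings for grants to anonymous binds.

Added example (not part of the product documentation). The parser covers
the ACI shape shown on the page:
  (target...="...")...(version 3.0; acl "name"; allow|deny (rights) bindrule; ...)
"""
import re

# Optional leading "aci:" attribute name, as in an LDIF listing.
ACI_PREFIX_RE = re.compile(r"^\s*aci\s*:\s*", re.IGNORECASE)
# Target clauses: (targetattr="..."), (targetattr!="..."), (target="..."), ...
TARGET_RE = re.compile(r'\(\s*(target\w*)\s*(!=|=)\s*"([^"]*)"\s*\)')
# ACI body: (version 3.0; acl "name"; <rules>)
BODY_RE = re.compile(
    r'\(\s*version\s+3\.0\s*;\s*acl\s+"([^"]*)"\s*;(.*)\)\s*$',
    re.IGNORECASE | re.DOTALL,
)
# One permission rule: allow|deny (right, right, ...) <bind rule>;
RULE_RE = re.compile(r'(allow|deny)\s*\(\s*([^)]*)\)\s*(.*?);', re.IGNORECASE | re.DOTALL)
# Bind rule that matches any client, including unauthenticated ones.
ANYONE_RE = re.compile(r'userdn\s*=\s*"ldap:///anyone"', re.IGNORECASE)

SAMPLE_ACIS = [
    # Default anonymous-read ACI quoted on the page (with the LDIF "aci:" prefix).
    'aci: (targetattr!="userPassword||authPassword")(version 3.0; acl "Anonymous read access"; '
    'allow (read,search,compare) userdn="ldap:///anyone";)',
    # Constructed sample: users may write their own entry; no anonymous grant.
    '(targetattr="*")(version 3.0; acl "Self entry modification"; allow (write) userdn="ldap:///self";)',
    # Constructed sample: anonymous read limited to the schema entry.
    '(target="ldap:///cn=schema")(targetattr="*")(version 3.0; acl "Anonymous schema read"; '
    'allow (read,search,compare) userdn="ldap:///anyone";)',
]


def parse_aci(aci):
    """Split one ACI string into its name, target clauses and permission rules."""
    text = ACI_PREFIX_RE.sub("", aci.strip(), count=1)
    body_at = text.lower().find("(version")
    if body_at < 0:
        raise ValueError("not an ACI: missing (version ...) clause")
    targets = {}
    for keyword, op, value in TARGET_RE.findall(text[:body_at]):
        targets[keyword.lower()] = {
            "negated": op == "!=",
            # Multiple attributes are separated by "||", as in userPassword||authPassword.
            "values": [v.strip() for v in value.split("||") if v.strip()],
        }
    m = BODY_RE.match(text[body_at:])
    if not m:
        raise ValueError("malformed ACI body: " + text)
    name, rules_text = m.group(1), m.group(2)
    rules = []
    for kind, rights, bind_rule in RULE_RE.findall(rules_text):
        rules.append({
            "type": kind.lower(),
            "rights": {r.strip().lower() for r in rights.split(",") if r.strip()},
            "bind_rule": " ".join(bind_rule.split()),
        })
    if not rules:
        raise ValueError("ACI has no allow/deny rule: " + text)
    return {"name": name, "targets": targets, "rules": rules}


def anonymous_grants(acis):
    """Return (acl name, sorted rights, excluded attrs) for each allow rule bound to anyone.

    A missing targetattr clause means the rule applies to all attributes, so
    only a negated targetattr (targetattr!="...") produces an exclusion list.
    """
    findings = []
    for aci in acis:
        parsed = parse_aci(aci)
        attr = parsed["targets"].get("targetattr", {"negated": False, "values": ["*"]})
        excluded = attr["values"] if attr["negated"] else []
        for rule in parsed["rules"]:
            if rule["type"] == "allow" and ANYONE_RE.search(rule["bind_rule"]):
                findings.append((parsed["name"], sorted(rule["rights"]), excluded))
    return findings


if __name__ == "__main__":
    for name, rights, excluded in anonymous_grants(SAMPLE_ACIS):
        scope = "all attributes except " + ", ".join(excluded) if excluded else "all targeted attributes"
        print('acl "%s": anonymous %s on %s' % (name, ",".join(rights), scope))
```

Run against the ACIs exported from the access control handler (for example, the global-aci values shown by dsconfig get-access-control-handler-prop), the report lists each acl name that an unauthenticated client can use; those are the values to pass to the --remove global-aci option shown above. The parser is intentionally strict: an ACI without a recognizable (version 3.0; ...) body or without any allow/deny rule raises rather than being silently skipped, so a malformed entry cannot hide a grant.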