The default global ACIs allow write access to a limited subset of the attributes of a user's own entry. These attributes include the following:
audio
authPassword
description
displayName
givenName
homePhone
homePostalAddress
initials
jpegPhoto
labeledURI
mobile
pager
postalAddress
postalCode
preferredLanguage
telephoneNumber
userPassword
Use the procedures in this section to grant users write access to additional attributes of their own entries.
The following example ACI enables users internal to example.com to change their own business category and room number.
Remember, by allowing write access, you also grant users the right to delete attribute values.
aci: (targetattr="businessCategory || roomNumber") (version 3.0; acl "Write example.com"; allow (write) userdn="ldap:///self" and dns="*.example.com";)
This example assumes that the ACI is added to the ou=People,dc=example,dc=com entry.
The following example enables any user to update all of his own personal information in the example.com tree provided that he establish an SSL connection to the directory.
By setting this permission, you are also granting users the right to delete attribute values.
aci: (targetattr="*") (version 3.0; acl "Write SSL"; allow (write) userdn="ldap:///self" and authmethod="ssl";)
This example assumes that the ACI is added to the ou=subscribers,dc=example,dc=com entry.
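The following Python sketch reviews self-write ACIs of the form shown above before they are added to an entry. It is an added example, not part of the product or its documentation. The function name audit_aci, the three checks, and the TYPO_ACI sample are assumptions made for illustration.

```python
import re

# Shape of the ACIs on this page:
#   (targetattr="...") (version 3.0; acl "name"; allow (rights) bind-rules;)
ACI_RE = re.compile(
    r'\(\s*targetattr\s*(!?=)\s*"([^"]*)"\s*\)\s*'
    r'\(\s*version\s+3\.0\s*;\s*acl\s+"([^"]*)"\s*;\s*'
    r'allow\s*\(([^)]*)\)\s*(.*?)\s*;\s*\)\s*$', re.S)
BIND_RE = re.compile(r'(\w+)\s*(!?=)\s*"([^"]*)"')

# The two ACIs from this page, plus one constructed sample with a two-slash URL.
PEOPLE_ACI = ('aci: (targetattr="businessCategory || roomNumber") (version 3.0; '
              'acl "Write example.com"; allow (write) userdn="ldap:///self" '
              'and dns="*.example.com";)')
SSL_ACI = ('aci: (targetattr="*") (version 3.0; acl "Write SSL"; '
           'allow (write) userdn="ldap:///self" and authmethod="ssl";)')
TYPO_ACI = ('aci: (targetattr="mobile") (version 3.0; acl "Constructed sample"; '
            'allow (write) userdn="ldap://self";)')

def audit_aci(line):
    """Parse one ACI value; return what it grants and a list of review findings."""
    value = re.sub(r'^\s*aci:\s*', '', line, flags=re.I)
    m = ACI_RE.match(value)
    if m is None:
        raise ValueError("not in the ACI form this sketch understands")
    op, attrs, name, rights, bind = m.groups()
    attrs = [a.strip() for a in attrs.split("||")]
    rights = [r.strip().lower() for r in rights.split(",")]
    rules = {k.lower(): v for k, _, v in BIND_RE.findall(bind)}
    findings = []
    userdn = rules.get("userdn", "")
    # An LDAP URL without a host part has three slashes: ldap:///self.
    if userdn.startswith("ldap://") and not userdn.startswith("ldap:///"):
        findings.append("userdn is not a host-less LDAP URL (expected ldap:///...)")
    # Write also lets users delete values, so an open-ended target deserves review.
    if "write" in rights and (op == "!=" or "*" in attrs):
        findings.append("write is granted on an open-ended attribute set")
    # Policy choice of this example: expect a connection condition on write.
    if "write" in rights and not {"authmethod", "dns", "ip"} & rules.keys():
        findings.append("write has no connection constraint (authmethod, dns, ip)")
    return {"name": name, "attrs": attrs, "rights": rights,
            "rules": rules, "findings": findings}

if __name__ == "__main__":
    for sample in (PEOPLE_ACI, SSL_ACI, TYPO_ACI):
        result = audit_aci(sample)
        print(result["name"], result["attrs"], result["findings"] or "no findings")
```
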