Some organizations want to allow employees to create entries in the tree if it can increase their efficiency, or if it can contribute to the corporate dynamics. The following examples assume that example.com has a social committee that is organized into various clubs (tennis, swimming, skiing, and so on).
This sample ACI allows any example.com employee to create a group entry representing a new club, under the ou=social committee branch.
aci: (target="ldap:///ou=social committee,dc=example,dc=com")
 (targetattr="*")
 (targattrfilters="add=objectClass:(|(objectClass=groupOfNames)(objectClass=top))")
 (version 3.0; acl "Create Group"; allow (read,search,add)
 userdn="ldap:///uid=*,ou=People,dc=example,dc=com" and dns="*.example.com";)
This example assumes that the ACI is added to the ou=social committee, dc=example,dc=com entry.
Note - This ACI does not grant write permission, which means that the entry creator cannot modify the entry afterwards. Because the server adds the value top to objectClass behind the scenes, you must include objectClass=top in the targattrfilters add filter; otherwise every add of a group entry is rejected.
This sample ACI ensures that only the group owner can modify or delete a group entry under the ou=social committee branch.
aci: (target="ldap:///ou=social committee,dc=example,dc=com")
 (targetattr="*")
 (targattrfilters="del=objectClass:(objectClass=groupOfNames)")
 (version 3.0; acl "Delete Group"; allow (write,delete)
 userattr="owner#GROUPDN";)
This example assumes that the ACI is added to the ou=social committee,dc=example,dc=com entry.
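As an added example (not part of the original documentation, and not Directory Server's own ACI parser), the following Python linter checks the two ACIs above for the pitfalls this section describes: balanced parentheses, a target written as an ldap:/// URL, and objectClass=top present in the add filter. The regular expressions assume the (target)(targetattr)(targattrfilters)(version 3.0; ...) shape used on this page, not the full ACI grammar.

```python
import re

# Simplified linter for the ACI shape used on this page: constructed
# example, not Directory Server's own parser or the full ACI grammar.
KEYWORD_RE = re.compile(r'\((target|targetattr|targattrfilters)\s*=\s*"([^"]*)"\)')
BODY_RE = re.compile(r'\(version\s+3\.0;\s*acl\s+"([^"]*)";\s*(allow|deny)\s*\(([^)]*)\)\s*(.*?);\)\s*$', re.S)

# The two ACIs from this page, each on one line.
CREATE_GROUP_ACI = (
    'aci: (target="ldap:///ou=social committee,dc=example,dc=com")'
    '(targetattr="*")'
    '(targattrfilters="add=objectClass:(|(objectClass=groupOfNames)(objectClass=top))")'
    '(version 3.0; acl "Create Group"; allow (read,search,add) '
    'userdn="ldap:///uid=*,ou=People,dc=example,dc=com" and dns="*.example.com";)')
DELETE_GROUP_ACI = (
    'aci: (target="ldap:///ou=social committee,dc=example,dc=com")'
    '(targetattr="*")(targattrfilters="del=objectClass:(objectClass=groupOfNames)")'
    '(version 3.0; acl "Delete Group"; allow (write,delete) userattr="owner#GROUPDN";)')

def parse_aci(aci):
    """Split an aci value into its target keywords and its permission body."""
    value = aci.split(":", 1)[1].strip() if aci.startswith("aci:") else aci.strip()
    targets = dict(KEYWORD_RE.findall(value))
    m = BODY_RE.search(value)
    if not m:
        raise ValueError("no (version 3.0; acl ...; allow|deny (...) bindrule;) body")
    name, verb, perms, bindrule = m.groups()
    return {"targets": targets, "acl": name, "verb": verb,
            "permissions": [p.strip() for p in perms.split(",")],
            "bindrule": bindrule.strip()}

def lint_aci(aci):
    """Return the problems found; an empty list means the ACI passes."""
    problems = []
    if aci.count("(") != aci.count(")"):
        problems.append("unbalanced parentheses")
    try:
        parsed = parse_aci(aci)
    except ValueError as exc:
        return problems + [str(exc)]
    target = parsed["targets"].get("target", "")
    if target and not target.startswith("ldap:///"):
        problems.append("target must be an LDAP URL starting with ldap:///")
    # The server adds objectClass=top itself, so an add filter on objectClass
    # that names only groupOfNames would reject every new group entry.
    add_filter = re.search(r"add=objectClass:\s*([^&]*)", parsed["targets"].get("targattrfilters", ""))
    if add_filter and "objectclass=top" not in add_filter.group(1).lower():
        problems.append("add filter on objectClass omits objectClass=top")
    return problems
```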